NAT Masquerade & Source NAT on guest network with web filtering

We have a Guest network, and I'd like traffic coming from this network going out to the internet to use a different public IP from the one my internal networks use. The network has Web Filtering enabled in transparent mode.

I created a NAT masquerade rule:

Network: Guest (Network)   Interface: External   Use address: Guest External IP

I then added the source NAT rule:

SNAT Source
Traffic selector: Guest (Network) Any Internet IPv4
Source translation: External Interface [Guest External] (Address)

If I have web filtering on, web traffic will use the UTM's IP. With web filtering off, the masq/SNAT seems to work fine. Is there any way around this?

  • I know there's a Feature Request for this, Jason, and you might want to comment on and vote for that.

    Your idea won't work, so you can delete that SNAT.

    At present, there's only a workaround.  It turns out that Multipath rules are aware of the original source of traffic that passes through the HTTP/S Proxy...

    Set the netmask on External to /32, put a switch in between the UTM and your ISP and connect both the current External interface and a new interface named "External Guest" with the same default gateway.  Now, you have Uplink Balancing activated and you can make a Multipath rule that sends web requests from "Guest (Network)" via the "External Guest" interface.  In order:

    1. Guest Network -> Web Surfing -> Internet : bind to External Guest
    2. Any -> Any -> Any : bind to External

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
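To make the failure mode in the question and the reasoning behind the workaround concrete, here is a small model of the packet flow. It is an added illustration written for this thread, not Sophos code and not a reproduction of the UTM's real rule engine. It encodes three things the posts state: NAT (masquerade/SNAT) rules match on the source address of the packet they actually see; the transparent Web Filter proxy terminates the client session and opens its own connection, which therefore carries the UTM's own address; and Multipath rules still see the original client source of proxied traffic. The address ranges (RFC 5737 documentation space), the guest subnet and the assumption that the proxy connects out from the primary External address are all choices made here, not facts from the thread; the interface and rule names follow the posts.

```python
"""Toy model of the egress-address problem in this thread (added example).

Not Sophos code.  Addresses, the guest subnet and the proxy's source-address
behaviour are assumptions made for the illustration.
"""
import ipaddress
from dataclasses import dataclass

GUEST_NET = ipaddress.ip_network("192.168.50.0/24")  # "Guest (Network)", assumed range
IFACE_ADDR = {
    "External": "203.0.113.10",        # primary address of External (assumed)
    "External Guest": "203.0.113.11",  # the "Guest External" address; in Bob's layout it
                                       # is the primary address of the new interface (assumed)
}
GUEST_EXTERNAL_IP = IFACE_ADDR["External Guest"]
WEB_PORTS = {80, 443}


@dataclass
class Flow:
    src: str        # source address in the IP header, i.e. what the NAT table sees
    dst: str
    dport: int
    orig_src: str   # client address; the proxy keeps it, NAT rules never see it
    proxied: bool = False


def transparent_proxy(client_ip: str, dst: str, dport: int, web_filter_on: bool) -> Flow:
    """Model assumption: an intercepted web session leaves the proxy as a brand-new
    connection sourced from the UTM's primary External address."""
    if web_filter_on and dport in WEB_PORTS:
        return Flow(IFACE_ADDR["External"], dst, dport, orig_src=client_ip, proxied=True)
    return Flow(client_ip, dst, dport, orig_src=client_ip)


def multipath_interface(flow: Flow) -> str:
    """Bob's two Multipath rules, evaluated in order, keyed on the ORIGINAL source."""
    if ipaddress.ip_address(flow.orig_src) in GUEST_NET and flow.dport in WEB_PORTS:
        return "External Guest"   # 1. Guest Network -> Web Surfing -> Internet
    return "External"             # 2. Any -> Any -> Any


def masquerade(flow: Flow, iface: str) -> str:
    """The OP's masquerade rule (Guest (Network) on External -> Guest External IP) plus
    ordinary masquerading to the interface address for everything else.  It only ever
    looks at flow.src, never at flow.orig_src."""
    if iface == "External" and ipaddress.ip_address(flow.src) in GUEST_NET:
        return GUEST_EXTERNAL_IP
    return IFACE_ADDR[iface]


def egress_ip(client_ip: str, dst: str, dport: int, web_filter_on: bool, multipath_on: bool) -> str:
    """Public address a remote server would see for this client's connection."""
    flow = transparent_proxy(client_ip, dst, dport, web_filter_on)
    iface = multipath_interface(flow) if multipath_on else "External"
    return masquerade(flow, iface)


if __name__ == "__main__":
    # Constructed scenarios; 198.51.100.5 stands in for any internet host.
    cases = [
        ("web filter off, no multipath, guest HTTPS", ("192.168.50.20", "198.51.100.5", 443, False, False)),
        ("web filter on,  no multipath, guest HTTPS", ("192.168.50.20", "198.51.100.5", 443, True, False)),
        ("web filter on,  multipath,    guest HTTPS", ("192.168.50.20", "198.51.100.5", 443, True, True)),
        ("web filter on,  no multipath, guest DNS",   ("192.168.50.20", "198.51.100.5", 53, True, False)),
        ("web filter on,  multipath,    LAN HTTPS",   ("10.0.0.5", "198.51.100.5", 443, True, True)),
    ]
    for label, args in cases:
        print(f"{label}: egress {egress_ip(*args)}")
```

The second scenario reproduces the complaint in the question (guest web traffic leaves from the UTM's own address once the proxy is in the path, because the masquerade rule's source match never fires on the proxy-originated connection), and the third shows why the Multipath rule works: it is keyed on the original client address, so it can still steer the proxied session out of the "External Guest" interface. Non-web guest traffic is untouched by the proxy and masquerades correctly in every case.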
  • As of 03 June 2017, this is now possible! See How to change the outgoing interface for Web Filtering.

    Rather than use the suggested method of enabling this capability, do the following as root:

    cc set http enable_out_interface 1

    Cheers - Bob
