NAT Masquerade & Source NAT on guest network with web filtering

We have a Guest network, and I'd like traffic coming from this network going out to the internet to use a different public IP than my internal networks. The network has Web Filtering enabled in transparent mode.

I created a NAT masquerade rule:

Guest (Network) External Interface   /   Guest External IP

I then added the source NAT rule:

SNAT Source
Traffic selector: Guest (Network) Any Internet IPv4
Source translation: External Interface [Guest External] (Address)

If I have web filtering on, web traffic will use the UTM's IP.  With web filtering off, the masq/snat seems to work fine. Is there any way around this?



  • I know there's a Feature Request for this, Jason, and you might want to comment on and vote for that.

    Your idea won't work, so you can delete that SNAT.

    At present, there's only a workaround.  It turns out that Multipath rules are aware of the original source of traffic that passes through the HTTP/S Proxy...

    Set the netmask on External to /32, put a switch in between the UTM and your ISP and connect both the current External interface and a new interface named "External Guest" with the same default gateway.  Now, you have Uplink Balancing activated and you can make a Multipath rule that sends web requests from "Guest (Network)" via the "External Guest" interface.  In order:

    1. Guest Network -> Web Surfing -> Internet : bind to External Guest
    2. Any -> Any -> Any : bind to External

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA