Routing all traffic from LAN to Internet over VPN Tunnel in DMZ

Question

Sophos UTM Configuration 
 
 Interfaces 
 
 External (WAN) 82.x.x.x 
 DMZ 10.0.0.1 /8 
 Internal (LAN) 192.168.0.1 /24

Network Services - DNS - Global - Allowed Networks 
 
 DMZ Network 
 LAN Network 
 
 Forwarders - DNS Forwarders 
 
 Google DNS 1 
 Google DNS 2

Network Services - DHCP 
 
 Interface: Internal 
 
 Range Start: 192.168.0.100 
 Range end: 192.168.0.110 
 DNS Server 1: 192.168.0.1 
 Default Gateway: 192.168.0.1

Network Protection - Firewall 
 
 Internal Network -> DNS, http, https, http proxy, http Web Cache, ftp, tftp -> Internet IPv4 
 
 Internal Network -> Any -> DMZ Network 
 
 DMZ Network -> Any -> Internet IPv4

NAT - Masquerading 
 
 Internal Network - External WAN 
 
 Internal Network - DMZ Network 
 
 DMZ Network - External WAN

Web Protection - Web Filtering - Global - Transparent Mode 
 
 Allowed Networks 
 
 DMZ Network 
 Internal Network

DMZ Router (VPN Client) Configuration 
 
 10.0.0.2 
 255.0.0.0 
 GW 10.0.0.1 
 DNS 10.0.0.1

VPN Client Router in DMZ with IP 10.0.0.2 is connected with External VPN Service. When i connect my Notebook directly to this Router, and set the following ip configuration manually on Notebook

10.0.0.5 
 255.0.0.0 
 GW: 10.0.0.2 
 DNS: 10.0.0.1

I can connect to Internet via VPN Tunnel, works perfect.

But when i connect my Notebook to Internal LAN Network and get via DHCP IP Configuration, 192.168.0.x i can ping to 10.0.0.1 UTM Interface and Router 10.0.0.2. 
 
 How do i have to adapt the routing and firewall settings in Sophos UTM, that all the access to Internet is routed from 192.168.0.0 /24 over 10.0.0.0 /8 through VPN Tunnel??

Thanks a Lot!

apijnappels · Accepted Answer

Good that it works now and indeed a little strange since you had both internal -> internet IPv4 and internal -> dmz and dmz -> internet IPv4 allow rules IIRC. 
 Perhaps someone can explain why in this case specifically "any" is required, I don't have an explanation for it.

apijnappels · Answer

I think you need te create a policy route under Interfaces and routing -> static routing -> policy routes with the following settings: 
 Route type: Gateway route Source interface: Internal Source network: Internal (Network) Service: any (if you want all traffic to be routed this way or ie. Web Surfing for just web surfing protocols and nothing else Destination network: Internet IPv4 (or if you also use IPv6 you can make a group where you combine Internet IPv4 and IPv6 into 1 group or make an additional route) Gateway: Your router in DMZ 10.0.0.2 
 This will send all selected traffic (configured under service) coming from your internal network arriving on the internal interface destined for the internet to the router in your DMZ. 
 PS. Why do you masquerade your internal network to your DMZ? If you make sure that your router 10.0.0.2 knows how to get to your internal network you can just route from internal to dmz and you don't need to use NAT....

apijnappels · Answer

I didn't notice earlier, but it's because of your transparent web filtering setup. This will intercept all http(s) traffic from internal (since internal is configured to use it) hence it will not be send using the gateway route. 
 If you either remove Internal from the web filtering or disable web filtering completely, I think it will work. Or it may also work if you create another gateway route like the first one, but instead of Internal (Network) as source try Internal (Address) so it applies specifically to the UTM itself (this may or may not work, I honestly don't know).