jank04
Level 7
Message 1 of 4

MWG does not forward in transparent router mode

In short: Clients can't access the Internet. The following topology is present:

 

Server/Clients <-----> Router/Firewall <-----> MWG <-----> Router WAN
172.20.0.0/16                                  eth0 (inbound): 172.20.0.255/16
172.30.0.0/16                                  eth1 (outbound): 128.11.250.249/16
                                               GW: 128.11.120.35

GW from server/clients: 172.x0.255.254(Router/Firewall). Default route for any destination is set to MWG (172.20.0.255). Firewall is fully open.
From   To    Source   Destination   Schedule   Service   Action
any    any   all      all           always     all       accept

Ping from client/server network to Google-dns (8.8.8.8) does not work.

Ping from MWG via Troubleshooting->Network Tools works.

Static routes are configured, so the MWG knows the route back.

It is a single appliance. Transparent router option is chosen; port redirects are configured; director priority is configured to 99 (>0); Management IP is set to 172.20.0.255; Virtual IPs are configured on inbound and outbound interfaces, as mentioned in the documentation. Whether the virtual IPs are present or not has no effect.

Output of: ~# cat /proc/sys/net/ipv4/ip_forward gives me 1.

When I look into a packet trace while ping on a client is running, I can see that the MWG gets the request, but no response is given.

When I configure the MWG directly as GW for servers, the problem does not change either.

/edit: I also rebooted the appliance.

Is there any obvious mistake?

Thank you

3 Replies
vkleineh
Employee
Message 2 of 4

Re: MWG does not forward in transparent router mode

Hi,

I don't see any obvious mistakes in your configuration. If cat /proc/sys/net/ipv4/ip_forward shows "1", the MWG should forward the traffic. I recommend opening a service request with support if not already done. Support will need a feedback file, a tcpdump taken on the proxy (provide client IP and what was tested) and a network diagram.

jank04
Level 7
Message 3 of 4

Re: MWG does not forward in transparent router mode

According to a supporter, the MWG goes out with the client IP and the MWG MAC address. The "problem" is that the client network is blocked (as it should be) on the gateway of last resort and we are not willing to let the client network through. However, when NAT on MWG is enabled, the IP from MWG is the source address, which is accepted on the gateway of last resort.

 

When I activate IP-Spoofing (http/https) this should do the trick. However this does not work. Also it does not resolve my problem, because other protocols like DNS, ICMP are not spoofed.

 

Is there a possibility to activate NAT on MWG Transparent Router?

swilkens1
Employee
Message 4 of 4

Re: MWG does not forward in transparent router mode

In transparent router mode, MWG will only NAT proxy traffic, i.e., web traffic redirected to the proxy listening port(s). Other traffic like DNS, ICMP, etc., is simply routed by the appliance without NATing, just like you saw.

Usually the router/firewall in such scenarios handles the primary NATing function. Is that not a possibility in your environment?
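
One way to confirm from a capture which traffic leaves the outbound interface without NAT, as an added example that is not part of the original thread or the product's tooling. The networks and the MWG outbound address come from the topology above; the capture lines are constructed and assume the usual `tcpdump -n -i eth1` text format.

```python
import ipaddress
import re

# Values taken from the thread's topology.
CLIENT_NETS = [ipaddress.ip_network("172.20.0.0/16"),
               ipaddress.ip_network("172.30.0.0/16")]
MWG_OUTBOUND_IP = ipaddress.ip_address("128.11.250.249")

# Constructed sample of `tcpdump -n -i eth1` output (not from the thread).
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 172.20.10.5 > 8.8.8.8: ICMP echo request, id 1, seq 1, length 64
12:00:02.000001 IP 172.30.4.7.53124 > 8.8.8.8.53: 1+ A? example.com. (29)
12:00:03.000001 IP 128.11.250.249.40112 > 203.0.113.10.443: Flags [S], seq 1, win 29200, length 0
12:00:04.000001 IP 203.0.113.10.443 > 128.11.250.249.40112: Flags [S.], seq 2, ack 2, win 65535, length 0
"""

# Source and destination are IPv4 addresses with an optional ".port" suffix.
LINE_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)(?:\.(\d+))? > "
    r"(\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?: (.*)$")

def classify(line):
    """Return (verdict, src, dst, detail) for one tcpdump line, or None if unparsed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src = ipaddress.ip_address(m.group(1))
    dst = ipaddress.ip_address(m.group(3))
    if any(src in net for net in CLIENT_NETS):
        verdict = "routed-unNATed"      # client address visible upstream
    elif src == MWG_OUTBOUND_IP:
        verdict = "sourced-from-MWG"    # NATed proxy traffic or the MWG's own
    else:
        verdict = "other"               # e.g. return traffic from the WAN side
    return verdict, str(src), str(dst), m.group(5)

def unnatted_flows(capture):
    """Packets that leave the outbound interface still carrying a client source IP."""
    results = (classify(line) for line in capture.splitlines())
    return [r for r in results if r and r[0] == "routed-unNATed"]

if __name__ == "__main__":
    for _, src, dst, detail in unnatted_flows(SAMPLE_CAPTURE):
        print(f"{src} -> {dst} leaves eth1 with a client source address: {detail}")
```

Any packet reported here is one the gateway of last resort will see with a client-network source address, so it is subject to that gateway's block on the client networks.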
