  1. #1 sonofsanta

    Feeling thick: Smoothwall Transparent Proxy

    SWG-1200, Guardian 3, updated to main 68.

    I always got the idea that all I had to do for guest access via SSL login page was:
    * Plug in a second network port, give it an address in the guest VLAN
    * Set the default gateway of devices to this IP
    * Set up a transparent auth policy for all traffic coming into this NIC for the SSL Login page

    I cannot get anywhere though.

    The SSL Login page works on my normal range if I set it on a different proxy port (I don't want to break lots of things by testing transparent here though).

    The laptop I'm testing with can ping the Smoothwall IP, which is set as the default gateway (all this is done statically for now).

    But when I try and load any page, nothing happens. Fiddler is telling me that requests are bouncing with 502, Failed DNS lookup. I've tried setting DNS to Google's servers, our ISP's servers, even to the Smoothwall IP, but nothing.

    What am I missing? Do I need DNS setting up internally to this range as well? Or is transparent proxy for guest access inherently undoable on an SWG device and I'll be forced into paying the big fat upgrade fee for a UTM device?

    /so confused

  2. #2 sonofsanta
    Right, setting up SSL login as a non-transparent proxy on the guest NIC, and inspecting traffic again in Fiddler, the system keeps trying to tunnel to smoothwall.domain.internal - which won't resolve because this is the guest VLAN with no access to main DNS. Is there a way of forcing the Smoothwall to use the IP of this secondary NIC instead of the FQDN?

    It actually repeatedly chains the request, so that very quickly the request header is
    Code:
    GET /clogin?https://smoothwall.domain.internal:442/clogin?https://smoothwall.domain.internal:442/clogin?https://smoothwall.domain.internal:442/clogin?https://smoothwall.domain.internal:442/clogin?...clogin?http://microsoft.com/
    I've got to be doing something wrong here.
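As an added diagnostic (not the poster's code and not part of Smoothwall), the Python below peels a nested /clogin redirect chain of the shape quoted above, recovers the URL the client was really after, and flags any portal hostname that a resolver on the guest VLAN cannot answer. The shortened chain and the resolver view are constructed for the example; on a live host you would swap the dict for socket.gethostbyname.

```python
from urllib.parse import urlsplit

# Constructed from the request line quoted above, cut down to four hops;
# the real Fiddler capture nested far deeper.
CHAINED_REQUEST = (
    "/clogin?https://smoothwall.domain.internal:442"
    "/clogin?https://smoothwall.domain.internal:442"
    "/clogin?https://smoothwall.domain.internal:442"
    "/clogin?http://microsoft.com/"
)

# Constructed view of what a resolver on the guest VLAN can answer. The
# portal FQDN is deliberately missing, which is the fault being diagnosed.
GUEST_VLAN_DNS = {"google.co.uk": "173.194.41.191"}


def unwrap_clogin(request_path):
    """Peel nested /clogin?<url> hops.

    Returns (portal_hosts, original_url): the portal hostname each inner hop
    pointed at, and the URL the client was actually trying to reach.
    """
    hosts = []
    url = request_path
    while url.startswith("/clogin?"):
        url = url[len("/clogin?"):]          # drop the portal prefix
        parts = urlsplit(url)
        if parts.path != "/clogin" or not parts.query:
            break                            # reached the real destination
        hosts.append(parts.hostname)         # portal host of this hop
        url = "/clogin?" + parts.query       # descend into the inner redirect
    return hosts, url


def diagnose(request_path, resolver):
    """Explain a looping captive-portal request against a resolver view."""
    hosts, original = unwrap_clogin(request_path)
    findings = []
    if len(hosts) > 1:
        findings.append("redirect loop: %d nested /clogin hops" % len(hosts))
    for host in sorted(set(hosts)):
        if host not in resolver:
            findings.append(
                "portal host %s does not resolve on this network; "
                "add a record for it or redirect by IP" % host)
    return original, findings


if __name__ == "__main__":
    original, findings = diagnose(CHAINED_REQUEST, GUEST_VLAN_DNS)
    print("client wanted:", original)
    for line in findings:
        print("-", line)
```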

  3. #3 drewp
    Have you checked that you have set up the external access rules?

    System >> Administration >> External access
    Interface: second NIC, Source: All, Service: other web access on HTTP (80)
    Interface: second NIC, Source: All, Service: other web access on HTTPS (442)

  4. Thanks to drewp from:

    sonofsanta (27th March 2014)

  5. #4 sonofsanta
    Yup, found that on another thread round here - for source I set the network range of the guest devices, but even setting Port9_GUEST, ALL, ALL got me nowhere.

    Further to the above, I've tried adding smoothwall.domain.internal to the hosts file of my test laptop to see if it helped, and it made no difference, even though pinging that domain name resolved correctly.

  6. #5 sonofsanta
    Anyone else?

    Can't load smoothwall.com today to get to the knowledge base...

  7. #6 tom_newton
    Our website is suffering a spot of downtime.
    Your issue is definitely DNS related. The first thing I'd try is to get this domain resolving on that network: that's the easiest. There is an option to go via IP, but it is hidden (backend config tweak). I will dig that out for you, but that would be a less preferred option.

  8. Thanks to tom_newton from:

    sonofsanta (31st March 2014)

  9. #7 tom_newton
    In the file settings/main/settings
    USE_HOSTNAME_IN_REDIRECTS=on
    is the thing to twiddle. Gets GUI exposure ~main75.

  10. Thanks to tom_newton from:

    sonofsanta (31st March 2014)

  11. #8 sonofsanta
    Quote Originally Posted by tom_newton View Post
    Our website is suffering a spot of downtime.
    Your issue is definitely DNS related. The first thing I'd try is to get this domain resolving on that network: that's the easiest. There is an option to go via IP, but it is hidden (backend config tweak). I will dig that out for you, but that would be a less preferred option.
    I'll start playing with the Ubuntu VM for the DHCP and see if I can set up a DNS zone solely for this record then... bit of a faff for the sake of the single record though, but I suppose mucking around with the backend setting would also affect the main network and involve more faff with certificates?

  12. #9 sonofsanta
    Well, I'm narrowing the issue down, but it still isn't working.

    I have an Ubuntu VM running dnsmasq acting as DHCP server and DNS server. The problem now appears to be that the Smoothwall won't let it make DNS requests.

    The Ubuntu VM is in the same subnet as the second SW interface and can ping the second SW interface. I can't ping anything else. If I try and ping google.com from the command line I get told "ping: unknown host google.com".

    If I add a static DNS entry e.g. address=/google.co.uk/173.194.41.191 and then ping google.co.uk from within Ubuntu, I get told From 10.45.208.3 icmp_seq=1 Destination Port Unreachable

    smoothwall.domain.local is added as a static entry in dnsmasq. Trying to access google.co.uk gets me nowhere - it still reports that the DNS lookup failed, as earlier.

    With the static google.co.uk entry in dnsmasq, though, I can get the SSL login page up (only if I browse to google.co.uk), login and then browse google.co.uk to my heart's content - just not any of the links.

    So: the issue specifically appears to be with the Ubuntu VM getting access through the Smoothwall. There's a transparent proxy policy against the VM's IP, for no authentication (set to Network Admin), and there's a non-transparent policy set to the same, with Ubuntu configured to use it (via the installation option). I can run apt-get update successfully so it seems the machine can talk to the internet, just not in all the ways it requires.

    System > Admin Options > External Access has HTTP and HTTPS traffic from the guest VLAN allowed on the guest NIC. I've tried setting the following policies under Zone Bridging but it's made no difference:
    [attached image: swdns.PNG - the Zone Bridging rules referred to here]
    I tried switching dnsmasq to use port 5353 and amending them accordingly with no gain.

    Help!

  13. #10 sonofsanta
    Anyone?

  14. #11 caffrey
    Just a guess, but have you tried DNS proxy? Services » DNS » DNS proxy on the interface?

  15. Thanks to caffrey from:

    sonofsanta (30th April 2014)

  16. #12 sonofsanta
    Quote Originally Posted by caffrey View Post
    Just a guess, but have you tried DNS proxy? Services » DNS » DNS proxy on the interface?
    UTM only; doesn't exist on our SWG.

  17. #13 sonofsanta
    Just tested setting an IP on the VLAN and if the Ubuntu box has that as the default gateway (i.e. has a route to the internet that isn't via the Smoothwall) everything works beautifully. Devices get the Smoothwall's second NIC as the default gateway, the first time they try to get to the internet they get the login page, and they can then browse to their heart's content until they hit a blocked page.

    I don't want an IP setting for this VLAN though, such that it's wholly segregated from the rest of the network. I would really like to get Ubuntu getting its DNS through the Smoothwall - I just need a way, any way, for the Smoothwall to whitelist any and all traffic from the source IP of the Ubuntu box. @tom_newton? @OB1? @AMLightfoot? Anyone?

  18. #14 AMLightfoot
    Zone bridging?

    I'm having some trouble working out what you're looking for but @ibpalle suggested Zone Bridging

  19. #15 sonofsanta
    Quote Originally Posted by AMLightfoot View Post
    Zone bridging?

    I'm having some trouble working out what you're looking for but @ibpalle suggested Zone Bridging
    Tried setting up zone bridging as shown in post #9 (the tiny image near the bottom that blends almost seamlessly into the EduGeek background) but I don't know if that's not working because a) it fundamentally won't work or b) I've set it up wrong (likely the case).

    Do these look right? Do I need to set up the converse rule as well? Should I use the default gateway's internal IP for destination rather than the DNS servers I'm trying to get to? (10.45.208.2 is the IP of the Ubuntu box, the Smoothwall's second NIC is 10.45.208.3)
