In Short: Clients can't access the Internet. Following topology is present:
Server/Clients <-----> Router/Firewall <-----> MWG <-----> Router WAN
172.20.0.0/16 eth0(inbound): 172.20.0.255/16
172.30.0.0/16 eth1(outbound): 18.104.22.168/16
GW from server/clients: 172.x0.255.254(Router/Firewall). Default route for any destination is set to MWG (172.20.0.255). Firewall is fully open.
From To Source Destinaton Schedule Service Action
any any all all always all accept
Ping from client/server network to Google-dns (22.214.171.124) does not work.
Ping from MWG via Troubleshooting->Network Tools works.
Static routes are configured, so the MWG knows the route back.
It is a single appliance. Transparent router option is choosen; Port redirects are configured; director priority is configured to 99 (>0); Management IP is set to 172.20.0.255; Virtual IPs are configured on inbound and outbound interfaces, as mentioned in the documentation. If the virtual ips are present or not, has no effect.
Output of: ~# cat /proc/sys/net/ipv4/ip_forward gives me 1.
When I look into a packet trace while ping on a client is running, I can see, that the MWG gets the request, but no response is given.
When I configure the MWG directly as GW for servers, the problem does not change neither.
/edit: I also rebooted the appliance.
Is there any obvious mistake?
I don't see any obvious mistakes in your configuration. If cat /proc/sys/net/ipv4/ip_forward shows "1", the MWG should forward the traffic. I recommend to open a service request with support if not already done. Support will need a feedback file, tcpdump taken on the proxy (provide client IP and what was tested) and a network diagram.
According to a supporter, the MWG goes out with the client-ip and MWG mac address. The "problem" is, that the client-network is blocked (as it should be) on the gateway of last resort and we are not willig to let the client-network trough. However when NAT on MWG is enabled, the IP from MWG is the source address, which is accepted on the gateway of last resort.
When I activate IP-Spoofing (http/https) this should do the trick. However this does not work. Also it does not resolve my problem, because other protocols like DNS, ICMP are not spoofed.
Is there a possibility to activate NAT on MWG Transparent Router?
In transparent router mode, MWG will only NAT proxy traffic, i.e., web traffic redirected to the proxy listening port(s). Other traffic like DNS, ICMP, etc., are simply routed by the appliance without NATing, just like you saw.
Usually the router/firewall in such scenarios handles the primary NATing function. Is that not a possibility in your environment?