jank04 (Level 7)
Message 1 of 4

MWG does not forward in transparent router mode

In short: clients can't access the Internet. The following topology is present:

Server/Clients <-----> Router/Firewall <-----> MWG <-----> Router WAN
172.20.0.0/16                                  eth0 (inbound):  172.20.0.255/16
172.30.0.0/16                                  eth1 (outbound): 128.11.250.249/16
                                               GW: 128.11.120.35

GW from server/clients: 172.x0.255.254 (Router/Firewall). The default route for any destination is set to the MWG (172.20.0.255). The firewall is fully open:

From   To    Source   Destination   Schedule   Service   Action
any    any   all      all           always     all       accept

Ping from the client/server network to Google DNS (8.8.8.8) does not work.

Ping from the MWG via Troubleshooting -> Network Tools works.

Static routes are configured, so the MWG knows the route back.

It is a single appliance. The Transparent Router option is chosen; port redirects are configured; the director priority is set to 99 (>0); the management IP is set to 172.20.0.255; virtual IPs are configured on the inbound and outbound interfaces, as described in the documentation. Whether the virtual IPs are present or not has no effect.

The output of ~# cat /proc/sys/net/ipv4/ip_forward gives me 1.

When I look into a packet trace while a ping is running on a client, I can see that the MWG gets the request, but no response is given.

When I configure the MWG directly as the GW for the servers, the problem does not change either.

/edit: I also rebooted the appliance.

Is there any obvious mistake?

Thank you

3 Replies
vkleineh (McAfee Employee)
Message 2 of 4

Re: MWG does not forward in transparent router mode

Hi,

I don't see any obvious mistakes in your configuration. If cat /proc/sys/net/ipv4/ip_forward shows "1", the MWG should forward the traffic. I recommend opening a service request with support if you have not already done so. Support will need a feedback file, a tcpdump taken on the proxy (provide the client IP and what was tested) and a network diagram.

jank04 (Level 7)
Message 3 of 4

Re: MWG does not forward in transparent router mode

According to a supporter, the MWG goes out with the client IP and the MWG MAC address. The "problem" is that the client network is blocked (as it should be) on the gateway of last resort, and we are not willing to let the client network through. However, when NAT on the MWG is enabled, the IP of the MWG is the source address, which is accepted on the gateway of last resort.

When I activate IP spoofing (HTTP/HTTPS) this should do the trick. However, this does not work. Also, it does not resolve my problem, because other protocols like DNS and ICMP are not spoofed.

Is there a possibility to activate NAT on MWG Transparent Router?

swilkens1 (McAfee Employee)
Message 4 of 4

Re: MWG does not forward in transparent router mode

In transparent router mode, MWG will only NAT proxy traffic, i.e., web traffic redirected to the proxy listening port(s). Other traffic like DNS, ICMP, etc., is simply routed by the appliance without NATing, just like you saw.

Usually the router/firewall in such scenarios handles the primary NATing function. Is that not a possibility in your environment?
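The behaviour described in the thread (proxied web flows leave with the appliance's address, everything else leaves with the client's address and is then dropped upstream) can be confirmed from a tcpdump taken on the outbound interface before opening a support case. The following script is an added example, not McAfee code and not part of the original thread: it parses tcpdump -n output, classifies each outbound packet by source address, and reports which protocols still leave with a client-network source. The capture lines are constructed for the example; the client networks and outbound address are the ones from the topology above.

```python
"""Check a tcpdump capture from a transparent router's outbound interface
for packets that leave with an un-NATed client source address.

Added example. The sample capture below is constructed, not a real trace.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Addresses taken from the thread's topology: the two client networks
# behind the router/firewall and the appliance's outbound (eth1) address.
CLIENT_NETS = (ipaddress.ip_network("172.20.0.0/16"),
               ipaddress.ip_network("172.30.0.0/16"))
APPLIANCE_OUT_IP = ipaddress.ip_address("128.11.250.249")

# Constructed sample of `tcpdump -n -i eth1` output on the appliance.
# Web flows (80/443) were redirected to the proxy and NATed; ICMP and
# DNS were routed through unchanged, as the thread describes.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 172.20.1.10 > 8.8.8.8: ICMP echo request, id 1, seq 1, length 64
12:00:01.100002 IP 172.20.1.10.53211 > 8.8.8.8.53: 12345+ A? example.com. (29)
12:00:01.200003 IP 128.11.250.249.41234 > 93.184.216.34.443: Flags [S], seq 1, win 64240, length 0
12:00:01.300004 IP 128.11.250.249.41235 > 93.184.216.34.80: Flags [S], seq 2, win 64240, length 0
12:00:01.400005 IP 172.30.5.7.51000 > 203.0.113.9.22: Flags [S], seq 3, win 64240, length 0
"""


@dataclass
class Packet:
    src: ipaddress.IPv4Address
    sport: Optional[int]
    dst: ipaddress.IPv4Address
    dport: Optional[int]
    proto: str


# timestamp, "IP", src endpoint, ">", dst endpoint, ":", rest of the line
_LINE = re.compile(r"^\S+ IP (\S+) > (\S+?): (.*)$")


def _endpoint(text):
    """tcpdump prints 'a.b.c.d.port' for TCP/UDP and plain 'a.b.c.d' for ICMP."""
    parts = text.split(".")
    if len(parts) == 5:
        return ipaddress.ip_address(".".join(parts[:4])), int(parts[4])
    return ipaddress.ip_address(text), None


def parse_capture(text):
    """Parse tcpdump -n lines into Packet records; unknown lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        src, sport = _endpoint(m.group(1))
        dst, dport = _endpoint(m.group(2))
        rest = m.group(3)
        if rest.startswith("ICMP"):
            proto = "icmp"
        elif 53 in (sport, dport):
            proto = "dns"
        elif dport in (80, 443):
            proto = "http"
        else:
            proto = "tcp/udp"
        pkts.append(Packet(src, sport, dst, dport, proto))
    return pkts


def verdict(pkt):
    """'natted' if the packet carries the appliance's own address,
    'client-src' if it still carries a client-network address (the
    gateway of last resort in the thread drops those), else 'other'."""
    if pkt.src == APPLIANCE_OUT_IP:
        return "natted"
    if any(pkt.src in net for net in CLIENT_NETS):
        return "client-src"
    return "other"


def summarize(text):
    """Map protocol -> Counter of verdicts, e.g. {'icmp': {'client-src': 1}}."""
    out = {}
    for p in parse_capture(text):
        out.setdefault(p.proto, Counter())[verdict(p)] += 1
    return out


def leaks_client_source(text):
    """True if any outbound packet leaves with a client-network source."""
    return any(verdict(p) == "client-src" for p in parse_capture(text))


if __name__ == "__main__":
    for proto, counts in summarize(SAMPLE_CAPTURE).items():
        print(f"{proto:8s} {dict(counts)}")
    if leaks_client_source(SAMPLE_CAPTURE):
        print("non-proxied traffic leaves un-NATed; the upstream router/firewall must NAT it")
```

On the sample capture only the 80/443 flows show the appliance address; ICMP, DNS and the SSH attempt leave with 172.20.x.x / 172.30.x.x sources, which is exactly what the upstream gateway in the thread refuses. Run it against a real `tcpdump -n -i eth1` file to see which protocols need the NAT rule on the router/firewall.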
