
Transparent Proxy in Router mode and Bridge mode and WCCP

Hi Guys,

How will I set the following:

Transparent Proxy in Router mode

1.) Do I need to have 2 NICs enabled? What would I set in the NIC's IP if

1.) Firewall local IP is, if there would be 2 NICs what would be the NIC 1 and what IP would I set in NIC 2?

a.) What would be the gateway of NIC 1 and NIC 2? Please give me an example

Transparent Proxy in Bridge mode

1.) How many NICs do I need to set?

2.) Please give me an example diagram

How will I set WCCP if we have routers in 2 branches? Will I redirect port 80/443 to the web gateway for filtering to enable it?

What are other things I need to enable the WCCP setup?

Thank you guys.

0 Kudos
3 Replies

Re: Transparent Proxy in Router mode and Bridge mode and WCCP


You should have a quick look into the product guide, starting on page 95. It gives a brief overview of the proxy modes and how to set them up. I do not think that it answers all questions, but maybe gives a good start.

I will try to show how I understand the proxy modes (which does not mean that these are the only useful deployment methods!):

1.) Transparent Router

LAN Computer ---> MWG ---> Firewall ---> Internet

In a "normal" environment I would have two NICs on MWG. In case the LAN uses a network my LAN PC would have the following network configuration as an example:




In this case I would have one NIC on MWG configured to the IP So MWG becomes the default gateway for my network. I would configure a second NIC to and set the default gateway on MWG to MWG can only have ONE gateway, which should point to its way to the internet.

So a client now starts browsing, sends all traffic to MWG, MWG forwards it to the firewall, the firewall forwards it to the internet and vice versa.

It should also be possible to use only one NIC and have the firewall and MWG both acting as routers in the same network, but a router with only one interface does not make too much sense. If you want to keep all networks transparent bridge might be a better choice.


You will need two NICs. Basically you treat MWG like a smart, filtering network cable. An example may look like this:

Without MWG:

Client Computer ---> Switch ---> Router (Firewall) ---> Internet

With MWG you just have to hook MWG into the environment:

Client Computer ---> Switch ---> MWG ---> Router (Firewall) ---> Internet

For example you could remove the Firewall from the switch port it currently uses, plug MWG into this port with NIC1 and plug NIC2 to the Firewall interface which was in the switch before (no warranty that this works - I think it should).

Clients have the firewall IP as their default gateway. When they talk to the default gateway all traffic passes MWG. Everything that is not related to HTTP will go into NIC1 and leave via NIC2, just like it would pass a network cable. Everything related to HTTP will be intercepted by MWG. MWG will need one IP address, which could be bound to a third interface or assigned to the bridge itself to allow talking to the internet and being maintained.

3.) WCCP

No clue about WCCP. There are some WCCP experts around here.



0 Kudos
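The router-mode addressing rules from the reply above (clients use MWG as their default gateway, MWG has two NICs and exactly one default gateway pointing toward the firewall), written as a plan checker. This is an added example, not part of the original thread or the product; the plan fields, interface names and all addresses are constructed, since the reply's own addresses are not present on the page.

```python
import ipaddress

def check_router_mode(plan):
    """Return a list of problems in a transparent-router addressing plan."""
    problems = []
    nics = {n: ipaddress.ip_interface(a) for n, a in plan["mwg_nics"].items()}
    client = ipaddress.ip_interface(plan["client_ip"])
    client_gw = ipaddress.ip_address(plan["client_gateway"])
    firewall = ipaddress.ip_address(plan["firewall_ip"])

    # Router mode as described uses two NICs on separate networks.
    nets = [i.network for i in nics.values()]
    if len(nics) != 2:
        problems.append("expected two NICs on MWG")
    elif nets[0].overlaps(nets[1]):
        problems.append("MWG NICs share a network; nothing to route between")

    # Clients must use MWG's LAN-side address as their default gateway,
    # otherwise their web traffic never reaches the filter.
    lan = [n for n, i in nics.items() if i.ip == client_gw]
    if client_gw not in client.network:
        problems.append("client gateway is not on the client's network")
    if not lan:
        problems.append("client gateway is not an MWG address; traffic bypasses MWG")

    # MWG has exactly one default gateway: the firewall, via the other NIC.
    gws = plan["mwg_default_gateways"]
    if len(gws) != 1:
        problems.append("MWG must have exactly one default gateway")
    else:
        gw = ipaddress.ip_address(gws[0])
        if gw != firewall:
            problems.append("MWG default gateway is not the firewall")
        if not [n for n, i in nics.items() if gw in i.network and n not in lan]:
            problems.append("MWG default gateway is not on the outbound NIC's network")
    return problems

# Constructed sample plan: LAN 192.168.10.0/24, transit network 192.168.20.0/24.
GOOD_PLAN = {
    "client_ip": "192.168.10.50/24",
    "client_gateway": "192.168.10.1",       # MWG LAN-side NIC
    "mwg_nics": {"eth0": "192.168.10.1/24", "eth1": "192.168.20.2/24"},
    "mwg_default_gateways": ["192.168.20.1"],
    "firewall_ip": "192.168.20.1",
}
# Same plan, but the client points straight at the firewall.
BYPASS_PLAN = dict(GOOD_PLAN, client_gateway="192.168.20.1")

if __name__ == "__main__":
    print(check_router_mode(GOOD_PLAN), check_router_mode(BYPASS_PLAN))
```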

Re: Transparent Proxy in Router mode and Bridge mode and WCCP

Hi Andre,

2.)  How can the traffic pass through webgateway if the default gateway is the firewall? I still don't get it.

Also, if the webgateway is down, would there still be internet or would the communication be down also?

0 Kudos

Re: Transparent Proxy in Router mode and Bridge mode and WCCP


The client talks to the firewall because the firewall is its default gateway. MWG is deployed as a bridge and is placed between the client and the firewall. When the client sends his packets to the firewall they physically pass MWG, and MWG picks up the packets it is interested in. As mentioned in the bridge mode MWG acts and feels like a network cable, so no need to think about IP addresses, you just put MWG physically between the clients and the current default gateway. There are various options to achieve this.

If this is a network (very simple):


The red cable connects the LAN with the firewall (physically). This is where we could put in an MWG in bridge mode, like this:


MWG has two NICs, eth0 and eth1. In Bridge mode they do not require an IP address, basically both interfaces act as a bridge, which means that everything you send (physically!) into eth0 comes out again on eth1 and everything you send into eth1 comes out again on eth0.

MWG will pass all traffic untouched unless it is HTTP(s) traffic. In this case it will be intercepted and passed through the proxy.

In this bridge mode MWG still needs at least one IP (could be in the example network) either on a third interface or on the bridge itself. This is required to allow MWG to talk to the Firewall (and internet), and to maintain it.

In case MWG dies, network communication will be interrupted. We have a failover kit which allows bypassing the bridge when the process is down.



0 Kudos