DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Policy Based Routing

18 Jun 2018 17:05 #1 by dannyhackett
Policy Based Routing was created by dannyhackett
Hello
I am hoping that someone can help me

We have recently purchased a hardware web filtering system installed at one of our main sites (host 192.168.1.0) and the intention is to use the same box to provide web based filtering for the remainder of our sites (remote 192.168.2.0). We currently use the LAN-to-LAN IPsec VPN between the DrayTek routers on each site, which has been very reliable. The DrayTek is on 192.168.1.254 and the filtering box is on 192.168.1.253. The internal LAN network switch goes into the filtering box and its output goes to LAN1 of the DrayTek on the host site (invisible gateway).

I thought we could use Policy Based Routing on the remote site to route port 80 and 443 traffic to the box on the host site.

On the remote site I have created 2 rules (one for 80 and the other for 443). For test reasons I have selected my IP of 192.168.2.10 as the source to any destination on port 80.
The interface is VPN and then I selected the VPN between the sites.
Gateway: left as default gateway

This got me to route my internet traffic through the host site's internet connection, as when I looked it up on WhatIsMyIP it gave me the host site's external IP address and my internal IP address.

BUT I need it to go to the filtering box IP so I created 2 PBR Rules on the host Draytek (one for port 80 etc)

Protocol: Any
IP Range, My (remote) internal IP
Destination: Any
Port 80

Interface LAN1
Specific gateway :192.168.1.253

Now this gets me to the web filtering box logon page from my remote IP, so I put in my credentials and all looks OK, but when I try to go to a web page it states it has too many redirects.
The web filtering engineers state that they think that the Draytek is NATing

I am not a routing or Draytek expert but wondered if anyone could give any hints how I may proceed to resolve this.

Many thanks in advance


19 Jun 2018 02:00 #2 by hornbyp
Replied by hornbyp on topic Re: Policy Based Routing

dannyhackett wrote: Now this gets me to the web filtering box logon page from my remote IP, so I put in my credentials and all looks OK, but when I try to go to a web page it states it has too many redirects.

I'm surprised you got this far (given that this 'web filtering box' seems to have IN and OUT ports - and you're presumably connected to the OUT port in this scenario)...any more details available for it? ...
... the 'web filtering box' must use its 192.168.1.253 address to communicate with the PC @ 192.168.2.10, at this stage, rather than working as some kind of bridge.

Can you use CURL or Wireshark to see what it replies with, when you try and access the internet? (I would have expected general lack of connectivity to be the symptom, rather than 'too many redirects').

He also wrote: The web filtering engineers state that they think that the Draytek is NATing

VPN-wise, it will be Routing, unless you have selected the "NAT" option in the LAN-LAN VPN entry ...


20 Jun 2018 11:18 #3 by dannyhackett
Replied by dannyhackett on topic Re: Policy Based Routing
Hi
Thank you for your response. Unfortunately I am not onsite until next week; I will try Wireshark to see what is happening and let you know.
I agree the VPN is not NATing, it is ROUTING but I am unsure about the PBR on the host site. I will have further information next week.

Thanks again


20 Jun 2018 14:34 #4 by hornbyp
Replied by hornbyp on topic Re: Policy Based Routing
Something you could use, which might shed some light on what is happening, is Telerik Fiddler . It's a (free) debugging proxy that can display and decode web traffic. You would use this at the site without the 'web filtering' box.


20 Jun 2018 15:26 #5 by dannyhackett
Replied by dannyhackett on topic Re: Policy Based Routing
I have been on the phone with the engineer and the webfilter acts as a bridge.

They did some packet capturing on the Smoothwall device and it shows that my traffic is getting to the Smoothwall with the sites I am attempting to visit, but it states that it is coming from the 'host' DrayTek IP address 192.168.1.254 instead of my remote source IP. The host PBR must be forwarding on my traffic as its rule is based on my source IP, but at some stage it appears that it is being NATed by the host DrayTek. The engineer said "it sounds like more of a Source NAT firewall policy (as in, if this rule is met, NAT the traffic using the DrayTek's IP address)". I cannot see anything about this in the configuration. The router is mostly at default configuration as far as the firewall is concerned and the only configuration is the VPNs we have in place.

Can you think of anything that may NAT the address to the drayteks internal IP?

Really appreciate your help
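As an added illustration (not part of the thread) of the capture check discussed above: a small Python script that reads tcpdump-style summary lines and reports whether remote-site web traffic reaches the filter with its original 192.168.2.x source address or already rewritten to the host Vigor's LAN address 192.168.1.254. The capture lines are constructed samples, and the 203.0.113.10 destination is a documentation address, not a real site.

```python
import ipaddress
import re
from collections import Counter

# Pulls "src.sport > dst.dport:" out of a tcpdump-style summary line.
TCPDUMP_RE = re.compile(r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):")

# Constructed sample lines (not a real capture) modelling what the filter saw:
# remote-site web traffic arriving from the host router's own LAN address.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 192.168.1.254.51234 > 203.0.113.10.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000002 IP 192.168.1.254.51235 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000003 IP 192.168.1.20.40000 > 203.0.113.10.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000004 IP 192.168.2.10.40001 > 203.0.113.10.53: Flags [S], seq 1, win 64240, length 0
"""

def parse_capture(text):
    """Yield (src, dst, dport) for every line the regex recognises."""
    for line in text.splitlines():
        m = TCPDUMP_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"])

def classify_web_sources(text, remote_subnet, router_lan_ip, web_ports=(80, 443)):
    """Count web flows by which source address the filter sees them from."""
    net = ipaddress.ip_network(remote_subnet)
    router = ipaddress.ip_address(router_lan_ip)
    counts = Counter()
    for src, _dst, dport in parse_capture(text):
        if dport not in web_ports:
            continue                       # only the PBR'd ports are of interest
        s = ipaddress.ip_address(src)
        if s in net:
            counts["preserved"] += 1       # remote client address intact: routed
        elif s == router:
            counts["router_snat"] += 1     # rewritten to the Vigor's LAN IP: NATed
        else:
            counts["other"] += 1           # host-site LAN clients etc.
    return dict(counts)

def diagnose(text, remote_subnet, router_lan_ip):
    """One-word verdict on whether the remote clients' addresses survive."""
    c = classify_web_sources(text, remote_subnet, router_lan_ip)
    nat, ok = c.get("router_snat", 0), c.get("preserved", 0)
    if nat and ok:
        return "mixed"
    if nat:
        return "source-nat"                # the symptom reported in post #5
    return "routed" if ok else "no-remote-web-traffic"
```

Feed it real tcpdump output taken on the filter's inside interface; a "source-nat" verdict means the host router is rewriting the source before the filter sees it, while "routed" means the PBR is passing the remote addresses through unchanged.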


20 Jun 2018 17:27 #6 by hornbyp
Replied by hornbyp on topic Re: Policy Based Routing

dannyhackett wrote: The host PBR must be forwarding on my traffic as its rule is based on my source IP but at some stage it appears that it is being NATed by the host Draytek. The engineer said "it sounds like more of a Source NAT firewall policy (as in if this rule is met, NAT the traffic using the Drayteks IP address"
Can you think of anything that may NAT the address to the drayteks internal IP?

If you select "WAN/LAN" in Route Policy, then select one of the WANs in the pull-down list, an option appears which says "Packet Forwarding to WAN via" and the options are "Force NAT" or "Force Routing". However, if a LAN is selected (something I've never done), that choice disappears...

I wonder if this behaviour (i.e. to "Force NAT") is hard coded by Route Policy, when sending traffic to a LAN? :(

You could hunt for a Telnet command that might modify this behaviour...
...I can't see why the Vigor would need to NAT in this scenario.
