Under normal operation, web traffic filtered by the Smoothwall Appliance is proxied, so any upstream network appliance (such as a perimeter Firewall) sees all web requests as originating from the Smoothwall Appliance’s internal IP address.
Turning on IP address Spoofing on the Web Proxy makes upstream devices see client web traffic as originating from the client’s true IP address. IP address Spoofing sets the source IP address of a web request to the requesting client's IP address instead of the Smoothwall Appliance’s IP address.
This allows upstream appliances, such as firewalls, to see web requests made by client devices, and also enables advanced Source NAT and Firewall control of web traffic when the Smoothwall Appliance is deployed as a firewall itself.
Important
If you have any further questions about using IP address Spoofing on your Smoothwall Appliance, or encounter any issues, contact the Support Team.
Why use IP address Spoofing
There are two main reasons you may want to use IP address Spoofing, detailed below.
Access control and Source NAT
IP address Spoofing allows you to control how the Smoothwall Appliance routes traffic between networks.
For example, you may be using the Smoothwall Appliance as your firewall and want to send your curriculum LAN web traffic out on a higher-bandwidth ISP line. You also want to send your BYO devices’ network traffic out on a separate ISP line with a lower bandwidth.
The Smoothwall Appliance only has one IP address when acting as a web proxy. To send traffic out on different IP addresses and ‘spoof’ the client's IP address, turn IP address Spoofing on, then use Source Network Address Translation (NAT).
When you turn on IP address Spoofing, your network sees the traffic as originating from the client, and the Smoothwall Appliance applies the Source NAT rules instead of the settings in the Local traffic section.
Reporting on traffic
If you have a Firewall upstream of your Smoothwall Appliance, all HTTP/S web traffic that is not intercepted by Smoothwall Filter (for example, SSH or DNS traffic) managed through your Firewall rules appears to be originating from your Smoothwall Appliance’s IP address.
IP address Spoofing allows your upstream Firewall to see the client that’s making the request.
How to turn on IP address Spoofing
- Ensure you have multiple interfaces configured from Network > Configuration > Interfaces.
- Turn on IP address Spoofing by selecting the Spoofing checkbox when setting up or editing a Web Proxy authentication policy. IP address Spoofing is managed at an interface level, so you can’t turn it on for a single Web Proxy authentication policy.
- If you have a Firewall upstream of your Smoothwall Appliance, ensure your network routes return traffic back to it. The Smoothwall Appliance then removes the ‘spoof’ from the traffic and routes it back to the client.
Important
If you don’t direct traffic back to your Smoothwall Appliance, your Firewall will direct return traffic directly to the client. Because the client didn’t make the request, this asymmetrical routing causes packet loss and intermittent service.
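One way to check the return-path requirement above before turning spoofing on, as an added example that is not Smoothwall code: it takes the upstream firewall's routes as (prefix, gateway) pairs and reports every client subnet whose replies would not go back through the proxy. The addresses, subnets, the "direct" gateway label and the route export format are all constructed assumptions.

```python
import ipaddress

def return_path_problems(routes, client_subnets, proxy_ip):
    """Map each client subnet to the firewall routes that would send its
    return traffic somewhere other than the proxy (empty dict = symmetric)."""
    table = [(ipaddress.ip_network(prefix), gw) for prefix, gw in routes]
    problems = {}
    for subnet in map(ipaddress.ip_network, client_subnets):
        bad = []
        # Routes that contain the whole subnet: the longest prefix wins.
        covering = [r for r in table if subnet.subnet_of(r[0])]
        if not covering:
            bad.append((None, None))  # no route at all: replies are dropped
        else:
            net, gw = max(covering, key=lambda r: r[0].prefixlen)
            if gw != proxy_ip:
                bad.append((str(net), gw))
        # More specific routes inside the subnet override it for some clients.
        bad += [(str(net), gw) for net, gw in table
                if net != subnet and net.subnet_of(subnet) and gw != proxy_ip]
        if bad:
            problems[str(subnet)] = bad
    return problems

# Constructed sample data (documentation address ranges, not from the page).
PROXY_IP = "192.0.2.2"                      # assumed Smoothwall address
CLIENT_SUBNETS = ["10.10.0.0/16", "10.20.0.0/16", "10.30.0.0/24"]
FIREWALL_ROUTES = [                         # (prefix, gateway) on the upstream firewall
    ("0.0.0.0/0", "203.0.113.1"),           # default route to the ISP
    ("10.10.0.0/16", PROXY_IP),             # curriculum LAN back via the proxy
    ("10.10.50.0/24", "direct"),            # stale connected route bypasses it
    ("10.30.0.0/16", PROXY_IP),             # covers 10.30.0.0/24
]                                           # 10.20.0.0/16 has no route of its own

if __name__ == "__main__":
    found = return_path_problems(FIREWALL_ROUTES, CLIENT_SUBNETS, PROXY_IP)
    for subnet, bad in found.items():
        for prefix, gw in bad:
            print(f"{subnet}: return traffic matches {prefix} via {gw}, not {PROXY_IP}")
```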