UTM - Multiple WAN connections with separate LANs

Hello everyone,

Currently we have a simple setting with an SG210, one LAN (192.168.10.x) and one internet connection (WAN interface). Everything is working great!

However, because we are in the countryside our internet is quite slow (only 6 MBit/s). So we plan to get 2 more internet connections.

Would it be possible to add the 2 more internet connections to the SG and also create two additional LANs such as "Guest (192.168.20.x)" and maybe one more, let's say "LAN Test (192.168.30.x)"? Each LAN is connected to its own physical switch.

Each LAN should be separate and isolated. No traffic allowed between the LANs. Each LAN gets its own WAN connection associated. No failover is needed.

LAN1 => WAN1

Guest => WAN2

LANTest => WAN3

Would that be possible? If I understand it correctly then all 6 ethernet ports of the SG would be used in this scenario.

Thank you in advance for your help!

Greetings Aktuator

  • Sure, you can do this. You must handle this with firewall, routing and masquerading, because you have only one standard gateway. But you can also define rules so that if one internet connection is down, the packets can take another way or other ways, by defining this in "interfaces", "multipath" and "uplink-balancing". I hope my translation from German to English is correct.


    Greetings Peter

  • In reply to piddae:

    Thank you Peter - I think that's exactly the answer I was looking for! :-)

    Just one follow-up question: You said that I only have one Standard Gateway. Does that mean it is only possible to define one standard Gateway for the entire SG, for example WAN1, and all the other WAN interfaces can only be used by LAN2 + LAN3 by defining the Firewall rules, Multipath etc.? Did I get that right?



  • In reply to Aktuator:

    Yes, you can define only one Standard Gateway. If you try to set another you will get a warning from your Sophos.

  • In reply to piddae:

    PS: If you set 2 Gateways, how shall the router (firewall) decide which one to take? This must be unique on every Router/Firewall.

  • In reply to piddae:

    OK, great!

    Thank you very much Peter - your information helped me a lot!

  • In reply to Aktuator:

    You're welcome.

  • If WAN1, WAN2, and WAN3 all have a gateway configured, then you can simply configure the masquerading rule for each LAN with a specific WAN interface. In total, you will require 3 masquerading rules, one for each LAN network. That should be enough for each LAN to go to the internet without failing over to other WAN links.
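
Added example, not part of any post in this thread and not Sophos code: a small Python check of the plan discussed above, verifying that no allow rule lets one LAN reach another and that each LAN is masqueraded only on its intended WAN. The /24 masks, the rule tuples and the rule names are assumptions made for illustration; this is a simplified model, not a UTM export format.

```python
from ipaddress import ip_network

# Subnets from the thread (assuming /24 for the "x" in 192.168.10.x etc.).
LANS = {
    "LAN1": ip_network("192.168.10.0/24"),
    "Guest": ip_network("192.168.20.0/24"),
    "LANTest": ip_network("192.168.30.0/24"),
}
# Intended egress per LAN, as listed in the question.
WANTED_UPLINK = {"LAN1": "WAN1", "Guest": "WAN2", "LANTest": "WAN3"}


def cross_lan_leaks(allow_rules):
    """Return (rule_name, src_lan, dst_lan) for every allow rule whose source
    and destination ranges overlap two different internal LANs."""
    leaks = []
    for name, src, dst in allow_rules:
        src_net, dst_net = ip_network(src), ip_network(dst)
        for s_name, s_lan in LANS.items():
            for d_name, d_lan in LANS.items():
                if (s_name != d_name and src_net.overlaps(s_lan)
                        and dst_net.overlaps(d_lan)):
                    leaks.append((name, s_name, d_name))
    return leaks


def uplink_errors(masq_rules):
    """Return (lan, wans_used) for each LAN not masqueraded on exactly its
    intended WAN (missing rule, wrong WAN, or more than one WAN)."""
    errors = []
    for lan, net in LANS.items():
        used = sorted({wan for src, wan in masq_rules
                       if ip_network(src).overlaps(net)})
        if used != [WANTED_UPLINK[lan]]:
            errors.append((lan, used))
    return errors


# Constructed sample rule sets (hypothetical names and layout).
ALLOW_RULES = [
    ("lan1-web", "192.168.10.0/24", "0.0.0.0/0"),   # destination "any"
    ("guest-web", "192.168.20.0/24", "0.0.0.0/0"),
]
MASQ_RULES = [
    ("192.168.10.0/24", "WAN1"),
    ("192.168.20.0/24", "WAN2"),
    ("192.168.30.0/24", "WAN3"),
]
```

With the sample data, `cross_lan_leaks(ALLOW_RULES)` flags both rules: a destination that covers the whole address space also covers the other internal subnets, so isolation needs either a narrower destination or an explicit drop between the LANs placed ahead of the allow rules.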