I have an internal network 10.10.10.0/24 that I want to route to a second uplink 192.168.178.1 that routes packets to a network, e.g. 126.96.36.199.
But some target IP addresses like 188.8.131.52 and 184.108.40.206 from the target network should be routed through the default WAN interface and not the second uplink 192.168.178.1. Source is the given internal network 10.10.10.0.
I especially have a problem understanding NAT in this case, as the network 10.10.10.0/24 needs to be NATed with one interface. Here I can of course choose my second uplink interface 192.168.178.1. In this case all traffic from the source network 10.10.10.0 would be led out through the second uplink. But what about the excluded target IPs?
How would I achieve this task most suitably?
Would you please try to create NAT rules for the excluded target IPs first and give them a higher position. Then configure the NAT rules for the entire destination network and give them lower priority. This should help you achieve what you want.
In reply to Jaydeep:
Which NAT rules do you mean? Source and destination transformation (NAT tab) or Masquerading?
I don't think we're understanding what you want to do. A diagram would help.
Cheers - Bob
Based on the numbers given, it appears that both connections are private IP to public IP, without VPN tunnels. I think you have two options:
- Have a public IP for every device in the 10.x.x.x network, and use 1-to-1 SNAT rules to assign them public addresses.
- Have a masquerading rule for each interface, which can work with as little as one public IP address on each interface.
In either case, it may work to simply define POLICY routes:
- for source a to destination b, a gateway rule routes to the desired interface address, or an interface rule routes to the designated interface object.
As Jaydeep said, the most precise rule is prioritized first, then the broader rule is prioritized later. Prioritization is easier than creating mutually-exclusive rules.
Jaydeep or Bob Alfson may be able to edit my suggestion. I am working from theory, as your problem is outside my direct experience.
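The ordering principle in the reply above (specific exclusion rules placed above the broad rule, first match wins), as an added example that is not from the thread or from Sophos: a small first-match policy-route simulation. The interface names and the destination addresses (203.0.113.0/24 with two excluded hosts) are constructed placeholders, not the poster's real network.

```python
# Added example: first-match policy routing with ordered rules.
# Interface names and the 203.0.113.x addresses are constructed placeholders.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class PolicyRoute:
    source: str        # source network in CIDR notation
    destination: str   # destination network or single host (/32)
    interface: str     # interface the matching traffic should leave on

    def matches(self, src: str, dst: str) -> bool:
        return (ip_address(src) in ip_network(self.source)
                and ip_address(dst) in ip_network(self.destination))


# Ordered as the reply recommends: the two excluded hosts first, the broad
# "rest of the target network" rule last.
POLICY_ROUTES = [
    PolicyRoute("10.10.10.0/24", "203.0.113.52/32", "wan_default"),
    PolicyRoute("10.10.10.0/24", "203.0.113.206/32", "wan_default"),
    PolicyRoute("10.10.10.0/24", "203.0.113.0/24", "wan_second"),
]


def select_interface(src: str, dst: str, routes=POLICY_ROUTES,
                     fallback: str = "wan_default") -> str:
    """Return the egress interface of the first matching rule, else the default route."""
    for rule in routes:
        if rule.matches(src, dst):
            return rule.interface
    return fallback


def shadowed_rules(routes):
    """Return rules that can never match because an earlier, broader rule covers them.

    A non-empty result means the exclusions were placed below the broad rule,
    which is exactly the misordering the reply warns against.
    """
    result = []
    for i, later in enumerate(routes):
        for earlier in routes[:i]:
            if (ip_network(later.source).subnet_of(ip_network(earlier.source))
                    and ip_network(later.destination).subnet_of(ip_network(earlier.destination))):
                result.append(later)
                break
    return result
```

Running `shadowed_rules` on a candidate rule list before applying it catches the case where the broad rule was accidentally given the higher position.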
In reply to DouglasFoster:
So, here is a chart to the network map:
In reply to Rumak18:
WebAdmin can't make the correct routes with overlapping subnets on two different interfaces - see #3.1 in Rulz (last updated 2019-04-17). Please show pictures of the Edits of the two Interface definitions. If you prefer, obfuscate IPs like 84.XX.YY.121, 10.X.Y.100, 192.168.X.200 and 172.2X.Y.51. That lets us see immediately which IPs are local and which are identical.
In reply to BAlfson:
Hey BAlfson,
thank you for your help. I appreciate it. I've just uploaded new pictures to the previous post to be more precise. The second WAN interface is a DHCP interface where we get the IP address from our local provider.
So, the second interface does not have IPs in 220.127.116.11/24 - that was just a shortcut you used in the graph? If it does, then copy the 'Routes Table' here from 'Support >> Advanced'.
Hi, unfortunately the upload with the correct diagram today did not succeed. So here is the right one.
"Blue" means "internal ips" and green means "real external ips".
To answer your question:
Yes, the second interface does not have IPs in 18.104.22.168/24.
Why not select 'IPv4 Default Gateway' in the 'Second WAN' and then use Multipath rules?
Sorry, I just don't understand the sense in multipath rules, as there I have only "source" + "service" + "destination" to define. I'm absolutely not aware of how to solve this.
You select "By interface" in a Multipath rule to have traffic use a specific interface.
Yeah, I see it. But I really don't know what to configure.