Routing to another gateway on the same LAN Subnet as Sophos XG

Hello everyone,


I have a behavior I don't know how to solve.

Your help will be really appreciated :).

My Sophos XG is the default gateway, DGXG (192.168.0.250), for my subnet LAN1. LAN1 spans two sites over a fibre link.

DGXG is connected to WAN1.

I can connect to every device on LAN1.

On LAN1 I also have another gateway, ZXG (192.168.0.10), which is connected to another network, DMZ1.

From LAN1, to reach DMZ1 we need to go through ZXG.

I created a static route (and a policy route as well) on the XG firewall, but we cannot reach the servers on DMZ1.

To reach these servers I had to put a persistent route on each device in LAN1.

Do you have any ideas of what could be done to make it work as expected without adding persistent routes on the workstations?

Thanks for your help.

Best regards, Maxime

  • Why not remove all your routes and do it with a firewall rule? You must know the destination IP address range.

    Ian

  • In reply to rfcat_vk:

    Hello,

    Thanks for your response.

    I did not try that one.

    I know the destination subnet.

    So you mean changing the primary gateway in the advanced settings of the firewall network rule?

    Good idea, I will give it a try tomorrow.

    Thanks!

  • In reply to rfcat_vk:

    Hello, I tried to create a firewall rule with a gateway, but this did not work either.

    Do you have another idea?

    Thanks for your help.

    Best Regards, Maxime

  • In reply to max.mo:

    Either method mentioned should work; however, each gateway or device needs to know the routes on each end.

    I did this while migrating to Sophos from SonicWall.

    Maybe I am missing something. Can you sketch it out?

  • In reply to max.mo:

    Hi,

    where does your rule sit in the list of rules?

    Please post a copy of your rule.

    Which firewall rule is blocking the traffic?

    Ian

  • In reply to rfcat_vk:

    Hello,

     

    Thanks for your response.

    My rule is at the very top of the list and nothing is blocking the traffic:

    There were hits on the rule:

    The other gateway device is a SonicWall. We replaced one SonicWall with a Sophos, but there is still a SonicWall on the other side.

    I will try to sketch it out today.

    Thanks for your help.

    Maxime

  • Maybe it was blocked by the XG as an asymmetric route.

    Traffic that passes through the XG in only one direction will be blocked as an asymmetric route.

    If you can't change the network structure, you can bypass the stateful firewall for that traffic on the XG with the following commands (one per direction):

    set advanced-firewall bypass-stateful-firewall-config add source_network 192.168.0.0 source_netmask 255.255.255.0 dest_network 192.168.X.0 dest_netmask 255.255.255.0

    set advanced-firewall bypass-stateful-firewall-config add source_network 192.168.X.0 source_netmask 255.255.255.0 dest_network 192.168.0.0 dest_netmask 255.255.255.0

    Try it.
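The failure mode described in the thread, as an added example that is not part of the original posts and not Sophos code: a toy model of the topology (XG as default gateway, ZXG as a second gateway on the same LAN owning DMZ1) with a minimal connection tracker standing in for the XG's stateful firewall. The DMZ1 prefix 192.168.100.0/24 and the host and server addresses are assumptions chosen for the simulation (the page only writes 192.168.X.0). It shows why the client's ACK is dropped as out-of-state when the reply path skips the XG, and why both the per-direction bypass and the persistent route on the workstation make the handshake succeed.

```python
"""Asymmetric routing through a stateful firewall: toy model of the thread's topology.

Constructed example. XG (192.168.0.250) is the default gateway for LAN1,
ZXG (192.168.0.10) is on the same LAN and owns DMZ1. The DMZ1 prefix and
the endpoint addresses below are assumptions, not values from the page.
"""
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.0.0/24")
DMZ = ipaddress.ip_network("192.168.100.0/24")   # assumed DMZ1 prefix (page: 192.168.X.0)
XG, ZXG = "192.168.0.250", "192.168.0.10"
HOST, SERVER = "192.168.0.20", "192.168.100.5"    # assumed workstation and DMZ server

# Model of the two per-direction bypass-stateful-firewall-config entries.
BYPASS = [(LAN, DMZ), (DMZ, LAN)]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str  # "SYN", "SYN-ACK" or "ACK"


class StatefulFirewall:
    """Minimal connection tracker: every handshake step must be seen, in order."""

    def __init__(self, bypass=()):
        self.bypass = list(bypass)  # (src_net, dst_net) pairs exempt from tracking
        self.flows = {}             # (client, server) -> handshake state
        self.dropped = []           # packets rejected as out-of-state

    def _bypassed(self, pkt):
        s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        return any(s in sn and d in dn for sn, dn in self.bypass)

    def forward(self, pkt):
        if self._bypassed(pkt):
            return True  # stateless forwarding: no tracking, no drop
        fwd, rev = (pkt.src, pkt.dst), (pkt.dst, pkt.src)
        if pkt.flags == "SYN":
            ok = fwd not in self.flows
        elif pkt.flags == "SYN-ACK":
            ok = self.flows.get(rev) == "SYN_SENT"
        else:  # ACK completing the handshake
            ok = self.flows.get(fwd) == "SYN_RECV"
        if not ok:
            self.dropped.append(pkt)
            return False
        key = rev if pkt.flags == "SYN-ACK" else fwd
        self.flows[key] = {"SYN": "SYN_SENT", "SYN-ACK": "SYN_RECV",
                           "ACK": "ESTABLISHED"}[pkt.flags]
        return True


def next_hop(node, dst, host_route_via_zxg):
    """Routing table of each node in the toy topology."""
    dst = ipaddress.ip_address(dst)
    if node == HOST:
        if dst in LAN:
            return str(dst)
        # Persistent route on the workstation, or the default gateway (XG).
        return ZXG if (host_route_via_zxg and dst in DMZ) else XG
    if node == XG:
        return ZXG if dst in DMZ else str(dst)  # static route: DMZ1 via ZXG
    if node == ZXG:
        return str(dst)  # directly connected to both LAN1 and DMZ1
    if node == SERVER:
        return str(dst) if dst in DMZ else ZXG  # ZXG is the DMZ default gateway
    raise ValueError(node)


def deliver(pkt, fw, host_route_via_zxg=False):
    """Forward pkt hop by hop; only XG applies the firewall. Returns (delivered, path)."""
    node, path = pkt.src, [pkt.src]
    while node != pkt.dst:
        if node == XG and not fw.forward(pkt):
            return False, path
        node = next_hop(node, pkt.dst, host_route_via_zxg)
        path.append(node)
    return True, path


def handshake(fw, host_route_via_zxg=False):
    """TCP three-way handshake HOST -> SERVER; returns (flags, delivered, path) per packet."""
    steps = [Packet(HOST, SERVER, "SYN"),
             Packet(SERVER, HOST, "SYN-ACK"),
             Packet(HOST, SERVER, "ACK")]
    results = []
    for pkt in steps:
        delivered, path = deliver(pkt, fw, host_route_via_zxg)
        results.append((pkt.flags, delivered, path))
        if not delivered:
            break
    return results


if __name__ == "__main__":
    for label, fw, via in [("default gateway only", StatefulFirewall(), False),
                           ("with bypass entries", StatefulFirewall(BYPASS), False),
                           ("persistent route on host", StatefulFirewall(), True)]:
        print(label)
        for flags, ok, path in handshake(fw, via):
            print(f"  {flags:8} {'ok  ' if ok else 'DROP'} {' -> '.join(path)}")
```

In the first scenario the SYN goes HOST -> XG -> ZXG -> SERVER, but the SYN-ACK returns SERVER -> ZXG -> HOST because ZXG is on the same LAN as the host, so the XG never sees it; the client's ACK then arrives at the XG for a flow still in SYN_SENT and is dropped as out-of-state. The bypass entries switch that prefix pair to stateless forwarding, and the persistent route keeps the XG out of the path altogether, which is why neither fix needs a MASQ.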

  • In reply to ShunzeLee:

    Hello,

    Thanks a lot!

    I supplemented your post with https://community.sophos.com/products/xg-firewall/f/sophos-xg-firewall-general-discussion/79041/troubleshooting-guide-for-xg.

    I think it solved my case.

    I need to do more tests to be sure :)

  • In reply to max.mo:

    Hi,

    I hope that works for you, but I would have thought a MASQ on your outgoing gateway is required?

    Ian

  • In reply to rfcat_vk:

    Hello,

    I can confirm that worked perfectly.

    No need to use a MASQ.

    Thanks again.

    Enjoy your weekend.

    Best Regards, Maxime