XG Bridge not Routing

Hi,

I am fairly new to Sophos XG and need some advice regarding a particular setup.

Currently we have an XG450 (SFOS 17.5.0 GA) setup in Bridge mode as shown:

BRIDGE:

              IP: 192.168.1.40

              GW: 192.168.1.1

              Gateway Name: WAN1

              Routing is NOT enabled

PORT 2: WAN (bridge member)

PORT 3: LAN (bridge member)

Dynamic Routing is off for all Zones

All Servers, Network equipment and clients are part of the network 192.168.1.0/24. DHCP is provided by Windows Server with GW: 192.168.1.1.

Due to bandwidth limitations we would like to get a second ISP. For testing purposes we have purchased a small Netgear 4G LTE Modem (192.168.2.1).

I have connected the 4G modem to PORT 8:

  • Adding the Modem as a second WAN Link
    • Zone: WAN
    • IP: 192.168.2.2
    • GW: 192.168.2.1
    • Gateway Name: WAN2
    • From the WAN

 

 

The ultimate goal is really to have Firewall Rules and direct certain traffic to either WAN1 or WAN2 using the Primary Gateway setting. But load balance can solve our immediate problem.

Just so I don’t make this port too long, I have tried a lot of things but ultimately I believe the main issue is that I can’t get the FW route between the two networks.

I tried Enabling Routing on the bridge pair (so it can participate in routing decisions) but when I do that I loose connection to my ISP, even before I start trying to add second link.

I am a bit lost with this one, so any help you can give me would be great.

  • You will need firewall rules, not routing rules. The firewall rules allow you to manage traffic flow by application and/or web policies. Also you get anti-xx, mail scanning etc which you don't get using routing.

    Ian

  • In reply to rfcat_vk:

    Hi thanks for the reply.

    I did try that. It was the first way I tried but unfortunately the traffic keeps going out via WAN1. This is how my second gateway looks like

    So to not disrupt the normal traffic I applied the Gateway changes to the Tech Web Rule (basically an allow all for Domain Admins) as per the screen shots.

      

    The reason why I think the problem is routing is because, a client computer will get an IP via DHCP that looks like: IP: 192.168.1.50 /24 and GW: 192.168.1.1. For some reason, even though the FW rule says the Primary Gateway should be Telstra 4G (WAN2) (PORT 8) it doesn’t.

    Both log viewer and a simple trace rout from the client confirmed the traffic is still being sent via the Bridge (in PORT 3 and out PORT 2) via Telstra WAN.

    I suspect is because the client's Gateway is 192.168.1.1 which is the Router attached to the Bridge interface (Port 2).

    Based on some trace routes i noticed that:

    • With Routing disabled on the Bridge the first jump goes to the client's gateway and not the FW interface.
    • If i enable routing (i tested this on a different bridge setup for testing) the first jump is the FW port and then the FW sends it to the Gateway. It feels like this is when the FW gets involved in routing the traffic.

    Does that make any sense?  

  • In reply to techbsc:

    Hi,

    you might need to tick the NAT box on the Telstra 4g interface.

    Where does this rule sit in your rule list? It is a very general rule and will allow all traffic on the LAN to use that rule.

    I am trying understand what you mean user gateway and the firewall interface.

    The rule will allow the traffic from the user LAN to the Telstra gateway 4G if that is your top rule.

    Ian