XG Bridge not Routing


I am fairly new to Sophos XG and need some advice regarding a particular setup.

Currently we have an XG450 (SFOS 17.5.0 GA) setup in Bridge mode as shown:

  • Gateway Name: WAN1
  • Routing is NOT enabled
  • PORT 2: WAN (bridge member)
  • PORT 3: LAN (bridge member)
  • Dynamic Routing is off for all Zones

All servers, network equipment and clients are part of the network. DHCP is provided by Windows Server with GW:

Due to bandwidth limitations we would like to get a second ISP. For testing purposes we have purchased a small Netgear 4G LTE Modem (

I have connected the 4G modem to PORT 8:

  • Adding the Modem as a second WAN Link
    • Zone: WAN
    • IP:
    • GW:
    • Gateway Name: WAN2
    • From the WAN



The ultimate goal is really to have firewall rules direct certain traffic to either WAN1 or WAN2 using the Primary Gateway setting, but load balancing can solve our immediate problem.

Just so I don't make this post too long: I have tried a lot of things, but ultimately I believe the main issue is that I can't get the FW to route between the two networks.

I tried enabling Routing on the bridge pair (so it can participate in routing decisions), but when I do that I lose the connection to my ISP, even before I start trying to add the second link.

I am a bit lost with this one, so any help you can give me would be great.

  • You will need firewall rules, not routing rules. The firewall rules allow you to manage traffic flow by application and/or web policies. Also you get anti-xx, mail scanning etc which you don't get using routing.


  • In reply to rfcat_vk:

    Hi thanks for the reply.

    I did try that. It was the first way I tried, but unfortunately the traffic keeps going out via WAN1. This is what my second gateway looks like:

    So as not to disrupt the normal traffic, I applied the gateway changes to the Tech Web Rule (basically an allow-all for Domain Admins) as per the screenshots.


    The reason I think the problem is routing is that a client computer gets an IP via DHCP that looks like: IP: /24 and GW: For some reason, even though the FW rule says the Primary Gateway should be Telstra 4G (WAN2) (PORT 8), it doesn't.

    Both the log viewer and a simple traceroute from the client confirmed the traffic is still being sent via the bridge (in PORT 3 and out PORT 2) via Telstra WAN.

    I suspect it is because the client's gateway is which is the router attached to the bridge interface (Port 2).

    Based on some traceroutes I noticed that:

    • With routing disabled on the bridge, the first jump goes to the client's gateway and not the FW interface.
    • If I enable routing (I tested this on a different bridge setup), the first jump is the FW port and then the FW sends it to the gateway. It feels like this is when the FW gets involved in routing the traffic.

    Does that make any sense?  

  • In reply to techbsc:


    You might need to tick the NAT box on the Telstra 4G interface.

    Where does this rule sit in your rule list? It is a very general rule and will allow all traffic on the LAN to use that rule.

    I am trying to understand what you mean by the user gateway and the firewall interface.

    The rule will allow the traffic from the user LAN to the Telstra gateway 4G if that is your top rule.


  • In reply to rfcat_vk:

    Hi Ian,

    Thanks for the reply and apologies for the late response.

    After some testing I realised the problem was a lot more "basic" than I thought. Basically, when you have multiple ISPs (so multiple gateways) and you have rules using one gateway or the other, your firewall needs to be able to route between the two networks.

    The issue I have is that when I enable Routing on the bridge interface (highlighted blue in the graph), no network traffic will go out via the Telstra WAN gateway. This is because the ISP router for Telstra WAN has routing protocols enabled, and since I can't access that router I can't make it talk with the firewall via the bridged interface.

    It is a bit hard to explain, but simply put, that router (Telstra WAN) is basically there to support a state-wide WAN that connects thousands of sites. Unfortunately the bandwidth supplied is not enough, which is why we were looking to have a second gateway to direct specific traffic.

    You are absolutely right about the rules. We basically set up a test network with two 4G routers and it all works fine.

    All I can do to solve the problem is contact the ISP and see if we can set up the firewall to talk with the router properly.



  • Under NETWORK -> Interfaces

    What did you tag on the network interface facing 1.1? Is it a WAN/LAN or a custom ZONE?


    Secondly, you should put (or the IP of your Sophos firewall) in every client/end-user PC as the gateway.

    Third, make a firewall rule:

    from zone : LAN
    from host:

    to zone: WAN

    to host: any

    Uncheck the NAT & routing boxes, but choose a primary gateway (choose the WAN interface).


    The logic is: if you are interconnecting through the firewall, it doesn't have a single rule/routing/switching even if you set it up in bridge mode. Everything must be set up. For different types of zone like LAN, WAN or a custom ZONE you will need to specify routing via gateway if WAN, or static/policy routing if LAN/custom ZONE.

  • In reply to des villar:

    It depends on what you really want to achieve: do you want just a firewall/router for filtering interconnected networks, or do you want it to act as a gateway where you can decide where the end clients will go?


    If you want it to just interconnect, tag every interface as LAN and make a firewall rule:

    from zone: LAN

    from host: ANY, or an IP/range of clients, depending on who you want

    to zone: LAN

    to host: ANY

    Check the security filters you want and that's it.



    If you want to control your LAN-facing clients, make the firewall the gateway that decides where to send the traffic, and make the 2 connections the WAN:

    from zone: LAN

    from host: ANY, or an IP/range of clients, depending on who you want

    to zone: WAN

    to host: ANY


    Check the security filters.

    Uncheck Rewrite source address (masquerading).

    Uncheck Use gateway-specific default NAT policy.

    Primary gateway: choose the WAN network where the traffic should go.
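As an added illustration, not from the thread and not Sophos code, here is a small Python model of the forwarding behaviour techbsc observed in the traceroutes and that the LAN-to-WAN rule above relies on: a rule's primary gateway only takes effect once the firewall is the client's next hop, i.e. routing is enabled on the bridge pair or the clients use the firewall's own address as their gateway. The addresses, port names and rule set are constructed assumptions.

```python
# Added model (not Sophos code) of the forwarding decision discussed above: a
# bridge pair only honours a rule's primary gateway once the firewall itself is
# the packet's next hop. All addresses and port names are constructed.
from dataclasses import dataclass, replace
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass
class Rule:
    from_zone: str
    to_zone: str
    primary_gateway: str      # gateway name, e.g. "WAN2"
    masquerade: bool = False  # "Rewrite source address" box, left unchecked


@dataclass
class BridgeFirewall:
    lan_net: IPv4Network          # the single bridged segment (Port 2 <-> Port 3)
    bridge_ip: str                # the bridge interface's own address
    gateways: dict                # gateway name -> egress port
    rules: list
    bridge_routing: bool = False  # "Enable routing" on the bridge pair

    def egress(self, dst: str, client_gw: str):
        """Return (egress port, reason) for a frame sent by a LAN client."""
        if ip_address(dst) in self.lan_net:
            return "local", "same segment: switched by the bridge"
        # With routing off, the client's frame carries the MAC of its own
        # default gateway (the ISP router behind Port 2). The bridge just
        # switches it Port 3 -> Port 2; no rule or primary gateway is consulted.
        if not self.bridge_routing and client_gw != self.bridge_ip:
            return self.gateways["WAN1"], "bridged to client's own gateway"
        # The firewall is the next hop, so the LAN->WAN rule's gateway decides.
        for r in self.rules:
            if r.from_zone == "LAN" and r.to_zone == "WAN":
                return self.gateways[r.primary_gateway], f"rule via {r.primary_gateway}"
        return self.gateways["WAN1"], "no matching rule: default gateway"


# Constructed topology: bridged ISP link is WAN1 on Port 2, 4G modem is WAN2 on Port 8.
FW = BridgeFirewall(
    lan_net=ip_network("192.0.2.0/24"), bridge_ip="192.0.2.2",
    gateways={"WAN1": "Port 2", "WAN2": "Port 8"},
    rules=[Rule("LAN", "WAN", primary_gateway="WAN2")],
)
ISP_ROUTER = "192.0.2.1"  # what the DHCP server hands out as the client gateway


def egress_port(bridge_routing: bool, client_gw: str = ISP_ROUTER) -> str:
    """Egress port for an Internet-bound packet under the given bridge setting."""
    return replace(FW, bridge_routing=bridge_routing).egress("203.0.113.10", client_gw)[0]
```

Calling `egress_port(False)` reproduces the OP's symptom (traffic leaves on Port 2 despite the WAN2 rule), while `egress_port(True)` or pointing clients at the bridge address sends it out Port 8.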