XG to XG RED VPN With Multiple WAN interfaces

Hi folks,


Does anyone have an idea whether it is possible to create a RED VPN between XG devices using multiple WAN interfaces at the Branch and Head office?




H.O WAN 1  ---------------RED TUN 1----------------------------   B.O WAN 1

H.O WAN 1  ---------------RED TUN 2----------------------------   B.O WAN 2

H.O WAN 2  ---------------RED TUN 3----------------------------   B.O WAN 1

H.O WAN 2  ---------------RED TUN 4----------------------------   B.O WAN 2


Best regards



  • I guess you cannot perform 4 tunnels, but 2.

    The point is, XG is using a random outbound IP if not specified via CLI.


    But this command relies on the destination.

    So basically you cannot use it 4 times to bind it properly.

  • In reply to LuCar Toni:

    Hi LuCar Toni,


    Thanks for your response.

    Well, I already suspected this, but I would like to confirm :)

    It would be interesting to have an option to bind it.


    Best regards


  • In reply to Carlos Cesario:

    Let's wrap this topic up.

    I guess there is no real "reason" to build up 4 tunnels.





    This is the standard scenario.


    On AB you would say: Port1 is reachable with Interface A, PortB is reachable with Interface B.




    In case a port is not reachable:


    The question is, what is happening with your DNS? Because Tunnel A-1 is not there anymore, you could force XG to build up the tunnel between A-2 with a DNS record.

    But: would there be a real use case for this? Because you will have a drop in "performance" anyway.


  • In reply to LuCar Toni:

    Hi LuCar, 


    The reason to use 4 tunnels is that I will use OSPF for routing across these tunnels; I like the IPsec Bind option in Cyberoam OS.

    With this I have total control over the path/routing/failover.


    Currently I have several Cyberoam OS devices using this model with IPsec, and I'm looking for a solution to convert it to Sophos XG.


    This is the reason :)


    Best regards



  • In reply to Carlos Cesario:

    Hi Carlos,


    You can set up 4 independent RED tunnels. But if you need to apply Link Load Balancing (not failover), it would be possible with the release of SFOS v18. So I think we need to wait for Sophos' SD-WAN feature, which will be enabled in version 18.



  • In reply to Cenk Tezdiyar:

    Hi, thank you for your feedback.



    Well, and how can I do the following, as LuCar said?



    Head office Port WAN 1 ------------ Branch office Port WAN 1

    Head office Port WAN 2 ------------ Branch office Port WAN 2


    I tried setting up firewall rules on the Head office allowing the specific traffic coming from Branch office port WAN 1 to Head office port WAN 1 on ports 3400 TCP and 3410 UDP, but it seems there is a global rule allowing it.

    I cannot control this traffic.

    Any tip!?




  • In reply to Carlos Cesario:

    You have to build up two tunnels.

    Tunnel1: XG A is Server, XG B is Client.

    Tunnel2: XG A is Client, XG B is Server.




    The client will always connect. So basically XG waits on all interfaces for a port 3400 connection.

    You have to control the client side, i.e. which interface should be used "outbound".


    The KBA has a small note:

    • If the RED server firewall has more than one WAN interface, a sys-traffic-nat rule is necessary to force a correct NAT for the RED server firewall. This can be done in the XG Firewall's console.



    This will more or less build up redundancy in most scenarios.

  • In reply to LuCar Toni:

    Hi LuCar,

    Thanks again for your great suggestion.

    But sys-traffic-nat, or even a static route, does not work as expected with RED connections.

    Even using sys-traffic-nat or a static route on the client side, the RED connects via the other WAN interface (outbound interface). The RED connections do not respect this.


    Best regards



  • In reply to Carlos Cesario:

    I recently deployed this setup.

    Can you post your sys-nat rule? What did you insert into this rule? 

  • In reply to LuCar Toni:

    Hi LuCar,



    On Client Side


    sys-nat rule


    Network interfaces




    On Server Side



    As you can see, the remote IP address online is the IP address of interface Port B.






  • In reply to Carlos Cesario:

    Hi folks.

    Any tip!?  :)




  • In reply to Carlos Cesario:

    I assume 45. is your other XG? 

    Your other XG has one or two Interfaces? 

    Did you already verify via tcpdump, that this rule is not hitting / working? 

  • In reply to LuCar Toni:



    The 45. is my client side, which I would like the RED tunnel to use as outbound :)


    Both XGs have two WAN interfaces.


    Yes, with tcpdump on the server side I can see traffic from my client side using both WAN addresses; it seems the RED tunnel ignores the SNAT rule and chooses the output interface at random.




  • In reply to Carlos Cesario:

    You need to set up this sys-nat rule on the client side, because the client will actually start the connection.

    From the client, you are forcing XG to build up the connection anyway with the GUI option.