[Sophos XG] [Routing and multiple gateways] Replicate v17 scenario in v18

Hi guys,

I have a doubt about how to achieve the same thing that could be done in the past with v17, and I'm struggling with v18.


Scenario:

 

Basically, I have 2 WANs, one for everything and the other one for X special thing, which cannot be used for anything else, so both have to be active and cannot be failed over between them. Also, an MPLS which connects to a remote office and, if that fails, a policy-based VPN that provides connectivity.

In v17, to achieve that, it would require:

  • Gateway for the MPLS with policy based routing.
  • IPSec with the WAN1 and the remote WAN.
  • Firewall rule1 to allow "LAN" to "Remote" office.
  • Firewall rule2 to allow X special thing in the "LAN" through WAN2 by selecting the 2nd WAN in the firewall rule and no backup (ability to choose the "main" WAN to use).
  • Firewall rule3 to allow "LAN" to "WAN" any through WAN1 and no backup nor load balance.
  • Having route precedence "static - policy - vpn".

In v18 (from what I have seen) there's no option to only choose one WAN. What comes to my mind is:

 

  • Creating a static route for WAN1 that takes priority last, but that breaks the MPLS/VPN backup scenario.
  • Creating a PBR entry, which routes the special case through WAN2, MPLS traffic through the MPLS gateway and then another one that routes everything else through WAN1. The problem is that if the MPLS fails, the traffic won't go through the IPSec and the failover won't occur.
  • The above scenario, but switching the route precedence to "static - vpn - policy": it will never match the MPLS, unless I create a static route, and then I'll not be able to monitor the link to have automatic failover.
  • Setting weight in the WANs will decrease the chances to use the 2nd WAN, but it will eventually use it (there's no 0 option).
  • Following the PBR idea, replace the policy-based VPN with route-based and then create a GW for the IPsec below the MPLS PBR rule (realistic option, but unsure whether the remote company will say yes to changing the IPsec).

 

The last one is the only solution that I have realistically come up with. But what if I NEED a policy-based VPN?


Any ideas how to achieve on v18 the same thing that could be done on v17? Any help is appreciated.


Thanks!

 

  • In reply to H_Patel:

    Hi H_Patel,

     

    Thanks for your answer. I just finished reading the article and, according to it, it recommends the same thing that I stated in my points:


    • Creating a PBR entry, which routes the special case through WAN2, MPLS traffic through the MPLS gateway and then another one that routes everything else through WAN1.

     

    The problem with that is that in case the MPLS goes down, all traffic will go to the GW and break the VPN failover. If I switch the route precedence to have VPN first, it will never go through the MPLS unless I create a static route that takes precedence first, but then it loses the ability to monitor the MPLS through PBR.


    And using Linked NATs breaks the idea of decoupling NATs from rules, and even Sophos recommends using them only for migration purposes.

    So, any ideas?

    • Setting weight in the WANs will decrease the chances to use the 2nd WAN, but it will eventually use it (there's no 0 option).

    You can set the other interface as Backup. This is actually "0" in terms of load balancing. Backup interfaces will only be used in case they are called by some process, like PBR or a static route.


    There are certain scenarios which are not perfectly reproducible right now, as you would mix different scenarios.

    As Sophos tries to push the VTI technology, it will help in this case.

    The policy-based VPN routing options are limited, like the static option.


    Wrote some points about this here:

    https://community.sophos.com/products/xg-firewall/f/recommended-reads/121408/routing-in-xgv18-with-sd-wan-pbr

     

    As you could place the default route on Backup, you could actually rebuild most of this quite easily.
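An added example, not from this thread or from Sophos: a small Python model of the lookup order the thread describes, showing why a catch-all PBR rule to WAN1 keeps the remote-office traffic from ever reaching the policy-based VPN once the monitored MPLS gateway is down, and how the traffic falls through to the VPN when the catch-all is dropped and WAN2 is made a backup interface so that only WAN1 carries the default route. Subnets and gateway names are constructed, and consulting the WAN default route only after static, PBR and VPN routes is a simplification of this model, not a statement about the firewall's real implementation.

```python
"""Toy model of the route lookup discussed in this thread (added example).
Precedence order, gateway monitoring and the default-route fallback are
simplified assumptions of this model, not Sophos XG's real implementation."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
REMOTE_OFFICE = ip_network("10.20.0.0/16")   # constructed: behind MPLS / VPN
SPECIAL_DST = ip_network("203.0.113.0/24")   # constructed: "X special thing"


@dataclass
class Rule:
    kind: str       # "static", "policy" (SD-WAN PBR) or "vpn"
    dst: object     # ip_network; ANY acts as a catch-all
    gateway: str


def lookup(dst, rules, precedence, alive, default_gw):
    """Walk the rule kinds in precedence order; a PBR rule whose monitored
    gateway is down is skipped, so lookup falls through to the next match.
    Assumption: the WAN default route is only consulted when nothing matched."""
    addr = ip_address(dst)
    for kind in precedence:
        for r in rules:
            if r.kind != kind or addr not in r.dst:
                continue
            if r.kind == "policy" and not alive.get(r.gateway, True):
                continue  # monitored gateway down -> skip this PBR rule
            return r.gateway
    return default_gw


# OP's attempt: PBR special -> WAN2, remote -> MPLS, everything else -> WAN1,
# plus a policy-based VPN for the remote office.
OP_RULES = [
    Rule("policy", SPECIAL_DST, "WAN2"),
    Rule("policy", REMOTE_OFFICE, "MPLS"),
    Rule("policy", ANY, "WAN1"),
    Rule("vpn", REMOTE_OFFICE, "IPsec-over-WAN1"),
]
# Reply's suggestion: WAN2 is a backup interface, so the default route uses
# WAN1 only and the catch-all PBR rule is no longer needed.
FIXED_RULES = [r for r in OP_RULES if r.dst != ANY]


def route(dst, rules, mpls_up=True, precedence=("static", "policy", "vpn")):
    """Gateway chosen for dst with the thread's 'static - policy - vpn' order."""
    return lookup(dst, rules, precedence, {"MPLS": mpls_up}, "WAN1")
```

With the catch-all PBR rule in place, `route("10.20.5.1", OP_RULES, mpls_up=False)` returns WAN1 instead of the VPN; without it, the same lookup returns the IPsec gateway.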