https://community.sophos.com/sophos-xg-firewall/f/discussions/105765/routing-to-another-gateway-on-the-same-lan-subnet-as-sophos-xgHello everyone, I have a behavior I don&#39;t know how to solve. Your help will be really appreciated :). My Sophos XG is the default gateway, DGXG (192.168.0.250), for my subnet LAN1. My LAN1 is deployed between 2 sites using a fibre. DGXG is connecteden-USTelligent Community 12https://community.sophos.com/thread/421131?ContentTypeID=1Tue, 19 Nov 2019 18:46:40 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:f8595130-e3ce-4b73-9f28-8897f50c4125Edson Siqueira<p>Hello&nbsp;ShunzeLee,</p> <p>&nbsp;</p> <p>I&#39;m trying to do the same thing, but I tried to use this command &quot;set advanced-firewall bypass-stateful-firewall-config&quot; and it didn&#39;t worked for me. Actually the command worked but the route didn&#39;t, the machines in the subnet 192.168.0.0 /24 can&#39;t access machines in the subnet 192.168.5.0 /24 for example.</p> <p>&nbsp;</p> <p>If I add a static route to 192.168.5.0 /24 in&nbsp;any windows machine in the subnet 192.168.0.0 /24 it works good, but if an add a static route in Sophos XG like bellow it didn&#39;t work.</p> <p>&nbsp;</p> <p>Can you help me?</p> <p>&nbsp;</p> <p><a href="/cfs-file/__key/communityserver-discussions-components-files/126/pastedimage1574188675584v1.png"><img src="/resized-image/__size/320x240/__key/communityserver-discussions-components-files/126/pastedimage1574188675584v1.png" alt=" " /></a></p><div style="clear:both;"></div>https://community.sophos.com/thread/386992?ContentTypeID=1Fri, 19 Oct 2018 07:58:07 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:a8d6940c-85ed-4a0a-a663-ce1c8870bb55max.mo<p>Hello,</p> <p>&nbsp;</p> <p>I can confirm that worked perfectly .</p> <p>No need to use a MASQ.</p> <p>Thanks again.</p> <p>Enjoy your weekend.</p> <p>&nbsp;</p> <p>Best Regards, Maxime</p><div style="clear:both;"></div>https://community.sophos.com/thread/386972?ContentTypeID=1Fri, 19 Oct 2018 03:32:20 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:f7d37a6e-2934-4e5d-99d5-320a542d4c8frfcat_vk<p>Hi,</p> <p>I hope that works for you, but I would have thought an MASQ on your outgoing gateway is required?</p> <p>Ian</p><div style="clear:both;"></div>https://community.sophos.com/thread/386971?ContentTypeID=1Fri, 19 Oct 2018 03:03:18 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:5e5fe019-68d9-4908-aedf-716edf1ec184max.mo<p>Hello,</p> <p>&nbsp;</p> <p>Thanks a lot !</p> <p>&nbsp;</p> <p>I completed your post with <a href="/products/xg-firewall/f/sophos-xg-firewall-general-discussion/79041/troubleshooting-guide-for-xg">https://community.sophos.com/products/xg-firewall/f/sophos-xg-firewall-general-discussion/79041/troubleshooting-guide-for-xg</a>.</p> <p>&nbsp;</p> <p>I think it solved my case.</p> <p>I need to do more tests to be sure :)</p> <p>&nbsp;</p><div style="clear:both;"></div>https://community.sophos.com/thread/386965?ContentTypeID=1Fri, 19 Oct 2018 01:55:54 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:4eb001fa-256d-45dd-9730-f52b2a27d4bbShunzeLee<p>Maybe it was blocked with XG as&nbsp;asymmetric route.</p> <p><a href="/cfs-file/__key/communityserver-discussions-components-files/126/_5E970D5C317AEF8D3175_.png"><img src="/resized-image/__size/1040x1240/__key/communityserver-discussions-components-files/126/_5E970D5C317AEF8D3175_.png" alt=" " /></a></p> <p>Only one way pass through XG will be blocked as&nbsp;asymmetric route.</p> <p>If you can&#39;t change the network structure, you may bypass asymmetric routing on XG with following command.</p> <p><span style="color:#ff0000;">set advanced-firewall bypass-stateful-firewall-config add source_network 192.168.0.0 source_netmask 255.255.255.0 dest_network 192.168.X.0 dest_netmask 255.255.255.0</span></p> <p><span style="color:#ff0000;">set advanced-firewall bypass-stateful-firewall-config add source_network 192.168.X.0 source_netmask 255.255.255.0 dest_network 192.168.X.0 dest_netmask 255.255.255.0</span></p> <p>Try it.</p><div style="clear:both;"></div>https://community.sophos.com/thread/386963?ContentTypeID=1Fri, 19 Oct 2018 01:29:17 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:13ad40eb-bf35-4795-89d2-81519a6fe75fmax.mo<p>Hello,</p> <p>&nbsp;</p> <p>Thanks for your response.</p> <p>My rule is on top of the top and there is no blocking traffic :</p> <p><a href="/cfs-file/__key/communityserver-discussions-components-files/126/pastedimage1539930163029v1.png"><img src="/resized-image/__size/320x240/__key/communityserver-discussions-components-files/126/pastedimage1539930163029v1.png" alt=" " /></a></p> <p><a href="/cfs-file/__key/communityserver-discussions-components-files/126/pastedimage1539930185036v2.png"><img src="/resized-image/__size/320x240/__key/communityserver-discussions-components-files/126/pastedimage1539930185036v2.png" alt=" " /></a></p> <p>&nbsp;</p> <p>There was hit to the rule :</p> <p><a href="/cfs-file/__key/communityserver-discussions-components-files/126/pastedimage1539930237597v3.png"><img src="/resized-image/__size/320x240/__key/communityserver-discussions-components-files/126/pastedimage1539930237597v3.png" alt=" " /></a></p> <p>&nbsp;</p> <p>the other gateway device is a sonicwall. WE replaced a sonicwall by one sophos but there is still one sonicwall on the other side.</p> <p>&nbsp;</p> <p>I will try to sketch it out today.</p> <p>Thanks for your help.</p> <p>Maxime</p><div style="clear:both;"></div>https://community.sophos.com/thread/386938?ContentTypeID=1Thu, 18 Oct 2018 17:37:44 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:01ebf046-7dba-453e-9ea2-c0f27e85c858rfcat_vk<p>Hi,</p> <p>where does your rule sit in the list of rules?</p> <p>Please post a copy of your rule.</p> <p>Which firewall rule is blocking the traffic?</p> <p>Ian</p><div style="clear:both;"></div>https://community.sophos.com/thread/386935?ContentTypeID=1Thu, 18 Oct 2018 17:06:53 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:08ce70de-08f9-486b-8a4d-1fb0189bf8f8AADD<p>Either method mentioned should work, however each gateway or device needs to know the routes on each end.</p> <p>&nbsp;</p> <p>I did this while migrating to Sophos from Sonicwall.</p> <p>&nbsp;</p> <p>Maybe I am missing something, can you sketch it out?</p><div style="clear:both;"></div>https://community.sophos.com/thread/386891?ContentTypeID=1Thu, 18 Oct 2018 09:32:19 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:b6fcaa13-61e8-4fb3-a430-47c882de2f2fmax.mo<p>Hell I tried to do a firewall rule with a gateway but this did not work either.</p> <p>&nbsp;</p> <p>Do you have another idea?</p> <p>&nbsp;</p> <p>Thanks for your help.</p> <p>Best Regards, Maxime</p><div style="clear:both;"></div>https://community.sophos.com/thread/385790?ContentTypeID=1Thu, 11 Oct 2018 04:24:10 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:661dc7a8-c6fe-4ef6-987b-490c0e629bb4max.mo<p>Hello,</p> <p>&nbsp;</p> <p>Thanks for your response.</p> <p>I did not try that one.</p> <p>I know the destination subnet.</p> <p>So you mean changing the primary gateway in the advanced setting of the firewall network rule?</p> <p>good idea, I will give it a try tomorrow.</p> <p>&nbsp;</p> <p>thanks !</p><div style="clear:both;"></div>https://community.sophos.com/thread/385788?ContentTypeID=1Thu, 11 Oct 2018 04:16:46 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:423a4104-7a1b-48f8-b2be-17e00813776frfcat_vk<p>Why not remove all your routes and do it with a firewall rule, you must know the destination IP address range?</p> <p>Ian</p><div style="clear:both;"></div>