This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

dual WAN, replies leave via incorrect interface

Hello, I am running XG 17.5 and I set up DNAT rule for packets coming to secondary WAN. It works, except case where source address is from WAN1 subnet. Replies to these packets are NATed correctly to WAN2 address, but are routed out via WAN1 interface instead of WAN2.

Is it a bug or expected behavior and is there a way to fix it?

Example: XG WAN1 address is 1.1.1.1, WAN2 address is 2.2.2.2. DNAT rule 2.2.2.2 to 192.168.1.50

packet is src 1.1.1.5, dst 2.2.2.2. Reply is src 2.2.2.2 dst 1.1.1.5, but it leaves XG on WAN1 interface, instead of WAN2.

This thread was automatically locked due to age.

Parents

0 Martin Hlavaty over 4 years ago

I am attaching tcpdump capture to make it more clear. Problem is, that packet arrives on Port4, but reply leaves on Port2 with address of Port4

18:57:54.312962 Port4, IN: IP 1.1.1.5.58206 > 2.2.2.2.500: isakmp: parent_sa ikev2_init
18:57:54.313435 Port1.26, OUT: IP 1.1.1.5.58206 > 192.168.1.50.500: isakmp: parent_sa ikev2_init

18:57:54.314053 Port1.26, IN: IP 192.168.1.50.500 > 1.1.1.5.58206: isakmp: parent_sa ikev2_init[]
18:57:54.314480 Port2, OUT: IP 2.2.2.2.500 > 1.1.1.5.58206: isakmp: parent_sa ikev2_init[]

Here is example of working connection, where source (5.5.5.5) is not in XG routing table.

20:29:17.155236 Port4, IN: IP 5.5.5.5.54196 > 2.2.2.2.500: isakmp: parent_sa ikev2_init
20:29:17.157140 Port1.26, OUT: IP 5.5.5.5.54196 > 192.168.1.50.500: isakmp: parent_sa ikev2_init

20:29:17.212375 Port1.26, IN: IP 192.168.1.50.500 > 5.5.5.5.54196: isakmp: parent_sa ikev2_init[]
20:29:17.213311 Port4, OUT: IP 2.2.2.2.500 > 5.5.5.5.54196: isakmp: parent_sa ikev2_init[]
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Martin Hlavaty over 4 years ago

I am attaching tcpdump capture to make it more clear. Problem is, that packet arrives on Port4, but reply leaves on Port2 with address of Port4

18:57:54.312962 Port4, IN: IP 1.1.1.5.58206 > 2.2.2.2.500: isakmp: parent_sa ikev2_init
18:57:54.313435 Port1.26, OUT: IP 1.1.1.5.58206 > 192.168.1.50.500: isakmp: parent_sa ikev2_init

18:57:54.314053 Port1.26, IN: IP 192.168.1.50.500 > 1.1.1.5.58206: isakmp: parent_sa ikev2_init[]
18:57:54.314480 Port2, OUT: IP 2.2.2.2.500 > 1.1.1.5.58206: isakmp: parent_sa ikev2_init[]

Here is example of working connection, where source (5.5.5.5) is not in XG routing table.

20:29:17.155236 Port4, IN: IP 5.5.5.5.54196 > 2.2.2.2.500: isakmp: parent_sa ikev2_init
20:29:17.157140 Port1.26, OUT: IP 5.5.5.5.54196 > 192.168.1.50.500: isakmp: parent_sa ikev2_init

20:29:17.212375 Port1.26, IN: IP 192.168.1.50.500 > 5.5.5.5.54196: isakmp: parent_sa ikev2_init[]
20:29:17.213311 Port4, OUT: IP 2.2.2.2.500 > 5.5.5.5.54196: isakmp: parent_sa ikev2_init[]
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 lferrara over 4 years ago in reply to Martin Hlavaty

For the dnat, are you using reflexive rule?
Cancel
Vote Up 0 Vote Down

Cancel
0 Martin Hlavaty over 4 years ago in reply to lferrara

I wasn't so I did a quick test now by enabling it, and it doesn't help.
Cancel
Vote Up 0 Vote Down

Cancel
0 lferrara over 4 years ago in reply to Martin Hlavaty

Martin,

create a policy routing:

https://community.sophos.com/kb/en-us/123579
Cancel
Vote Up 0 Vote Down

Cancel
0 Martin Hlavaty over 4 years ago in reply to lferrara

I tried that yesterday already, but it didn't help(it had no effect).
Cancel
Vote Up 0 Vote Down

Cancel
0 lferrara over 4 years ago in reply to Martin Hlavaty

Did you check the routing precedence?

https://community.sophos.com/kb/en-us/123610
Cancel
Vote Up 0 Vote Down

Cancel
0 Martin Hlavaty over 4 years ago in reply to lferrara

its configured like this. I think the problem is, that route is Connected, not static.

console> system route_precedence show
Default routing Precedence:
1. Policy routes
2. VPN routes
3. Static routes
Cancel
Vote Up 0 Vote Down

Cancel
+1 KingChris over 4 years ago in reply to Martin Hlavaty

Hi Martin Hlavaty

This is expected behaviour in any linux based system. Direct attached routes take precedence over everything. As such, as your client is within the same WAN IP range as you, the XG will route the traffic out that particular link.

The permanent solution to this is to get in contact with your ISP and ask why they have assigned you a /24 public or larger IP range if you do not own these IPs. The temporary workaround to this is to create a static route for the IPs you do not have access to/ownership of and route it out your WAN2 gateway. This will allow the routing to take place.

Thanks!

KingChris
Community Support | Sophos Support
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question use the 'This helped me' link
Cancel
Vote Up 0 Vote Down

Cancel
0 Martin Hlavaty over 4 years ago in reply to KingChris

Thanks for the info.

Yes my wan and my customer's wan in same subnet. Solution would be to switch to separate /31 and let ISP's router to route it instead of having shared subet for multiple customers (probably to spare few IPs).
Cancel
Vote Up 0 Vote Down

Cancel