
dual WAN, replies leave via incorrect interface

Hello, I am running XG 17.5 and I set up DNAT rule for packets coming to secondary WAN. It works, except case where source address is from WAN1 subnet. Replies to these packets are NATed correctly to WAN2 address, but are routed out via WAN1 interface instead of WAN2.

Is it a bug or expected behavior and is there a way to fix it?

 

Example: XG WAN1 address is 1.1.1.1, WAN2 address is 2.2.2.2. DNAT rule 2.2.2.2 to 192.168.1.50

packet is src 1.1.1.5, dst 2.2.2.2. Reply is src 2.2.2.2 dst 1.1.1.5, but it leaves XG on WAN1 interface, instead of WAN2.

 



  • It's configured like this. I think the problem is that the route is Connected, not static. 

     

    console> system route_precedence show
    Default routing Precedence:
    1. Policy routes
    2. VPN routes
    3. Static routes

     

  • Hi  

    This is expected behaviour in any Linux-based system. Directly attached routes take precedence over everything. As such, since your client is within the same WAN IP range as you, the XG will route the traffic out that particular link.

    The permanent solution to this is to get in contact with your ISP and ask why they have assigned you a /24 public or larger IP range if you do not own these IPs.  The temporary workaround to this is to create a static route for the IPs you do not have access to/ownership of and route it out your WAN2 gateway.  This will allow the routing to take place.

    Thanks!

    KingChris
    Community Support | Sophos Support


  • Thanks for the info.

    Yes, my WAN and my customer's WAN are in the same subnet. The solution would be to switch to a separate /31 and let the ISP's router route it, instead of having a shared subnet for multiple customers (probably to spare a few IPs).
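The routing decision KingChris describes, and the two fixes discussed in the thread (a /32 static route via the WAN2 gateway, or the ISP moving WAN1 to a /31), reduce to longest-prefix matching. The following is an added illustration, not Sophos code and not the XG's actual routing engine: a small routing-table lookup in Python using the thread's addresses. The gateway addresses (1.1.1.254, 2.2.2.254), the /24 on WAN2, and a default route via WAN2 are assumptions made so the simulation is complete; the thread does not show them.

```python
"""Longest-prefix-match simulation of the dual-WAN reply problem from the thread.

Added example, not Sophos/XG code. Addresses 1.1.1.1 (WAN1), 2.2.2.2 (WAN2),
1.1.1.5 (client) and 192.168.1.50 (DNAT target) come from the thread; the
gateways 1.1.1.254 / 2.2.2.254 and the default route via WAN2 are assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    kind: str                      # "connected", "static" or "default"
    gateway: Optional[str] = None  # None for directly connected prefixes


def lookup(table: List[Route], dst: str) -> Route:
    """Return the most specific route for dst (longest prefix wins).

    Linux does not favour 'connected' routes as a class: the connected /24 on
    WAN1 beats the default route only because /24 is longer than /0, and a /32
    static route beats the /24 for exactly the same reason.
    """
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def build_table(wan1_prefix: str = "1.1.1.0/24",
                static_routes: Iterable[Route] = ()) -> List[Route]:
    """Connected routes for WAN1, WAN2 and LAN plus an assumed default via WAN2."""
    table = [
        Route(ipaddress.ip_network(wan1_prefix), "WAN1", "connected"),
        Route(ipaddress.ip_network("2.2.2.0/24"), "WAN2", "connected"),      # assumed
        Route(ipaddress.ip_network("192.168.1.0/24"), "LAN", "connected"),
        Route(ipaddress.ip_network("0.0.0.0/0"), "WAN2", "default", "2.2.2.254"),  # assumed
    ]
    table.extend(static_routes)
    return table


def host_route(ip: str, iface: str = "WAN2", gateway: str = "2.2.2.254") -> Route:
    """KingChris's workaround: a /32 static route for the client via the WAN2 gateway."""
    return Route(ipaddress.ip_network(f"{ip}/32"), iface, "static", gateway)


def reply_interface(dst: str, wan1_prefix: str = "1.1.1.0/24",
                    static_routes: Iterable[Route] = ()) -> str:
    """Interface the XG's reply to dst leaves on under the given table."""
    return lookup(build_table(wan1_prefix, static_routes), dst).iface


if __name__ == "__main__":
    client = "1.1.1.5"
    # Thread's symptom: client in the connected /24 on WAN1, reply leaves WAN1.
    print("no fix           ->", reply_interface(client))
    # Workaround: /32 static route is more specific than the /24, reply leaves WAN2.
    print("/32 static route ->", reply_interface(client, static_routes=[host_route(client)]))
    # ISP-side fix: WAN1 becomes 1.1.1.0/31, the client is no longer 'connected'.
    print("WAN1 as /31      ->", reply_interface(client, wan1_prefix="1.1.1.0/31"))
```

The /31 case only lands on WAN2 because the simulation assumes the default route points there; on a real box the reply follows whatever route the XG's policy/VPN/static precedence and the default gateway select once the client is no longer in a connected prefix.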