I've been having an issue with V18 MR-4 for some time now and really can't seem to figure it out. I have a workstation 172.30.30.104 attempting to ping a printer 172.20.20.30. As you can see in the capture below, the ping reaches the printer and it attempts to respond. It should be sending the response packet to Port1.30; however, it is trying to send it to my WAN port (Port2). There is a simple firewall rule in place that allows any port from 172.30.30.0/24 to 172.20.20.30/32. This seems to be an issue with SD-WAN, because if I change the precedence from sdwan_policyroute, vpn, static to vpn, static, sdwan_policyroute I am able to ping and get the response from the printer just fine. I want to keep sdwan_policyroute as the first priority because I use it for VPN/MPLS. I also want to say that at this point of testing I have NO SD-WAN rules configured, yet the return traffic still wants to go to Port2 when sdwan_policyroute is the highest precedence. Whether SD-WAN is the highest precedence or not, the traffic continues to use firewall rule 33, which is the correct rule. What could I possibly be missing here? I don't see how I can configure a policy/rule anywhere to get this traffic just to route between the VLANs and ignore the SD-WAN configuration.
* RIP routing is enabled with 172.20.20.0/24 listed but not 172.30.30.0/24.
* Both 172.20.20.0/24 and 172.30.30.0/24 are VLANs behind Port1, routed by this XG only.
* No static routes are configured, and there is only one IPsec tunnel, which uses 172.30.30.0/24 as a Local Network for the tunnel.
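The poster's method of reading the capture to see which interface the echo reply leaves on can be automated. The following Python check is an added example, not code from the original post or from Sophos: it parses tcpdump-style lines, pairs each ICMP echo request with its reply by (id, seq), and flags any reply whose egress interface differs from the request's ingress interface, which is exactly the Port1.30-in / Port2-out symptom described above. It assumes the `<iface>, IN|OUT:` line prefix that `tcpdump -i any -nn` on the XG console produces (adjust `LINE_RE` if your build prints differently), and the sample capture lines are constructed, not taken from the thread.

```python
"""Detect asymmetric ICMP echo paths in tcpdump-style output.

Added example for the routing-precedence thread; not part of the original
post. The interface-prefixed line format is an assumption about XG console
tcpdump output, and SAMPLE_CAPTURE below is constructed sample data.
"""
import re
from typing import Dict, List, Tuple

# Assumed line shape: "<timestamp> <iface>, IN|OUT: IP <src> > <dst>: ICMP echo request|reply, id N, seq N, ..."
LINE_RE = re.compile(
    r"^\S+\s+(?P<iface>\S+),\s+(?P<direction>IN|OUT):\s+IP\s+"
    r"(?P<src>\d+(?:\.\d+){3})\s+>\s+(?P<dst>\d+(?:\.\d+){3}):\s+"
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

# Constructed sample: seq 1 shows the reported problem (reply leaves on Port2),
# seq 2 shows a healthy symmetric exchange (reply leaves on Port1.30).
SAMPLE_CAPTURE = """\
10:01:02.000100 Port1.30, IN: IP 172.30.30.104 > 172.20.20.30: ICMP echo request, id 1, seq 1, length 64
10:01:02.000150 Port1.20, OUT: IP 172.30.30.104 > 172.20.20.30: ICMP echo request, id 1, seq 1, length 64
10:01:02.000900 Port1.20, IN: IP 172.20.20.30 > 172.30.30.104: ICMP echo reply, id 1, seq 1, length 64
10:01:02.000950 Port2, OUT: IP 172.20.20.30 > 172.30.30.104: ICMP echo reply, id 1, seq 1, length 64
10:01:03.000100 Port1.30, IN: IP 172.30.30.104 > 172.20.20.30: ICMP echo request, id 1, seq 2, length 64
10:01:03.000150 Port1.20, OUT: IP 172.30.30.104 > 172.20.20.30: ICMP echo request, id 1, seq 2, length 64
10:01:03.000900 Port1.20, IN: IP 172.20.20.30 > 172.30.30.104: ICMP echo reply, id 1, seq 2, length 64
10:01:03.000950 Port1.30, OUT: IP 172.20.20.30 > 172.30.30.104: ICMP echo reply, id 1, seq 2, length 64
"""


def parse_icmp_lines(text: str) -> List[Dict[str, str]]:
    """Return the matched fields of every ICMP echo line; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def find_asymmetric_replies(text: str) -> List[Dict[str, object]]:
    """Return one record per (id, seq) whose echo reply left the firewall on an
    interface other than the one the matching echo request arrived on.

    Only the request's IN line and the reply's OUT line matter: those are the
    two edges of the firewall's forwarding decision for the return path."""
    ingress: Dict[Tuple[int, int], str] = {}
    egress: Dict[Tuple[int, int], str] = {}
    for row in parse_icmp_lines(text):
        key = (int(row["id"]), int(row["seq"]))
        if row["kind"] == "request" and row["direction"] == "IN":
            ingress[key] = row["iface"]
        elif row["kind"] == "reply" and row["direction"] == "OUT":
            egress[key] = row["iface"]

    findings = []
    for key in sorted(ingress):
        if key in egress and egress[key] != ingress[key]:
            findings.append({
                "id": key[0],
                "seq": key[1],
                "request_in": ingress[key],
                "reply_out": egress[key],
            })
    return findings


if __name__ == "__main__":
    for f in find_asymmetric_replies(SAMPLE_CAPTURE):
        print(f"id {f['id']} seq {f['seq']}: request in on {f['request_in']}, "
              f"reply out on {f['reply_out']} (asymmetric)")
```

Run it against a real capture by replacing `SAMPLE_CAPTURE` with the saved tcpdump output; a non-empty result while the poster's precedence order is in effect, and an empty one after swapping it, would confirm that the precedence change is what moves the return path.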
Hi Hugh Herron,
Thank you for reaching out to the Community!
For testing, can you configure the static route for both VLANs and select Port1 as an interface?
Reference document: Add a unicast route
Community Support Engineer | Sophos Technical Support
I appreciate the response - unfortunately, I actually did try this as well. I added both subnets (VLANs) as interface routes using the port like you described, but the XG still would not recognize that it needed to send traffic back through Port1.30 instead of Port2 during testing. This is of course with sdwan_policyroute set to 1st precedence.
Thanks for the update. I would suggest you open a support case at support.sophos.com for in-depth troubleshooting and send me your support case number in a personal message so I can help with the follow-up if needed.