

failover wan masquerading not working

Scenario

We want to offer an NBN/4G failover solution for our customers. We are a layer 2 provider, so we have full access to RADIUS IPs etc.

I have set up the UTM so that Port #2 is NBN, which is the primary WAN, and have set an internal private IP as its WAN IP, i.e. 192.168.111.1. I also have a 4G WWAN set up as the active failover with a WAN IP of, say, 192.168.111.2. In RADIUS we used a Framed-Route for the public WAN address on both connections, with the 4G having a metric of 250 so it is only active when the NBN is offline. This side of things we do a lot and it works well in a Cisco environment.

What I then tried was just making an IP Host entry for the public IP and changing the default SNAT rule so the source translation goes from MASQ to the WAN IP Host entry. In theory this should do what I want, but it doesn't. I figured maybe I need to bind that public IP to a loopback or physical interface, but there isn't an equivalent of loopback on SFOS, so I tried an alias interface on both the NBN interface and the LAN interface. In both cases I could then ping the public IP from outside in with no problems, and if I do a ping inside out from the public IP I could also ping, but from the LAN or bridge interface the ping fails.

Looking in the packet trace, I can try to ping Google and see the ICMP packet sourcing from the LAN interface and leaving the ppp interface, but it shows firewall and NAT rule 0, which I'm guessing means it is not matching and not masquerading on the way out? But it's a standard LAN to WAN FW rule with the default unlinked SNAT rule.

I thought I was trying to do something pretty logical and basic here, which is quite easy on other platforms. Am I overlooking something with the UTMs, or do I need to approach it a different way?

cheers and tia



  • FormerMember

    Hi,

    Thank you for reaching out to Sophos Community.

    Assuming you're able to access the internet on XG through the alias interface (added on the NBN interface).

    Looking in the packet trace I can try and ping google and see the icmp packet sourcing the lan interface and leaving the ppp interface but it shows firewall and nat rule 0 which im guessing is not matching ?

    If the traffic isn't matching any firewall rule, then it must be getting violated for some reason. You'll be able to see the 'Reason' property beside 'Status'.

    Could you please post a packet capture snapshot?

    Make sure to take the packet capture on the destination IP.

    e.g. if you're trying to ping 1.1.1.1, use the BPF string: host 1.1.1.1 and proto ICMP

    Also, please take an observation with a new LAN to WAN firewall rule and a NAT rule on top with SNAT as 'WAN IP Host'.

  • Hi Yash,

    So these are the basic default FW and NAT rules I thought would work (without making any interface with the WAN IP 103.131.41.34, just leaving it as a Host entry).

    Two WAN connections like so:



    with Framed-Routes pointing to those IPs via RADIUS at PPP time for the 103.131.41.34 public IP. Yes, we could use public IPs on both WAN interfaces as well, but in theory it should not matter if we intend only to MASQ against the single common IP, and if we can use 1 IP in today's IPv4 market instead of 3 that's a big win.

    Then I enable a packet capture to host 8.8.8.8 and throw a ping from bridge 0 at it.

    Fails.

    In the packet capture:

    NAT and rule 0

  • FormerMember in reply to Nathan Ridge

    Thank you for sharing the requested information.

    If you ping 8.8.8.8 from the bridge interface (br0), then the ICMP request will be sent to the network connected behind the br0 interface, not over the WAN.

    To check whether the firewall is performing SNAT correctly or not, you need to start a ping from an end machine located behind the br0 interface.

    Additionally, to access the internet directly on XG you'll need to perform SNAT for firewall-generated traffic.

    Click here to find more information on "How to NAT Sophos Firewall generated traffic"

    console> set advanced-firewall sys-traffic-nat add destination <network> netmask <subnet mask> interface <WAN interface> snatip <IP address>

    OK, yup, I have set up a laptop on the LAN behind br0 and run a ping to 8.8.8.8 and it's replying! I assumed the diagnostics ping picking the interface br0 as the source would in fact bind the source IP to the IP of the interface.

    So this second part you mention, it's like the Local to WAN rule, yeah? Do I require this, say, so the local name server service can work and the UTM can check for updates etc.? Or is it only required if I want the pings from diags to work?

    This is really bizarre. When I found the outbound testing from a laptop working with no problems, I unplugged the Port 2 NBN WAN and watched the pings stop, counted about 45 seconds, and then both inbound and outbound pings re-established over the WWAN to the common WAN IP. Happy days.

    I then plugged the NBN WAN port back in. After about 5 seconds, when the PPPoE re-established, the pings both ways broke. That's fine; I waited a minute, waited 2 minutes, waited 5 minutes... they didn't re-establish, yet I could still get to the common WAN IP via the GUI and look around the UTM config. WTF. I rebooted the UTM, and without changing the config in any way the inbound pings now work again, but the outbound pings from the laptop are still broken.

    I'm convinced now there is some kind of problem or flaw with this NAT config in v18; there is just no rhyme or reason to the behaviour.

  • FormerMember in reply to Nathan Ridge

    Request to perform the following steps and share the session output here or via PM.

    ==> Log in to SSH > 4. Device Console

    console> tcpdump 'host 8.8.8.8 and proto ICMP'

    In another SSH session, run the command below.

    console> drop-packet-capture 'host 8.8.8.8 and proto ICMP'

    ==> After that, start a ping from a laptop using below command.

    C:\Windows\system32>ping -n 2 8.8.8.8
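As an added example that is not part of this thread and not a Sophos tool: once you have the tcpdump output from the steps above, a small script can pair each echo request seen entering on the LAN side with the copy leaving on the WAN side (same ICMP id and sequence) and say whether it left with the expected SNAT source, left untranslated (the private LAN address leaking out, which is what "NAT rule 0" would produce), never egressed, or was firewall-generated with no LAN-side copy at all (the case of the br0 diagnostics ping discussed earlier). The line format with interface and direction, the interface names br0 and ppp0, the LAN host 192.168.10.50 and the whole capture text are assumed or constructed; the public IP is the one from the thread.

```python
"""Classify LAN-originated ICMP echo requests by what SNAT did to them,
from SFOS-style tcpdump output (example code, not part of the thread).

Assumed line format (constructed; SFOS prefixes each packet with interface and direction):
  HH:MM:SS.ffffff <iface>, <IN|OUT>: IP <src> > <dst>: ICMP echo request, id <n>, seq <n>, length <n>
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^\S+\s+(?P<iface>\S+),\s+(?P<dir>IN|OUT):\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+>\s+(?P<dst>\d+\.\d+\.\d+\.\d+):\s+"
    r"ICMP echo request, id (?P<id>\d+), seq (?P<seq>\d+)"
)

# Constructed capture: one good ping, one untranslated, one dropped, one firewall-generated.
SAMPLE_CAPTURE = """\
10:15:01.000100 br0, IN: IP 192.168.10.50 > 8.8.8.8: ICMP echo request, id 1, seq 1, length 64
10:15:01.000150 ppp0, OUT: IP 103.131.41.34 > 8.8.8.8: ICMP echo request, id 1, seq 1, length 64
10:15:01.010000 ppp0, IN: IP 8.8.8.8 > 103.131.41.34: ICMP echo reply, id 1, seq 1, length 64
10:15:02.000100 br0, IN: IP 192.168.10.50 > 8.8.8.8: ICMP echo request, id 1, seq 2, length 64
10:15:02.000150 ppp0, OUT: IP 192.168.10.50 > 8.8.8.8: ICMP echo request, id 1, seq 2, length 64
10:15:03.000100 br0, IN: IP 192.168.10.50 > 8.8.8.8: ICMP echo request, id 1, seq 3, length 64
10:15:04.000100 ppp0, OUT: IP 192.168.111.1 > 8.8.8.8: ICMP echo request, id 7, seq 1, length 64
"""


def parse_echo_requests(capture):
    """Return one dict per ICMP echo-request line; replies and other lines are ignored."""
    packets = []
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            p = m.groupdict()
            p["id"], p["seq"] = int(p["id"]), int(p["seq"])
            packets.append(p)
    return packets


def check_snat(capture, lan_ifaces, wan_ifaces, expected_snat_ip):
    """Map (icmp id, seq, dst) -> verdict for every echo request in the capture.

    Verdicts:
      snat_ok            LAN IN + WAN OUT, WAN copy carries expected_snat_ip
      not_translated     WAN copy still carries the private LAN source (NAT rule did not match)
      wrong_source       WAN copy carries some other address
      no_egress          seen on the LAN, never left a WAN interface (dropped or misrouted)
      firewall_generated left a WAN interface without a LAN-side copy (firewall's own traffic)
    """
    flows = defaultdict(dict)
    for p in parse_echo_requests(capture):
        key = (p["id"], p["seq"], p["dst"])
        if p["dir"] == "IN" and p["iface"] in lan_ifaces:
            flows[key]["in"] = p
        elif p["dir"] == "OUT" and p["iface"] in wan_ifaces:
            flows[key]["out"] = p

    verdicts = {}
    for key, f in sorted(flows.items()):
        if "in" not in f:
            verdicts[key] = "firewall_generated"
        elif "out" not in f:
            verdicts[key] = "no_egress"
        elif f["out"]["src"] == expected_snat_ip:
            verdicts[key] = "snat_ok"
        elif f["out"]["src"] == f["in"]["src"]:
            verdicts[key] = "not_translated"
        else:
            verdicts[key] = "wrong_source"
    return verdicts


if __name__ == "__main__":
    # Interface names and expected public IP are assumptions for this example.
    for (icmp_id, seq, dst), verdict in check_snat(
        SAMPLE_CAPTURE, {"br0"}, {"ppp0"}, "103.131.41.34"
    ).items():
        print(f"id={icmp_id} seq={seq} -> {dst}: {verdict}")
```

Feed it the real tcpdump session instead of SAMPLE_CAPTURE and set the LAN/WAN interface names to match the capture; a run of `not_translated` verdicts confirms the SNAT rule is not being hit, while `firewall_generated` flags pings that never touched the LAN to WAN rule in the first place.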

    Thanks Yash, please stand by a few mins. I rolled it back to v17 SFOS. I am just doing some testing, but it looks like it's working stably and as intended, having the LAN to WAN FW rule set to primary and secondary GW, having the NAT rule just set to the common WAN IP, and in WAN management having the WWAN set up as the Backup interface and the NBN as Active.

    We tried with the WWAN set as Active with both a 1 metric and a 100 metric. It would work to switch over to the WWAN as the backup and pings would come back, but because it was Active it looked not to tear down the connection when the NBN came back, and it would never recover.

    Once we have tested everything working, it will be interesting to see what the v18 migrated FW and NAT rules will be.