I'm looking to add a backup cellular ISP service to my home network such that in the event my primary ISP is down, Sophos XG will use the backup cellular ISP. However, I really only want to use the backup cellular ISP to maintain internet connectivity for certain devices and not everything on my network. Is there any way to do this with Sophos XG?
After reading the SD-WAN policy routing help section several times, watching this video and experimenting with my setup, it seems having an SD-WAN policy route set to 'Any' for all of the traffic selector…
Thank you for reaching out to Sophos Community.
You need to set up 2 SD-WAN policies, one with source & destination as ANY, and select Primary gateway as 'Primary ISP' & Backup gateway as 'None'.
On top of that, you need to add a new policy with required source machines and select Primary gateway as 'Primary ISP' & Backup gateway as 'cellular ISP'.
Click here for more information on "SD-WAN Policy Based Routing".
Ah that's perfect - haven't messed with SD-WAN policies before but that looks to be exactly what I was looking for. Thank you.
Sophos XG guides for home users: https://shred086.wordpress.com/
So I'm sure I'm screwing something up, but when I set up one SD-WAN policy (I don't have my backup ISP yet, but I'm just trying to set up the first SD-WAN policy routing rule) with the settings in the screenshot below, I'm having issues with traffic between my VLANs (subnets). Any ideas what might be the issue?
Have you added static routes to communicate with your VLAN networks, or are the VLAN interfaces configured on Sophos Firewall?
Yes, my VLAN interface and firewall rules are set up - I’ve been using this setup for a couple of years now. It’s just that once I added that SD-WAN policy, nothing seems to work across VLANs. Again, I’m sure I’m missing something about how SD-WAN policies work.
Can you please check the route precedence in CLI?
Login to SSH > 4. Device Console
console> system route_precedence show
This is what’s shown:
1. SD-WAN policy routes
2. VPN routes
3. Static routes
Please change 'Static routes' precedence on top of 'SD-WAN policy routes' and check whether VLAN communication works with the SD-WAN policy route or not.
console> system route_precedence set static sdwan_policyroute vpn
Thanks Yash Kothari, everything seems to be working normally after that change. However, I guess I’m confused why that made a difference as I don’t have any static routes defined? Edit: I think this article explains why. Basically all I’m trying to achieve is:
1) All devices on my networks on all VLANs/subnets can only use my primary ISP.
2) Certain devices on my network can use my primary ISP, but also my backup ISP when the primary ISP is down.
I’m hoping the SD-WAN policies can achieve this.
Just received my backup ISP modem and attempting to get this to work. Using the SD-WAN policy routing rules as suggested:
#1 SD-WAN policy routing:
#2 SD-WAN policy:
When I disconnect my primary gateway (CenturyLink), my Home Server doesn't appear to use the Backup gateway (i.e. the #2 SD-WAN policy routing) thus not using the backup ISP. If I disable the #1 SD-WAN policy routing, everything seems to work as expected, but I'm not sure if this is setup correctly.
Based on the explanation of SD-WAN policy routing here, it states:
"If both gateways are unavailable, XG Firewall evaluates other SD-WAN policy routes. If it doesn't find another matching policy route, it applies the default route (WAN link load balancing)."
My understanding is with the #1 SD-WAN policy routing, everything going through Sophos XG should be routed to the Primary Gateway only. However, if the Primary Gateway is down, then other SD-WAN policy routes are searched for and in this case, my Home Server should match to the #2 SD-WAN policy routing which has both the Primary and Backup gateway specified. Since the Primary gateway is down, I would expect it to start using the Backup gateway. All other traffic/devices on my network would not be able to access the internet since there's no other matching SD-WAN policy routes and I have "Override gateway monitoring decision" checked on the #1 SD-WAN policy routing to prevent it from applying the default WAN link load balancing.
However, it doesn't appear to work as I described, so I'm obviously missing something here. As I mentioned, if I disable the #1 SD-WAN policy routing, it works as expected.
Edit: By unchecking "Override gateway monitoring decision" on my #1 SD-WAN policy route, everything seems to work as expected. My main concern was it reverting to WAN link load balancing and starting to use my backup ISP, but I'm assuming that because I selected "Manually" for "Activate this gateway" when I set up my backup ISP gateway, it will never be used except when the #2 SD-WAN policy routing is being used. I'm not sure what the purpose of the #1 SD-WAN policy route (pictured above) is, though. It seems that would be the default behavior even without that rule.
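The two behaviours worked through in this thread (the route-precedence change from the CLI exchange, and the effect of "Override gateway monitoring decision" on failover to the #2 policy) can be reproduced in a small model of the lookup order. The following is an added example written for this thread, not Sophos code and not posted by anyone above. It assumes, as a model, that a policy route with override ticked keeps sending matching traffic to its configured gateway even when monitoring has marked that gateway down, that a policy whose gateways are all down is skipped so later policies are evaluated (as the quoted documentation states), and that a gateway set to activate "Manually" is excluded from the WAN load-balancing pool. The subnets, addresses and gateway names are constructed for the scenario.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Model of Sophos XG route lookup for this thread's scenario. Hypothetical
# simulation only; the semantics below are assumptions labelled in the lead-in.

@dataclass
class Gateway:
    name: str
    up: bool              # what gateway monitoring currently reports
    load_balanced: bool   # False when 'Activate this gateway' is set to Manually

@dataclass
class Policy:
    name: str
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    primary: str
    backup: Optional[str] = None
    override_monitoring: bool = False   # 'Override gateway monitoring decision'

def _match(selector: str, addr: str) -> bool:
    return selector == "any" or ip_address(addr) in ip_network(selector)

def static_lookup(static_routes, dst):
    """Longest-prefix match over (cidr, next_hop) pairs; None if nothing matches."""
    best = None
    for cidr, hop in static_routes:
        net = ip_network(cidr)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return None if best is None else best[1]

def sdwan_lookup(policies, gateways, src, dst):
    """First matching policy route that can supply a gateway, or None."""
    for p in policies:
        if not (_match(p.src, src) and _match(p.dst, dst)):
            continue
        if p.override_monitoring:            # assumption: ignore monitoring state
            return (p.name, p.primary)
        if gateways[p.primary].up:
            return (p.name, p.primary)
        if p.backup and gateways[p.backup].up:
            return (p.name, p.backup)
        # both gateways down: fall through to the next policy route
    return None

def default_route(gateways):
    """WAN link load balancing: only up gateways in the pool are candidates."""
    pool = [g.name for g in gateways.values() if g.up and g.load_balanced]
    return ("default", pool[0] if pool else None)

def route(precedence, static_routes, policies, gateways, src, dst):
    for stage in precedence:
        if stage == "static":
            hop = static_lookup(static_routes, dst)
            if hop:
                return ("static", hop)
        elif stage == "sdwan_policyroute":
            hit = sdwan_lookup(policies, gateways, src, dst)
            if hit:
                return hit
        # "vpn": no VPN routes exist in this scenario
    return default_route(gateways)

# Constructed scenario: two VLANs, a home server on VLAN 10, a laptop on VLAN 20.
STATIC = [("192.168.10.0/24", "vlan10"), ("192.168.20.0/24", "vlan20")]
HOME_SERVER, LAPTOP, INTERNET = "192.168.10.50", "192.168.20.7", "203.0.113.10"

def policies(override_on_p1: bool):
    return [Policy("#1", "any", "any", "CenturyLink", None, override_on_p1),
            Policy("#2", "192.168.10.50/32", "any", "CenturyLink", "Cellular")]

def gateways(primary_up: bool):
    return {"CenturyLink": Gateway("CenturyLink", primary_up, True),
            "Cellular": Gateway("Cellular", True, False)}   # manual activation

def inter_vlan(precedence):
    """Home server talking to the laptop on the other VLAN."""
    return route(precedence, STATIC, policies(True), gateways(True), HOME_SERVER, LAPTOP)

def internet(src, primary_up, override_on_p1):
    """Internet-bound traffic with static routes already moved above SD-WAN."""
    return route(["static", "sdwan_policyroute", "vpn"], STATIC,
                 policies(override_on_p1), gateways(primary_up), src, INTERNET)

if __name__ == "__main__":
    print(inter_vlan(["sdwan_policyroute", "vpn", "static"]))  # VLAN traffic hits #1
    print(inter_vlan(["static", "sdwan_policyroute", "vpn"]))  # static route wins
    print(internet(HOME_SERVER, False, True))    # override: stuck on down gateway
    print(internet(HOME_SERVER, False, False))   # no override: #2 picks Cellular
    print(internet(LAPTOP, False, False))        # nothing usable for other hosts
```

With the original precedence the any/any policy route captures inter-VLAN traffic before the connected routes are consulted, which is the symptom reported before the `route_precedence` change. With override on policy #1, the home server never reaches policy #2 when the primary is down; with override off, #1 is skipped and #2 supplies the Cellular gateway, while other hosts fall to the default route and find no usable gateway because Cellular is not in the load-balancing pool.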