I'm looking to add a backup cellular ISP service to my home network such that in the event my primary ISP is down, Sophos XG will use the backup cellular ISP. However, I really only want to use the backup cellular ISP to maintain internet connectivity for certain devices and not everything on my network. Is there any way to do this with Sophos XG?
Thank you for reaching out to Sophos Community.
You need to set up two SD-WAN policies: one with source and destination set to ANY, with Primary gateway set to 'Primary ISP' and Backup gateway set to 'None'.
On top of that, you need to add a new policy with the required source machines, with Primary gateway set to 'Primary ISP' and Backup gateway set to 'cellular ISP'.
Click here for more information on "SD-WAN Policy Based Routing".
So I'm sure I'm screwing something up, but when I set up one SD-WAN policy (I don't have my backup ISP yet, but I'm just trying to set up the first SD-WAN policy routing rule) with the settings in the screenshot below, I'm having issues with traffic between my VLANs (subnets). Any ideas what might be the issue?
Sophos XG guides for home users: https://shred086.wordpress.com/
Have you added static routes to communicate with your VLAN networks, or are the VLAN interfaces configured on Sophos Firewall?
Yes, my VLAN interface and firewall rules are set up; I've been using this setup for a couple of years now. It's just that once I added that SD-WAN policy, nothing seems to work across VLANs. Again, I'm sure I'm missing something about how SD-WAN policies work.
Can you please check the route precedence in CLI?
Log in to SSH > 4. Device Console
console> system route_precedence show
This is what’s shown:
1. SD-WAN policy routes
2. VPN routes
3. Static routes
Please move 'Static routes' above 'SD-WAN policy routes' in the precedence and check whether VLAN communication works with the SD-WAN policy route or not.
console> system route_precedence set static sdwan_policyroute vpn
Thanks Yash Kothari, everything seems to be working normally after that change. However, I guess I'm confused about why that made a difference, as I don't have any static routes defined. Edit: I think this article explains why. Basically, all I'm trying to achieve is:
1) All devices on my network, on all VLANs/subnets, can only use my primary ISP.
2) Certain devices on my network can use my primary ISP, but also my backup ISP when the primary ISP is down.
I’m hoping the SD-WAN policies can achieve this.
Just received my backup ISP modem and am attempting to get this to work. Using the SD-WAN policy routing rules as suggested:
#1 SD-WAN policy routing:
#2 SD-WAN policy:
When I disconnect my primary gateway (CenturyLink), my Home Server doesn't appear to use the Backup gateway (i.e. the #2 SD-WAN policy routing) and thus doesn't use the backup ISP. If I disable the #1 SD-WAN policy routing, everything seems to work as expected, but I'm not sure if this is set up correctly.
Based on the explanation of SD-WAN policy routing here, it states:
"If both gateways are unavailable, XG Firewall evaluates other SD-WAN policy routes. If it doesn't find another matching policy route, it applies the default route (WAN link load balancing)."
My understanding is that with the #1 SD-WAN policy routing, everything going through Sophos XG should be routed to the Primary Gateway only. However, if the Primary Gateway is down, then other SD-WAN policy routes are searched, and in this case my Home Server should match the #2 SD-WAN policy routing, which has both the Primary and Backup gateways specified. Since the Primary gateway is down, I would expect it to start using the Backup gateway. All other traffic/devices on my network would not be able to access the internet, since there are no other matching SD-WAN policy routes and I have "Override gateway monitoring decision" checked on the #1 SD-WAN policy routing to prevent it from applying the default WAN link load balancing.
However, it doesn't appear to work as I described, so I'm obviously missing something here. As I mentioned, if I disable the #1 SD-WAN policy routing, it works as expected.
Edit: By unchecking "Override gateway monitoring decision" on my #1 SD-WAN policy route, everything seems to work as expected. My main concern was it reverting to the WAN link load balancing and starting to use my backup ISP, but I'm assuming that when I set up my backup ISP gateway and selected "Manually" for "Activate this gateway", it will never be used except when the #2 SD-WAN policy routing is being used. I'm not sure what the purpose of the #1 SD-WAN policy route (pictured above) is, though. It seems that would be the default behavior even without that rule.
After reading the SD-WAN policy routing help section several times, watching this video and experimenting with my setup, it seems having an SD-WAN policy route set to 'Any' for all of the traffic selector options (e.g. source networks, destination networks, etc.) is not required with the following assumptions:
Based on this setup, your backup gateway should not be used when your primary gateway is down. Again, the goal is to only use a backup gateway for certain devices when the primary gateway is down.
To use the backup gateway for a specific application, device, network, etc., you must create an SD-WAN policy route as desired (e.g. 'Source networks' set to your device static IP address), and set the 'Primary gateway' and 'Backup gateway'.
For a device that isn't associated with an SD-WAN policy route, it will simply use the static routes, then jump to the default route (WAN link manager). However, the default route in this case should only allow the primary gateway to be utilized, since we didn't specify the backup to be used. For any device that does have an SD-WAN policy route, it will first use the static routes, followed by the created SD-WAN policy route, which specifies it can use either the primary gateway or the backup gateway, so in the event the primary gateway goes down, only these device(s) will use the backup gateway.
Would be great to get confirmation from one of you smart Sophos XG folks if the above is accurate.
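Added illustration, not part of the thread or of any Sophos code: a small Python model of the lookup order the thread works through (the `system route_precedence` tables, then the default route from the WAN link manager) with the two policy-route designs discussed. All subnets, gateway names and device addresses are made up. Two behaviours are modelled from what the posts report and are assumptions rather than documented semantics: a policy route with "Override gateway monitoring decision" keeps its primary gateway even when monitoring marks it down, so no other policy route is consulted; and a gateway set to "Activate this gateway: Manually" takes no part in the default route. Directly connected VLAN networks are treated as entries in the static table, which is the assumption behind the precedence change fixing inter-VLAN traffic.

```python
"""Toy model of Sophos Firewall route selection as discussed in the thread.

Constructed example for this page; not Sophos code. Networks, gateways and
flag semantics are assumptions labelled inline.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = "any"


@dataclass
class Gateway:
    name: str
    up: bool = True
    # Assumption: 'Activate this gateway: Manually' => auto_activate=False,
    # and such a gateway is never used by the default route (WAN link manager).
    auto_activate: bool = True


@dataclass
class PolicyRoute:
    name: str
    src: str                 # CIDR or ANY (the 'Source networks' selector)
    dst: str                 # CIDR or ANY (the 'Destination networks' selector)
    primary: str             # gateway name
    backup: Optional[str] = None
    override_monitoring: bool = False   # 'Override gateway monitoring decision'

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return _in(src_ip, self.src) and _in(dst_ip, self.dst)


@dataclass
class StaticRoute:
    network: str   # directly connected VLAN networks are modelled here (assumption)
    via: str       # interface or next-hop label


def _in(ip: str, selector: str) -> bool:
    return selector == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(selector)


def select_route(src_ip, dst_ip, precedence, policy_routes, static_routes, gateways):
    """Walk the route tables in 'precedence' order (tokens as printed by
    'system route_precedence show'); the first usable match wins. Fall back to
    the default route over active, healthy gateways. None means no path."""
    for table in precedence:
        if table == "static":
            for r in static_routes:
                if _in(dst_ip, r.network):
                    return ("static", r.via)
        elif table == "sdwan_policyroute":
            for pr in policy_routes:
                if not pr.matches(src_ip, dst_ip):
                    continue
                if pr.override_monitoring:
                    # Assumption from the thread: the route sticks to its
                    # primary even if monitoring says it is down.
                    return ("sdwan:" + pr.name, pr.primary)
                for gw in (pr.primary, pr.backup):
                    if gw and gateways[gw].up:
                        return ("sdwan:" + pr.name, gw)
                # both gateways unavailable: evaluate the next policy route
        # "vpn": no VPN routes in this home setup
    for gw in gateways.values():
        if gw.auto_activate and gw.up:
            return ("default", gw.name)
    return None


def thread_scenarios():
    """Replays the situations from the thread on constructed data."""
    vlans = [StaticRoute("10.10.10.0/24", "VLAN10"), StaticRoute("10.10.20.0/24", "VLAN20")]

    def gws(primary_up):
        return {"CenturyLink": Gateway("CenturyLink", up=primary_up),
                "Cellular": Gateway("Cellular", up=True, auto_activate=False)}

    any_any = PolicyRoute("#1 any/any", ANY, ANY, "CenturyLink")
    any_any_override = PolicyRoute("#1 any/any", ANY, ANY, "CenturyLink", override_monitoring=True)
    server = PolicyRoute("#2 home server", "10.10.10.50/32", ANY, "CenturyLink", "Cellular")
    sdwan_first = ["sdwan_policyroute", "vpn", "static"]
    static_first = ["static", "sdwan_policyroute", "vpn"]
    out = {}
    # Inter-VLAN traffic with the any/any route: SD-WAN first sends it to the WAN.
    out["intervlan_sdwan_first"] = select_route("10.10.10.5", "10.10.20.7", sdwan_first, [any_any], vlans, gws(True))
    out["intervlan_static_first"] = select_route("10.10.10.5", "10.10.20.7", static_first, [any_any], vlans, gws(True))
    # Primary down: override checked on #1 pins the server to the dead gateway.
    out["server_override_on"] = select_route("10.10.10.50", "8.8.8.8", static_first, [any_any_override, server], vlans, gws(False))
    out["server_override_off"] = select_route("10.10.10.50", "8.8.8.8", static_first, [any_any, server], vlans, gws(False))
    # Final design from the last post: only the per-device route exists.
    out["server_final"] = select_route("10.10.10.50", "8.8.8.8", static_first, [server], vlans, gws(False))
    out["other_final_primary_down"] = select_route("10.10.10.5", "8.8.8.8", static_first, [server], vlans, gws(False))
    out["other_final_primary_up"] = select_route("10.10.10.5", "8.8.8.8", static_first, [server], vlans, gws(True))
    return out


if __name__ == "__main__":
    for k, v in thread_scenarios().items():
        print(f"{k:28s} -> {v}")
```

Under these assumptions the model reproduces the thread: with SD-WAN routes first, the any/any route swallows inter-VLAN traffic; with the override flag set on #1, the home server never reaches the cellular gateway; and in the final design only the host with its own policy route fails over, while everything else loses connectivity when the primary is down.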