
HOW TO SELECT A SPECIFIC GATEWAY

Hi, 

I am new to Sophos Firewall XG.

I have two ISPs with different gateways: 1.1.1.1 and 2.2.2.2 (not real gateways).

Now I want end users who are using the internet to be connected via gateway 1.1.1.1,

and VPN users to be connected via gateway 2.2.2.2.

How do I do this?

Thank you.



  • FormerMember

    Hi and Thanks for reaching out to Sophos Community.

    Please mention your firmware version, as the method to select gateways is completely different in v17.5 and v18.

    Did you mean that you have two separate IP addresses given by the ISP and you want to use one to MASQ the outgoing internet traffic and the other one for external VPN users to connect to?

  • Hi Sir,

    Our firmware version is v17.5.

    Yes, we were given two IP addresses and we want to assign one for internet traffic and the other for VPN users.

  • FormerMember, in reply to Axelum Corp

    For the traffic that is going out to the internet, you need to enable Masquerading (NAT) in the firewall rule (all the rules that allow traffic from LAN to WAN) and set the outbound address to your required IP address.

    You will have to create an IP address host inside a NAT host, so don't get confused while adding the outbound host.

    This will MASQ the outgoing traffic with the selected IP address.

    For SSL VPN, you can use the "Override hostname" option and add your second IP there to force users to connect to that specific IP.

    ==> Navigate to VPN > Show VPN settings



    You will need to re-download the configuration on the machines if SSL VPN is already configured. Also, you won't be able to perform failover for SSL VPN if you have, or will have, more than one ISP with "Override hostname" enabled.

  • FormerMember, in reply to homerjs

    In v18, to configure a specific outgoing NATed IP, a NAT rule is required.

    You can either edit your current NAT rule or create a new one.

    • Configure 'Original source' as your local IP range, or you can choose to keep 'ANY' there as well.
    • Change 'Translated source (SNAT)' to the IP you want to NAT LAN-to-WAN traffic with.
    • In 'Outbound interface', select your ISP's interface.

    Make sure to have an SD-WAN rule (in case of multiple ISPs) that has the same ISP gateway defined as the primary gateway.

    Routing > SD-WAN policy routing

    ==> SSL VPN configuration remains the same. You can follow the previously given steps.

  • Do I need to do both rules in v18 (NAT and SD-WAN)?

  • FormerMember, in reply to homerjs

    The NAT rule is mandatory. You can skip the SD-WAN policy route if you only have one ISP configured on the XG.

    If you're skipping the SD-WAN rule, then ensure you select the outbound interface in the NAT rule; otherwise, XG will NAT all outgoing traffic with that specific MASQ IP, which will be problematic in a multiple-gateway load-balancing scenario.
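The following is an added example, not code from the thread or from Sophos: a small Python model of how the v18 SNAT rule and the SD-WAN policy route described in the two replies above interact, so the failure mode in the last reply can be seen concretely. Interface names (PortB, PortC), the LAN range 10.0.0.0/24, the public addresses 1.1.1.10 and 2.2.2.10, the round-robin load balancing and the "first matching rule wins" evaluation are all assumptions made for the illustration; the gateways 1.1.1.1 and 2.2.2.2 are the thread's own placeholders. It does not talk to a firewall or use any Sophos API.

```python
"""Model of SNAT rule + SD-WAN policy route interaction (constructed example).

Interface names, address ranges, public IPs and the evaluation order are
assumptions for illustration, not real Sophos configuration objects.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Two ISP uplinks (constructed). Gateways mirror the thread's placeholders;
# the public IPs on each interface are invented for the example.
WAN = {
    "PortB": {"gateway": "1.1.1.1", "ip": "1.1.1.10"},
    "PortC": {"gateway": "2.2.2.2", "ip": "2.2.2.10"},
}


@dataclass(frozen=True)
class NatRule:
    original_source: Optional[str]      # CIDR, or None for ANY
    translated_source: str              # SNAT address
    outbound_interface: Optional[str]   # None = match on any WAN interface


@dataclass(frozen=True)
class SdwanRule:
    source: str        # CIDR
    primary: str       # interface of the primary gateway


def _matches(cidr: Optional[str], ip: str) -> bool:
    return cidr is None or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def select_egress(src: str, sdwan_rules: list, flow_no: int) -> str:
    """An SD-WAN policy route wins; otherwise flows are load-balanced (round-robin here)."""
    for r in sdwan_rules:
        if _matches(r.source, src):
            return r.primary
    ifaces = sorted(WAN)
    return ifaces[flow_no % len(ifaces)]


def apply_snat(src: str, egress: str, nat_rules: list) -> str:
    """First matching SNAT rule; with no match, default MASQ to the egress interface IP."""
    for r in nat_rules:
        if _matches(r.original_source, src) and r.outbound_interface in (None, egress):
            return r.translated_source
    return WAN[egress]["ip"]


def simulate(sources, sdwan_rules, nat_rules):
    """Return (egress interface, SNAT address) for each flow."""
    out = []
    for i, src in enumerate(sources):
        eg = select_egress(src, sdwan_rules, i)
        out.append((eg, apply_snat(src, eg, nat_rules)))
    return out


def mismatches(results):
    """Flows whose SNAT address does not belong to the interface they left on."""
    return [(eg, ip) for eg, ip in results if WAN[eg]["ip"] != ip]


LAN_FLOWS = ["10.0.0.11", "10.0.0.12", "10.0.0.13", "10.0.0.14"]  # constructed

# Weak: SNAT rule with no outbound interface and no SD-WAN route. Under load
# balancing, every other flow leaves PortC carrying PortB's address.
WEAK_NAT = [NatRule("10.0.0.0/24", "1.1.1.10", None)]
weak = simulate(LAN_FLOWS, [], WEAK_NAT)

# Corrected: pin the outbound interface in the NAT rule, and pin LAN egress
# to the same gateway with an SD-WAN policy route.
FIXED_NAT = [NatRule("10.0.0.0/24", "1.1.1.10", "PortB")]
SDWAN = [SdwanRule("10.0.0.0/24", "PortB")]
fixed = simulate(LAN_FLOWS, SDWAN, FIXED_NAT)

if __name__ == "__main__":
    print("weak: ", weak, "mismatches:", mismatches(weak))
    print("fixed:", fixed, "mismatches:", mismatches(fixed))
```

Running it shows the weak configuration producing two flows that exit PortC with the 1.1.1.10 source address, while the corrected pair sends every LAN flow out PortB with the intended address. Pinning the outbound interface alone (no SD-WAN route) also avoids the mismatch, because flows balanced onto PortC fall through to the default MASQ, but only the SD-WAN route actually keeps all internet users on the first gateway as the original question asked.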