How to set up 3 WANs with 3 client networks without failover/redundancy/load balancing in Sophos XG 19

Hi,

How can I set WAN 1 for client network 1, WAN 2 for client network 2 and WAN 3 for client network 3 in the new firmware 19?

I have tried and tried setting the route precedence to static, SD-WAN, VPN; I also changed it to SD-WAN, static, VPN, but it does not work.

I also tried setting an SD-WAN route to make a client network use a specific WAN gateway, but it still does not work.

I also changed the SLA and health check, and it is still the same.

For my network simulation:

wan 1 = 10.10.1.0/29 ===> 10.10.11.0/24

wan 2 = 10.10.2.0/29 ===> 10.10.22.0/24

wan 3 = 10.10.3.0/29 ===> 10.10.33.0/24

Can anybody here help me?

  • Hello there,

    Thank you for contacting the Sophos Community.

    You can use SD-WAN for this scenario, or simply firewall rules and NAT rules.

    If you're using SD-WAN rules, just make sure that every SD-WAN rule has a matching NAT rule, or all the traffic will leave using the default SNAT.

    If the issue persists, take a GUI packet capture of your traffic to confirm which firewall rule and NAT rule are being used, and take a screenshot of your WAN interfaces as well as your NAT and SD-WAN rules.

    Regards,


    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
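As an added illustration, not part of this thread or of any Sophos configuration, here is the same design expressed as Linux policy-based routing: one `ip rule` per client network pointing at a routing table whose only usable route is that WAN's gateway (the SD-WAN route with a primary gateway and no backup), a MASQUERADE rule scoped to that source network and egress interface (the "matching NAT rule" the reply above insists on), and an unreachable fallback route in each table so a client network never falls through to the main table and leaves via another ISP. Interface names (lan1/wan1 and so on), gateway addresses (10.10.1.1 and so on) and table numbers are assumptions chosen to fit the lab subnets in the question.

```shell
#!/usr/bin/env bash
# Constructed example: Linux equivalent of "client network N may only leave via
# WAN N, no failover, with matching SNAT". Interface names, gateway IPs and
# table numbers below are assumptions for the lab subnets in the question.
set -eu

# Format: client_net  lan_if  wan_if  wan_gateway  table/priority
MAPPING='10.10.11.0/24 lan1 wan1 10.10.1.1 101
10.10.22.0/24 lan2 wan2 10.10.2.1 102
10.10.33.0/24 lan3 wan3 10.10.3.1 103'

# Commands for one client/WAN pair. Each part mirrors one firewall object:
#  - ip rule + per-table default route   = the SD-WAN route (source based, primary gateway only)
#  - unreachable default in the table    = "route only through specified gateways": if the
#    WAN route disappears the lookup terminates instead of falling through to the main
#    table and leaving via a different ISP (that is the "random gateway" symptom)
#  - MASQUERADE scoped to -s and -o      = the matching SNAT rule for that egress interface
#  - FORWARD accept for exactly this pair, so lan1 -> wan2 is denied by omission
pbr_commands() {
  net=$1; lan=$2; wan=$3; gw=$4; table=$5
  cat <<EOF
ip route replace default via $gw dev $wan table $table
ip route replace unreachable default metric 1000 table $table
ip rule add from $net iif $lan lookup $table priority $table
iptables -t nat -A POSTROUTING -s $net -o $wan -j MASQUERADE
iptables -A FORWARD -i $lan -o $wan -s $net -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -d $net -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Settings that apply to every pair. rp_filter=2 (loose) because strict reverse-path
# filtering drops replies on a box with several upstreams; FORWARD defaults to DROP
# so only the explicit LAN/WAN pairs above are allowed.
global_commands() {
  cat <<'EOF'
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.all.rp_filter=2
iptables -P FORWARD DROP
EOF
}

# Audit helper: which WAN a given client network is pinned to under MAPPING.
# Prints nothing for a network that has no mapping (and therefore no route out).
wan_for_net() {
  printf '%s\n' "$MAPPING" | awk -v n="$1" '$1 == n { print $3 }'
}

# Default is a dry run that prints the commands; APPLY=1 executes them (needs root).
main() {
  {
    global_commands
    printf '%s\n' "$MAPPING" | while read -r net lan wan gw table; do
      pbr_commands "$net" "$lan" "$wan" "$gw" "$table"
    done
  } | if [ "${APPLY:-0}" = 1 ]; then sh -e; else cat; fi
}

main "$@"
```

Run it without arguments to review the generated commands, then with `APPLY=1` as root to apply them. Because each client table contains only its own WAN's default route, traffic from one client network to another is also sent out that network's WAN (and dropped by the FORWARD policy), which matches the requirement that each client is confined to its own link; the check to keep in mind when debugging is the same one the reply gives for the firewall: a packet capture on each WAN interface should show only that interface's address as the NATed source.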
  • OK, I think I get the SD-WAN option: in an SD-WAN route, specify the client1 interface as the incoming interface, then switch to Primary and Backup Gateways and specify wan1 as the primary gateway and None as the backup, then check Route Only Through Specified Gateways, and that's it?

    And then create an SNAT rule for outbound on wan1, MASQ. Repeat the SD-WAN route and SNAT rule for each client/WAN pair. Is that correct? I guess a DHCP server for each client port as well?

    ORIGINAL:

    Would it be an option to configure the WAN ports (static, DHCP, etc.), then create a bridge1 interface that includes the client1 port (LAN zone) and the wan1 port (WAN zone), with the checkbox for routing? Then bring up a DHCP server on the bridge1 interface, and also a NAT rule for bridge1. And do the same for bridge2 (client2/wan2) and bridge3 (client3/wan3)? Or is the whole bridge thing not necessary?

    Though my mind breaks as I try to figure out whether each client will be restricted to its own WAN only. (Which sounds like a requirement of the OP.) So maybe we actually need LAN1, LAN2, LAN3 and WAN1, WAN2, WAN3 zones and then triplicated firewall rules to allow LAN1 > WAN1, etc., so that client1 is prohibited (by omission) from routing to wan2 or wan3?

  • Hi,

    Thanks for the reply.

    I have tried both scenarios as you describe above; the result is the same. Our client networks still use a random gateway.

    I have turned off the health check and SLA, and I never created failover rules.

  • OK, I think I get the SD-WAN option: in an SD-WAN route, specify the client1 interface as the incoming interface, then switch to Primary and Backup Gateways and specify wan1 as the primary gateway and None as the backup, then check Route Only Through Specified Gateways, and that's it?

    Yes, I created 4 SD-WAN rules to make the client networks use the internet connections the way I want.

    These are the real configurations:

    1. ONE SERVER TO ASTINET

    2. NETWORK SERVER TO BIZNET

    3. VPN CON TO BIZNET

    4. LAN NETWORK TO INDIHOME

    SD-WAN PROFILE

    GATEWAY

  • Hello Timit,

    Is all the traffic coming from the same interface or from different interfaces?

    Also, for the link selection settings, select the Primary and Backup option instead of a profile.

    And for testing purposes, don't select DSCP marking for now.

    Did you get a chance to take a GUI PCAP?

    Regards,

    Emmanuel (EmmoSophos)
  • Hi Emma,

    Thanks for the reply. After I changed all SD-WAN rules to unselect DSCP marking, all our client networks are working as we want...

  • And this thread can be marked as solved. Thanks.

  • Hello timit,

    Thank you for the update, glad to hear your traffic is flowing as expected.

    Regards,

    Emmanuel (EmmoSophos)