
How to set up 3 WANs with 3 network clients without failover/redundancy/load balancing in Sophos XG 19

Hi,

How can I set WAN 1 for network client 1, WAN 2 for network client 2 and WAN 3 for network client 3 in the new firmware 19?

I tried and tried to set the route precedence to static, SD-WAN and VPN; I also changed it to SD-WAN, static and VPN, but it does not work.

I also tried to set an SD-WAN route to make a network client use a specific WAN gateway, but it is still not working.

I also changed the SLA and health check, and it is still the same.

For my network simulation:

wan 1 = 10.10.1.0/29 ===> 10.10.11.0/24

wan 2 = 10.10.2.0/29 ===> 10.10.22.0/24

wan 3 = 10.10.3.0/29 ===> 10.10.33.0/24

Can anybody here help me?



  • Hello there,

    Thank you for contacting the Sophos Community.

    You can use SDWAN for this scenario or simply Firewall Rules and NAT rules.

    If you’re using SDWAN rules, just make sure that every SDWAN rule has a matching NAT rule, or all the traffic will be leaving using the default SNAT.

    If the issue persists, take a GUI packet capture of your traffic to confirm which Firewall Rule and NAT rule are being used, and take a screenshot of your WAN interfaces, as well as your NAT and SDWAN rules.

    Regards,


    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • OK, I think I get the SDWAN option: in an SDWAN Route specify the client1 interface as the Incoming Interface, then switch to Primary and Backup Gateways and specify wan1 as the primary gateway and None as the secondary, then check Route Only Through Specified Gateways and that's it?

    And then create a SNAT rule for Outbound of wan1, MASQ. Repeat SDWAN route and SNAT rule for each client/wan pair. Is that correct? I guess also a DHCP server for each client port as well?

    ORIGINAL:

    Would it be an option to configure the WAN ports (static, DHCP, etc.), then to create a bridge1 interface that includes the client1 port (LAN zone) and the wan1 port (WAN zone), with the checkbox for routing? Then bring up a DHCP server on the bridge1 interface, and also a NAT rule for bridge1. And do the same for bridge2 (client2/wan2) and bridge3 (client3/wan3)? Or is the whole bridge thing not necessary?

    Though my mind breaks as I try to figure out if each client will be restricted to its own WAN only. (Which sounds like a requirement of the OP.) So maybe we actually need LAN1, LAN2, LAN3 and WAN1, WAN2, WAN3 zones and then triplicated firewall rules to allow LAN1 > WAN1, etc, so that client1 is prohibited (by omission) from routing to wan2 or wan3?
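The two steps proposed above (one SD-WAN route per client/WAN pair with "Route only through specified gateways", plus one SNAT/MASQ rule per outbound WAN) and the support reply's warning that every SD-WAN route needs a matching NAT rule can be checked against each other before touching the firewall. The script below is an added example written for this thread, not Sophos code and not a Sophos API: it models the decisions those two rule types make for a single packet and flags SD-WAN routes whose gateway has no SNAT rule. The interface names (client1..3, wan1..3), the firewall-side addresses inside the thread's /29 and /24 subnets, the assumed static default route over wan1, and the behaviour that a pinned route with all gateways down drops the traffic are assumptions made for the model; wan3 is deliberately left without an SNAT rule to show the mismatch the support reply describes.

```python
"""Model of per-client WAN pinning: SD-WAN route (by incoming interface) + SNAT rule (by outbound interface).

Added example for the thread; it is not Sophos code. Interface names,
firewall-side addresses and the default-route behaviour are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed from the thread's simulation addressing: the WAN /29s and the
# client /24s behind them. The firewall-side addresses are assumptions
# (the thread only gives the subnets).
INTERFACES = {
    "wan1":    (ip_network("10.10.1.0/29"),  ip_address("10.10.1.2")),
    "wan2":    (ip_network("10.10.2.0/29"),  ip_address("10.10.2.2")),
    "wan3":    (ip_network("10.10.3.0/29"),  ip_address("10.10.3.2")),
    "client1": (ip_network("10.10.11.0/24"), ip_address("10.10.11.1")),
    "client2": (ip_network("10.10.22.0/24"), ip_address("10.10.22.1")),
    "client3": (ip_network("10.10.33.0/24"), ip_address("10.10.33.1")),
}


@dataclass(frozen=True)
class SdwanRoute:
    incoming_iface: str
    primary_gateway: str                    # WAN interface used as the primary gateway
    backup_gateway: Optional[str] = None    # "None" in the GUI = no backup
    route_only_via_gateways: bool = True    # the "Route only through specified gateways" checkbox


@dataclass(frozen=True)
class SnatRule:
    outbound_iface: str
    translated_source: str = "MASQ"         # MASQ = rewrite source to the outbound interface's address


# One SD-WAN route per client/WAN pair, as proposed in the post above ...
SDWAN_ROUTES = [
    SdwanRoute("client1", "wan1"),
    SdwanRoute("client2", "wan2"),
    SdwanRoute("client3", "wan3"),
]
# ... but only two SNAT rules: wan3 is deliberately left uncovered.
SNAT_RULES = [SnatRule("wan1"), SnatRule("wan2")]

# Assumed static default route; used only for traffic no SD-WAN route pins.
DEFAULT_ROUTE_IFACE = "wan1"


def select_egress(in_iface: str, gateway_up: dict, routes=SDWAN_ROUTES) -> Optional[str]:
    """Return the WAN interface traffic arriving on in_iface leaves by, or None if it is dropped.

    gateway_up holds the health-check state per WAN (True = gateway alive).
    """
    for r in routes:
        if r.incoming_iface != in_iface:
            continue
        if gateway_up.get(r.primary_gateway, False):
            return r.primary_gateway
        if r.backup_gateway and gateway_up.get(r.backup_gateway, False):
            return r.backup_gateway
        # All listed gateways are down. With the checkbox set, the model drops
        # the traffic instead of falling through to the static default route
        # (assumption about the checkbox's meaning, made explicit here).
        if r.route_only_via_gateways:
            return None
        break
    return DEFAULT_ROUTE_IFACE if gateway_up.get(DEFAULT_ROUTE_IFACE, False) else None


def translate_source(egress_iface: str, src_ip: str, rules=SNAT_RULES) -> Optional[str]:
    """Return the post-SNAT source address, or None when no SNAT rule covers the egress interface."""
    for rule in rules:
        if rule.outbound_iface == egress_iface:
            if rule.translated_source == "MASQ":
                return str(INTERFACES[egress_iface][1])
            return rule.translated_source
    return None


def unmatched_sdwan_routes(routes=SDWAN_ROUTES, rules=SNAT_RULES) -> list:
    """Config check: (incoming interface, gateway) pairs whose gateway has no SNAT rule."""
    covered = {r.outbound_iface for r in rules}
    return [(r.incoming_iface, gw)
            for r in routes
            for gw in (r.primary_gateway, r.backup_gateway)
            if gw and gw not in covered]


def forward(in_iface: str, src_ip: str, gateway_up: dict) -> dict:
    """Run both steps for one packet and report the egress interface and source used."""
    egress = select_egress(in_iface, gateway_up)
    if egress is None:
        return {"egress": None, "src": None, "status": "dropped"}
    new_src = translate_source(egress, src_ip)
    if new_src is None:
        # No rule for this interface: the model reports the gap rather than
        # guessing what the firewall's default SNAT would do with it.
        return {"egress": egress, "src": src_ip, "status": "no-snat-rule"}
    return {"egress": egress, "src": new_src, "status": "ok"}


if __name__ == "__main__":
    up = {"wan1": True, "wan2": True, "wan3": True}
    for iface, host in (("client1", "10.10.11.50"), ("client2", "10.10.22.50"), ("client3", "10.10.33.50")):
        print(iface, host, "->", forward(iface, host, up))
    print("SD-WAN routes without an SNAT rule:", unmatched_sdwan_routes())
```

Running it shows client1 and client2 leaving their own WAN with the WAN address as source, client3 leaving wan3 with its private source untouched by any rule, and the checker listing `("client3", "wan3")` as the route to fix. Taking wan3 down in `gateway_up` shows client3's traffic being dropped rather than spilling over to another WAN, which is the "no failover" behaviour the question asks for.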

  • OK, I think I get the SDWAN option: in an SDWAN Route specify the client1 interface as the Incoming Interface, then switch to Primary and Backup Gateways and specify wan1 as the primary gateway and None as the secondary, then check Route Only Through Specified Gateways and that's it?

    Yes, I created 4 SD-WAN rules to make the network clients use the internet connections the way I want.

    This is for the real configuration:

    1. ONE SERVER TO ASTINET

    2. NETWORK SERVER TO BIZNET

    3. VPN CON TO BIZNET

    4. LAN NETWORK TO INDIHOME

    SD-WAN PROFILE

    GATEWAY