This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Outgoing (SMTP) Traffic uses undefined WAN Line

Hi all,

I have Sophos XG 18.5.4 with multiple WAN lines (different vendors for failover) and also multiple IP addresses per wan line.

Outgoing SMTP traffic needs to fit MX config in internet so I defined SD WAN and NAT rules as described here

https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/122602/sophos-xg-how-to-setup-mta-mode-when-you-have-multiple-wan-ports-or-alias-ip-addresses

to reduce outgoing SMTP traffic to 2 of our 3 WAN lines (SD WAN) and also NAT rule to reduce to one IP per line (fitting MX config).

Now I get rejected mails because our third line was used!

SD WAN rule:

NAT rule

XG is in MTA mode.

I also changed Route Precedence to Static - VPN - SD-WAN.

What's the mistake?

This thread was automatically locked due to age.

Top Replies

dirkkotte over 1 year ago in reply to GernotMeyer +1 suggested

If a static route matches, the traffic use this way.. Would try to move the SD-WAN policy routes to top.

0 GernotMeyer over 1 year ago

come on... no help ;-(

any suggestions?
Cancel
Vote Up 0 Vote Down

Cancel
0 Erick Jan over 1 year ago

Hi GernotMeyer,

Thank you for contacting Sophos Community. Have you checked the log viewer, tcpdump or conntrack, would it be possible to share it here so we can check what has transpired?

Erick Jan
Community Support Engineer | Sophos Technical Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel
0 Karlos over 1 year ago in reply to GernotMeyer

Hi GernotMeyer,

I'm assuming you would like Port10 and Port 2 as your primary and backup gateways for your SMTP traffic? Or did you want traffic load balanced between them?

Karlos
Community Support Engineer | Sophos Technical Support
Knowledge Base | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'This helped me' link.
Cancel
Vote Up 0 Vote Down

Cancel
0 dirkkotte over 1 year ago in reply to GernotMeyer

Do you really configure "set routing sd-wan-policy-route system-generate-traffic enable" as described within the article you linked?

Otherwise, SD-Wan routes are not used for "system generated traffic"

Dirk

Systema Gesellschaft für angewandte Datentechnik mbH // Sophos Platinum Partner
Sophos Solution Partner since 2003
If a post solves your question, click the 'Verify Answer' link at this post.
Cancel
Vote Up 0 Vote Down

Cancel
0 GernotMeyer over 1 year ago in reply to dirkkotte

Hi,

sorry for late answer:

Here result of ssh commands:

console> show routing sd-wan-policy-route system-generate-traffic
SD-WAN policy route is turned on for system-generated traffic.

console> system route_precedence show
Routing Precedence:
1. Static routes
2. VPN routes
3. SD-WAN policy routes
Cancel
Vote Up 0 Vote Down

Cancel
0 GernotMeyer over 1 year ago in reply to Karlos

Hi, Port 10 and 2 can be used. load balaced or wighted. But NO other port should be used but will be.

Best Gernot
Cancel
Vote Up 0 Vote Down

Cancel
0 dirkkotte over 1 year ago in reply to GernotMeyer

If a static route matches, the traffic use this way..

Would try to move the SD-WAN policy routes to top.

Dirk

Systema Gesellschaft für angewandte Datentechnik mbH // Sophos Platinum Partner
Sophos Solution Partner since 2003
If a post solves your question, click the 'Verify Answer' link at this post.
Cancel
Vote Up +1 Vote Down

Cancel