Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 8 replies
  • Answers 1 answer
  • Subscribers 36 subscribers
  • Views 3171 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SD-WAN and Normal Firewall Rules

Giovanni Meroni

XG86 Firewall v19.0MR1
TLDR: When i enable SD-Wan for a certain zone to use differente Gateway all other rules on that zone is ignored

I have 2 Zone and 2 Wan.
First LAN zone use ISP1 and ISP2 as a backup
For the Second Zone i need ISP2 default and ISP1 as backup...
On v17 this work perfectly
On v18 and v19 work because transformerd my old rule automatically on "migrated rule on sdwan tab"
The problem begin when i deleted this "migrated sdwan rule" and recreated normal one.

Maybe i dont understand something maybe not... but in this way the WAN work but all the rules for the second Zone is completely ignored
One rule permit Zone2 to reach an IP in Zone1... disabled the new SD-WAN rule and this work :/

Some help??



This thread was automatically locked due to age.
Parents Reply
  • 0 in reply to Giovanni Meroni

    So as I understand you have 2 Zones: LAN and WiFi zone, both defined as LAN Type. Then you have SD WAN policy defined for the WiFi Zone to be routed through WAN Gateways with GWEolo as primary link and GWTim as secondary link and both are marked as Active in the WAN Link Manager.

    The issue statement as I understand is that the traffic is routed using the SDWAN rule logic, while as per Firewall Rules defined, it should get blocked.

    Please confirm if the understanding is correct.

Children
  • 0 in reply to Mayuresh Bhagwat

    Not exactly

    I put my rule as example of what i mean.



    If i disable sd-wan rule i can access this printer/nas/server from my wifi zone.

    With SD-WAN rule active i cant and log show me only the bottom rule is hitted. All the others is ignored. All traffic go streight to the WAN regaldless of destination IP.
    As this rules WIFI to LAN traffic dont hit any rule but even the log show me that my ping test hit the rule "Wifi Internet" regaldless of WAN destination on it. (and not LAN)

    I know is very very strange... When the client have a break i try to reboot the firewall

  • 0 in reply to Giovanni Meroni

    You can try the following:

    1) Add a Gateway for LAN segment (Routing >> Gateways)

    2) Add a SD WAN route defining the Source network as Wi-Fi and Destination network as LAN segments and map the "LAN Gateway" as the Gateway for this communication

    Make sure this rule is placed above the existing SD WAN rule.

    This should route the LAN traffic using the correct FW rules and Route.

  • +1 in reply to Mayuresh Bhagwat

    I found the solution.... (probably your fix can work too but i dont like it... is too "hacky")

    Is the routing precedence... in v17 default different from v18

    After i used this command all work as expected:

    system route_precedence set static sdwan_policyroute vpn

    Link to the  doc

Unfiltered HTML