
SD-WAN and Normal Firewall Rules

XG86 Firewall v19.0MR1
TL;DR: When I enable SD-WAN for a certain zone to use a different gateway, all other rules on that zone are ignored.

I have 2 zones and 2 WANs.
The first LAN zone uses ISP1, with ISP2 as a backup.
For the second zone I need ISP2 as default and ISP1 as backup...
On v17 this worked perfectly.
On v18 and v19 it worked because my old rule was automatically transformed into a "migrated rule" on the SD-WAN tab.
The problem began when I deleted this "migrated SD-WAN rule" and recreated a normal one.

Maybe I don't understand something, maybe not... but in this way the WAN works, but all the rules for the second zone are completely ignored.
One rule permits Zone2 to reach an IP in Zone1... with the new SD-WAN rule disabled, this works :/

Some help?



  • Make sure that you have explicitly selected the "network" or "host" in the source while creating the SD-WAN route. To give you exact solutions, could you share a screenshot of the configuration?

  • I checked another client now with a similar configuration, same model and firmware, and in that installation everything works correctly.
    The only difference, I think, is that the other one doesn't have a migrated rule and had v18 from the start (I'm not super sure though).

    The SD-WAN rule works as expected, but all traffic goes to the WAN, I don't know why (in the log I see packets for the 192.168.0.x LAN using the "go to WAN" rule instead of being blocked, as the default rule of the firewall does for traffic from this zone to the LAN zone).

  • Is this zone marked as "WAN" type? You can check it under Network >> Zones.


  • Of course not...
    It is a VLAN (the other client, where it works, is a VLAN and uses the default WiFi zone too).

  • So as I understand it, you have 2 zones: LAN and WiFi zone, both defined as LAN type. Then you have an SD-WAN policy defined for the WiFi zone to be routed through the WAN gateways, with GWEolo as the primary link and GWTim as the secondary link, and both are marked as Active in the WAN Link Manager.

    The issue statement, as I understand it, is that the traffic is routed using the SD-WAN rule logic, while as per the firewall rules defined, it should get blocked.

    Please confirm if the understanding is correct.

  • Not exactly.

    I put my rules here as an example of what I mean.



    If I disable the SD-WAN rule, I can access this printer/NAS/server from my WiFi zone.

    With the SD-WAN rule active I can't, and the log shows me that only the bottom rule is hit. All the others are ignored. All traffic goes straight to the WAN regardless of the destination IP.
    So this WiFi-to-LAN traffic doesn't hit any rule, but the log even shows me that my ping test hits the rule "Wifi Internet" regardless of the WAN destination on it (and not the LAN).

    I know it is very, very strange... When the client has a break I'll try to reboot the firewall.

  • You can try the following:

    1) Add a gateway for the LAN segment (Routing >> Gateways).

    2) Add an SD-WAN route defining the source network as Wi-Fi and the destination network as the LAN segments, and map the "LAN Gateway" as the gateway for this communication.

    Make sure this rule is placed above the existing SD-WAN rule.

    This should route the LAN traffic using the correct firewall rules and route.

  • I found the solution.... (probably your fix can work too, but I don't like it... it is too "hacky")

    It is the routing precedence... the v17 default is different from v18.

    After I used this command, everything works as expected:

    system route_precedence set static sdwan_policyroute vpn

    Link to the doc
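To see why the precedence order matters, here is an added example (not from the thread or from Sophos) that models a simplified route lookup: a packet is checked against each routing table in the configured precedence order and the first hit wins. The subnets, the gateway names GWEolo/GWTim and the "policy route first" order used as the "before" case are constructed assumptions; it is not SFOS's actual implementation.

```python
import ipaddress

# Constructed topology modelled on the thread: WiFi VLAN and LAN zone (both LAN type),
# an SD-WAN policy route sending all WiFi traffic to the WAN gateways.
STATIC_ROUTES = [  # (destination prefix, next hop) - directly connected networks
    ("192.168.0.0/24", "direct:LAN"),     # LAN zone, holds the printer/NAS/server
    ("192.168.10.0/24", "direct:WIFI"),   # assumed WiFi VLAN subnet
]
SDWAN_POLICY_ROUTES = [  # (source prefix, destination prefix, primary gateway)
    ("192.168.10.0/24", "0.0.0.0/0", "GWEolo"),  # "Wifi Internet": any destination
]
VPN_ROUTES = []  # no VPN routes in this scenario

def lookup_static(dst):
    """Longest-prefix match over static/connected routes."""
    best = None
    for prefix, next_hop in STATIC_ROUTES:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

def lookup_sdwan(src, dst):
    """Policy routes are matched top-down on source AND destination."""
    for src_pfx, dst_pfx, gw in SDWAN_POLICY_ROUTES:
        if src in ipaddress.ip_network(src_pfx) and dst in ipaddress.ip_network(dst_pfx):
            return gw
    return None

def route(src, dst, precedence):
    """Return (table, next_hop) for the first table in `precedence` that matches."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for table in precedence:
        if table == "sdwan_policyroute":
            hit = lookup_sdwan(src, dst)
        elif table == "static":
            hit = lookup_static(dst)
        else:  # "vpn"
            hit = next((gw for p, gw in VPN_ROUTES if dst in ipaddress.ip_network(p)), None)
        if hit:
            return table, hit
    return "default", "GWTim"  # fallback: default route from the WAN link manager

if __name__ == "__main__":
    wifi_client, lan_printer = "192.168.10.5", "192.168.0.20"
    # Assumed "before" order: the catch-all policy route swallows WiFi->LAN traffic.
    print(route(wifi_client, lan_printer, ["sdwan_policyroute", "static", "vpn"]))
    # Order set by the thread's fix: the connected LAN route wins, WAN stays SD-WAN.
    print(route(wifi_client, lan_printer, ["static", "sdwan_policyroute", "vpn"]))
```

In the first order the WiFi-to-LAN packet is sent to GWEolo, which is exactly the "only the bottom rule is hit" symptom; in the second order it stays on the LAN, while Internet-bound traffic still takes the SD-WAN gateway.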
