XG v18.5: MTA mode and alias IP addresses

Do you configure "set routing sd-wan-policy-route system-generate-traffic enable" and "system route_precedence set static vpn sdwan_policyroute"

from your linked URLs https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/122602/sophos-firewall-how-to-setup-mta-mode-when-you-have-multiple-wan-ports-or-alias-ip-addresses

or from https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/CommandLineHelp/DeviceConsole/Set/index.html#routing

Hi Dirk, thank you for your reply. As far as I know, SD-Wan can only be used when multiple Internet Service Providers (WAN-Ports) are available. Did I understand this correctly?

Can I skip the "Create a SD-WAN Rule with Destination ANY and Service SMTP" point in the instructions and only execute the two commands below?

set routing sd-wan-policy-route system-generate-traffic enable
system route_precedence set static vpn sdwan_policyroute

Do you see a risk here because the system is a production environment and I have no experience with SD-Wan. could i contact you directly about this?

Best regards

Fridolin

Hi Fridolin,

you can use SD-WAN with only one ISP too. (i use this at home, because traffic is counted)

But right, it is created to distribute traffic over multiple provider.

The part "If you have a single WAN interface with multiple alias IP addresses. Configure a NAT rule for SMTP with the specific public IP traffic that traffic will be sent from."

from : https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/122602/sophos-firewall-how-to-setup-mta-mode-when-you-have-multiple-wan-ports-or-alias-ip-addresses

should work ...

But I think after MTA is processing the mail, your exchange isn't the source any more.

Try "any" within your source NAT and if it works, check logviewer to tune the rule more specific.

Feel free to send me a PM. But I am very busy currently.

Thanks Dirk, I could solve the issue by select Any as original source. 

However, it is still unclear to me why the IP of the exchange is not the sender and can be set as a source.