
Disallow some clients on LAN to use backup gateways

Hello everyone.

I am running Sophos Firewall SFVH (SFOS 19.5.3 MR-3-Build652).
I have a primary fiber internet connection and a 4G connection as a backup gateway. This is set to enable when the primary connection fails.

I want to disallow Internet connection to some clients on the LAN side through the 4G gateway, to save bandwidth.

How can this be achieved?



  • Hi,

    I suggest you investigate client groups, linked NAT rules and sd-wan features.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • I solved it using SD-WAN profiles and SD-WAN routes.

    SD-WAN Profiles:

    Create two profiles, one for the main gateways and one for the backup gateways. In my case, using load balancing.

    SD-WAN Routes

    I used this approach: block everything and let some clients pass. You can choose the other way around, depending on your needs.

    Create an SD-WAN Route using the LAN as the incoming interface. In Source Networks, add the definitions for the computers allowed to use all gateways. Check "Select SD-WAN Profile" in the "Link selection settings". As the SD-WAN Profile, select the main gateway profile created earlier.

    For the block-everything route, create a new SD-WAN Route using the LAN as the incoming interface, and check "Select SD-WAN Profile" in the "Link selection settings". As the SD-WAN Profile, select the main gateway profile created earlier, and be sure to check "Route only through specified gateways".

    This way, when the main gateways are offline and the backup gateways take over, the computers in the LAN will not connect to the internet.

    In my case, I have servers in the DMZ zone that will use the default gateways in Routing / Gateways.