
Sophos Firewall Route traffic through GRE Tunnel

Hello,

I am really struggling with this and would greatly appreciate any help that could be given. I have set up an X4B.net GRE tunnel using this guide: https://support.sophos.com/support/s/article/KB-000035813?language=en_US#GRE_route. This seems to be functioning and I can ping the remote gateway from the Sophos Firewall (as long as I do not select an interface under Diagnostics > Tools > Ping).

The difficulty that I am currently having is that I can't seem to find a way of routing SMTP traffic to the GRE tunnel. As this is a GRE tunnel, nothing for it shows in the control panel so I am not sure how to route this traffic as there is no visible interface for this tunnel.

GRE / IPIP is the only option that I have at the moment and routing SMTP through the X4B tunnel is supported, I just don't know how to configure this on the Sophos Firewall.

I have tried creating a NAT rule but every time I send an email to the Sophos Firewall, it's sent out via the WAN port instead of the GRE tunnel.

I'd really appreciate any help that could be given. I've spent days on this and I am really unfamiliar with the Sophos Firewall as I am still currently using the Sophos UTM and haven't yet moved over fully to the Sophos Firewall.

Cheers,
Richard



  • Hello,

    Thanks for reaching out to Sophos Community.

    Could you check in your SF console and select option. Then, enter the following command: system route_precedence show

    The result must show the following:

    Routing Precedence:
    1. Policy routes
    2. VPN routes
    3. Static routes

    If VPN routes are not above Static routes, re-arrange the route precedence by entering the following command:

    system route_precedence set policyroute vpn static

    Kindly let us know how it goes. Have a nice day and thank you for choosing Sophos.

    Regards,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support

  • Hi Raphael,

    Thank you so much for getting back to me and for providing me with the info and commands. I ran the first command and this returned the following:

    Routing Precedence:
    1. Static routes
    2. SD-WAN policy routes
    3. VPN routes

    I don't seem to have "Policy routes" but I have "SD-WAN policy routes".

    The second command didn't work for me (not sure why?), but I tried "sdwan_policyroute" instead, which it did accept. The routes now show as:

    Routing Precedence:
    1. SD-WAN policy routes
    2. VPN routes
    3. Static routes

    I've tried sending another test email after making that change but it's still routing through the WAN port (PortB) and showing the WAN IP address as the sender of the message in the email header.

    I am not sure if I have missed something; I have a feeling that routing needs to be set up via the CLI? I only have a MASQ NAT rule set up at the moment. I used this guide: Sophos Firewall: How to setup MTA mode when you have multiple WAN ports or alias IP addresses.

    Regards,
    Richard