
snat multiple gateways

SNAT with multiple WAN gateways isn't working.

WAN Gateway 1 = Port3 - it's public with a /27 worth of aliases

WAN Gateway 2 = Port5 - it's public with a /28 worth of aliases

(IP Host) SNAT with Port3 aliases work for all of the rules I've created.

(IP Host) SNAT rules for Port5 don't work at all. They use the main Port3 address no matter what I do.

Anyone know how to fix this? I'm not doing anything exotic. Not using SD-WAN or failover... just simple rules for in and simple rules for out.



[edited by: Raphael Alganes at 9:57 AM (GMT -7) on 16 Oct 2024]
  • Working SNAT Out

    Source: Data g68
    Service: Any service
    Destination: Any host
    Source: R199_4 -Port3:6
    Service: Original
    Destination: Original
    Inbound: Any interface
    Outbound: Any interface
    Last used: 2024-10-16 02:56:24

    Working Firewall rule Out

    LAN, g68
    WAN, Any host
    DNS, NTP, PING, 71..

    So I have 12 rules like the above all working using port3 aliases.

    As a simple test: if I take the above working rule and change it to Source: Port5:6, the traffic fails.

    I've also tried 

    Source: Data g68
    Service: Any service
    Destination: Any host
    Source: R199_4 -Port3:6
    Service: Original
    Destination: Original
    Inbound: Port1
    Outbound: Port5
    Last used: 2024-10-16 02:56:24

    Even tried Masq with "Override source translation (SNAT) for specific outbound interfaces" 

     

    echo "           __     __         __         __     __    _______               ";
    echo ".--------.|__|.--|  |.-----.|__|.-----.|  |--.|  |_ |     __|.--.--..-----.";
    echo "|        ||  ||  _  ||     ||  ||  _  ||     ||   _||__     ||  |  ||     |";
    echo "|__|__|__||__||_____||__|__||__||___  ||__|__||____||_______||_____||__|__|";
    echo "                                |_____|                                    ";

    ~~~ I miss Port 17. Remember using telnet to get the Quote of the Day? Maybe I'll set one up for all the port scanners.  ~~~ 

  • Hello,

    Your SNAT rule should be as below:

    Mayur Makvana
    Technical Account Manager | Global Customer Experience

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question please use the 'Verify Answer' button.

  • Why? I need controlled outbound connections via each interface alias. 

    Original source - Translated source (SNAT)

    The above pic looks like all connections can access all external connections. I don't see any separation.


  • Hello,

    You need to review the settings of "Override source translation (SNAT) for specific outbound interfaces" in the snapshot shared. You might want to open a support ticket to understand or differentiate it. Do share the ticket number with us for tracking purposes.

    Mayur Makvana
    Technical Account Manager | Global Customer Experience


  • I thank you for the info and will try the changes.

    In the above default SNAT IPv4 you modified and created ranges for each different interface Port. Do all SNAT rules above rely on this default rule? I still don't understand why SNAT port3 alias rules work without "Override source translation" and Port5 wouldn't?    


  • Hello,

    The NAT policy is executed with a top-down approach. If any matching NAT rule is found, then the traffic passes through it. It would not go on to check further NAT rules.

    When having multiple gateways and wanting to SNAT with different alias IPs, we need to configure "Override source translation (SNAT) for specific outbound interfaces".

    Mayur Makvana
    Technical Account Manager | Global Customer Experience

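The top-down, first-match evaluation and the per-outbound-interface override described in the reply above, as an added toy model (not code from the thread or from Sophos; the rule names, alias names such as Port3:6 / Port5:6 and the host group g68 are taken from the posts, the interface names are assumed):

```python
# Added illustration: a minimal model of first-match SNAT policy evaluation.
# It is not Sophos code; field names and semantics are simplified assumptions.
from dataclasses import dataclass, field

ANY = "Any"


@dataclass
class SnatRule:
    name: str
    src: str                 # original source, e.g. host group "g68"
    outbound: str = ANY      # outbound interface criterion, ANY or e.g. "Port5"
    translated: str = ""     # translated source for a plain SNAT rule
    # "Override source translation (SNAT) for specific outbound interfaces":
    # outbound interface -> translated source, consulted before `translated`
    override: dict = field(default_factory=dict)

    def matches(self, src: str, out_if: str) -> bool:
        return self.src in (ANY, src) and self.outbound in (ANY, out_if)

    def translate(self, out_if: str) -> str:
        return self.override.get(out_if, self.translated)


def apply_snat(rules, src: str, out_if: str):
    """Top-down: the first matching rule decides; later rules are never consulted."""
    for rule in rules:
        if rule.matches(src, out_if):
            return rule.name, rule.translate(out_if)
    return None, None


# Constructed policies. `shadowed` mirrors the thread: both rules match
# Inbound/Outbound "Any interface", so the Port5 rule is never reached.
shadowed = [
    SnatRule("g68 via Port3", "g68", translated="Port3:6"),
    SnatRule("g68 via Port5", "g68", translated="Port5:6"),   # shadowed
]
# Scoping the Port5 rule to its outbound interface and placing it first.
reordered = [
    SnatRule("g68 via Port5", "g68", outbound="Port5", translated="Port5:6"),
    SnatRule("g68 via Port3", "g68", translated="Port3:6"),
]
# One rule whose translated source depends on the outbound interface.
overridden = [
    SnatRule("g68 multi-WAN", "g68",
             override={"Port3": "Port3:6", "Port5": "Port5:6"}),
]
```

Run `apply_snat(shadowed, "g68", "Port5")` to see the Port3 alias returned regardless of egress interface, then compare with `reordered` and `overridden`.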