
snat multiple gateways

SNAT with multiple WAN gateways isn't working.

WAN Gateway 1 = Port3 - it's public with a /27 worth of aliases

WAN Gateway 2 = Port5 - it's public with a /28 worth of aliases

(IP Host) SNAT with Port3 aliases work for all of the rules I've created.

(IP Host) SNAT rules for Port5 don't work at all. They use the main Port3 address no matter what I do.

Anyone know how to fix this? I'm not doing anything exotic. Not using SD-WAN or failover... Just simple rules for in and simple rules for out.



Added TAGs
[edited by: Raphael Alganes at 9:57 AM (GMT -7) on 16 Oct 2024]
  • Hello,

    Can you paste a snapshot of the firewall rules and NAT policies you created?

    Mayur Makvana
    Technical Account Manager | Global Customer Experience


  • Working SNAT Out

    Original source: Data g68
    Original service: Any service
    Original destination: Any host
    Translated source (SNAT): R199_4 -Port3:6
    Translated service: Original
    Translated destination: Original
    Inbound interface: Any interface
    Outbound interface: Any interface
    Last used: 2024-10-16 02:56:24

    Working firewall rule Out

    Source: LAN, g68
    Destination: WAN, Any host
    Services: DNS, NTP, PING, 71..

    So I have 12 rules like the above, all working using Port3 aliases.

    As a simple test, if I take the above working rule and change it to Source: Port5:6, the traffic fails.

    I've also tried

    Original source: Data g68
    Original service: Any service
    Original destination: Any host
    Translated source (SNAT): R199_4 -Port3:6
    Translated service: Original
    Translated destination: Original
    Inbound interface: Port1
    Outbound interface: Port5
    Last used: 2024-10-16 02:56:24

    I even tried Masq with "Override source translation (SNAT) for specific outbound interfaces".

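The following Python model is an added example for this thread; it is not code from the poster, from Sophos, or from SFOS. It models the ordering that netfilter-based firewalls use: source NAT is evaluated in POSTROUTING, after the routing decision, so a NAT rule's "Outbound interface" criterion is compared with the interface that routing has already chosen. Assuming SFOS follows that order, a rule bound to Port5 can only match once something (here a policy route, standing in for an SD-WAN route) sends the flow out Port5; with nothing but a default route via Port3, every flow leaves Port3. The subnets, the alias address and Port1 as the LAN interface are constructed placeholders, not the values from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed topology modelled on the thread. The public subnets are
# documentation-range placeholders; the real /27 and /28 are not on the page,
# and Port1 as the LAN interface is an assumption.
IFACES = {
    "Port1": ipaddress.ip_network("10.68.0.0/24"),     # LAN ("Data g68", assumed)
    "Port3": ipaddress.ip_network("203.0.113.0/27"),   # WAN gateway 1 (placeholder)
    "Port5": ipaddress.ip_network("198.51.100.0/28"),  # WAN gateway 2 (placeholder)
}

@dataclass
class Route:
    dst: ipaddress.IPv4Network
    out_iface: str

@dataclass
class PolicyRoute:
    """SD-WAN style route: picks the gateway by source, ahead of the routing table."""
    src: ipaddress.IPv4Network
    out_iface: str

@dataclass
class NatRule:
    src: ipaddress.IPv4Network
    out_iface: Optional[str]          # None = "Any interface"
    snat_ip: ipaddress.IPv4Address    # translated source (an interface alias)

def route_lookup(src, dst, policy_routes, routes):
    """Policy routes first, then longest-prefix match in the routing table."""
    for pr in policy_routes:
        if src in pr.src:
            return pr.out_iface
    best = None
    for r in routes:
        if dst in r.dst and (best is None or r.dst.prefixlen > best.dst.prefixlen):
            best = r
    return best.out_iface if best else None

def egress(src, dst, policy_routes, routes, nat_rules):
    """Return (out_iface, snat_ip, consistent).

    Source NAT is evaluated after the routing decision (netfilter POSTROUTING
    order), so the rule's outbound-interface criterion is compared with the
    interface routing already chose. 'consistent' is False when the translated
    address does not belong to the egress interface's subnet: the upstream
    provider may drop it as spoofed, and any replies arrive on the other WAN port.
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    out = route_lookup(src, dst, policy_routes, routes)
    snat = None
    for rule in nat_rules:
        if src in rule.src and (rule.out_iface is None or rule.out_iface == out):
            snat = rule.snat_ip
            break  # first match wins, as in an ordered NAT table
    consistent = out is not None and snat is not None and snat in IFACES[out]
    return out, (str(snat) if snat is not None else None), consistent

def demo():
    """Three scenarios from the thread, against a single default route via Port3."""
    lan = ipaddress.ip_network("10.68.0.0/24")
    routes = [Route(ipaddress.ip_network("0.0.0.0/0"), "Port3")]
    port5_alias = ipaddress.ip_address("198.51.100.6")  # stands in for "Port5:6"
    src, dst = "10.68.0.10", "192.0.2.53"                # constructed LAN host / Internet host
    return {
        # SNAT to a Port5 alias, outbound "Any interface", no policy route:
        # the flow still leaves Port3 carrying a Port5-subnet source address
        "any_iface_no_policy": egress(src, dst, [], routes,
                                      [NatRule(lan, None, port5_alias)]),
        # SNAT bound to outbound Port5, no policy route: the rule never matches
        "port5_no_policy": egress(src, dst, [], routes,
                                  [NatRule(lan, "Port5", port5_alias)]),
        # Same rule once a policy route steers the LAN out Port5
        "port5_with_policy": egress(src, dst, [PolicyRoute(lan, "Port5")], routes,
                                    [NatRule(lan, "Port5", port5_alias)]),
    }

if __name__ == "__main__":
    for name, (out, snat, ok) in demo().items():
        print(f"{name:22} out={out} snat={snat} consistent={ok}")
```

The check to take from this is the `consistent` flag: whichever way the NAT rule is written, the translated source must belong to the interface the packet actually leaves on, and that interface is chosen by routing, not by the NAT rule.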
