
snat multiple gateways

SNAT with multiple WAN gateways isn't working.

WAN Gateway 1 = Port3 - it's public with a /27 worth of aliases

WAN Gateway 2 = Port5 - it's public with a /28 worth of aliases

(IP Host) SNAT with Port3 aliases work for all of the rules I've created.

(IP Host) SNAT rules for Port5 don't work at all. They use the main Port3 address no matter what I do.

Anyone know how to fix this? I'm not doing anything exotic. Not using SD-WAN or failover... Just simple rules for in and simple rules for out.



Added TAGs
[edited by: Raphael Alganes at 9:57 AM (GMT -7) on 16 Oct 2024]
  • You have a default SNAT, which will use the SNAT IP of the interface.

    If you want to specify the alias of the port, you need your own SNAT rule matching the traffic you want to SNAT.

    Your use case is here: https://docs.sophos.com/nsg/sophos-firewall/20.0/help/en-us/webhelp/onlinehelp/AdministratorHelp/Email/HowToArticles/EmailSetupMTAModeWithMultipleWANPortsOrAliasIPAddresses/index.html 


  • Sophos support call recap.

    Support verified SNAT was working for #Port3 aliases but wasn't working for #Port5 aliases. 

    All #Port5 traffic was trying to exit #Port3 using the Default SNAT rule instead of the SNAT rule it should have used.

    The workaround was to create SD-WAN routes for #Port5 "ONLY". Once this was done, the original #Port5 SNAT rules worked as expected.

    After hanging up, the crazy thing (to me) is that #Port3 SD-WAN routes don't work. The system sees my #Port3 as the primary WAN and requires SNAT rules as normal only for #Port3. As a software dev, IMO if the end user isn't using SD-WAN routes it should be off. Remove the layer at minimum. If SD-WAN routes are enabled, then enable the layer. Not intuitive at all. I assume that since "Load-Balancing" is on by default with multiple WANs, this is what's breaking SNAT.

    Example of an SD-WAN rule to trigger.

    In closing, SFOS support was going to send me to the "configuration team". I'm glad I talked them into figuring out why SNAT wasn't working as all the docs said it should have. Hope I never need to contact support again, but it's good to know if I do it will get solved. Thanks!

    echo "           __     __         __         __     __    _______               ";
    echo ".--------.|__|.--|  |.-----.|__|.-----.|  |--.|  |_ |     __|.--.--..-----.";
    echo "|        ||  ||  _  ||     ||  ||  _  ||     ||   _||__     ||  |  ||     |";
    echo "|__|__|__||__||_____||__|__||__||___  ||__|__||____||_______||_____||__|__|";
    echo "                                |_____|                                    ";

    ~~~ I miss Port 17. Remember using telnet to get the Quote of the Day? Maybe I'll set one up for all the port scanners.  ~~~ 
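As an added illustration (not SFOS code and not part of the original thread), the following Python toy models the route-then-SNAT order the recap above describes. Interface names, addresses, networks and rule names are constructed sample values. It shows why a SNAT rule bound to the second WAN port never fires while the default route still sends that traffic out the primary port, and why a policy route (standing in for the SD-WAN route used in the workaround) makes the same rule match.

```python
"""Toy model of a route-then-SNAT pipeline (added example, not SFOS code).

All interfaces, addresses and rule names below are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed interface table: each WAN port has a primary address plus aliases.
INTERFACES = {
    "Port3": {"primary": "203.0.113.33", "aliases": ["203.0.113.34", "203.0.113.35"]},
    "Port5": {"primary": "198.51.100.17", "aliases": ["198.51.100.18", "198.51.100.19"]},
}


@dataclass
class SNATRule:
    name: str
    src_net: str          # original source network the rule matches
    out_iface: str        # outbound interface the rule is bound to
    translated_ip: str    # alias used as the translated source


@dataclass
class PolicyRoute:
    """Stands in for an SD-WAN route: force matching sources out a chosen WAN."""
    name: str
    src_net: str
    gateway_iface: str


@dataclass
class Firewall:
    default_gateway_iface: str
    policy_routes: list = field(default_factory=list)
    snat_rules: list = field(default_factory=list)

    def route(self, src_ip: str) -> str:
        """Policy routes are consulted first; otherwise the default gateway wins."""
        ip = ipaddress.ip_address(src_ip)
        for pr in self.policy_routes:
            if ip in ipaddress.ip_network(pr.src_net):
                return pr.gateway_iface
        return self.default_gateway_iface

    def snat(self, src_ip: str) -> tuple:
        """Return (egress interface, rule name, translated source address).

        Specific rules are evaluated top-down and must match both the source
        and the interface the packet actually leaves on. If none matches, the
        implicit default SNAT masquerades to the egress interface's primary IP.
        """
        egress = self.route(src_ip)
        ip = ipaddress.ip_address(src_ip)
        for rule in self.snat_rules:
            if ip in ipaddress.ip_network(rule.src_net) and rule.out_iface == egress:
                return egress, rule.name, rule.translated_ip
        return egress, "Default SNAT", INTERFACES[egress]["primary"]


def build_firewall(with_policy_route: bool) -> Firewall:
    """Two WANs, Port3 is the default gateway; one SNAT rule per WAN (constructed)."""
    fw = Firewall(default_gateway_iface="Port3")
    fw.snat_rules = [
        SNATRule("web-out-port3", "10.0.1.0/24", "Port3", "203.0.113.34"),
        SNATRule("mail-out-port5", "10.0.2.0/24", "Port5", "198.51.100.18"),
    ]
    if with_policy_route:
        fw.policy_routes.append(PolicyRoute("force-port5", "10.0.2.0/24", "Port5"))
    return fw


def trace(with_policy_route: bool) -> dict:
    """Map each constructed source host to its (egress, rule, translated IP)."""
    fw = build_firewall(with_policy_route)
    return {src: fw.snat(src) for src in ("10.0.1.10", "10.0.2.10")}


if __name__ == "__main__":
    for flag in (False, True):
        print("policy (SD-WAN) route present:", flag)
        for src, (iface, rule, tip) in trace(flag).items():
            print(f"  {src} -> egress {iface} via '{rule}', source becomes {tip}")
```

Without the policy route, 10.0.2.10 is routed out Port3, so the Port5-bound rule cannot match and the traffic falls through to the default SNAT with Port3's primary address, which is the symptom reported in the thread. With the policy route in place, the same packet egresses Port5 and the alias rule applies.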

  • This wasn't really the answer. So it shouldn't be marked as the answer. Thanks for your input as always though.