When using MTA mode for email delivery, if you have multiple WAN interfaces or public IP addresses, it’s necessary to create an outbound rule to forward mail via one interface or IP address.
Depending on your WAN and alias IP configuration, you must configure the following options:
Create a NAT rule for SMTP with the specific IP address the traffic will be sent from
Rule name: Enter a name.
Rule group: Select a rule group or create one. The firewall rule will belong to this group.
  If you select Automatic, the firewall rule is added to an existing group based on the first match with rule type and source-destination zones.
Original source: Specify ANY.
Translated source (SNAT): Specify MASQ.
Original destination
Translated destination (DNAT): Select Original.
Original service: Select SMTP.
Translated service (PAT)
Inbound interface: Select Any.
Outbound interface: Select the WAN interface or alias IP address from which traffic specified in this rule exits Sophos Firewall.
Note: You can create loopback and reflexive rules for destination NAT rules. They are created using the original NAT rule ID and name. Changing the original NAT rule settings later doesn’t change loopback and reflexive rule settings.
The following screenshot shows an example NAT rule.
Create an SD-WAN rule with destination ANY and service SMTP
Incoming interface: Select the interface through which SMTP traffic enters Sophos Firewall.
  Deleting the interface also deletes the policy route.
DSCP marking: Select the level of DSCP marking to match incoming packets for priority. For details, see DSCP Value.
  Expedited forwarding (EF): Priority queuing that ensures low delay and packet loss. Suitable for real-time services.
  Assured forwarding (AF): Assured delivery, but with packet drop if congestion occurs. Assigns packets a higher priority than best-effort.
  Class selector (CS): Backward compatibility with network devices that use IP precedence in type of service.
Source networks and Destination networks: Select ANY as both source and destination networks.
Services: Select SMTP.
Application object: Leave blank.
Users or groups: Select ANY.
Primary gateway: Select the primary gateway to route traffic.
  If you delete the selected gateway, Sophos Firewall will delete the policy route and implement WAN link load balance to route traffic.
  If the primary gateway goes down, Sophos Firewall routes traffic through the backup gateway. When the primary gateway comes back up, XG Firewall routes traffic through it.
Backup gateway: If you've configured more than one gateway, select the backup gateway.
  If you delete the selected gateway, Sophos Firewall sets the backup gateway to None.
Override gateway monitoring decision: Select if you want to route traffic through the selected gateway, even if the gateway is down.
The following screenshot shows an example SD-WAN policy route.
Change the Route Precedence to Static - VPN - SD-WAN
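The three steps above interact, and the following simplified Python model, added here rather than taken from Sophos, shows how the route precedence decides where an SMTP connection opened by the firewall's MTA leaves and which source IP the MASQ rule gives it. The topology, the alias IP assignment, the tunnel ipsec0 and the matching logic are constructed assumptions for illustration, not Sophos Firewall's actual implementation.

```python
from ipaddress import ip_address, ip_network

# Constructed topology, not from the article: a LAN port, one WAN port whose alias IP carries
# outbound mail, and a hypothetical IPsec tunnel to a remote site.
INTERFACE_IP = {"Port1": "10.53.21.254", "Port2": "88.23.24.163", "Port2:1": "88.23.24.164"}
STATIC_ROUTES = [("10.53.21.0/24", "Port1")]   # directly connected LAN
VPN_ROUTES = [("10.60.0.0/16", "ipsec0")]       # remote site behind the tunnel (assumed)
SDWAN_RULES = [dict(service=25, src="0.0.0.0/0", dst="0.0.0.0/0", gateway="Port2:1")]  # ANY/ANY SMTP
NAT_RULES = [dict(service=25, out_if="Port2:1", snat="MASQ")]  # SNAT to the alias IP on egress
DEFAULT_GATEWAY = "Port2"                        # WAN link manager when nothing else matches
SMTP = 25

def _lookup(routes, dst):
    """Longest-prefix match over (network, interface) routes; None when nothing matches."""
    hits = [(ip_network(n), i) for n, i in routes if ip_address(dst) in ip_network(n)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def egress_interface(src, dst, dport, precedence):
    """Walk the route stages in the configured precedence; the first stage with a match wins."""
    for stage in precedence:
        if stage == "Static":
            hit = _lookup(STATIC_ROUTES, dst)
        elif stage == "VPN":
            hit = _lookup(VPN_ROUTES, dst)
        elif stage == "SD-WAN":
            hit = next((r["gateway"] for r in SDWAN_RULES
                        if r["service"] == dport
                        and ip_address(src) in ip_network(r["src"])
                        and ip_address(dst) in ip_network(r["dst"])), None)
        else:
            raise ValueError(f"unknown stage {stage!r}")
        if hit:
            return hit
    return DEFAULT_GATEWAY

def source_after_nat(src, out_if, dport):
    """First NAT rule matching service and outbound interface; MASQ rewrites to that interface's IP."""
    for rule in NAT_RULES:
        if rule["service"] == dport and rule["out_if"] == out_if:
            return INTERFACE_IP[out_if] if rule["snat"] == "MASQ" else rule["snat"]
    return src  # no rule matched (e.g. tunnel or LAN egress): source unchanged

def deliver(dst, precedence=("Static", "VPN", "SD-WAN")):
    """Egress interface and source IP of an SMTP connection the firewall's MTA opens to dst."""
    src = INTERFACE_IP["Port1"]  # firewall-originated; the SD-WAN rule uses ANY, so the value is immaterial
    out_if = egress_interface(src, dst, SMTP, precedence)
    return out_if, source_after_nat(src, out_if, SMTP)

if __name__ == "__main__":
    print(deliver("203.0.113.10"))                            # internet: ('Port2:1', '88.23.24.164')
    print(deliver("10.60.5.5"))                               # tunnel: ('ipsec0', '10.53.21.254')
    print(deliver("10.60.5.5", ("Static", "SD-WAN", "VPN")))  # SD-WAN before VPN pulls tunnel mail out the WAN
```

With SD-WAN evaluated before VPN, the ANY/ANY SMTP policy route captures mail destined for the tunnel network as well, which is why the precedence is set to Static - VPN - SD-WAN.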
multiple ports open for port forward
In the case that I have two email servers in my LAN: servmail1 with IP 10.53.21.1 and servmail2 with IP 10.53.21.2.
I have one WAN interface with multiple alias IP addresses.
I receive emails from public IP 88.23.24.163 to servmail1.
I receive emails from public IP 88.23.24.164 to servmail2.
I have Sophos XG 18 in MTA mode.
I have two policies to scan and route emails to each email server, and it works.
Both servers are allowed for relay in Sophos XG MTA.
servmail1 and servmail2 send emails to Sophos XG as smarthost, so Sophos XG delivers these emails to the internet.
How do I define that emails that come from servmail1 to the internet (via Sophos MTA relay) are sent from IP 88.23.24.163, and emails from servmail2 are sent from 88.23.24.164?
Thanks a lot. Only one thing: a restart of the Sophos is imperative.
Hello Jose,
Did you get an idea of how to solve the problem?
Best regards