Sophos Firewall: How to setup MTA mode when you have multiple WAN ports or alias IP addresses

Disclaimer: This information is posted as-is and the content should be referenced at your own risk

---

When using MTA mode for email delivery, if you have multiple WAN interfaces or public IP addresses, it’s necessary to create an outbound rule to forward mail via one interface or IP address.

Depending on your WAN and alias IP configuration, you must do the following:

• If you have a single WAN interface with multiple alias IP addresses. Configure a NAT rule for SMTP with the specific public IP traffic that traffic will be sent from.
• If you have multiple WAN interfaces and no alias IP addresses. Configure a SD-WAN rule for SMTP and the Destination ANY.
• If you have multiple WAN addresses and multiple alias IP addresses. Configure both the NAT and the SD-WAN rule.
• For all scenarios, change the route precedence to: Static, VPN, SD-WAN.

To configure these options, do as follows:

Create a NAT Rule for SMTP with the specific IP traffic will be sent from

1. Go to Rules and policies > NAT rules. Select IPv4or IPv6 and then select Add NAT rule.
2. The rule is turned on by default.
3. Enter the rule details.

Name	Description
Rule name	Enter a name.
Rule group	Select a rule group or create one. The firewall rule will belong to this group. If you select Automatic, the firewall rule is added to an existing group based on the first match with rule type and source-destination zones.

4. Specify the translation settings for source, destination, services, and interfaces to match traffic.

Name	Description
Original source	Specify ANY.
Translated source (SNAT)	Specify MASQ.
Original destination	Specify ANY.
Translated destination (DNAT)	Select Original.
Original service	Select SMTP.
Translated service (PAT)	Select Original.
Inbound interface	Select Any.
Outbound interface	Select the WAN interface or alias IP address from which traffic specified in this rule exits Sophos Firewall.

5. Optional Select Create loopback rule to allow internal hosts to access other internal hosts, for example, servers.
6. Optional Select Create reflexive rule to create a mirror rule that reverses the matching criteria of the rule from which it’s created.

Note: You can create loopback and reflexive rules for destination NAT rules. They are created using the original NAT rule ID and name. Changing the original NAT rule settings later doesn’t change loopback and reflexive rule settings.

7. Click Save.

The following screenshot shows an example NAT rule.

 

Create a SD-WAN Rule with Destination ANY and Service SMTP 

1. 1. Go to Routing > SD-WAN policy routing.  Scroll down to IPv4 or IPv6 SD-WAN policy route and select Add.
   2. Enter a name.
   3. Select the traffic selector settings.

Name	Description
Incoming interface	Select the interface through which SMTP traffic Sophos Firewall. Deleting the interface also deletes the policy route.
DSCP marking	Select the level of DSCP marking to match incoming packets for priority. For details, see DSCP Value. Expedited forwarding (EF): Priority queuing that ensures low delay and packet loss. Suitable for real-time services. Assured forwarding (AF): Assured delivery, but with packet drop if congestion occurs. Assigns packets a higher priority than best-effort. Class selector (CS): Backward compatibility with network devices that use IP precedence in type of service.
Source networks and Destination networks	Select ANY as both source and destination networks.
Services	Select SMTP.
Application object	Leave blank.
Users or groups	Select ANY.

4. Specify the routing settings.

Name	Description
Primary gateway	Select the primary gateway to route traffic. If you delete the selected gateway, Sophos Firewall will delete the policy route and implement WAN link load balance to route traffic. If the primary gateway goes down, Sophos Firewall routes traffic through the backup gateway. When the primary gateway comes back up, XG Firewall routes traffic through it.
Backup gateway	If you've configured more than one gateway, select the backup gateway. If you delete the selected gateway, Sophos Firewall sets the backup gateway to None.
Override gateway monitoring decision	Select if you want to route traffic through the selected gateway, even if the gateway is down.

5. Click Save.

The following screenshot shows an example SD-WAN policy route.

 

 

6. Sign in to the Sophos Firewall command line console as admin.
7. Select option 4. Device Console.
8. Type the following command:

• set routing sd-wan-policy-route system-generate-traffic enable

Change the Route Precedence to Static - VPN - SD-WAN

1. Sign in to the Sophos Firewall command line console as admin.
2. Select option 4. Device Console.
3. Type the following command and press enter: system route_precedence set static vpn sdwan_policyroute
4. Confirm the change using the following command: system route_precedence show

Edited TAGs, Title, and edited text (XG)
[edited by: emmosophos at 7:50 PM (GMT -8) on 8 Nov 2022]