Multiple Dynamic IP WAN Interface does not work.

My ISP provides only dynamic IP.

After upgrading to v18, SNAT will only work with IPs assigned to the last-numbered WAN interface. All other interfaces do not work with SNAT.

Outbound of each interface is green.

If you want to see the device directly, the Sophos access ID is here: 3445a410-a079-3f93-b6ef-75a9aba0ffeb@eu2.apu.sophos.com

 
  • Hi FoW,

    That's curious.

    What happens when you make a specific MASQ object using the currently known IP of the dynamic interface?

    Just to check you can masq using those interfaces.

    Emile

  • A ping from the CLI is maybe the wrong approach to SNAT. 

    Because the ping with -I will not use the SNAT rules at all (as far as I know).

    You have a multi WAN Concept. Could you please revisit the SD-WAN Routing Tab (In Routing)? 

     

    XG will use this Configuration (since V18). You should check your configuration there. 

    The Load Balancing (Primary Gateway) configuration of Firewall Policy is gone and went to SD-WAN PBR (Policy Based Routing). 

    Maybe there is a mistake. 

    Or your WAN Interface does not work because of other reasons.

    Maybe try to use wget with the other WAN IPs and open another shell, check the tcpdump. 


  • LuCar TOni is right

     

    To steer traffic via multiple uplinks you have to create an SD-WAN Policy Route like the one below.

    Attention: Routing behaviour has changed from 17.5 to 18. The PBR works packet-based and not connection-based. This means if configured "wrong" it might even send reply packets from incoming connections back out via the wrong interface. The rule is simple:

    - If you leave "ANY" in the source networks, PBR will also match for reply traffic (and possibly break incoming connections as DNAT'ed traffic)
    - If you enter your internal network(s) as source, it works as usually expected

    /Sascha
