Multiple dynamic IP WAN interfaces do not work.

My ISP provides only dynamic IP.

After upgrading to v18, SNAT will only work with IPs assigned to the last-numbered WAN interface. All other interfaces do not work with SNAT.

The outbound status of each interface is green.

If you want to see the device directly, the Sophos access ID is here: 3445a410-a079-3f93-b6ef-75a9aba0ffeb@eu2.apu.sophos.com

  • Hi FoW,

    That's curious.

    What happens when you make a specific MASQ object using the currently known IP of the dynamic interface?

    Just to check you can masq using those interfaces.

    Emile

  • A ping from the CLI is maybe the wrong approach to SNAT. 

    Because the ping with -I will not use the SNAT rules at all (as far as I know).

    You have a multi WAN Concept. Could you please revisit the SD-WAN Routing Tab (In Routing)? 


    XG will use this Configuration (since V18). You should check your configuration there. 

    The Load Balancing (Primary Gateway) configuration of Firewall Policy is gone and went to SD-WAN PBR (Policy Based Routing). 

    Maybe there is a mistake. 

    Or your WAN Interface does not work because of other reasons.

    Maybe try to use wget with the other WAN IPs and open another shell, check the tcpdump. 


  • LuCar Toni is right.


    To steer traffic via multiple uplinks you have to create an SD-WAN Policy Route like the one below.

    Attention: routing behaviour has changed from 17.5 to 18. The PBR works packet based and not connection based. This means if configured "wrong" it might even send reply packets from incoming connections back out via the wrong interface. The rule is simple:

    - If you leave "ANY" in the source networks, PBR will also match reply traffic (and possibly break incoming connections such as DNAT'ed traffic)
    - If you enter your internal network(s) as source, it works as usually expected

    /Sascha
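The packet-based matching Sascha describes, as an added illustration that is not part of the thread and not Sophos's code: a toy policy-route evaluator is run against an outbound LAN packet and against the reply of a DNAT'ed inbound connection. Constructed addresses (198.51.100.2 on Port2, server 192.168.1.10, client 203.0.113.7) and the modelling assumption that the DNAT is reversed before the routing decision (so the reply carries the public Port2 address as its source) are mine, not from the post.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class PolicyRoute:
    source: str    # "ANY" or a CIDR of the internal network(s)
    gateway: str   # uplink a matching packet is steered to

    def matches(self, pkt: Packet) -> bool:
        return self.source == "ANY" or ip_address(pkt.src) in ip_network(self.source)


# Constructed topology (assumption, not from the thread): two uplinks, one DNAT'd server.
PORT2_IP = "198.51.100.2"        # WAN IP on Port2, where the inbound connection arrived
SERVER = "192.168.1.10"          # DNAT target on the LAN
REVERSE_DNAT = {SERVER: PORT2_IP}  # applied to reply packets before routing
LAN = "192.168.1.0/24"


def route(pkt: Packet, routes, fallback: str) -> str:
    """Packet-based PBR: each packet is matched on its own, with no memory of
    the connection it belongs to; the first matching policy route wins."""
    for pr in routes:
        if pr.matches(pkt):
            return pr.gateway
    return fallback


def route_reply(source_filter: str) -> str:
    """Reply from the DNAT'd server to the external client. Modelling assumption:
    DNAT is undone before the routing lookup, so the source is the public IP."""
    reply = Packet(src=REVERSE_DNAT.get(SERVER, SERVER), dst="203.0.113.7")
    # With no PBR match the reply leaves on the uplink the connection came in on.
    return route(reply, [PolicyRoute(source_filter, "Port4")], fallback="Port2")


def route_lan_egress(source_filter: str) -> str:
    """New outbound connection from a LAN host; this is what PBR should steer."""
    pkt = Packet(src="192.168.1.50", dst="203.0.113.7")
    return route(pkt, [PolicyRoute(source_filter, "Port4")], fallback="Port2")
```

With source "ANY" the reply is pushed out Port4 although the connection arrived on Port2; with the LAN as source only the genuine LAN egress is steered.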

  • LuCar Toni said:

    A ping from the CLI is maybe the wrong approach to SNAT. 
    Because the ping with -I will not use the SNAT rules at all (as far as I know).

    You have a multi WAN Concept. Could you please revisit the SD-WAN Routing Tab (In Routing)? 
    XG will use this Configuration (since V18). You should check your configuration there. 
    The Load Balancing (Primary Gateway) configuration of Firewall Policy is gone and went to SD-WAN PBR (Policy Based Routing). 
    Maybe there is a mistake.

    Or your WAN Interface does not work because of other reasons.
    Maybe try to use wget with the other WAN IPs and open another shell, check the tcpdump. 

    Of course not related to SNAT. The CLI screen simply proves that the external interface is alive. I thought someone would ask me if the interface works.

    Okay. I'm a migration user. I just visited the SD-WAN Routing Tab for the first time. I see a familiar feature. Sophos spreads the features all over the menu. It's just like going back to SG UTM instead of NGFW.

    Where the spread SD-WAN feature went is not specified in the migrated firewall rules. This is a challenge to human instincts. It would be nice to advertise the link like NAT. Otherwise the old customers are very confused, like me.

    I still have more questions. In the migrated SD-WAN policy, the backup gateway is load balanced. Why then can I not communicate except via Port4? I wonder about the principle.

    Thank you.
