how to add another gateway address to use for WAN ip

hi all,

i want to add another wan ip so another lan subnet can go out a different wan ip and not on our main one

is this where you do it

obviously you create a new interface and put in the ip address the isp has given you and in the gateway ip, you put in their gateway ip

but this information only appears if you tick "IPv4 default gateway". obviously i don't want to make it the default gateway, just want to add another wan ip

can anyone please help me please

thanks,

rob



This thread was automatically locked due to age.
  • Hi Rob,

    you certainly define it like that! As soon as you start to fill in correct values and then tick "IPv4 Default GW", it will ask you if this is intended and then activate "Uplink Balancing" and "MultiPath Rules" for those interfaces. My setup is like this:

    Then you have:

    If you go to that "tool"-sign you are able to apply a metric:

    Additionally, you don't need to use multipath rules, but I encourage you to try this out.

    Don't forget to do a MASQ for "uplink interfaces" now that you have two uplinks.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • so for the additional wan interface even if i don't want it to be my default gateway i still need to tick the default gateway?

  • OK, I admit that this label is a bit misleading: with this you define the default GW for THIS INTERFACE.

    So with my company, for example, it's WAN1 going to ISP "MK" and WAN2 going to ISP "Unitymedia".

    Since both ISPs have their own infrastructure, the IP network of interface WAN1 has a (default) gateway from the MK IP nets

    and WAN2 has a (default) gateway from the Unitymedia IP nets.

    Default GW in this case means "where to send the packet, if no other network I know directly matches?"

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch


  • so when I make the other wan2 will all my traffic automatically go out of wan2 instead of wan1, as I don't want this to happen at all

    for this not to happen do I need to do the "uplink balancing"?

  • No, that will not happen, if you use Multipath rules. What is your concern? I don't understand your reluctance.

    You could even define the second interface as a "standby" interface, if that is what you want.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch


  • thanks jprusch, now i understand you, i might as well have the wan2 as a standby just in case my default wan1 falls over

    and i presume after that in "network protection > NAT > masquerading" i make every network go out either using wan1 or wan2?

  • You are welcome.

    Yes, that's why you can use an object "uplink interfaces" in masquerading, this includes both WAN1 and WAN2.

    Or, in other words, "uplink interfaces" are all links with an assigned "Default GW", this could be more than two.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch


  • i'm guessing for the weight number, the lower number you give it the higher priority it has?

  • Hello,

    NO, that's just a metric number, example:

    you have a cable modem with 400 Mbit and another provider with 100 Mbit, so the first is a "100" and the second a "25", hence it has only one quarter of the bandwidth for the calculation. Hope this clarifies a bit.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch


  • ok so it's bandwidth priority then and not interface priority, i thought it was interface priority...my bad

    my problem is when i tick the box "default gateway" for WAN 2 and when i click masquerading i can see it's all changed to "uplink interfaces" which is good

    but when i click on "uplink balancing" i want to get rid of WAN2 from the active and standby boxes, but when i get rid of WAN 2 from both, when i then go back on "interfaces" it's "unticked" the "default gateway" for WAN 2

  • what i'm trying to say is even if you specify in masquerading, i want this subnet to go out WAN2, it totally disregards this and goes by the "uplink balancing" rules and NOT the "masquerading" rules

  • If using more than one uplink, you have to use "multipath rules" for this purpose. There you can completely "unbalance" your setup to your personal needs.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch


  • this makes sense now...

    so once you make more than one "interface" with a "default gateway" it automatically puts them in the same group called "uplink interfaces" as when you go in "masquerading" they all change from "external wan" to "uplink interfaces"

    from there they automatically get put in "uplink balancing" but if you want to make a specific vlan/subnet go out a specific "uplink interface" all the time and not change all the time you do this in "multipath rules"

  • so am i right in thinking, correct me if i'm wrong, once i have more than one WAN interface ie "uplink interfaces" the "masquerading" rules are defunct and the "multipath rules" take over if i want to unbalance the traffic ie make one vlan go out a certain ip?

  • Short Answer is YES.

    Long Answer is:

    Rule #2.1:

    What happens with outbound traffic?

    1. The connection tracker takes precedence over any other outbound rules so that response packets always leave from the IP and interface the request arrived on.
    2. Multipath is applied before SNAT/Masq. Note that the UTM Proxies skip SNAT/Masq and assign a public IP as the source of packets each handles. Unlike with the other UTM Proxies, HTTP/S Proxy traffic can still be identified by Multipath rules as to its private, internal source-IP.
    3. SNAT takes precedence over Masquerading, so it happens first, causing the packet to not qualify for any masquerading rule.

    Before the packet leaves, ATP will block it if the destination is on a list of malicious IPs.

    Have a look here https://community.sophos.com/utm-firewall/f/recommended-reads/22065/rulz

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch


  • when you say SNAT/Masq it means the same thing as outbound NAT doesn't it? and DNAT is like port forward or NAT?

  • Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch


  • Haigh,

    You're making this too complicated - it's easier than you think - just follow Philipp's instructions.

    If you want all of the traffic to go out WAN1, simply make a Multipath rule 'Any -> Any -> Any' bound to the WAN1 interface. You can then leave WAN2 in the 'Active' box and achieve instantaneous fail over if WAN1 goes down. Putting WAN2 in 'Standby' means that you will have a minute or so before traffic can go out on WAN2.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
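
A simplified model of the outbound order quoted from Rulz #2.1 earlier in the thread, combined with the multipath binding Bob describes, as an added example that is not part of any post and is not Sophos code. The addresses, rule tables and the `egress` function are constructed for illustration, and the fallback to another uplink when the bound one is down is an assumption of the model.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    src: str              # private source IP
    dst: str
    conn_iface: str = ""  # set when the packet answers a tracked inbound connection
    conn_ip: str = ""

# Constructed sample configuration (documentation address ranges).
UPLINKS = {"WAN1": "198.51.100.10", "WAN2": "203.0.113.20"}    # primary IP per uplink
MULTIPATH = [("10.0.20.0/24", "WAN2"), ("0.0.0.0/0", "WAN1")]  # first match wins
SNAT = [("10.0.10.5/32", "198.51.100.11")]                     # additional address on WAN1
MASQ = ["10.0.0.0/8"]                                          # masqueraded to the uplink

def _in(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def egress(pkt, up=frozenset(UPLINKS)):
    """Return (interface, source IP, deciding NAT stage) for an outbound packet."""
    # 1. Connection tracker: replies leave from the IP/interface the request arrived on.
    if pkt.conn_iface:
        return pkt.conn_iface, pkt.conn_ip, "conntrack"
    # 2. Multipath selects the uplink before any NAT is applied.
    iface = next((i for net, i in MULTIPATH if _in(pkt.src, net) and i in up), None)
    if iface is None:
        iface = sorted(up)[0]  # model assumption: use any uplink that is still up
    # 3. SNAT comes before masquerading; a match means masquerading never applies.
    for net, new_src in SNAT:
        if _in(pkt.src, net):
            return iface, new_src, "snat"
    # 4. Masquerading rewrites the source to the chosen uplink's primary address.
    if any(_in(pkt.src, net) for net in MASQ):
        return iface, UPLINKS[iface], "masq"
    return iface, pkt.src, "none"

if __name__ == "__main__":
    for p in (Packet("10.0.20.7", "192.0.2.1"), Packet("10.0.10.5", "192.0.2.1")):
        print(p.src, "->", egress(p))
```

In this model the masquerading rule never chooses the uplink; it only supplies the source address for whichever interface the multipath stage already selected.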
  • ok...

    it's working now ie in "multipath rules" i can specify what network goes out what uplink interfaces, ie wan1 or wan2

    but in some masquerading rules i have some hosts go out a different ip address associated to wan1 ie "interfaces > additional addresses"

    can i do the same for multipath rules?