
How to add another gateway address to use for a WAN IP

Hi all,

I want to add another WAN IP so that another LAN subnet can go out a different WAN IP and not our main one.

Is this where you do it?

Obviously you create a new interface, put in the IP address the ISP has given you, and in the gateway IP field you put in their gateway IP.

But this information only appears if you tick "IPv4 default gateway". Obviously I don't want to make it the default gateway, I just want to add another WAN IP.

Can anyone please help me?

thanks,

rob

  • Hi Rob,

    you certainly define it like that! As soon as you start to fill in correct values and then tick "IPv4 Default GW", it will ask you if this is intended and then activate "Uplink Balancing" and "MultiPath Rules" for those interfaces. My setup is like this:

    Then you have:

    If you go to that "tool" sign you are able to apply a metric:

    Additionally, you don't need to use multipath rules, but I encourage you to try this out.

    Don't forget to do a MASQ for "uplink interfaces" now that you have two uplinks.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • So for the additional WAN interface, even if I don't want it to be my default gateway, I still need to tick the default gateway?

  • What I'm trying to say is: even if you specify in masquerading "I want this subnet to go out WAN2", it totally disregards this and goes by the "uplink balancing" rules and NOT the "masquerading" rules.

  • If using more than one uplink, you have to use "multipath rules" for this purpose. There you can completely "unbalance" your setup to your personal needs.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • This makes sense now...

    So once you make more than one "interface" with a "default gateway", it automatically puts them in the same group called "uplink interfaces", as when you go into "masquerading" they all change from "external WAN" to "uplink interfaces".

    From there they automatically get put in "uplink balancing", but if you want to make a specific VLAN/subnet always go out a specific "uplink interface" and not change all the time, you do this in "multipath rules".

  • So am I right in thinking (correct me if I'm wrong) that once I have more than one WAN interface, i.e. "uplink interfaces", the "masquerading" rules are defunct and the "multipath rules" take over if I want to unbalance the traffic, i.e. make one VLAN go out a certain IP?

  • Short Answer is YES.

    Long Answer is:

    Rule #2.1:

    What happens with outbound traffic?

    1. The connection tracker takes precedence over any other outbound rules, so that response packets always leave from the IP and interface the request arrived on.
    2. Multipath is applied before SNAT/Masq. Note that the UTM Proxies skip SNAT/Masq and assign a public IP as the source of packets each handles. Unlike with the other UTM Proxies, HTTP/S Proxy traffic can still be identified by Multipath rules by its private, internal source IP.
    3. SNAT takes precedence over Masquerading, so it happens first, causing the packet to not qualify for any masquerading rule.

    Before the packet leaves, ATP will block it if the destination is on a list of malicious IPs.

    Have a look here https://community.sophos.com/utm-firewall/f/recommended-reads/22065/rulz

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • When you say SNAT/Masq, it means the same thing as outbound NAT, doesn't it? And DNAT is like port forwarding or NAT?

  • Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Haigh,

    You're making this too complicated - it's easier than you think - just follow Philipp's instructions.

    If you want all of the traffic to go out WAN1, simply make a Multipath rule 'Any -> Any -> Any' bound to the WAN1 interface. You can then leave WAN2 in the 'Active' box and achieve instantaneous fail over if WAN1 goes down. Putting WAN2 in 'Standby' means that you will have a minute or so before traffic can go out on WAN2.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • OK...

    It's working now, i.e. in "multipath rules" I can specify which network goes out which uplink interface, i.e. WAN1 or WAN2.

    But in some masquerading rules I have some hosts go out a different IP address associated with WAN1, i.e. "interfaces > additional addresses".

    Can I do the same for multipath rules?

  • Not sure what you're asking, but a generic answer should help you more...

    Masq rules are in an ordered list. In every case of an ordered list in WebAdmin, the rules are considered in order. Once the traffic qualifies for a rule, no further rules are considered. For traffic leaving via a particular interface, place the specific masq rule(s) above the one that applies to traffic from every other internal IP.

    Say you have WAN1 and WAN2 and you have an Additional address on each named "Server A" and a Host named "Server A". You might have masq rules like:

    1. Server A -> WAN1 (Server A)
    2. Server A -> WAN2 (Server A)
    3. Internal (Network) -> Uplink Interfaces

    Note that traffic passing through a Proxy such as the FTP Proxy always appears to Multipath and masq rules as coming from the UTM itself. The only Proxy that retains the requestor's IP for multipathing and masq'ing is the Web Proxy.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
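The outbound evaluation order Philipp quotes (connection tracker first, then Multipath, then SNAT ahead of Masq) together with Bob's first-match ordered masq list, modelled as an added Python example; this is not code from the thread or from Sophos, and the addresses, rule tables and the `route_outbound` function are constructed for illustration only.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed sample setup (documentation address ranges, not the poster's):
# two uplinks, a "Server A" host with an additional address on each WAN.
UPLINKS = {"WAN1": "203.0.113.10", "WAN2": "198.51.100.10"}

# Multipath rules (source net, destination net, bound interface); first match wins.
MULTIPATH = [
    ("10.0.20.0/24", "0.0.0.0/0", "WAN2"),  # guest VLAN pinned to WAN2
    ("0.0.0.0/0", "0.0.0.0/0", "WAN1"),     # Bob's 'Any -> Any -> Any' bound to WAN1
]
# SNAT rules (source host, interface, new source IP); checked before masq.
SNAT = [("10.0.10.9", "WAN1", "203.0.113.12")]
# Masq rules in WebAdmin order (source, interface, explicit address or None).
MASQ = [
    ("10.0.10.5/32", "WAN1", "203.0.113.11"),   # 1. Server A -> WAN1 (Server A)
    ("10.0.10.5/32", "WAN2", "198.51.100.11"),  # 2. Server A -> WAN2 (Server A)
    ("10.0.0.0/8", "Uplink Interfaces", None),  # 3. Internal -> Uplink Interfaces
]

@dataclass
class Packet:
    src: str
    dst: str
    reply_to: Optional[Tuple[str, str]] = None  # (iface, ip) the request arrived on

def route_outbound(pkt: Packet):
    """Return (egress interface, source IP on the wire, deciding stage)."""
    # 1. Connection tracker takes precedence: replies leave where the request came in.
    if pkt.reply_to:
        return pkt.reply_to[0], pkt.reply_to[1], "conntrack"
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    # 2. Multipath chooses the uplink before any SNAT/masq is applied.
    iface = next((i for s, d, i in MULTIPATH
                  if src in ip_network(s) and dst in ip_network(d)), None)
    if iface is None:
        return None, None, "no-route"
    # 3. SNAT before masq; a matching SNAT rule disqualifies the packet for masq.
    for host, snat_iface, new_src in SNAT:
        if pkt.src == host and snat_iface == iface:
            return iface, new_src, "snat"
    # 4. Masq: ordered list, first matching rule wins, later rules are not considered.
    for net, masq_iface, addr in MASQ:
        if src in ip_network(net) and masq_iface in (iface, "Uplink Interfaces"):
            return iface, addr or UPLINKS[iface], "masq"
    return iface, pkt.src, "unmasqueraded"  # private source would leak: misconfiguration
```

Swapping the order of the two Server A masq rules, or moving rule 3 above them, changes which address Server A leaves with, which is exactly the ordered-list behaviour Bob describes.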