how to add another gateway address to use for WAN ip

Hi Rob,

you certainly define it like that! As soon as you start to fill in correct values and then tick "IPv4 Default GW" it will will ask you if this intended and then activate "Uplink Balancing" and "MultiPath Rules" for those interfaces. My setup is like this:

Then you have:

If you go to that "tool"-sign you are able to apply a metric:

Additionally, you don't need to use multipath rules, but I encourage you to try this out.

Don't forget to do a MASQ for "uplink interfaces"now that you have two uplinks.

so for the additional wan interface even if i dont want it to be my default gateway i still need to tick the default gateway?

what im trying to say is even if you specify in masquerading, i want this subnet to go out WAN2, it totally disregards this and goes by the "uplink balancing" rules and NOT the "masquerading"rules

If using more than one uplink, you have to use "multipath rules"  for this purpose. There you can completely "unbalance" your setup to your personal needs.

this makes sense now...

so once you make more than one "interface" with a "default gateway" it automatically puts them in the same group called "uplink interfaces" as when you go in "masquerading" they all change from "external wan" to "uplink interfaces"

from there they automatically get put in "uplink balancing" but if you want to make a specific vlan/subnet go out a specific "uplink interface" all the time and not change all the time you do this in "multipath rules"

so am i right in thinking, correct me if im wrong once i have more than one WAN interface ie "uplink interfaces" the "masquerading" rules are defunct and the "multipath rules" take over if i want to unbalance the traffic ie make one vlan go out a certain ip?

Short Answer is YES.

Long Answer is:

Rule #2.1:

What happens with outbound traffic?

1. The connection tracker takes precedence over any other outbound rules so that response packets always leave from the IP and interface the request arrived on.
2. Multipath is applied before SNAT/Masq.  Note that the UTM Proxies skip SNAT/Masq and assign a public IP as the source of packets each handles.  Unlike with the other UTM Proxies, HTTP/S Proxy traffic can still be identified by Multipath rules as to its private, internal source-IP.
3. SNAT takes precedence over Masquerading, so it happens first, causing the packet to not qualify for any masquerading rule.

Before the packet leaves, ATP will block it if the destination is on a list of malicious IPs.

Have a look here https://community.sophos.com/utm-firewall/f/recommended-reads/22065/rulz

when you say SNAT/Masq it means the same thing as outbound NAT doesnt it? and DNAT is like port forward or NAT?

Have a look here: https://en.wikipedia.org/wiki/Network_address_translation

Haigh,

You're making this too complicated - it's easier than you think - just follow Philipp's instructions.

If you want all of the traffic to go out WAN1, simply make a Multipath rule 'Any -> Any -> Any' bound to the WAN1 interface.  You can then leave WAN2 in the 'Active' box and achieve instantaneous fail over if WAN1 goes down.  Putting WAN2 in 'Standby' means that you will have a minute or so before traffic can go out on WAN2.

Cheers - Bob

ok...

its working now ie in "multipath rules" i can specify what network goes out what uplink interfaces, ie wan1 or wan2

but in some masquerading rules i have some hosts go out a different ip address associated to wan1 ie "interfaces > additional addresses"

can i do the same for multipath rules

 Not sure what you're asking, but a generic answer should help you more...

Masq rules are in an ordered list.  In every case of an ordered list in WebAdmin, the rules are considered in order.  Once the traffic qualifies for a rule, no further rules are considered.  For traffic leaving via a particular interface, place the specific masq rule(s) above the one that applies to traffic from every other internal IP.

Say you have WAN1 and WAN2 and you have an Additional address on each named "Server A" and a Host named "Server A.".  You might have masq rules like:

1. Server A -> WAN1 (Server A)
2. Server A -> WAN2 (Server A)
3. Internal (Network) -> Uplink Interfaces

Note that traffic passing through a Proxy such as the FTP Proxy always appears to Multipath and masq rules as coming from the UTM itself.  The only Proxy that retains the requestor's IP for multipathing and masq'ing is the Web Proxy.

Cheers - Bob

 Not sure what you're asking, but a generic answer should help you more...

Masq rules are in an ordered list.  In every case of an ordered list in WebAdmin, the rules are considered in order.  Once the traffic qualifies for a rule, no further rules are considered.  For traffic leaving via a particular interface, place the specific masq rule(s) above the one that applies to traffic from every other internal IP.

Say you have WAN1 and WAN2 and you have an Additional address on each named "Server A" and a Host named "Server A.".  You might have masq rules like:

1. Server A -> WAN1 (Server A)
2. Server A -> WAN2 (Server A)
3. Internal (Network) -> Uplink Interfaces

Note that traffic passing through a Proxy such as the FTP Proxy always appears to Multipath and masq rules as coming from the UTM itself.  The only Proxy that retains the requestor's IP for multipathing and masq'ing is the Web Proxy.

Cheers - Bob