
how to add another gateway address to use for WAN ip

hi all,

i want to add another wan ip so another lan subnet can go out a different wan ip and not on our main one

is this where you do it

obviously you create a new interface and put in the ip address the isp has given you and in the gateway ip, you put in their gateway ip

but this information only appears if you tick "IPv4 default gateway". obviously i don't want to make it the default gateway, just want to add another wan ip

can anyone please help me please

thanks,

rob



  • Hello,

    NO, that's just a metric number, example:

    you have a cable modem with 400 MBit and another provider with 100 Mbit, so the first is a "100" and the second a "25", hence it has only one quarter of the bandwidth for the calculation. Hope this clarifies a bit.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • ok so it's bandwidth priority then and not interface priority, i thought it was interface priority...my bad

    my problem is when i tick the box "default gateway" for WAN 2 and when i click masquerading i can see it's all changed to "uplink interfaces" which is good

    but when i click on "uplink balancing" i want to get rid of WAN2 from the active and standby boxes, but when i get rid of WAN 2 from both, when i then go back on "interfaces" it's "unticked" the "default gateway" for WAN 2

  • what i'm trying to say is even if you specify in masquerading, i want this subnet to go out WAN2, it totally disregards this and goes by the "uplink balancing" rules and NOT the "masquerading" rules

  • If using more than one uplink, you have to use "multipath rules"  for this purpose. There you can completely "unbalance" your setup to your personal needs.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

  • this makes sense now...

    so once you make more than one "interface" with a "default gateway" it automatically puts them in the same group called "uplink interfaces" as when you go in "masquerading" they all change from "external wan" to "uplink interfaces"

    from there they automatically get put in "uplink balancing" but if you want to make a specific vlan/subnet go out a specific "uplink interface" all the time and not change all the time you do this in "multipath rules"

  • so am i right in thinking, correct me if i'm wrong, once i have more than one WAN interface ie "uplink interfaces" the "masquerading" rules are defunct and the "multipath rules" take over if i want to unbalance the traffic ie make one vlan go out a certain ip?

  • Short Answer is YES.

    Long Answer is:

    Rule #2.1:

    What happens with outbound traffic?

    1. The connection tracker takes precedence over any other outbound rules so that response packets always leave from the IP and interface the request arrived on.
    2. Multipath is applied before SNAT/Masq.  Note that the UTM Proxies skip SNAT/Masq and assign a public IP as the source of packets each handles.  Unlike with the other UTM Proxies, HTTP/S Proxy traffic can still be identified by Multipath rules as to its private, internal source-IP.
    3. SNAT takes precedence over Masquerading, so it happens first, causing the packet to not qualify for any masquerading rule.

    Before the packet leaves, ATP will block it if the destination is on a list of malicious IPs.

    Have a look here https://community.sophos.com/utm-firewall/f/recommended-reads/22065/rulz

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.
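
The outbound order quoted in the reply above, as an added example that is not part of the original thread and is not Sophos code: a small Python model showing that the Multipath rule picks the uplink and the SNAT or Masquerading rule only rewrites the source address afterwards. All addresses, rule lists and the `BALANCER_PICK` stand-in are constructed assumptions.

```python
import ipaddress

# Constructed sample configuration (documentation address ranges, not from the thread).
UPLINKS = {"WAN1": "198.51.100.10", "WAN2": "203.0.113.20"}
SNAT_RULES = [("192.168.20.50/32", "203.0.113.21")]      # (source, new source IP)
MASQ_RULES = [("192.168.10.0/24", "Uplink Interfaces"),  # (source, bound interface)
              ("192.168.20.0/24", "Uplink Interfaces")]
MULTIPATH_RULES = [("192.168.20.0/24", "WAN2"),          # pin the second subnet to WAN2
                   ("0.0.0.0/0", "WAN1")]                # catch-all: everything else
BALANCER_PICK = "WAN1"  # stand-in for uplink balancing, which is not modeled here


def _match(src, rules):
    """Return the second field of the first rule whose network contains src."""
    addr = ipaddress.ip_address(src)
    for net, value in rules:
        if addr in ipaddress.ip_network(net):
            return value
    return None


def egress(src, tracked=None, multipath=MULTIPATH_RULES):
    """Return (interface, source IP on the wire) for an outbound packet.

    tracked is (interface, IP) when the packet is a reply on a known connection.
    """
    # 1. Connection tracker: replies leave from where the request arrived.
    if tracked is not None:
        return tracked
    # 2. Multipath chooses the uplink before any source NAT is applied.
    iface = _match(src, multipath) or BALANCER_PICK
    # 3. SNAT comes first; a packet it rewrites no longer qualifies for masquerading.
    snat_ip = _match(src, SNAT_RULES)
    if snat_ip:
        return iface, snat_ip
    # 4. Masquerading rewrites to the address of the uplink already chosen.
    masq_iface = _match(src, MASQ_RULES)
    if masq_iface in (iface, "Uplink Interfaces"):
        return iface, UPLINKS[iface]
    return iface, src  # no NAT rule matched


if __name__ == "__main__":
    for host in ("192.168.10.5", "192.168.20.7", "192.168.20.50"):
        print(host, "->", egress(host))
    print("no multipath rules:", egress("192.168.20.7", multipath=[]))
```

With the Multipath list emptied, the second subnet follows whatever the balancer picks, which is the behaviour described earlier in the thread.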

  • when you say SNAT/Masq it means the same thing as outbound NAT doesn't it? and DNAT is like port forward or NAT?

  • Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

  • Haigh,

    You're making this too complicated - it's easier than you think - just follow Philipp's instructions.

    If you want all of the traffic to go out WAN1, simply make a Multipath rule 'Any -> Any -> Any' bound to the WAN1 interface.  You can then leave WAN2 in the 'Active' box and achieve instantaneous fail over if WAN1 goes down.  Putting WAN2 in 'Standby' means that you will have a minute or so before traffic can go out on WAN2.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA