Sophos UTM 9 - Apply Policy Route before local interface route

Hello guys,

I have a weird routing problem and don't know how to configure routing properly to solve it.

First of all, I'm the administrator of a company which uses a Sophos SG 135 with Sophos UTM 9.707-5 firmware. The firmware is up to date.

To explain the problem, I've created a simplified schema of our current network setup:

For accessing the internet, we have two interfaces defined in the UTM. "Interface1" (Default GW enabled) points to a transfer network between the firewall and the router, which is placed before the firewall and NATs/routes all traffic from the public IP via the "Exposed Host" configuration to the UTM (destination

For legacy purposes, there is a second interface "Interface2" which gets its public IP directly from the ISP. Default GW is also enabled. We have configured an Uplink Group to manage the outgoing traffic, but that's not relevant for the problem. This gateway gets its IP and network directly from the ISP (dynamic IP).

We host some websites on the server "Webserver" behind the UTM and forward all the traffic from "Uplink Primary Addresses" to our webserver. The target IP of all hosted websites is always "" (aka "Interface1").

If a packet reaches the public IP of the "FritzBox", the target address will be NATed to the IP of the UTM ( and the packet will be forwarded. This has worked perfectly for a few years for all users, except some users who get an IP from the network of Interface2.

In some rare cases, a user from outside receives a public IP from the same ISP as "Interface2", within the same network as "Interface2", in this example "".

I've debugged the issue with tcpdump and realised that the incoming traffic from "" is forwarded from the "FritzBox" to the firewall and then forwarded again to the webserver. So far so good.

Then the return traffic won't be routed back via Interface1; instead it will be routed via Interface2. This prevents the connection from being established correctly and the user won't get the website displayed.

The automatically created route for Interface2 looks like:
  dev eth2  proto kernel  scope link  src

I've tried to add a policy route to prevent this issue:
  Route Type: interface
  Source Interface: Interface1
  Source Network: Network of Interface2
  Service: Any
  Destination Network: Any
  Target Interface: Interface1

This should match exactly the described situation, but it won't work. The traffic is still routed via Interface2 instead of Interface1, which was the source of the packet.
My assumption is that the local interface route for Interface2 (eth2) has a higher priority than the added policy route. Am I right?

So now, hopefully somebody here can help me with this issue.
If you need more information or screenshots, please let me know.

Thanks a lot!

Typing corrected. IPS -> ISP
[edited by: mobimagic at 8:13 AM (GMT -7) on 28 Sep 2021]
  • As far as I know, a "directly connected" subnet beats all other routes.

    I would ask the ISP to assign a small subnet instead of an IP in a large one.

    This is not a good practice. But I've already seen that.


    Sophos Solution Partner since 2003
    If a post solves your question click the 'Verify Answer' link.
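To make the lookup order behind the reply's point concrete (a connected route wins inside one routing table, and only a policy rule that sends the packet to a different table first can override it), here is a small simulation of Linux policy-routing semantics. This is an added illustration, not Sophos UTM code and not the poster's configuration: all addresses are constructed from RFC 5737 documentation ranges in place of the post's elided ones, and it assumes, as on plain Linux netfilter, that a reply from the webserver is routed before the reverse of the DNAT rewrites its source back to the public address, so the selecting rule keys on the webserver's own address and the LAN interface. How the UTM's policy-route dialog maps onto these rules is not something the thread establishes.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (RFC 5737 documentation ranges stand in for the
# post's elided addresses; this is not the poster's real network):
#   eth0 LAN:        10.0.0.0/24, webserver at 10.0.0.80
#   eth1 Interface1: 192.0.2.2/24 transfer net, FritzBox gateway 192.0.2.1
#   eth2 Interface2: 198.51.100.10/24 ISP-assigned, gateway 198.51.100.1
#   visitor:         198.51.100.77, same ISP subnet as Interface2

# Routing table entries: (prefix, outgoing device, gateway as a string, or
# None for a connected route, i.e. "proto kernel scope link").
MAIN = [
    (ip_network("10.0.0.0/24"), "eth0", None),
    (ip_network("192.0.2.0/24"), "eth1", None),
    (ip_network("198.51.100.0/24"), "eth2", None),   # the kernel-created route
    (ip_network("0.0.0.0/0"), "eth1", "192.0.2.1"),  # default via the FritzBox
]
# Separate table reachable only through a policy rule; it knows nothing about
# the ISP subnet, so the connected eth2 route cannot win inside it.
VIA_INTERFACE1 = [(ip_network("0.0.0.0/0"), "eth1", "192.0.2.1")]


def lookup_table(table, dst):
    """Longest-prefix match inside a single table; None if nothing matches."""
    best = None
    for prefix, dev, gw in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, dev, gw)
    return (best[1], best[2]) if best else None


def route(rules, src, dst, iif=None):
    """Policy routing lookup.

    Rules are (priority, source selector or None, incoming interface or None,
    table). They are tried in ascending priority; the first table that holds a
    matching route decides. Only a table with no matching route at all lets
    the search fall through to the next rule.
    """
    src, dst = ip_address(src), ip_address(dst)
    for _prio, src_sel, rule_iif, table in sorted(rules, key=lambda r: r[0]):
        if src_sel is not None and src not in src_sel:
            continue
        if rule_iif is not None and rule_iif != iif:
            continue
        hit = lookup_table(table, dst)
        if hit is not None:
            return hit
    raise LookupError(f"no route to {dst}")


# Stock setup: the main table is consulted at priority 32766, as on Linux.
DEFAULT_RULES = [(32766, None, None, MAIN)]
# Added rule (hypothetical fix): replies from the webserver that arrive on the
# LAN interface consult VIA_INTERFACE1 before the main table, so they leave
# via the FritzBox even though the visitor sits in Interface2's subnet.
FIXED_RULES = [(100, ip_network("10.0.0.80/32"), "eth0", VIA_INTERFACE1)] + DEFAULT_RULES

if __name__ == "__main__":
    for rules, label in ((DEFAULT_RULES, "main table only"), (FIXED_RULES, "with policy rule")):
        print(f"{label}: reply to ISP-subnet visitor ->",
              route(rules, "10.0.0.80", "198.51.100.77", iif="eth0"))
```

With the main table alone the reply to 198.51.100.77 picks the connected eth2 route because /24 is a longer match than the default route; the packet's incoming interface plays no part in that choice. With the extra rule the same reply leaves via eth1, while the UTM's own traffic to the ISP gateway still matches nothing in the extra rule and keeps using the connected route.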