
Static route through another gateway

Apologies if this topic is covered here elsewhere.  A quick search did not find a solution.

We have the following equipment:

Endpoint

LAN:  10.0.0.40

GW:  10.0.0.1


Sophos UTM

LAN (eth0):  10.0.0.1 /24

WAN (eth1):  100.100.100.2

Private (eth2):  192.168.2.2

SDWAN Appliance

LAN:  (none)

WAN (eth1):  100.100.100.3

Private (eth2):  192.168.2.3

The SDWAN Appliance and the Sophos UTM are connected via a private network on a separate physical network from the LAN or WAN.  The SDWAN publishes routes via OSPF, and traffic to our other facilities routes through that equipment automagically.

There is the desire to begin using the SDWAN for some additional traffic shaping.  Rather than have one policy at our corporate headquarters where the Sophos UTM is and different policies for our SDWAN equipment at our child facilities, we'd like to begin pushing internet traffic for some of our headquarters equipment through the SDWAN.

So... we need to route traffic from the Endpoint through the Sophos, to the SDWAN Appliance...

I created a Static Route to tackle this:


With the route enabled, the Endpoint's traffic dies at the Sophos UTM.  It cannot even ping the Sophos UTM.

I have also tried a Policy Route with the same basic settings as above, with Service and Destination set to Any.  Traffic flows... but continues to use the Sophos UTM for outbound traffic.

Anyone able to point me in the correct direction?

  • To help visualize how traffic needs to flow...

    Endpoint (10.0.0.40) ----->  [Sophos LAN (10.0.0.1) -> Sophos Private (192.168.2.2)] -----> [SDWAN Private (192.168.2.3) -> SDWAN WAN (100.100.100.3)]

    Right now we appear stuck in the Sophos config.

  • Hi,

    Good day and thank you for reaching out to the Sophos Community; I hope you are well.

    What are the results of the traceroute from the end machine to the destination, and what do the logs say on the firewall side?

    May I confirm that my understanding is correct: you want to route only endpoint 10.0.0.40 and not the whole 10.0.0.0/24 network? If yes, have you tried a Multipath rule: https://support.sophos.com/support/s/article/KB-000034635?language=en_US and using ltf persistence by interface?

    Kindly let us know how it goes. Thanks for your time and patience, and thank you for choosing Sophos.

    Cheers,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
    If a post solves your question use the 'Verify Answer' link.

  • Raphael,

    Trace routes fail.  No hops successful.

    You are correct that I need to target specific endpoints (IP addresses) and not the entire subnet.

    I'll give the Multipath rules a try and update this thread.

    Thank you.

  • Reviewing the article, it is geared towards typical scenarios with multiple public connections.  We definitely do not want to inadvertently route any traffic from any other system through the Private network.  At this juncture, the Private network's interface is not even available in the Multipath Rules.

  • Hi David,

    I'm confused by the name of the "Private" network - is this just a direct connection between the UTM and the SDWAN device?  If so, then you could add the "Private" interface to 'Active Interfaces' in 'Uplink Balancing' and then use Multipath rules.  Note that the Rules are an ordered list, so once traffic qualifies for a rule, no further rules are processed.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • If you wish to route only dedicated hosts over the SD-WAN device and the destination is the only parameter for the routing decision, simple static routing should be enough.

    You should do some diagnostics...

    Configure "Firewall is traceroute visible" within Firewall/ICMP.

    Traceroute to 8.8.8.8 ... you should see your firewall as a hop now.

    Traceroute to the network behind the WAN (??100.100.100.3??); I think this is where your problem is.

    The Network within the Static Routing definition is the destination host/network.

    ... or did I misunderstand? Possibly you wish to route all traffic coming from a specific host over the SD-WAN?

    So you need a policy route ... or "Multiple ISP/Uplink balancing with Multipath rules".


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Hi Bob,

    The "Private" network is just between the Sophos UTM and the SDWAN appliances.  The SDWAN appliances are not on our LAN.  We have SDWAN appliances at our satellite branches as well as corporate, and they create tunnels between themselves.  The SDWAN appliance at corporate publishes OSPF records, which are picked up by the Sophos on the Private network, and traffic between our satellites and corporate is seamlessly routed over the Private network between our corporate office's SDWAN and Sophos equipment.

    The Private network is an isolated network that only exists between the Sophos & SDWAN appliance.  It is not a LAN or a WAN network.  It is not currently available to add to a Multipath Rule or Uplink Balancing.

    We only want specific devices' internet traffic through the SDWAN, so I am hesitant to adjust Uplink Balancing or Multipath Rules.  

  • Dirk,

    I have been trying to get static routing to work, and failing.

  • In your reply to Bob you stated that a specific host should use the sd-wan for internet access.

    This means that routing must be carried out depending on the sender.

    That would then be possible with policy-routing.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.
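To make Dirk's distinction between destination-based static routes and sender-based policy routes concrete, here is an added illustration that is not part of the thread and not Sophos UTM code: a small Python model of a router with both kinds of table, built from the addresses David posted. It assumes a /24 mask on the WAN, an ISP gateway of 100.100.100.1, and (following Dirk's reading) that the failed static route had the endpoint's own address 10.0.0.40 entered as its Network. It also generalizes slightly by implementing ordinary longest-prefix matching rather than only the two routes in question.

```python
import ipaddress

# Added illustration, not Sophos UTM code: a minimal model of how a router
# chooses a next hop from destination-only static routes versus source-aware
# policy routes. Addresses come from the thread; the WAN mask, the ISP
# gateway 100.100.100.1 and the contents of David's static route are assumed.


class Router:
    def __init__(self, own_addresses):
        self.own = {ipaddress.ip_address(a) for a in own_addresses}
        self.static = []   # (destination network, gateway or None, interface)
        self.policy = []   # ordered (source network, destination network, gateway, interface)

    def add_static(self, network, gateway, iface):
        self.static.append((ipaddress.ip_network(network), gateway, iface))

    def add_policy(self, src, dst, gateway, iface):
        self.policy.append((ipaddress.ip_network(src), ipaddress.ip_network(dst), gateway, iface))

    def lookup(self, src, dst):
        """Return (kind, gateway, interface) for a packet from src to dst."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Packets addressed to the firewall itself are delivered locally and
        # never consult the forwarding tables.
        if dst in self.own:
            return ("local", None, None)
        # Policy routes are an ordered list keyed on the sender: first match wins.
        for s, d, gw, iface in self.policy:
            if src in s and dst in d:
                return ("policy", gw, iface)
        # Static and connected routes look at the destination only; the most
        # specific (longest prefix) match wins.
        best = None
        for net, gw, iface in self.static:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw, iface)
        return None if best is None else ("static", best[1], best[2])


def build_utm(endpoint_static_route=False, endpoint_policy_route=False):
    """Model the UTM from the thread, optionally with one of David's two attempts."""
    utm = Router(["10.0.0.1", "100.100.100.2", "192.168.2.2"])
    utm.add_static("10.0.0.0/24", None, "eth0")            # LAN, directly connected
    utm.add_static("100.100.100.0/24", None, "eth1")       # WAN, connected (mask assumed)
    utm.add_static("192.168.2.0/24", None, "eth2")         # Private, connected
    utm.add_static("0.0.0.0/0", "100.100.100.1", "eth1")   # default via ISP (gateway assumed)
    if endpoint_static_route:
        # Assumed reading of the failed attempt: the endpoint's address entered
        # as the static route's "Network", i.e. as a destination.
        utm.add_static("10.0.0.40/32", "192.168.2.3", "eth2")
    if endpoint_policy_route:
        # Sender-based rule: everything *from* the endpoint goes to the SD-WAN.
        utm.add_policy("10.0.0.40/32", "0.0.0.0/0", "192.168.2.3", "eth2")
    return utm


if __name__ == "__main__":
    for label, utm in [("static route", build_utm(endpoint_static_route=True)),
                       ("policy route", build_utm(endpoint_policy_route=True))]:
        print(f"--- {label} ---")
        # The endpoint's outbound internet traffic
        print("10.0.0.40 -> 8.8.8.8   :", utm.lookup("10.0.0.40", "8.8.8.8"))
        # Another LAN host, which must stay on the ISP uplink
        print("10.0.0.50 -> 8.8.8.8   :", utm.lookup("10.0.0.50", "8.8.8.8"))
        # The UTM's own echo reply back to the endpoint
        print("10.0.0.1  -> 10.0.0.40 :", utm.lookup("10.0.0.1", "10.0.0.40"))
```

Under the assumed static route, the endpoint's traffic to 8.8.8.8 still follows the default route out eth1, while the UTM's own reply to 10.0.0.40 is sent to 192.168.2.3 on eth2, which is consistent with the symptom that the endpoint could not even ping the UTM. With the policy route instead, only packets sourced from 10.0.0.40 are steered to the SD-WAN and other LAN hosts and the UTM's replies are unaffected.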

  • David, I meant to add 192.168.2.3 as a default gateway to eth2.  That lets you use the Multipath rules I suggested.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA