
Dual WAN, VPN Listening on WAN1, WAF listening on WAN2

Hello,


I hope someone can help me with this issue as I am completely confused by this. I have configured 2 WAN interfaces, both with their own external IPs. Both WANs can ping out to 8.8.8.8, so I know the internet connectivity is there. However, here comes the confusing part. VPN listening on WAN1 works perfectly and is accessible on the internet. WAF listening on WAN2 doesn't work properly. When I browse to the external IP of WAN2 from within my network, WAF provides me with my website. When I browse to the WAN2 external IP from the internet, I get network unreachable. The weird part is I see the traffic coming in on the FW logs, but it seems Sophos just does nothing with the traffic. I have attached a screenshot of the relevant configs and FW log.

  • The first thing I see: there is no default gateway at WAN2.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Why would you need to have a default gateway on WAN2? The WAF service is listening on WAN2, and also you can't have two WAN interfaces with a default gateway set.

  • You need a gateway at this second WAN interface.

    An IP packet from an external host1 arrives at the WAF on WAN2.
    WAF will send the answer packet to host1. But what host is responsible for taking the packet from WAF and forwarding it?
    What is the next hop on this connection?

    To add a second WAN interface you need "ISP Uplink Balancing".

    With this feature activated, you can have more than 1 default GW.

    If you try to add a second default GW within the interface configuration, the GUI asks you to activate uplink balancing and does this job for you.

    With interface weighting (Interfaces / Uplink Balancing) you can prohibit "normal" traffic from using this interface.

    With multipath rules you select which traffic should take which link.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.
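To make the "what is the next hop" point concrete, here is an added example that is not from the thread or from Sophos: it models the firewall's egress route lookup for a WAF reply packet with Python's `ipaddress` module, first with a default gateway on WAN1 only and then with a source-based rule of the kind uplink balancing installs for WAN2. All addresses are constructed documentation ranges and the interface names eth0/eth1/eth2 are assumptions.

```python
import ipaddress

# Constructed sample addressing (documentation ranges, not the thread's real IPs).
WAN1_NET, WAN1_IP, WAN1_GW = "203.0.113.0/24", "203.0.113.10", "203.0.113.1"
WAN2_NET, WAN2_IP, WAN2_GW = "198.51.100.0/24", "198.51.100.10", "198.51.100.1"
LAN_NET, LAN_PC = "192.168.1.0/24", "192.168.1.50"
INTERNET_PC = "192.0.2.55"  # an outside browser hitting WAN2's public IP

# Route entries: (prefix, egress interface, next hop or None when on-link).
MAIN_TABLE = [
    (LAN_NET, "eth0", None),
    (WAN1_NET, "eth1", None),
    (WAN2_NET, "eth2", None),
    ("0.0.0.0/0", "eth1", WAN1_GW),  # the only default gateway in the first setup
]
# Per-uplink table as installed by uplink balancing (assumed layout): same
# connected routes, but the default route points at WAN2's own ISP gateway.
WAN2_TABLE = [r for r in MAIN_TABLE if r[0] != "0.0.0.0/0"] + [("0.0.0.0/0", "eth2", WAN2_GW)]

def lookup(table, dst):
    """Longest-prefix match of dst against one table; returns (iface, next_hop) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, gw in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    return None if best is None else (best[1], best[2])

def route_reply(src, dst, policy_rules=()):
    """Egress decision for a reply packet. policy_rules = [(source_prefix, table)]
    are consulted before the main table; that is how a per-uplink gateway is expressed."""
    for src_prefix, table in policy_rules:
        if ipaddress.ip_address(src) in ipaddress.ip_network(src_prefix):
            hit = lookup(table, dst)
            if hit:
                return hit
    return lookup(MAIN_TABLE, dst)

def without_second_gateway():
    """WAN1-only default gateway: LAN reply is on-link, internet reply leaves via WAN1."""
    return route_reply(WAN2_IP, LAN_PC), route_reply(WAN2_IP, INTERNET_PC)

def with_uplink_balancing():
    """Source rule for WAN2's address: internet reply now leaves via WAN2's gateway."""
    rules = [(WAN2_NET, WAN2_TABLE)]
    return route_reply(WAN2_IP, LAN_PC, rules), route_reply(WAN2_IP, INTERNET_PC, rules)
```

The first scenario reproduces the symptom in the opening post: a test from the LAN succeeds because the reply is on-link, while the reply to an internet client is sent through WAN1's gateway carrying WAN2's source address, which an upstream anti-spoofing filter may drop.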

  • Hello,

    I tried your advice and I configured uplink balancing; both have default gateways now. I tested that traffic works going out the NIC: I ran a speed test from an internal PC and could see the data was being balanced between both links. Now the WAF still doesn't work as expected. I can still browse to the external IP internally and it works, but when I try to access the IP from the external internet I still get ERR_CONNECTION_TIMED_OUT in the browser.

  • Hi, Chris, and welcome to the UTM Community!

    I've moved this thread to the Webserver Protection forum.

    The test we need to see is one from outside your network.  Depending on the results of that, the next step is different.  If an access from outside your LAN is not successful, please show us the relevant line from the Webserver Protection log file.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA