XG | BGP multihomed (WAN) | DNAT & SNAT

Here is my question:

1. How can I set up SNAT if my public subnet (3.3.3.0/24) is not configured on any interface? Is it possible? Can I create a loopback interface on XG?

2. Publish my website (DNAT)!

Any idea?

Notes:

- I push my network (3.3.3.0/24) to ISP 1 and 2.

- I receive a default route from ISP 1 and 2.

- No interface configured on XG with my public network (3.3.3.0/24).



Added TAGs
[edited by: emmosophos at 7:02 PM (GMT -8) on 22 Feb 2021]
Parents
  • This should work as far as I know. So simply create the SNAT, as you can select a custom address, which does not need to be on your XG.

    Also the DNAT should be possible, as you can do the same for DNAT. The requirements of NAT do not need anything actually present on the appliance. Simply create the needed hosts and verify that the traffic arrives at the XG correctly, as expected.

  • OMG Disappointed

    IPSec can only be done over an interface that is in the WAN zone, so the subnet published in the BGP cannot be used.

    I will have to change the remote IPSec tunnels to point to the IP of each of the WAN interfaces and create the failover group.

    IPSec can only be done over an interface that is in the WAN zone, so the subnet published in BGP cannot be used.

    I will have to change the remote IPSec tunnels so they point to the IP of each of the WAN interfaces and create the failover group.

  • Yes, this is a limitation that is currently being looked into. As you cannot configure a WAN interface in your setup, since the default gateway does not exist, this is not possible right now. For some customers, RED site-to-site could be a workaround (connecting XG/SG).

  • There are a lot of limitations with BGP on the XG. Save yourself the trouble and use a true router for your BGP then hand off to your XG. I fought with Sophos for months on their poor implementation. Ended up using Juniper router to handle BGP.

    What is suggested by using a RED tunnel won't work either for failover, since your /24 is not on an interface. You have to create 2 RED tunnels and use OSPF, one tunnel tied to each WAN interface. More work than is needed if they just handled BGP properly.

    The biggest issue is that you are using a firewall that is looking at the state of the connection. BGP always has some form of asymmetric routing and the XG cannot handle it. This is the case with any firewall vendor. The XG will just drop the packet if it comes in on the wrong WAN interface. You will notice this any time you lose one of your ISPs, depending on how you are set up with them. Even if you make one ISP the primary, you can't always control the return routes upstream.


Children
  • Based on what I've read on the issue (asymmetric routing), you should be able to solve this by removing the stateful connection check for the published subnet (3.3.3.0/24) (DNAT destination or SNAT subnet).

    It should be something like:
    set advanced-firewall bypass-stateful-firewall-config add source_network 0.0.0.0 source_netmask 0.0.0.0 dest_network 3.3.3.0 dest_netmask 255.255.255.0

    Tomorrow night I will make the changes and next week I will give you my conclusions and results.

  • You can certainly add stateful bypass rules to get around asymmetric routing, but doing so for your entire subnet from any source (0.0.0.0) means the firewall is no longer doing its full job. All of your inbound traffic to 3.3.3.0/24 will bypass the stateful firewall, which is a security risk and is not recommended.