Wrong WAN interface and IP address being used for outbound connection


I'm facing a challenge with configuring my XG firewall (XG125 v18). I hope someone can provide me with some tips & tricks.

I have two WAN interfaces. One set to active and one to backup. Both WAN interfaces have a /29 network. The usage of the IP addresses is as follows:

xxx.xxx.xxx.56 - Subnet ID
xxx.xxx.xxx.57 - Gateway
xxx.xxx.xxx.58 - WAN 1 Interface XG
xxx.xxx.xxx.59 - Webserver
xxx.xxx.xxx.60 - Webserver
xxx.xxx.xxx.61 - Webserver
xxx.xxx.xxx.62 - SMTP Server 1

yyy.yyy.yyy.112 - Subnet ID
yyy.yyy.yyy.113 - Gateway
yyy.yyy.yyy.114 - WAN 2 Interface XG
yyy.yyy.yyy.115 - Webserver
yyy.yyy.yyy.116 - SMTP Server 2
yyy.yyy.yyy.117 - Webserver
yyy.yyy.yyy.118 - Webserver

All the servers above are located in one DMZ zone (private range /24 network). Inbound traffic works great. Outbound traffic works great as well. But the SMTP servers need to use the IP addresses as recorded in DNS to work properly; in the current setup, some outbound mails are not delivered because the IP address of the WAN 1 interface is being used for outbound connections. That differs from the one that has been registered in DNS (SPF doesn't help preventing this either). So I need to translate the private range addresses to the public address used in the MX record (in the case of my SMTP servers, 172.16.x.14 to xxx.xxx.xxx.62 and 172.16.x.64 to yyy.yyy.yyy.116). I also need them to use the WAN interface they also receive traffic through. In my case, SMTP server 1 should use WAN 1 for outbound traffic and SMTP server 2 should use WAN 2 for outbound traffic.

I've tried to configure this with SD-WAN for a specific host and SNAT to translate the private address to the correct ext. IP address, but I've failed in doing so. I see the correct SNAT and FW rule are being hit, but it keeps on breaking out through the WAN 1 interface. I need it to break out through the WAN 2 interface. I've searched for many hours on the discussion groups and documentation, but none of the proposed solutions work, or I am missing bits of information to set it correctly.

My questions are:
- How do I force an outbound connection to use a different WAN interface than the default one for outbound traffic for a specific host, and how should I configure this?
- How do I make sure the correct external IP address (not the address of the WAN interface) is being used for outbound connectivity of a specific host?

PS! Routing precedence is set at default: SD-WAN policy route, VPN route, Static route.
Policy route doesn’t apply to system-generated and reply traffic.

I want to keep using my own MTAs as they include custom-built spam and phishing detection.



Added TAGs
[edited by: emmosophos at 6:56 PM (GMT -8) on 23 Feb 2021]
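The post says mail is dropped when a DMZ MTA egresses through the WAN 1 interface address instead of the address in DNS. The following added example (not part of the original post or of Sophos XG) models how a receiving MTA sees that: a minimal SPF evaluator (ip4/ip6 mechanisms and `all` only) plus a forward-confirmed reverse DNS check, run against a constructed DNS view. The domains `example.net`/`example.org` and the RFC 5737 addresses `198.51.100.56/29` and `203.0.113.112/29` are constructed stand-ins for the `xxx`/`yyy` prefixes in the question; the host offsets (.58 interface, .62 and .116 mail servers) follow the post.

```python
"""Why mail from a DMZ MTA is rejected when it leaves through the wrong WAN address.

Added example, not from the original post.  All DNS data below is constructed:
198.51.100.56/29 stands in for the WAN 1 block, 203.0.113.112/29 for WAN 2.
"""
import ipaddress

# Constructed DNS view of the two mail domains.
DNS = {
    "a": {
        "mx1.example.net": "198.51.100.62",   # SMTP server 1 public address (.62)
        "mx2.example.org": "203.0.113.116",   # SMTP server 2 public address (.116)
    },
    "ptr": {
        "198.51.100.62": "mx1.example.net",
        "203.0.113.116": "mx2.example.org",
        "198.51.100.58": "fw-wan1.example.net",  # WAN 1 interface address itself (.58)
    },
    "txt": {
        "example.net": "v=spf1 ip4:198.51.100.62 -all",
        "example.org": "v=spf1 ip4:203.0.113.116 -all",
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, source_ip, dns=DNS):
    """Minimal SPF evaluation: ip4:/ip6: mechanisms and the 'all' default.

    Real SPF also has a, mx, include, exists and redirect; they are omitted
    because the failure mode here is purely an address mismatch.
    """
    record = dns["txt"].get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(source_ip)
    for term in record.split()[1:]:
        qualifier, mech = "+", term
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        if mech == "all":
            matched = True
        elif mech.startswith(("ip4:", "ip6:")):
            matched = ip in ipaddress.ip_network(mech[4:], strict=False)
        else:
            continue  # unsupported mechanism in this toy evaluator
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def fcrdns_check(source_ip, dns=DNS):
    """Forward-confirmed reverse DNS: the PTR name must have an A record back to the IP."""
    name = dns["ptr"].get(source_ip)
    return name is not None and dns["a"].get(name) == source_ip


def receiving_mta_view(mail_from_domain, source_ip):
    """What a receiving MTA concludes about a connection from source_ip."""
    return {
        "spf": spf_check(mail_from_domain, source_ip),
        "fcrdns": fcrdns_check(source_ip),
    }


if __name__ == "__main__":
    # SMTP server 2 egressing through the WAN 1 interface address (the reported problem)
    print("broken:", receiving_mta_view("example.org", "198.51.100.58"))
    # SMTP server 2 egressing through its own DNS-registered address (the intended SNAT)
    print("fixed: ", receiving_mta_view("example.org", "203.0.113.116"))
```

With the WAN 1 interface address as source, SPF for `example.org` hits `-all` and the PTR does not confirm, which is the "some outbound mails are not delivered" symptom; once the SNAT maps the MTA to its own public address, both checks pass.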

Top Replies

  • Hi,

    Thank you for reaching out to the Community! 

    First of all, ensure that the alias IP addresses are configured with /32 netmask. 

    You need to define the outbound interface or alias IP address…