
Wrong WAN interface and IP address being used for outbound connection


Hi,

I'm facing a challenge with configuring my XG firewall (XG125 v18). I hope someone can provide me with some tips & tricks.

I have two WAN interfaces. One set to active and one to backup. Both WAN interfaces have a /29 network. The usage of the IP addresses is as follows:

WAN 1
xxx.xxx.xxx.56 - Subnet ID
xxx.xxx.xxx.57 - Gateway
xxx.xxx.xxx.58 - WAN 1 Interface XG
xxx.xxx.xxx.59 - Webserver
xxx.xxx.xxx.60 - Webserver
xxx.xxx.xxx.61 - Webserver
xxx.xxx.xxx.62 - SMTP Server 1

WAN 2
yyy.yyy.yyy.112 - Subnet ID
yyy.yyy.yyy.113 - Gateway
yyy.yyy.yyy.114 - WAN 2 Interface XG
yyy.yyy.yyy.115 - Webserver
yyy.yyy.yyy.116 - SMTP Server 2
yyy.yyy.yyy.117 - Webserver
yyy.yyy.yyy.118 - Webserver

All the servers above are located in one DMZ zone (private range /24 network). Inbound traffic works great. Outbound traffic works great as well. But the SMTP servers need to use the IP addresses as recorded in DNS to work properly; in the current setup, some outbound mails are not delivered because the IP address of the WAN interface of WAN 1 is being used for outbound connections. That differs from the one that has been registered in DNS (SPF doesn't help prevent this either). So I need to translate the private range addresses to the public address used in the MX record (in my case of the SMTP servers, 172.16.x.14 to xxx.xxx.xxx.62 and 172.16.x.64 to yyy.yyy.yyy.116). I also need them to use the WAN interface they receive traffic through (in my case, SMTP server 1 to use WAN 1 for outbound traffic and SMTP server 2 to use WAN 2 for outbound traffic).

I've tried to configure this with SD-WAN for a specific host and SNAT to translate the private address to the correct ext. IP address, but I've failed in doing so. I see the correct SNAT and FW rule are being hit, but it keeps on breaking out through the WAN 1 interface. I need it to break out through the WAN 2 interface. I've searched for many hours on the discussion groups and documentation, but none of the proposed solutions work, or I am missing bits of information to set it correctly.

My questions are:
- How do I force an outbound connection to use a different WAN interface as the default one for outbound traffic for a specific host, and how should I configure this?
- How do I make sure the correct external IP address (not the address of the WAN interface) is being used for outbound connectivity of a specific host?

PS: Routing precedence is set to the default: SD-WAN policy route, VPN route, Static route.
Policy route doesn't apply to system-generated and reply traffic.

I want to keep using my own MTAs as they include custom-built spam and phishing detection.

Thanks

Regards
Guy
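A way to see what the receiving mail server sees when the wrong WAN address is used, as an added example that is not from the original post: an offline Python check of whether a given egress IP is the one published for the MX host (A record, forward-confirmed reverse DNS and SPF). The DNS records and addresses are constructed stand-ins (203.0.113.x for WAN 1, 198.51.100.x for WAN 2); swap the dict for real lookups to check a live setup.

```python
"""Offline check that an SMTP server's egress IP is the one DNS advertises for it.
Constructed example with documentation-range addresses; the resolver is a dict."""
from ipaddress import ip_address, ip_network

# Constructed DNS snapshot (hypothetical): 203.0.113.x stands for WAN 1, 198.51.100.x for WAN 2.
FAKE_DNS = {
    ("mx1.example.test", "A"): ["203.0.113.62"],       # SMTP server 1 public address
    ("mx2.example.test", "A"): ["198.51.100.116"],     # SMTP server 2 public address
    ("203.0.113.62", "PTR"): ["mx1.example.test"],
    ("198.51.100.116", "PTR"): ["mx2.example.test"],
    ("203.0.113.58", "PTR"): [],                       # WAN 1 interface address: no PTR
    ("example.test", "TXT"): ["v=spf1 ip4:203.0.113.62 ip4:198.51.100.116 -all"],
}

def lookup(name, rtype, resolver=FAKE_DNS):
    """Return the records of type rtype for name from the (fake) resolver."""
    return resolver.get((name, rtype), [])

def fcrdns_ok(egress_ip, expected_host, resolver=FAKE_DNS):
    """Forward-confirmed reverse DNS: PTR(egress_ip) names the host and A(host) has egress_ip."""
    if expected_host not in lookup(egress_ip, "PTR", resolver):
        return False
    return egress_ip in lookup(expected_host, "A", resolver)

def spf_ok(egress_ip, domain, resolver=FAKE_DNS):
    """Minimal SPF evaluation: only ip4:/ip6: mechanisms, which is all this record uses."""
    ip = ip_address(egress_ip)
    for txt in lookup(domain, "TXT", resolver):
        if not txt.startswith("v=spf1"):
            continue
        for term in txt.split()[1:]:
            if term.startswith(("ip4:", "ip6:")) and ip in ip_network(term[4:], strict=False):
                return True
    return False  # no matching mechanism: with "-all" the receiver would reject

def check_egress(egress_ip, expected_host, domain, resolver=FAKE_DNS):
    """Summarise why mail sent from egress_ip would (or would not) be accepted."""
    return {
        "egress_ip": egress_ip,
        "matches_mx_a": egress_ip in lookup(expected_host, "A", resolver),
        "fcrdns": fcrdns_ok(egress_ip, expected_host, resolver),
        "spf": spf_ok(egress_ip, domain, resolver),
    }

if __name__ == "__main__":
    for ip in ("203.0.113.62", "203.0.113.58"):  # intended address vs WAN 1 interface address
        print(check_egress(ip, "mx1.example.test", "example.test"))
```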


