Wrong WAN interface and IP address being used for outbound connection


I'm facing a challenge with configuring my XG firewall (XG125 v18). I hope someone can provide me with some tips & tricks.

I have two WAN interfaces. One set to active and one to backup. Both WAN interfaces have a /29 network. The usage of the IP addresses is as follows:

xxx.xxx.xxx.56 - Subnet ID
xxx.xxx.xxx.57 - Gateway
xxx.xxx.xxx.58 - WAN 1 Interface XG
xxx.xxx.xxx.59 - Webserver
xxx.xxx.xxx.60 - Webserver
xxx.xxx.xxx.61 - Webserver
xxx.xxx.xxx.62 - SMTP Server 1

yyy.yyy.yyy.112 - Subnet ID
yyy.yyy.yyy.113 - Gateway
yyy.yyy.yyy.114 - WAN 2 Interface XG
yyy.yyy.yyy.115 - Webserver
yyy.yyy.yyy.116 - SMTP Server 2
yyy.yyy.yyy.117 - Webserver
yyy.yyy.yyy.118 - Webserver

All the servers above are located in one DMZ zone (private range /24 network). Inbound traffic works great. Outbound traffic works great as well. But the SMTP servers need to use the IP addresses as recorded in DNS to properly work; in the current setup, some outbound mails are not delivered because the IP address of the WAN interface of WAN 1 is being used for outbound connections. That differs from the one that has been registered in DNS (SPF doesn't help preventing this either). So I need to translate the private range addresses to the public address used in the MX record (in my case of the SMTP servers, 172.16.x.14 to xxx.xxx.xxx.62 and 172.16.x.64 to yyy.yyy.yyy.116). I also need them to use the WAN interface they also receive traffic through. In my case, SMTP server 1 should use WAN 1 for outbound traffic and SMTP server 2 should use WAN 2 for outbound traffic.

I've tried to configure this with SD-WAN for a specific host and SNAT to translate the private address to the correct ext. IP address, but I've failed in doing so. I see the correct SNAT and FW rule are being hit, but it keeps on breaking out through the WAN 1 interface. I need it to break out through the WAN 2 interface. I've searched for many hours on the discussion groups and documentation, but none of the proposed solutions work, or I am missing bits of information to set it correctly.

My questions are:
- How do I force an outbound connection to use a different WAN interface as the default one for outbound traffic for a specific host, and how should I configure this?
- How do I make sure the correct external IP address (not the address of the WAN interface) is being used for outbound connectivity of a specific host?

PS! Routing precedence is set at default: SD-WAN policy route, VPN route, Static route.
Policy route doesn’t apply to system-generated and reply traffic.

I want to keep using my own MTAs as they include custom-built spam and phishing detection.



Added TAGs
[edited by: emmosophos at 6:56 PM (GMT -8) on 23 Feb 2021]

Top Replies

  • Hi,

    Thank you for reaching out to the Community! 

    First of all, ensure that the alias IP addresses are configured with /32 netmask. 

    You need to define the outbound interface or alias IP address…

  • Hi,

    Thank you for reaching out to Sophos Community.

    Please ensure that you've selected WAN 2 as a primary gateway in the SD-WAN policy configured for 'SMTP server 2'. Verify that the SNAT rule is placed on top with the correct inbound and outbound interfaces.

    Also, could you please share snapshots of SD-WAN policy, SNAT rule, and firewall rule configuration of 'SMTP server 2'?

    You may check the packet flow on email communication ports to see from which interface and with which public IP the traffic is being forwarded.

    You can use the BPF string below under packet capture.

    BPF string: port 25 or port 465 or port 587


    You can check the packet flow in the console.

    ==> Login to SSH > 4. Device console

    console> tcpdump 'port 25 or port 465 or port 587'

    Yash Kothari
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question, use the 'Verify Answer' link.
  • Hi,

    I've created some screenshots on the config. I tried to adjust the config according to the documentation that was referenced in the first reply, but that doesn't work as all SMTP traffic for all interfaces will be sent out over the indicated gateway. I want to only send it for a specific host.

    If I set the inbound and outbound ports to Port 7 (DMZ) and Port 6 (WAN2), then there is no match anymore in ports and this SNAT rule isn't hit anymore. The generic default SNAT then takes over. The logging shows that traffic traverses over Port 7 (in) and Port 5 (out).




  • In SNAT_ NAT rule please apply SNAT policy as 'yyy.yyy.yyy.116' IP address. Ensure to keep its position on top.

    As you want to forward all internet traffic of 'SMTP server 2' from WAN 2, change destination networks to ANY in SD-WAN policy.

    Yash Kothari
  • Brilliant! That worked. Thanks a million for the help.
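The packet-capture check suggested by support above can be automated once the SD-WAN policy and SNAT rule are in place. The script below is an added example, not from the thread or from Sophos: it parses console `tcpdump` output and flags any outbound SMTP SYN from an MTA that leaves on the wrong WAN port or without the public IP from DNS. The "PortN, IN/OUT: IP ..." line shape, the port numbers, and all addresses (documentation ranges standing in for the xxx/yyy octets) are constructed assumptions.

```python
# Added example, not from the thread: parse output of the XG console command
# tcpdump 'port 25 or port 465 or port 587' and check that each MTA's outbound
# SMTP leaves on the intended WAN port with the public source IP recorded in DNS.
# Line shape, addresses and port numbers are constructed/assumed for illustration.
import re
# Expected per the poster's design: private MTA -> (egress port, public source IP)
EXPECTED = {
    "172.16.10.14": ("Port5", "203.0.113.62"),    # SMTP server 1 via WAN 1
    "172.16.10.64": ("Port6", "198.51.100.116"),  # SMTP server 2 via WAN 2
}

LINE_RE = re.compile(
    r"^\S+ (?P<iface>Port\d+), (?P<dir>IN|OUT): IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def parse_syns(lines):
    """Yield only pure SYN packets (new outbound connections; replies carry 'S.')."""
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group("flags") == "S":
            yield m.groupdict()

def check_egress(lines, expected=EXPECTED):
    """Return (mta_ip, seen_iface, seen_src_ip, ok) per outbound SYN from a known MTA.
    IN/OUT packets are paired by (dst, dport, sport); assumes SNAT keeps the sport."""
    pending, results = {}, []
    for p in parse_syns(lines):
        key = (p["dst"], p["dport"], p["sport"])
        if p["dir"] == "IN" and p["src"] in expected:
            pending[key] = p["src"]
        elif p["dir"] == "OUT" and key in pending:
            mta = pending.pop(key)
            ok = (p["iface"], p["src"]) == expected[mta]
            results.append((mta, p["iface"], p["src"], ok))
    return results

# Constructed capture: the second flow shows the symptom from the post (SMTP
# server 2 leaving Port5 with the WAN 1 interface address instead of Port6/.116).
SAMPLE = """\
10:00:00.000001 Port7, IN: IP 172.16.10.14.40001 > 192.0.2.25.25: Flags [S], seq 1, win 64240, length 0
10:00:00.000050 Port5, OUT: IP 203.0.113.62.40001 > 192.0.2.25.25: Flags [S], seq 1, win 64240, length 0
10:00:01.000001 Port7, IN: IP 172.16.10.64.40002 > 192.0.2.26.25: Flags [S], seq 2, win 64240, length 0
10:00:01.000050 Port5, OUT: IP 203.0.113.58.40002 > 192.0.2.26.25: Flags [S], seq 2, win 64240, length 0
10:00:02.000001 Port7, IN: IP 172.16.10.64.40003 > 192.0.2.27.587: Flags [S], seq 3, win 64240, length 0
10:00:02.000050 Port6, OUT: IP 198.51.100.116.40003 > 192.0.2.27.587: Flags [S], seq 3, win 64240, length 0
""".splitlines()

for mta, iface, src, ok in check_egress(SAMPLE):
    print(f"{mta} -> {iface} as {src}: {'OK' if ok else 'WRONG egress'}")
```

A real capture can be fed in by piping the console output to a file and passing its lines to `check_egress`; the source-port pairing is an assumption and will miss flows where the firewall rewrites the source port.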


