Advisory: Support Portal Maintenance. Login is currently unavailable, more info available here.

Sophos XG: How to setup MTA mode when you have multiple WAN ports or alias IP addresses

Disclaimer: This information is posted as-is and the content should be referenced at your own risk


When using MTA mode for email delivery, if you have multiple WAN interfaces or public IP addresses, it’s necessary to create an outbound rule to forward mail via one interface or IP address.

Depending on your WAN and alias IP configuration, you must do the following:

  • If you have a single WAN interface with multiple alias IP addresses. Configure a NAT rule for SMTP with the specific public IP traffic that traffic will be sent from.
  • If you have multiple WAN interfaces and no alias IP addresses. Configure a SD-WAN rule for SMTP and the Destination ANY.
  • If you have multiple WAN addresses and multiple alias IP addresses. Configure both the NAT and the SD-WAN rule.
  • For all scenarios, change the route precedence to: Static, VPN, SD-WAN.

To configure these options, do as follows:

Create a NAT Rule for SMTP with the specific IP traffic will be sent from

  1. Go to Rules and policies > NAT rules. Select IPv4or IPv6 and then select Add NAT rule.
  2. The rule is turned on by default.
  3. Enter the rule details.

Name

Description

Rule name

Enter a name.

Rule group

Select a rule group or create one. The firewall rule will belong to this group.

If you select Automatic, the firewall rule is added to an existing group based on the first match with rule type and source-destination zones.

  1. Specify the translation settings for source, destination, services, and interfaces to match traffic.

Name

Description

Original source

Specify ANY.

Translated source (SNAT)

Specify MASQ.

Original destination

Specify ANY.

Translated destination (DNAT)

Select Original.

Original service

Select SMTP.

Translated service (PAT)

Select Original.

Inbound interface

Select Any.

Outbound interface

Select the WAN interface or alias IP address from which traffic specified in this rule exits XG Firewall.

  1. Optional Select Create loopback rule to allow internal hosts to access other internal hosts, for example, servers.
  2. Optional Select Create reflexive rule to create a mirror rule that reverses the matching criteria of the rule from which it’s created.

Note: You can create loopback and reflexive rules for destination NAT rules. They are created using the original NAT rule ID and name. Changing the original NAT rule settings later doesn’t change loopback and reflexive rule settings.

  1. Click Save.

The following screenshot shows an example NAT rule.

 

Create a SD-WAN Rule with Destination ANY and Service SMTP 

    1. Go to Routing > SD-WAN policy routing.  Scroll down to IPv4 or IPv6 SD-WAN policy route and select Add.
    2. Enter a name.
    3. Select the traffic selector settings.

Name

Description

Incoming interface

Select the interface through which SMTP traffic XG Firewall.

Deleting the interface also deletes the policy route.

DSCP marking

Select the level of DSCP marking to match incoming packets for priority. For details, see DSCP Value.

Expedited forwarding (EF): Priority queuing that ensures low delay and packet loss. Suitable for real-time services.

Assured forwarding (AF): Assured delivery, but with packet drop if congestion occurs. Assigns packets a higher priority than best-effort.

Class selector (CS): Backward compatibility with network devices that use IP precedence in type of service.

Source networks and Destination networks

Select ANY as both source and destination networks.

Services

Select SMTP.

Application object

Leave blank.

Users or groups

Select ANY.

  1. Specify the routing settings.

Name

Description

Primary gateway

Select the primary gateway to route traffic.

If you delete the selected gateway, XG Firewall will delete the policy route and implement WAN link load balance to route traffic.

If the primary gateway goes down, XG Firewall routes traffic through the backup gateway. When the primary gateway comes back up, XG Firewall routes traffic through it.

Backup gateway

If you've configured more than one gateway, select the backup gateway.

If you delete the selected gateway, XG Firewall sets the backup gateway to None.

Override gateway monitoring decision

Select if you want to route traffic through the selected gateway, even if the gateway is down.

  1. Click Save.

The following screenshot shows an example SD-WAN policy route.

 

 

  1. Sign in to the XG firewall command line console as admin.
  2. Select option 4. Device Console.
  3. Type the following command:
  • set routing sd-wan-policy-route system-generate-traffic enable

Change the Route Precedence to Static - VPN - SD-WAN

  1. Sign in to the XG firewall command line console as admin.
  2. Select option 4. Device Console.
  3. Type the following command and press enter: system route_precedence set static vpn sdwan_policyroute
  4. Confirm the change using the following command: system route_precedence show
Parents Reply Children
No Data