
V17 to V18 Migration - Specific Gateway

Hello,

I tested V18 this weekend for hours, and I'm sure I'm missing something for my actual rules from V17 to be the same on V18...

I watched the videos on NAT explained in V18, and read the KB, but I must be dumb, I don't know... and I can't figure out how to have the same thing on V18...

Here are screenshots of my V17 rules.

First, this is rule #1, with specific VLANs accessing the Internet with specific services from the specific gateway "WAN link load balance".

Second, this is rule #15 with VLAN100 accessing the Internet with all ports and all destinations, with the specific gateway "ADSL".

Then, we can see that rule #15 is at the top and will be evaluated first by the firewall rules, and #1 is at the bottom.

I tried to do the same on V18, and tried to tweak the SD-WAN thing to use a specific gateway, but it routes all the traffic even if it is not Internet traffic (i.e. VLAN 1 to VLAN 10 RDP is routed to the default Internet gateway, which is dumb because this is internal traffic...).

So can someone explain to me the exact way to have the same 2 rules I had in V17 on V18?

Thank you.

Regards.

  • I tried that too, but then suddenly I couldn't reach many internal servers because it wanted to direct all of the traffic (also internal) to the outside.

    I think the problem is that new SD-WAN rules cannot be linked to a firewall rule, as was the case with the migrated SD-WAN rules.

    I have to test even more next weekend; I am now back on 17.5.9 and everything went as it should.

  • Yes, this is the exact same problem I have!!!

    The migrated SD-WAN rules work well, because they are linked to firewall rules.

    And when we create new SD-WAN rules, we cannot link them to firewall rules, and when we try to reach internal servers the traffic is redirected to the outside instead of going to the internal servers!!!

  • Changing the Routing Precedence to Static - VPN - SD-WAN will resolve your issues.

    https://community.sophos.com/kb/en-us/123610

    console> system route_precedence set static vpn sdwan_policyroute
    console> system route_precedence show
    Routing Precedence:
    1. Static routes
    2. VPN routes
    3. SD-WAN policy routes

    Let me put some more context into this answer.

    (The online help is getting some updates about this as well.)

    There are basically three different routing modules which can take place: Static Routing (static routes, OSPF, BGP), VPN Routing (policy-based IPsec) and SD-WAN Routing.

    If your current settings are "PBR, Static, VPN", XG will use the matching PBR and route the traffic no matter what.

    Because you are using ANY in certain scenarios, this could lead to issues.

    For example, you want to route all Internet traffic of Host A to Gateway 1. You will choose ANY for Destination.

    This route will be applied to ANY destination traffic, even internal traffic.

    This can be resolved by using Static Routing as the first selector. Static Routing will cover the internal traffic, and everything internal will be handled as usual.

    If Host A now wants to reach something which cannot be resolved by static routing, PBR routing will be asked to look for a route.

    Therefore PBR will be used for ANY.

    This kind of information is currently in development for the Online Help to give a smooth transition.

    Hope it helps.
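To make the precedence argument in the answer above concrete, here is an added example (not code from the thread or from Sophos) that models the three routing modules as lookup functions and asks them in a configurable order. The topology, VLAN prefixes, gateway names and the simplified rule that the default gateway is consulted only after all three modules are constructed assumptions for illustration; the real XG lookup has more detail than this. It reproduces the failure the poster saw (an SD-WAN policy with destination ANY capturing VLAN1 to VLAN10 RDP traffic when SD-WAN is asked first) and shows the same flow landing on the connected VLAN10 route once static routing is asked first.

```python
import ipaddress

# Constructed sample topology (illustrative, not from any real device):
# two directly connected VLANs, one policy-based IPsec network, and an SD-WAN
# policy route of the kind the post describes (source VLAN1, destination ANY).
CONNECTED_ROUTES = [
    (ipaddress.ip_network("192.168.1.0/24"), "VLAN1 (directly connected)"),
    (ipaddress.ip_network("192.168.10.0/24"), "VLAN10 (directly connected)"),
]

VPN_ROUTES = [
    (ipaddress.ip_network("10.50.0.0/16"), "policy-based IPsec tunnel"),
]

SDWAN_POLICY_ROUTES = [
    {
        "source": ipaddress.ip_network("192.168.1.0/24"),
        "destination": ipaddress.ip_network("0.0.0.0/0"),  # ANY
        "gateway": "ADSL gateway",
    },
]

# Assumed simplification: the default gateway is the final fallback after all modules.
DEFAULT_GATEWAY = "WAN link load balance"


def lookup_static(src, dst):
    """Longest-prefix match over connected/static routes; None if nothing matches."""
    best = None
    for prefix, nexthop in CONNECTED_ROUTES:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nexthop)
    return best[1] if best else None


def lookup_vpn(src, dst):
    """Policy-based IPsec: route if the destination is a remote tunnel network."""
    for prefix, nexthop in VPN_ROUTES:
        if dst in prefix:
            return nexthop
    return None


def lookup_sdwan(src, dst):
    """First matching policy wins; a destination of 0.0.0.0/0 (ANY) matches everything,
    including internal networks, which is exactly the trap the thread describes."""
    for policy in SDWAN_POLICY_ROUTES:
        if src in policy["source"] and dst in policy["destination"]:
            return policy["gateway"]
    return None


MODULES = {"static": lookup_static, "vpn": lookup_vpn, "sdwan": lookup_sdwan}


def route(src, dst, precedence):
    """Ask each routing module in precedence order; fall back to the default gateway."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name in precedence:
        nexthop = MODULES[name](src, dst)
        if nexthop is not None:
            return f"{name}: {nexthop}"
    return f"default: {DEFAULT_GATEWAY}"


def compare(src, dst):
    """Show where one flow lands under the problematic and the recommended precedence."""
    return {
        "sdwan first": route(src, dst, ["sdwan", "static", "vpn"]),
        "static first": route(src, dst, ["static", "vpn", "sdwan"]),
    }


if __name__ == "__main__":
    flows = [
        ("RDP VLAN1 -> VLAN10", ("192.168.1.20", "192.168.10.5")),
        ("VLAN1 -> Internet", ("192.168.1.20", "203.0.113.7")),
    ]
    for label, (src, dst) in flows:
        print(label, compare(src, dst))
```

With SD-WAN first, the internal RDP flow is sent to the ADSL gateway because ANY matched it; with static first, the connected VLAN10 route wins and only traffic that static routing cannot resolve (Internet destinations) reaches the SD-WAN policy, which is the behaviour the poster wanted from the V17 rules.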
