[Sophos XG] [Routing and multiple gateways] Replicate v17 scenario in v18

Hi guys,

I have a doubt about how to achieve the same thing that could be done in the past with v17, and I'm struggling with v18.

Scenario:


Basically, I have 2 WANs, one for everything and the other one for X special thing that cannot be used for anything else, so both have to be active and cannot be failed over between them. Also, an MPLS which connects to a remote office and, if that fails, a policy-based VPN that provides connectivity.

In v17, to achieve that, it would require:

  • Gateway for the MPLS with policy-based routing.
  • IPsec between WAN1 and the remote WAN.
  • Firewall rule1 to allow "LAN" to "Remote" office.
  • Firewall rule2 to allow X special thing in the "LAN" through WAN2 by selecting the 2nd WAN in the firewall rule and no backup (ability to choose the "main" WAN to use).
  • Firewall rule3 to allow "LAN" to "WAN" any through WAN1 and no backup nor load balance.
  • Having route precedence "static - policy - vpn".

In v18 (from what I have seen) there's no option to only choose one WAN. What comes to my mind is:

  • Creating a static route for WAN1 that takes priority last, but that breaks the MPLS/VPN backup scenario.
  • Creating a PBR entry, which routes the special case through WAN2, MPLS traffic through the MPLS gateway and then another one that routes everything else through WAN1. The problem is that if the MPLS fails, the traffic won't go through the IPsec and the failover won't occur.
  • The above scenario, but switching the route precedence to "static - vpn - policy": it will never match the MPLS, unless I create a static route, and then I'll not be able to monitor the link to have automatic failover.
  • Setting weight in the WANs will decrease the chances to use the 2nd WAN, but it will eventually use it (there's no 0 option).
  • Following the PBR idea, replace the policy-based VPN with route-based and then create a GW for the IPsec below the MPLS PBR rule (realistic option, but unsure whether the remote company will say yes to changing the IPsec).

The last one is the only possible solution I have come to that I could realistically do. But what if I NEED policy-based VPN?


Any ideas how to achieve the same thing on v18 that could be done on v17? Any help is appreciated.
Thanks!
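As an added illustration (not from the post and not Sophos code), here is a simplified Python model of route lookup under the two precedence orders discussed above. It assumes that tables are consulted in the configured order, that a policy route whose gateway is down is skipped, and that the policy-based IPsec selector lives in the vpn table; the route names and addresses are constructed samples.

```python
# Simplified model of route-table precedence, an added illustration only.
# Assumptions: tables are tried in precedence order, a policy route whose
# gateway is down is skipped, and the policy-based IPsec sits in the "vpn" table.
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Route:
    table: str                   # "static", "policy" or "vpn"
    dst: str                     # destination prefix this entry matches
    gateway: str                 # next hop or tunnel name (constructed names)
    dport: Optional[int] = None  # policy routes may additionally match a port

# Constructed sample: remote office behind MPLS, special app on WAN2, rest on WAN1
ROUTES = [
    Route("policy", "10.20.0.0/16", "MPLS"),            # remote office via MPLS
    Route("policy", "0.0.0.0/0", "WAN2", dport=8443),   # the "X special thing"
    Route("policy", "0.0.0.0/0", "WAN1"),               # everything else
    Route("vpn", "10.20.0.0/16", "IPSEC"),              # policy-based tunnel
]

def lookup(precedence, routes, gateways_up, dst, dport):
    """Return the gateway chosen for (dst, dport) under the given precedence."""
    addr = ipaddress.ip_address(dst)
    for table in precedence:
        for r in routes:
            if r.table != table or addr not in ipaddress.ip_network(r.dst):
                continue
            if r.dport is not None and r.dport != dport:
                continue
            if not gateways_up.get(r.gateway, True):  # assumption: dead gw skipped
                continue
            return r.gateway
    return None

def remote_office_path(precedence, mpls_up):
    """Path taken by LAN -> remote office traffic when MPLS is up or down."""
    gws = {"MPLS": mpls_up, "WAN1": True, "WAN2": True, "IPSEC": True}
    return lookup(precedence, ROUTES, gws, "10.20.5.10", 445)
```

With "static - policy - vpn" the catch-all WAN1 policy route captures remote-office traffic as soon as the MPLS gateway is down, so the vpn table is never reached; with "static - vpn - policy" the tunnel wins even while the MPLS is healthy.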