
need help to understand gateways in XG

I have an existing Sophos that has two interfaces with a public IP set as WAN and gateway, and there is no default static route in the routing section where a next hop is set to reach the internet. I don't understand how setting an interface as WAN and it becoming a gateway can route the traffic to the internet without specifying a default route to the next hop. Let us say I have two WAN gateway interfaces, 11.11.11.1 and 12.12.12.1, and they are connected to a router with 11.11.11.2 and 12.12.12.2. How does the Sophos know, when it receives traffic destined for the internet, to route it to the next hop 11.11.11.2 or 12.12.12.2?



  • Hi,

    Because the firewall rule has "any" network as the destination in your firewall rules. If you want traffic to go elsewhere you will need rules before your internet access rules.

    ian

    XG115W - v19.5.1 mr-1 - Home


  • Basically, when you configure an interface with zone "WAN", it will automagically create a 0.0.0.0 route with the IP you entered as next hop (Gateway IP).

    This automatic default-gw will be used last. It will try first to use static, PBR (SD-WAN) and VPN routing. It will also try dynamic routing protocols, and if there's nothing that helps, it will use that 0.0.0.0 gateway created by the "WAN" interface.

    Now, if you have 2 WAN interfaces, Sophos will create 2 default gateways in "Active" mode and use both, "load balancing" them. If you want to use 1 more than the other, you can adjust a value called "Weight". And if you want to use only 1 as the default gateway, you can put the other as "Backup" and Sophos won't use it as the last-resort gateway, but you will be able to use that 2nd next hop by putting in a static route, PBR, etc.

    Hope that clarifies a little bit.

    Bye!
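To make the lookup order in the answer above concrete, here is a small model of it. This is an added illustration written for this thread, not Sophos code and not how XG implements its routing table internally; it only reproduces the behaviour described: explicit routes (static, SD-WAN policy, VPN) are consulted first, and only when none matches does the packet fall through to the 0.0.0.0/0 entries that the WAN interfaces created, spread across "Active" gateways by weight, with "Backup" gateways skipped for that last-resort step but still usable via a static route. The addresses are the ones from the question; the partner prefix 10.20.0.0/16 and the destination 203.0.113.10 are made up for the example.

```python
"""Toy model of XG gateway selection as described in the thread.

Illustration only (not Sophos code). Assumptions labelled inline:
  - WAN1 is 11.11.11.1 with next hop 11.11.11.2, WAN2 is 12.12.12.1
    with next hop 12.12.12.2 (from the question)
  - 10.20.0.0/16 is a hypothetical network reachable only via ISP2
  - 203.0.113.10 is a hypothetical internet destination
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Gateway:
    """A 0.0.0.0/0 entry auto-created by an interface in zone WAN."""
    name: str
    next_hop: str
    weight: int = 1          # share of last-resort traffic when "active"
    mode: str = "active"     # "active" or "backup"


@dataclass
class StaticRoute:
    """An explicit route (static / SD-WAN policy / VPN) that wins over default gws."""
    prefix: str
    next_hop: str


def lookup(dst, static_routes, gateways, flow_id):
    """Return (reason, next_hop) for a packet to dst.

    flow_id stands in for whatever per-flow key the firewall hashes on;
    here it just indexes into a weighted bucket list so the spread is
    deterministic and easy to check.
    """
    dst_ip = ipaddress.ip_address(dst)

    # 1. Explicit routes first, longest prefix wins. A backup gateway's
    #    next hop is perfectly usable here even though it is excluded below.
    matches = [r for r in static_routes if dst_ip in ipaddress.ip_network(r.prefix)]
    if matches:
        best = max(matches, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen)
        return ("static", best.next_hop)

    # 2. Last resort: only "active" auto-created default gateways take part.
    active = [g for g in gateways if g.mode == "active"]
    if not active:
        return ("unroutable", None)

    # Weighted selection: a gateway with weight 3 gets three buckets, so it
    # receives three times the flows of a weight-1 gateway.
    buckets = [g for g in active for _ in range(g.weight)]
    chosen = buckets[flow_id % len(buckets)]
    return ("default-gw", chosen.next_hop)


def spread(gateways, static_routes=(), n_flows=8, dst="203.0.113.10"):
    """Count which next hop n_flows internet-bound flows land on."""
    counts = {}
    for flow in range(n_flows):
        _reason, hop = lookup(dst, list(static_routes), gateways, flow)
        counts[hop] = counts.get(hop, 0) + 1
    return counts


# Scenario A (question as asked): both WAN gateways active, WAN1 weighted 3:1.
GATEWAYS_ACTIVE = [
    Gateway("WAN1", "11.11.11.2", weight=3),
    Gateway("WAN2", "12.12.12.2", weight=1),
]

# Scenario B: WAN2 demoted to backup, but a static route still points at it.
GATEWAYS_BACKUP = [
    Gateway("WAN1", "11.11.11.2"),
    Gateway("WAN2", "12.12.12.2", mode="backup"),
]
STATIC_VIA_ISP2 = [StaticRoute("10.20.0.0/16", "12.12.12.2")]  # hypothetical


if __name__ == "__main__":
    print("active/weighted:", spread(GATEWAYS_ACTIVE))
    print("backup, internet:", spread(GATEWAYS_BACKUP, STATIC_VIA_ISP2))
    print("backup, 10.20.5.5:", lookup("10.20.5.5", STATIC_VIA_ISP2, GATEWAYS_BACKUP, 0))
```

With scenario A, eight internet-bound flows split 6:2 between 11.11.11.2 and 12.12.12.2, matching the 3:1 weights. With scenario B, every internet-bound flow uses 11.11.11.2 because the backup gateway is ignored for the last-resort step, yet 10.20.5.5 still goes out via 12.12.12.2 because the static route is checked before the default gateways. That is the same precedence the answer describes: explicit routes, then the auto-created WAN defaults.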

  • Thanks a lot, but please, I noticed that even if I set a rule LAN>>WAN and disable address masquerading in the rule, it still gets NATed with the WAN IP when it goes to the internet?

  • That depends on whether you're on v17 or v18, since they behave differently. If you tell us what version you're using we can help more.