Traffic from and to one Host (or Network) over a specific Alias WAN IP

Hi,

we have a /28 public subnet. One IP is the default WAN IP; the others are added as aliases to the interface.

How can I make a rule so that all outgoing traffic from a specific host or network goes out over one specific one of these alias IPs?

I've seen a few threads with similar topics, but I've not seen a real solution.

Greets

Daniel

  • Hi,

    I expect you need to experiment with SD-WAN configuration?
    ian

  • Hmm,

    thanks for your reply, but as I see it, with SD-WAN I can only route over different gateways, but not change the outgoing IP.

    All Aliases on the WAN IF have the same GW.

    As I see it, it should be done with the NAT rules, but when I select MASQ I have no option for selecting the WAN IP that is used for the MASQ.

    Greets Daniel

  • Try a linked NAT; you get better control.

  • FormerMember (in reply to Daniel79)

    Just adding on what rfcat_vk said.

    You need to create an IP host of an Alias IP address and assign it under Translated source (SNAT) in the NAT rule.

    You may either create a NAT rule with the required source networks or create a linked NAT in the firewall rule and apply SNAT there.

  • Sorry for the late reply. I tried a lot and I thought I got it working, but it doesn't look like it...

    This is my NAT Rule with MASQ, working without any problems:

    As soon as I change to this, I cannot load any webpage from a client within the net, but ping to 8.8.8.8 is ok...:

    This is the definition of the WAN.101 entry:

    Where's my mistake?

    Greets

    Daniel

  • FormerMember (in reply to Daniel79)

    The configuration of NAT rule looks good.

    Assuming you only have one internet connection on XG.

    Request to share output of below commands after applying WAN.101 as SNAT in NAT rule.

    ==> Login to SSH > 4. Device Console

    console> system diagnostics utilities arp ping source <WAN.101 IP> interface <WAN interface> <Gateway IP of WAN interface>

    eg. console> system diagnostics utilities arp ping source 101.101.101.101 interface Port2 101.101.101.100

    =================================

    Run the below command in the console and try to browse https://www.msn.com on a machine located in the '3CX_NW' network.

    console> tcpdump 'host www.msn.com'

    Share first 10-15 packets here or via PM.

    =================================

    Also, share the output of the below command and initiate a ping to 8.8.8.8 from a machine located in the '3CX_NW' network.

    console> tcpdump 'host 8.8.8.8 and icmp'
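One way to read the captures requested above, as an added example that is not from this thread or from Sophos: it parses `tcpdump -n` style lines taken on the WAN side and reports whether outbound packets left with the alias IP (SNAT working), still with the primary WAN IP (MASQ behaviour), or with an untranslated LAN address (the NAT rule did not match). The addresses, the LAN prefix 192.168.10.0/24, the sample lines and the line format are assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter
# "IP src[.port] > dst[.port]:" as printed by tcpdump -n (IPv4, numeric; assumed format)
TCPDUMP_RE = re.compile(
    r"^\S+\s+IP\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\.\w+)?\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\.\w+)?:")

def parse_tcpdump(text):
    """Return (src, dst) for each IPv4 line; non-matching lines are skipped."""
    return [(m.group("src"), m.group("dst"))
            for m in map(TCPDUMP_RE.match, text.splitlines()) if m]

def audit_snat(text, lan_net, primary_wan, alias_ip):
    """Classify packets captured on the WAN side:
    snat_alias: source already rewritten to the alias (desired)
    masq_primary: source is still the primary WAN IP (MASQ behaviour)
    untranslated_lan: private LAN source leaked out (NAT rule did not match)
    inbound_reply: packet addressed back to one of the firewall's own WAN IPs"""
    lan = ipaddress.ip_network(lan_net)
    own = {primary_wan, alias_ip}
    counts = Counter()
    for src, dst in parse_tcpdump(text):
        if dst in own:
            counts["inbound_reply"] += 1
        elif ipaddress.ip_address(src) in lan:
            counts["untranslated_lan"] += 1
        elif src == alias_ip:
            counts["snat_alias"] += 1
        elif src == primary_wan:
            counts["masq_primary"] += 1
        else:
            counts["other"] += 1
    return dict(counts)
def snat_applied(text, lan_net, primary_wan, alias_ip):
    """True only if outbound traffic left with the alias and nothing escaped otherwise."""
    c = audit_snat(text, lan_net, primary_wan, alias_ip)
    return c.get("snat_alias", 0) > 0 and not (c.get("masq_primary") or c.get("untranslated_lan"))
# Constructed sample captures using documentation addresses (not real traffic).
CAPTURE_MASQ = """\
10:00:01.000001 IP 203.0.113.1.51000 > 8.8.8.8.53: 12345+ A? www.msn.com. (29)
10:00:01.001000 IP 203.0.113.1.51001 > 198.51.100.10.443: Flags [S], seq 1, win 64240, length 0
"""
CAPTURE_SNAT = """\
10:05:01.000001 IP 203.0.113.101 > 8.8.8.8: ICMP echo request, id 7, seq 1, length 64
10:05:01.012000 IP 8.8.8.8 > 203.0.113.101: ICMP echo reply, id 7, seq 1, length 64
10:05:02.000001 IP 203.0.113.101.51002 > 198.51.100.10.443: Flags [S], seq 2, win 64240, length 0
10:05:05.000001 IP 192.168.10.20.51003 > 198.51.100.10.443: Flags [S], seq 3, win 64240, length 0
"""
```

Run `audit_snat(CAPTURE_SNAT, "192.168.10.0/24", "203.0.113.1", "203.0.113.101")` against a real capture pasted in place of the sample; a non-zero `masq_primary` or `untranslated_lan` count points at the NAT rule rather than at the alias host definition.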