Only use a second gateway (i.e. backup ISP) for a specific device?

I'm looking to add a backup cellular ISP service to my home network such that in the event my primary ISP is down, Sophos XG will use the backup cellular ISP. However, I really only want to use the backup cellular ISP to maintain internet connectivity for certain devices and not everything on my network. Is there any way to do this with Sophos XG?



This thread was automatically locked due to age.
  • FormerMember
    0 FormerMember

    Hi ,

    Thank you for reaching out to Sophos Community.

    You need to set up 2 SD-WAN policies, one with source & destination as ANY, and select Primary gateway as 'Primary ISP' & Backup gateway as 'None'.

    On top of that, you need to add a new policy with required source machines and select Primary gateway as 'Primary ISP' & Backup gateway as 'cellular ISP'.

    Click here for more information on "SD-WAN Policy Based Routing".

  • So I'm sure I'm screwing something up, but when I set up one SD-WAN policy (I don't have my backup ISP yet, but I'm just trying to set up the first SD-WAN policy routing rule) with the settings in the screenshot below, I'm having issues with traffic between my VLANs (subnets). Any ideas what might be the issue?

  • FormerMember
    0 FormerMember in reply to shred

    Have you added static routes to communicate with your VLAN networks, or are the VLAN interfaces configured on Sophos Firewall?

  • Yes, my VLAN interface and firewall rules are set up - I’ve been using this setup for a couple of years now. It’s just that once I added that SD-WAN policy, nothing seems to work across VLANs. Again, I’m sure I’m missing something with how SD-WAN policies work.

  • FormerMember
    0 FormerMember in reply to shred

    Can you please check the route precedence in CLI?

    Log in to SSH > 4. Device Console

    console> system route_precedence show

  • This is what’s shown:

    1. SD-WAN policy routes

    2. VPN routes

    3. Static routes

  • FormerMember
    0 FormerMember in reply to shred

    Please change 'Static routes' precedence on top of 'SD-WAN policy routes' and check whether VLAN communication works with the SD-WAN policy route or not.

    console> system route_precedence set static sdwan_policyroute vpn

  • Thanks , everything seems to be working normally after that change. However, I guess I’m confused why that made a difference as I don’t have any static routes defined? Edit: I think this article explains why. Basically all I’m trying to achieve is:

    1) All devices on my networks on all VLANs/subnets can only use my primary ISP.

    2) Certain devices on my network can use my primary ISP, but also my backup ISP when the primary ISP is down.

    I’m hoping the SD-WAN policies can achieve this.
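The mechanism behind the precedence fix and the two-policy design discussed above, as an added Python model; it is not part of this thread and not Sophos software. The model assumes, as the thread's outcome suggests, that directly connected VLAN networks are resolved from the static table, that SD-WAN policies are evaluated top-down with the first match winning, and that a matched policy with no backup gateway leaves its hosts without a failover path (the intent of the reply's design, not verified SFOS behaviour). All addresses, gateway names and policy names are constructed.

```python
"""Toy model of SFOS route precedence and SD-WAN policy matching (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class SdwanPolicy:
    name: str
    src: str               # source network in CIDR form, or "any"
    dst: str               # destination network in CIDR form, or "any"
    primary: str           # primary gateway name
    backup: Optional[str]  # backup gateway name, or None


@dataclass(frozen=True)
class StaticRoute:
    dst: str               # destination network in CIDR form
    via: str               # next hop / interface description


def _matches(selector: str, ip: str) -> bool:
    """True if `ip` falls inside `selector` ("any" matches everything)."""
    if selector == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(selector, strict=False)


def first_policy(policies: Sequence[SdwanPolicy], src: str, dst: str) -> Optional[SdwanPolicy]:
    """SD-WAN policies are evaluated top-down; the first match wins (model assumption)."""
    for policy in policies:
        if _matches(policy.src, src) and _matches(policy.dst, dst):
            return policy
    return None


def resolve(order, src, dst, policies, static_routes, vpn_routes=()) -> Tuple[Optional[str], Optional[str]]:
    """Walk the route tables in the order reported by `system route_precedence show`.

    Returns (table_name, next_hop) for the first table holding a match,
    or (None, None) when nothing matches.
    """
    for table in order:
        if table == "sdwan_policyroute":
            policy = first_policy(policies, src, dst)
            if policy is not None:
                return table, policy.primary
        elif table in ("static", "vpn"):
            routes = static_routes if table == "static" else vpn_routes
            for route in routes:
                if _matches(route.dst, dst):
                    return table, route.via
    return None, None


def gateway_when_primary_down(policies, src, dst) -> Optional[str]:
    """Gateway a host gets once its policy's primary gateway has failed.

    Model assumption: a matched policy with backup=None gives the host no
    failover path, which is the intent of the two-policy design in the thread.
    """
    policy = first_policy(policies, src, dst)
    return policy.backup if policy is not None else None


# --- Constructed topology (not from the thread) -----------------------------
# Directly connected VLAN networks are resolved from the static table.
STATIC_ROUTES = [
    StaticRoute("10.10.0.0/24", "directly connected (VLAN 10)"),
    StaticRoute("10.20.0.0/24", "directly connected (VLAN 20)"),
]

# The two policies from the reply. The specific-source policy must sit above
# the catch-all, otherwise the any/any policy would shadow it.
POLICIES = [
    SdwanPolicy("failover-hosts", "10.10.0.0/28", "any", "Primary ISP", "Cellular ISP"),
    SdwanPolicy("everyone-else", "any", "any", "Primary ISP", None),
]

BROKEN_ORDER = ("sdwan_policyroute", "vpn", "static")  # as reported by `show` in the thread
FIXED_ORDER = ("static", "sdwan_policyroute", "vpn")   # after `route_precedence set static sdwan_policyroute vpn`

INTER_VLAN = ("10.10.0.50", "10.20.0.7")     # VLAN 10 host -> VLAN 20 host
INTERNET = ("10.10.0.50", "203.0.113.10")    # VLAN 10 host -> documentation-range public address


if __name__ == "__main__":
    for label, order in (("broken", BROKEN_ORDER), ("fixed", FIXED_ORDER)):
        print(label, "inter-VLAN ->", resolve(order, *INTER_VLAN, POLICIES, STATIC_ROUTES))
        print(label, "internet   ->", resolve(order, *INTERNET, POLICIES, STATIC_ROUTES))
    for host in ("10.10.0.5", "10.10.0.50"):
        print(host, "after primary ISP failure ->", gateway_when_primary_down(POLICIES, host, INTERNET[1]))
```

With the original order, the any/any policy is consulted before the directly connected routes, so VLAN-to-VLAN traffic is handed to the Primary ISP gateway; with static routes first, the same packet resolves to the connected VLAN and only internet-bound traffic reaches the SD-WAN policies. The failover check shows that only hosts in the narrow source range of the first policy receive the cellular backup.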
