Hi,
We are in a migration process from Barracuda firewalls to a Sophos 2300 A/P cluster. Our cluster is running: SFOS 18.5.2 MR-2-Build380.
Yesterday evening we tried to implement our new firewalls, but we hit an issue where we were not able to use our IP alias addresses on the WAN interface.
Our setup:
The router from the ISP has the following config on the side connecting to our firewall: (IPs are fictitious)
interface Vlan1
 vrf forwarding internet:1
 ip address 81.246.117.138 255.255.255.248
 ip access-group 111 in
 no ip proxy-arp
 ip accounting output-packets
 standby 2 ip 81.246.117.137
 standby 2 priority 130
 standby 2 preempt
 standby 2 track 4 decrement 40
 no autostate
!
ip route vrf internet:1 194.78.121.216 255.255.255.248 81.246.117.142
ip route vrf internet:1 194.78.150.112 255.255.255.248 81.246.117.142
Our WAN port config on the firewall:
IP: 81.246.117.142/29
GW: 81.246.117.137
The addresses from both the IP packs (marked in red) are configured as /32 addresses as aliases on the WAN interface. Those are routed addresses from the WAN router.
Yesterday, when we tried to shut down the Barracudas and implement our Sophos cluster, we didn't receive any traffic on the alias IPs.
The only IP that I received traffic on was the WAN interface IP. I didn't see any log entry for either of the alias IPs. We have around 100 DNAT rules that make use of those alias IPs. For testing purposes, I changed a DNAT rule to use the WAN interface and traffic was going to the backend server. So I am pretty sure my NAT config is OK.
I am wondering if I need to enable something like source-based routing on the WAN interface to make this work?
Any help would be appreciated, as we wanna swap ASAP and decom our old firewalls.
Thanks in advance
Reinhart