Sophos XG RED through specific gateway

We have the following scenario:

Sophos XG135 (SFOS 18.5.2 MR-2-Build380)
Port 1 gateway to fibre internet
Port 2 Gateway to VDSL
Port 3 Gateway to LTE
Port 4 LAN Clients
Port 5 LAN Server
Port 6 DMZ

The XG connects multiple IPsec tunnels via Port 1 (configured in VPN connection settings).
We also have a RED tunnel generated on this XG to a datacenter. And here lies the problem. The RED tunnel connects sometimes through Port 1 and other times through Port 2 or 3.

There seems to be no gateway setting for RED.

In my research of this problem I found this help entry:

https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Routing/SDWANPolicyRouting/index.html#system-generated-traffic-and-reply-packets

It says:
System-generated RED traffic on UDP port 3410 is layer 2 traffic. So, SD-WAN routes don't apply to this traffic.


If I cannot set the gateway of a RED tunnel in its config or in an SD-WAN policy, how can it be done?


We would like to set a specific gateway if possible with a backup gateway.



  • I think I have done a poor job of describing... So here I channel my inner da Vinci:

    We are the XG (which is the "client") on the left and have no possibility to configure the datacenter (which is the "server") on the right.

    The XG connects to the public IP of the datacenter on the right.

    We try to establish the connection always over GW1 on our (the left) side.

    The following edited screenshot is from our XG (on the left).

    IMHO I can only enter the IP or DNS name of the datacenter in the "Firewall IP/hostname" field.

    Maybe you thought that the XG would do the "server-job", but that is not the case.

  • Hello,

    Thank you for sharing more insight on setup!

    Add a static route for the datacenter public IP on your XG135 via any of the gateways below, and choose the interface as well in that static route:

    Port 1 gateway to fibre internet
    Port 2 Gateway to VDSL
    Port 3 Gateway to LTE

    I have tested this in the lab and it worked for me! Below is the route precedence setting in my lab.

    console> system route_precedence show
    Routing Precedence:
    1. Static routes
    2. VPN routes
    3. SD-WAN policy routes

    Hope this would help!

    Regards,

    Mayur Makvana
    Technical Account Manager | Sophos Technical Support
