Sophos XG RED through specific gateway

We have the following scenario:

Sophos XG135 (SFOS 18.5.2 MR-2-Build380)
Port 1 gateway to fibre internet
Port 2 Gateway to VDSL
Port 3 Gateway to LTE
Port 4 LAN Clients
Port 5 LAN Server
Port 6 DMZ

The XG connects multiple IPsec tunnels via Port 1 (configured in VPN connection settings).
We also have a RED tunnel generated on this XG to a datacenter. And here lies the problem. The RED tunnel connects sometimes through Port 1 and other times through Port 2 or 3.

There seems to be no gateway setting for RED.

In my research of this problem I found this help entry:

https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Routing/SDWANPolicyRouting/index.html#system-generated-traffic-and-reply-packets

It says:
System-generated RED traffic on UDP port 3410 is layer 2 traffic. So, SD-WAN routes don't apply to this traffic.


If I cannot set the gateway of a RED tunnel in its config or in SD-WAN policy, how can it be done?


We would like to set a specific gateway if possible with a backup gateway.



This thread was automatically locked due to age.
  • Hello,

    Greetings from Sophos!

    At the client end, you have an option to specify on which IP address you would like to establish the RED tunnel. I think that would do in your case!

    Currently, we don't have an option to set a backup gateway. However, you may create A records for all your ISP IPs and use the FQDN at the client end. Hence, based on the domain resolution weight, it will try connecting!

    Regards,

    Mayur Makvana
    Technical Account Manager | Sophos Technical Support

  • Thank you for your reply. Which IP setting do you mean?

    In my understanding, the "Firewall IP/hostname" is the datacenter and the RED IP is for the transfer network which is established over the tunnel.

  • Hello,

    At the client end, you can specify the IP of the server side to which you want to make a connection.

    The snapshot below is from the client end, wherein you may add one of the following:

    Port 1 gateway to fibre internet
    Port 2 Gateway to VDSL
    Port 3 Gateway to LTE

    Happy to help!

    Regards,

    Mayur Makvana

  • I think I have done a poor job of describing... So here I channel my inner Da Vinci:

    We are the XG (which is the "client") on the left and have no possibility to configure the datacenter (which is the "server") on the right.

    The XG connects to the public IP of the datacenter on the right.

    We try to establish the connection always over GW1 on our (the left) side.

    The following edited screenshot is from our XG (on the left).

    IMHO I can only enter the IP or DNS name of the datacenter in the "Firewall IP/hostname" field.

    Maybe you thought that the XG would do the "server job", but that is not the case.
