Hello,
I have a bunch of questions / problems with the SNAT on a XG 550 with multiple internet providers
1) Users are complaining that they cannot access the internet sometimes. We have two different providers that can be used for internet access. That makes 2 IPs / gateways. Yesterday we had approximately 45000 connections in the conntrack when the issue occurred. I have configured masq on the default SNAT rule.
a) How big is the (S)NAT table for each of these IPs? Which ports can be / are used for this purpose?
b) How is the outgoing gateway selected?
c) How does the weight factor influence this?
d) What happens if one gateway / internet connection goes down? Is everything routed through the other one?
e) What exactly happens if there are not enough slots in the NAT table for this (for example if one of the gateways goes down and we need double the # of connections)?
f) What are the prerequisites for being able to configure the advanced settings in the SNAT rule? What can I configure there?
I'd like to configure more IPs in each outgoing subnet to be able to handle more connections.
For this I could split up the clients in different rules and use linked NAT like in 17.5. Are there other possibilities? I also tried policy-based routing, which seems not to be possible because I don't know how to address internet addresses.
Using a list of IPs for outgoing traffic from each provider or even one provider seems not to work / is not selectable. Also, defining groups of outgoing addresses centrally seems not to be possible at all, or these are not selectable. What is the deeper reason for this?
The only thing that seems to work is using an address range. But this can consist of only one provider, and there seems to be no possibility to configure failover.
Finally, this is what I really want to achieve:
- General SNAT rule for communication LAN -> WAN (all rules except the one with linked NAT)
- Multiple (2) providers and the possibility of defining a list of IPs for each provider.
- If one provider fails the communication should shift to the other automatically.
Regards,
Bernd