Static Routing How To

I am very confused why this isn't working on the Sophos XG but is working if I make a static route on a Windows 10 PC. The below is what I'm trying to accomplish and what the IP and subnets are that are involved. Any assistance in how to accomplish this on the XG would be greatly appreciated. I have tried creating static routes both in the advanced firewall console and in the GUI. Both do not work. However, the exact same methodology of creating static routes works in Windows.

Network 1

10.10.10.0/24

Sophos XG 10.10.10.254

FYI - PORT 1 and PORT4 are in a bridge for the LAN called br0

Wireguard VPN Running on 10.10.10.240

Wireguard Tunnel on Network 1 10.252.252.101

Network 2

192.168.50.0/24

Router 192.168.50.1

Wireguard VPN Running on 192.168.50.114

Wireguard Tunnel on Network 2 10.252.252.102

Using a Windows 10 PC I made two static routes as below and they allow me to communicate from that PC to both the tunnel network and the LAN network of Network 2. So the Wireguard tunnel works just fine and passes traffic properly. I just want this configured on the Sophos XG so it will work on ALL the network devices on Network 1.

route add 192.168.50.0 MASK 255.255.255.0 10.10.10.240

route add 10.252.252.0 MASK 255.255.255.0 10.10.10.240



  • Hello there,

    Thanks for reaching out to Sophos Community 

    If you remove the static route configured on the PC, what does tracert show when you are trying to reach Network 2?

    Further, could you verify that your configured static routes are in the routing table in the Advanced Shell? Kindly type in route -n

    Also, to confirm, did this work before? And if yes, what changes occurred in the FW prior to this issue?

    Cheers,

  • If I remove the static route on the PC and I try adding the routes into the Sophos XG, there is no traffic passing. Running tracert shows the first hop as 10.10.10.254, then the 2nd and all subsequent hops have all asterisks.

    When I did have the routes in the sophos xg the routes did show by running route -n.

    This never worked before as this is something new I'm trying to setup and it is just simply not working as expected.

  • Hello,

    Thanks for the information. Could you also run traceroute and ping on the Firewall under Diagnostics>Traceroute/ping to the destination address?

    Also, could you verify that static routes are on top of the routing precedence: https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Routing/index.html

    Thanks for your time and patience and thank you for choosing Sophos

    Cheers,

  • Just so you know, I have a Sophos XG 85 which is only on SFOS 17.5.17 MR-17-Build837, so I don't believe I can do this step of your request: "Also, could you verify that static routes are on top of the routing precedence: https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Routing/index.html"

  • Here are the commands that I entered on the XG to add the routes and the output of the route -n command with my public IP redacted.

    Output of traceroute from Sophos XG works fine and so does a ping. But unless I add the routes on the windows PCs no traffic routes on network devices on the LAN to these IPs.

  • My apologies I guess I can run that command I just don't have SD_WAN. Here is the result of that command.

  • I have changed the route precedence to look like this now. Even with doing this though devices on my LAN still cannot ping 192.168.50.0 devices or 10.252.252.0 devices unless I add static routes on those devices.

  • Hello there,

    Thanks for these details. I would suspect you are facing asymmetric routing issues. Asymmetric routing is when a packet takes a certain path from source host A across the network to destination host B, but then a return packet takes a separate path from source host B to destination host A.

    I may recommend adding a bypass configuration from Stateful inspection on your XG device. 

    set advanced-firewall bypass-stateful-firewall-config add source_network 10.10.10.0 source_netmask 255.255.255.0 dest_network 192.168.50.0 dest_netmask 255.255.255.0

    and add other remaining networks using the same command.

    In case you wish to revert the entry if it does not work:

    set advanced-firewall bypass-stateful-firewall-config del source_network 10.10.10.0 source_netmask 255.255.255.0 dest_network 192.168.50.0 dest_netmask 255.255.255.0

    Then Verify:

    View the Bypass Stateful Firewall configuration by executing the following command: show advanced-firewall

    Kindly let us know how it goes. Thanks for your time and patience and thank you for choosing Sophos

    Cheers,
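The asymmetry described in the reply above, modelled on the thread's Network 1 addresses as an added example (not Sophos code or anything posted in the thread). The LAN client 10.10.10.50, the peer's route back over the tunnel, and the tunnel as a direct link between the two WireGuard hosts are assumptions; the model shows that a route on the XG pointing at a WireGuard host on the same LAN hairpins only the forward packet through the XG, while the reply travels host-to-host and never reaches the firewall's state table.

```python
"""Constructed model of Network 1 from the thread (added example, not Sophos code).
Forward traffic hairpins LAN client -> XG -> WireGuard host -> tunnel; the reply
goes WireGuard host -> LAN client directly, so the XG sees only one direction."""
import ipaddress

XG, WG, PEER = "10.10.10.254", "10.10.10.240", "192.168.50.114"
CLIENT = "10.10.10.50"  # assumed LAN client on Network 1 (constructed address)

# Per-node routing tables as (prefix, next hop).  "direct" = deliver on the LAN,
# "wg0" = send into the WireGuard tunnel.  PEER's route back is an assumption.
ROUTES = {
    CLIENT: [("10.10.10.0/24", "direct"), ("0.0.0.0/0", XG)],
    XG:     [("10.10.10.0/24", "direct"), ("192.168.50.0/24", WG),
             ("10.252.252.0/24", WG)],                  # the thread's static routes
    WG:     [("10.10.10.0/24", "direct"), ("192.168.50.0/24", "wg0"),
             ("10.252.252.0/24", "wg0")],
    PEER:   [("192.168.50.0/24", "direct"), ("10.10.10.0/24", "wg0")],
}

def next_hop(node, dst):
    """Longest-prefix match over the node's table; returns the hop label."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), hop) for p, hop in ROUTES[node]
               if addr in ipaddress.ip_network(p)]
    if not matches:
        raise LookupError(f"{node} has no route to {dst}")
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def trace(src, dst):
    """Follow a packet node by node until it is delivered to dst."""
    path, node = [src], src
    while node != dst:
        hop = next_hop(node, dst)
        if hop == "direct":
            node = dst                           # same segment: deliver directly
        elif hop == "wg0":
            node = PEER if node == WG else WG    # tunnel links WG and PEER
        else:
            node = hop                           # forward to the next-hop router
        path.append(node)
    return path

def xg_sees_both_directions(a, b):
    """True only if the XG is on both the forward and the reply path."""
    return XG in trace(a, b) and XG in trace(b, a)

if __name__ == "__main__":
    print("forward:", " -> ".join(trace(CLIENT, PEER)))
    print("reply:  ", " -> ".join(trace(PEER, CLIENT)))
    print("symmetric through XG:", xg_sees_both_directions(CLIENT, PEER))
```

With only the forward half of each flow visible, the XG's stateful inspection never records a reply, which is why the thread's bypass-stateful-firewall-config suggestion targets exactly this source/destination pair.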
