
WAN to WAN routing issue

Hi all,

 

Since my first XG installation, and even after my last upgrade to v16, I have had an issue with WAN to WAN routing.

This is a particular configuration, so I will try to explain it as clearly as possible.

I have 2 WANs. WAN1 is the main one, with normal routing and public servers with public DNS names; WAN2 is a secondary/backup WAN connection with one IP only. No problem there for routing from us out to external WAN interfaces; we can do anything we want with no problems.

The XG's WAN2 interface got its single public IP, but it's in a large subnet (/24), so the XG is not the only one in it.

The problem is that if another device (out of my control; I can manage only the single IP of my XG Firewall) in the same WAN2 subnet tries to access my "official" server name in the WAN1 subnet, it cannot... it's like the XG is refusing to reply to the correct originating IP/interface because it thinks it's its own (subnet)...

I've tried to add some routing table entries, or a policy, to "force" the reply out of the correct interface, but no luck...

 

Anyone with any idea on this?

 

Simone



  • Hi Simone,

    I am not able to understand your requirement. Can you please elaborate once more along with a network diagram?

    Thanks

  • Hi Simone,
    I know the issue, but I am not sure if adding the "host route" can fix it.


    The server sends the response to traffic that came in on WAN2 back out WAN1, because the source IP is in WAN1's subnet.
    (Both the customer and WAN1's gateway are in 111.111.111.0/24, with the gateway at 111.111.111.254, and WAN2's gateway is 123.123.123.254.)

    So you may add the "host route" to route the traffic to Port 3, and make the traffic go back to the customer via the correct path.

    I don't have the environment, so please test whether the "host route" works, thanks~

  • Thank you ShunzeLee, this route helped me a lot. It doesn't solve the problem totally, because in this mode I need to manually add every customer IP address in (following your example) the WAN 111.111.111.X network to route back the right way. If I put 111.111.111.0/24 instead of 111.111.111.10/32, it doesn't work.

    I think it's correct that a /24 destination isn't working, because inside that subnet there is the Firewall Port2 gateway too, so this could cut off all traffic on that interface, or cause strange loops... or behaviour... I guess...

     

    So I don't think there is a 100% solution for my problem, I think... am I right?

     

    Simone

     

  • Yes, you are right.

    Since a /32 has higher priority than a /24, it can route from the correct WAN port to the customer.

    If there are too many /32 routes (253 in total), maybe you can add the following subnets as static routes to substitute for them.

    1 /25
    1 /26
    1 /27
    1 /28
    1 /29
    1 /30
    1 /31
    1 /32

    But this solution has another problem.
    When you create a Virtual IP on WAN1, customers in the same subnet will not be able to connect,
    because all the traffic from the same subnet (WAN1) will be routed to WAN2 and can't get a response.
    Same as your situation before...

    So you can only choose one side to do it for.
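The two ideas in this reply (a more specific route beats the connected /24, and the /25–/32 ladder that covers the customer range while leaving the WAN1 gateway out of it) can be checked offline with Python's ipaddress module. This is an added example, not code from Sophos or the thread; the 111.111.111.0/24 range and the .254 gateway come from the example above, while the Port2/Port3 names and the routing-table layout are assumptions.

```python
import ipaddress

# Constructed from the thread's example: WAN1 (assumed Port2) sits in
# 111.111.111.0/24 with its gateway at 111.111.111.254; the backup WAN2
# (assumed Port3) is where replies to those customers must be sent.
WAN1_NET = ipaddress.ip_network("111.111.111.0/24")
WAN1_GW = ipaddress.ip_address("111.111.111.254")


def covering_routes(net, excluded):
    """Split `net` into the minimal set of prefixes that cover every address
    except those listed in `excluded`. For a /24 minus a single gateway this
    yields one each of /25, /26, ..., /32, the ladder from the reply above."""
    remaining = [net]
    for addr in excluded:
        host = ipaddress.ip_network(f"{addr}/{net.max_prefixlen}")
        nxt = []
        for n in remaining:
            if host.subnet_of(n):
                nxt.extend(n.address_exclude(host))  # carve the host out
            else:
                nxt.append(n)
        remaining = nxt
    return sorted(remaining)


def select_route(dst, routes):
    """Longest-prefix match over (network, port) pairs: the most specific
    route wins, which is why a /32 or the /25../32 ladder overrides the
    connected /24 without touching the gateway's own address."""
    dst = ipaddress.ip_address(dst)
    matches = [(n, port) for n, port in routes if dst in n]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)[1]


def build_table():
    """Connected WAN1 subnet on Port2, plus the static ladder via Port3."""
    routes = [(WAN1_NET, "Port2")]
    for n in covering_routes(WAN1_NET, [WAN1_GW]):
        routes.append((n, "Port3"))
    return routes


if __name__ == "__main__":
    for n in covering_routes(WAN1_NET, [WAN1_GW]):
        print(n)
    print(select_route("111.111.111.10", build_table()))   # Port3
    print(select_route("111.111.111.254", build_table()))  # Port2
```

Extending `excluded` with the XG's own WAN1 address or a Virtual IP shows the trade-off the reply describes: every address you exclude from the ladder keeps its replies on WAN1, and every address you leave in it is steered to WAN2.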