how to add another gateway address to use for WAN ip

Hi Rob,

you certainly define it like that! As soon as you start to fill in correct values and then tick "IPv4 Default GW" it will will ask you if this intended and then activate "Uplink Balancing" and "MultiPath Rules" for those interfaces. My setup is like this:

Then you have:

If you go to that "tool"-sign you are able to apply a metric:

Additionally, you don't need to use multipath rules, but I encourage you to try this out.

Don't forget to do a MASQ for "uplink interfaces"now that you have two uplinks.

so for the additional wan interface even if i dont want it to be my default gateway i still need to tick the default gateway?

No, that will not happen, if you use Multipath rules. What is your concern? I don‘t understand yor reluctance.

You could even define the second interface as a „standby“ interface, if that is what you want.

thanks jprusch, now i understand you, i might aswell have the wan2 as a standby just incase my default wan1 falls over

and i persume after that in "network protection > NAT > masquesrading" i make every network go out either using wan1 or wan2?

You are welcome.

Yes, that's why you can use an object "uplink interfaces" in masquerading, this includes both WAN1 and WAN2.

Or, in other words, "uplimk interfaces" are all links with an assigned "Default GW", this could be more than two.

thanks jprusch!!!!!!!!!!

im guessing for the weight number, the lower number you give it the higher priority it has?

Hello,

NO, that's just a metric number, example:

you have a cable modem with 400 MBit and another provider with 100 Mbit, so the first is a "100" and the second a "25", hence it has only one quarter of the bandwidth for the calculation. Hope this clarifies a bit.

ok so its bandwith priority then and not interface priority, i thought it was interface priority...my bad

my problem is when i tick the box "default gateway" for WAN 2  and when i click masquerading i can see its all changed to "uplink interfaces" which is good

but when i click on "uplink balancing" i want to get rid of WAN2 from the active and stanby boxes, but when i get rid of WAN 2 from both, when i then go back on "interfaces" its "unticked" the "default gateway" for WAN 2

what im trying to say is even if you specify in masquerading, i want this subnet to go out WAN2, it totally disregards this and goes by the "uplink balancing" rules and NOT the "masquerading"rules

If using more than one uplink, you have to use "multipath rules"  for this purpose. There you can completely "unbalance" your setup to your personal needs.

this makes sense now...

so once you make more than one "interface" with a "default gateway" it automatically puts them in the same group called "uplink interfaces" as when you go in "masquerading" they all change from "external wan" to "uplink interfaces"

from there they automatically get put in "uplink balancing" but if you want to make a specific vlan/subnet go out a specific "uplink interface" all the time and not change all the time you do this in "multipath rules"

this makes sense now...

so once you make more than one "interface" with a "default gateway" it automatically puts them in the same group called "uplink interfaces" as when you go in "masquerading" they all change from "external wan" to "uplink interfaces"

from there they automatically get put in "uplink balancing" but if you want to make a specific vlan/subnet go out a specific "uplink interface" all the time and not change all the time you do this in "multipath rules"

so am i right in thinking, correct me if im wrong once i have more than one WAN interface ie "uplink interfaces" the "masquerading" rules are defunct and the "multipath rules" take over if i want to unbalance the traffic ie make one vlan go out a certain ip?

Short Answer is YES.

Long Answer is:

Rule #2.1:

What happens with outbound traffic?

1. The connection tracker takes precedence over any other outbound rules so that response packets always leave from the IP and interface the request arrived on.
2. Multipath is applied before SNAT/Masq.  Note that the UTM Proxies skip SNAT/Masq and assign a public IP as the source of packets each handles.  Unlike with the other UTM Proxies, HTTP/S Proxy traffic can still be identified by Multipath rules as to its private, internal source-IP.
3. SNAT takes precedence over Masquerading, so it happens first, causing the packet to not qualify for any masquerading rule.

Before the packet leaves, ATP will block it if the destination is on a list of malicious IPs.

Have a look here https://community.sophos.com/utm-firewall/f/recommended-reads/22065/rulz

when you say SNAT/Masq it means the same thing as outbound NAT doesnt it? and DNAT is like port forward or NAT?

Have a look here: https://en.wikipedia.org/wiki/Network_address_translation

Haigh,

You're making this too complicated - it's easier than you think - just follow Philipp's instructions.

If you want all of the traffic to go out WAN1, simply make a Multipath rule 'Any -> Any -> Any' bound to the WAN1 interface.  You can then leave WAN2 in the 'Active' box and achieve instantaneous fail over if WAN1 goes down.  Putting WAN2 in 'Standby' means that you will have a minute or so before traffic can go out on WAN2.

Cheers - Bob

ok...

its working now ie in "multipath rules" i can specify what network goes out what uplink interfaces, ie wan1 or wan2

but in some masquerading rules i have some hosts go out a different ip address associated to wan1 ie "interfaces > additional addresses"

can i do the same for multipath rules

 Not sure what you're asking, but a generic answer should help you more...

Masq rules are in an ordered list.  In every case of an ordered list in WebAdmin, the rules are considered in order.  Once the traffic qualifies for a rule, no further rules are considered.  For traffic leaving via a particular interface, place the specific masq rule(s) above the one that applies to traffic from every other internal IP.

Say you have WAN1 and WAN2 and you have an Additional address on each named "Server A" and a Host named "Server A.".  You might have masq rules like:

1. Server A -> WAN1 (Server A)
2. Server A -> WAN2 (Server A)
3. Internal (Network) -> Uplink Interfaces

Note that traffic passing through a Proxy such as the FTP Proxy always appears to Multipath and masq rules as coming from the UTM itself.  The only Proxy that retains the requestor's IP for multipathing and masq'ing is the Web Proxy.

Cheers - Bob