Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 8 replies
  • Subscribers 3 subscribers
  • Views 22578 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SNAT with Multiple ISPs

Aaron Badjay

My problem is very simple. I have two ISPs with 5 static IPs each. Under normal circumstances I send all inbound and outbound traffic out of my primary ISP. I have DNATs and SNATS configured to utilize my additional IPs for both ISPs. (specifically for my email server). My issue is I need to have the SNATs disabled when we are running on our primary ISP, otherwise I will send my traffic out my backup connection. If I enable the SNAT and bump the rule to the bottom, I don't think the rule ever works, even when the primary ISP is down (connection just times out). I am finding some information on this subject, but its either incomplete or not exactly what I am doing.

Basically, this whole thing manual process and I think there should be a way to automatically accomplish SNATs through a multipath rule. I found this post, but it didn't give any details on how to create the rule

I opened a support ticket with Sophos and they said what I am trying to do is not possible because the multipath rule only supports interfaces and not additional public IPs tied to an interface. I am a little suspicious that support is incorrect because I see this topic referenced several times on the forum. I just want to validate with the community what I am trying to do is not possible through an automatic process.

Thank You!



This thread was automatically locked due to age.
Parents
  • 0

    Hi, Aaron, and welcome to the UTM Community!

    It's not possible to use a Multipath rule to send traffic out a specific IP on an interface.

    You shouldn't need to manually enable or disable anything if I understand your scenario.  What you want is to bind specific traffic primarily to an interface and then use SNAT or Masquerading to send from a specific IP.

    If you'd like more help, please be more specific with one example of specific traffic and DNAT/SNAT rules.  Pictures work!

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    OK great! Here is one simple example of my NAT configuration for a separate VPN appliance.

    So basically, I have my backup ISP rules on the top, but disabled. If I have a failure of my primary ISP, I enable them so everything works fine.  I cant have the rule on, because if its at the top of the list, my outbound traffic would get sent out the backup connection every time. If the rule is on, but at the bottom of the list, I don't think the rule would ever catch, even if my primary ISP was down (there is no option in the NAT rule to skip if interface is down, like in the multipath rules.

    Masquerading I have not messed with except for my original rule that was created when we installed the firewall. Basically all my internal networks are routed out uplink interfaces

     

    What am I missing? That would be fantastic if I can make this process automated.

  • +1 in reply to Aaron Badjay

    That's what I expected, Aaron.  You can indeed accomplish your goal automatically.

    Replace the two SNATs with Masq rules at the top of the rule list:

    1. PVS-VPN01 -> ISP-Verizon [          ]
    2. PVS-VPN01 -> ISP-Comcast [          ]

    You only use SNATs with multiple ISPs when dealing with traffic that goes through a Proxy.  Say you're using Web Filtering.  You would have a Masq rule like '3. Internal (Network) -> Uplink Interfaces'.  The Proxy automatically assigns the primary address of an Interface as the source of a packet, so you would need NAT rules like:

    1. SNAT : ISP-Verizon (Address) -> Web Surfing -> Internet : from ISP-Verizon [           ] (Address)
    2. SNAT : ISP-Comcast (Address) -> Web Surfing -> Internet : from ISP-Comcast [           ] (Address)

    I'm confused about the need for the DNATs.  Either you can leave both activated or you don't need either one.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to Aaron Badjay

    Some other observations about this...

    I like to use UDP instead of TCP for the SSL VPN.  It should speed up the tunnel and leaves TCP 443 available for web access by the target device.

    I like to keep my configurations compact and tidy, so I use Automatic firewall rules wherever I can.  Rather than use the "Any" service in a DNAT and then regulate access with a firewall rule that only allows the port used by the SSL VPN, I would restrict the DNAT to just that service needed and select auto rules.

    Finally, I've seen very talented CCIEs make a mess of a UTM configuration because they'd never done one before. ("How hard can it be?")  The answer is that WebAdmin is a GUI that manipulates databases of objects and settings.  A single change there can cause the Configuration Daemon to rewrite hundreds of lines of the code used to run the UTM.  It's difficult to get a healthy design to start with and difficult to change any design in the future.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Thank you Bob! I didn't have time to check this out today, but I will soon. I will post my results.

  • 0 in reply to BAlfson

    BAlfson said:

    That's what I expected, Aaron.  You can indeed accomplish your goal automatically.

    Replace the two SNATs with Masq rules at the top of the rule list:

    1. PVS-VPN01 -> ISP-Verizon [          ]
    2. PVS-VPN01 -> ISP-Comcast [          ]

    You only use SNATs with multiple ISPs when dealing with traffic that goes through a Proxy.  Say you're using Web Filtering.  You would have a Masq rule like '3. Internal (Network) -> Uplink Interfaces'.  The Proxy automatically assigns the primary address of an Interface as the source of a packet, so you would need NAT rules like:

    1. SNAT : ISP-Verizon (Address) -> Web Surfing -> Internet : from ISP-Verizon [           ] (Address)
    2. SNAT : ISP-Comcast (Address) -> Web Surfing -> Internet : from ISP-Comcast [           ] (Address)

    I'm confused about the need for the DNATs.  Either you can leave both activated or you don't need either one.

    Cheers - Bob

     

     

    I finally had some time to test your configuration out. It looks like it is working! I disabled the SNAT and replaced with two masquerading rules (one for my primary ISP and one for the secondary).

    The DNATS are for inbound. I suppose I could have left those on for the secondary connection. It just felt wrong having the DNATS on and the SNATS off :-) They are on now.

    My only thing I want to confirm is that if my primary ISP fails, the second masquerading rule will automatically be used? My fear would be the UTM will timeout on the first rule and never get to the second rule.

    I also took a look at your cleanup tips. Good stuff! There always a ton of different ways to accomplish the same result. Some ways are better than others. It is rather elegant to lock down the NAT, and use an automatic firewall rule vs. leaving the NAT wide open and creating a manual firewall rule. That way you only have one place to look when you are troubleshooting/making changes.

Reply
  • 0 in reply to BAlfson

    BAlfson said:

    That's what I expected, Aaron.  You can indeed accomplish your goal automatically.

    Replace the two SNATs with Masq rules at the top of the rule list:

    1. PVS-VPN01 -> ISP-Verizon [          ]
    2. PVS-VPN01 -> ISP-Comcast [          ]

    You only use SNATs with multiple ISPs when dealing with traffic that goes through a Proxy.  Say you're using Web Filtering.  You would have a Masq rule like '3. Internal (Network) -> Uplink Interfaces'.  The Proxy automatically assigns the primary address of an Interface as the source of a packet, so you would need NAT rules like:

    1. SNAT : ISP-Verizon (Address) -> Web Surfing -> Internet : from ISP-Verizon [           ] (Address)
    2. SNAT : ISP-Comcast (Address) -> Web Surfing -> Internet : from ISP-Comcast [           ] (Address)

    I'm confused about the need for the DNATs.  Either you can leave both activated or you don't need either one.

    Cheers - Bob

     

     

    I finally had some time to test your configuration out. It looks like it is working! I disabled the SNAT and replaced with two masquerading rules (one for my primary ISP and one for the secondary).

    The DNATS are for inbound. I suppose I could have left those on for the secondary connection. It just felt wrong having the DNATS on and the SNATS off :-) They are on now.

    My only thing I want to confirm is that if my primary ISP fails, the second masquerading rule will automatically be used? My fear would be the UTM will timeout on the first rule and never get to the second rule.

    I also took a look at your cleanup tips. Good stuff! There always a ton of different ways to accomplish the same result. Some ways are better than others. It is rather elegant to lock down the NAT, and use an automatic firewall rule vs. leaving the NAT wide open and creating a manual firewall rule. That way you only have one place to look when you are troubleshooting/making changes.

Children
Unfiltered HTML