Sophos XG: Using a backup ISP for specific devices/applications

I recently purchased a Netgear 4G LTE Modem (LB1120) that I’m using with a T-Mobile Pre-Paid cellular data plan as a backup ISP. The data plan is only $5/month for 500GB of data at 4G/5G speeds and once the 500GB allotment is used, the speeds are reduced to 2G (~128kbps). For my use case, I only want the backup ISP to be used for my mini home server, which runs my security system, if my primary ISP is down. Fortunately, Sophos XG has a feature called SD-WAN policy routing which allows me to do just this. The steps provided are for Sophos XG v18.

1) From the Sophos XG web UI, open the ‘Network’ page, select the interface you plugged the backup ISP into, and configure it as required. In my case, I set the ‘Name’ to ‘Backup ISP’, ‘Network zone’ to ‘WAN’, ‘IP assignment’ to ‘DHCP’ and ‘Gateway name’ to ‘T-Mobile’. My backup ISP does not support IPv6, but that can be set up as required. Click ‘Save’ at the bottom of the page.

2) Select the ‘WAN link manager’ tab and you should now see your backup ISP listed under ‘IPv4 gateway’ (and ‘IPv6 gateway’ if you set that up). Select your backup ISP and set the ‘Type’ to ‘Backup’ and ‘Activate this gateway’ to ‘Manually’. This prevents your backup ISP gateway from being used unless a route explicitly specifies it, which we will do in a later step. Click ‘Save’.

3) Open the ‘Routing’ page and select the ‘SD-WAN policy routing’ tab. Double check the ‘Current precedence for routing’ in the information dialog at the top. The order should be ‘Static route, SD-WAN policy route, VPN route’ as pictured below.

If you upgraded from Sophos XG v17 to v18, the order will be different (i.e. SD-WAN policy route, Static route, VPN route) and must be changed. It’s important that the order is changed so that traffic intended only for the internal network is not routed to the WAN gateway. You can read more about this on the Sophos XG SD-WAN policy routing page, but the steps are fairly straightforward:

  • Access the Sophos XG device console from your computer terminal or via the Sophos XG web UI by clicking ‘admin’ at the top right corner and selecting ‘Console’. Select option ‘4’ for the ‘Device Console’.
  • Type ‘system route_precedence show’ and press enter to view the routing precedence which should match what you saw in the Sophos XG web UI.
  • Type ‘system route_precedence set static sdwan_policyroute vpn’ and press enter to change the routing precedence order and close the console.

4) We’ll now create an SD-WAN policy route for the network(s), application(s), or device(s) that can use both the primary and backup gateway. From the ‘SD-WAN policy routing’ tab, click ‘Add’ under ‘IPv4 SD-WAN policy route’ and specify which source network, services, application object, etc. you want to apply this SD-WAN policy route to. For example, I created an IP host for my mini home server called ‘Home Server’ which has a static IP address. Click ‘Save’ at the bottom.

5) Everything should now be set up so that all traffic on your network uses the primary gateway only, while the items you specified in the SD-WAN policy route use the backup gateway when the primary gateway is down.
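To see why the precedence order in step 3 matters and what step 5 should look like, here is a simplified model of the route lookup. It is an added example, not Sophos code: the addresses, the ‘internal-router’ next hop and the ‘Primary ISP’ gateway name are constructed assumptions, and the policy route is assumed to match the ‘Home Server’ source for any destination.

```python
import ipaddress

# Constructed sample topology; every address and name here is an assumption.
HOME_SERVER = "192.168.1.10"                            # the 'Home Server' IP host
STATIC_ROUTES = [("10.20.0.0/24", "internal-router")]   # second internal subnet
POLICY_GATEWAYS = ("Primary ISP", "T-Mobile")           # primary first, then backup
DEFAULT_GATEWAY = "Primary ISP"     # backup is 'Manually' activated, so never a default

V17_UPGRADE_ORDER = ("sdwan_policyroute", "static", "vpn")
RECOMMENDED_ORDER = ("static", "sdwan_policyroute", "vpn")

def static_lookup(dst):
    """Return the next hop of the first static route containing dst, else None."""
    for prefix, hop in STATIC_ROUTES:
        if ipaddress.ip_address(dst) in ipaddress.ip_network(prefix):
            return hop
    return None

def sdwan_lookup(src, gateways_up):
    """Policy route: only the Home Server matches; use the first gateway that is up."""
    if src != HOME_SERVER:
        return None
    return next((gw for gw in POLICY_GATEWAYS if gw in gateways_up), None)

def next_hop(src, dst, precedence, gateways_up):
    """Walk the route types in precedence order; the first match wins."""
    for kind in precedence:
        if kind == "static":
            hop = static_lookup(dst)
        elif kind == "sdwan_policyroute":
            hop = sdwan_lookup(src, gateways_up)
        else:                       # "vpn": no VPN routes in this sample
            hop = None
        if hop:
            return hop
    return DEFAULT_GATEWAY if DEFAULT_GATEWAY in gateways_up else None

if __name__ == "__main__":
    both, backup_only = {"Primary ISP", "T-Mobile"}, {"T-Mobile"}
    # Internal traffic from the Home Server under each precedence order.
    print(next_hop(HOME_SERVER, "10.20.0.5", V17_UPGRADE_ORDER, both))
    print(next_hop(HOME_SERVER, "10.20.0.5", RECOMMENDED_ORDER, both))
    # Primary ISP down: the Home Server fails over, another LAN host does not.
    print(next_hop(HOME_SERVER, "203.0.113.7", RECOMMENDED_ORDER, backup_only))
    print(next_hop("192.168.1.50", "203.0.113.7", RECOMMENDED_ORDER, backup_only))
```

With the v17-upgrade order the policy route wins before the static route is consulted, so the internal destination is handed to the WAN gateway. With the recommended order the static route wins, and only the Home Server reaches the backup gateway when the primary is down.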

Netgear LB1120 users: By default, this device is configured in Router mode, which will result in a double NAT situation. You can change the device to ‘Bridge’ mode in the device settings, but you will no longer be able to access the device’s web UI. You can resolve this by adding an alias to the interface you plugged the Netgear LB1120 into on the Sophos XG device. To do this, open the ‘Network’ page in the Sophos XG web UI and click ‘Add interface’ -> ‘Add alias’. From there, specify an IP address that’s in the same subnet as your Netgear LB1120 such as ‘’ and click ‘Save’. You should now be able to access your Netgear LB1120 web UI again at
