Does Orbi Support routing out NAT interface networks forwarded from down stream routers?

Network tests

What a fascinating setup.  The static route example in the Orbi User Manual, beginning on page 74 appears to assume that packets coming from the "other side" are intended only for the Orbi LAN subnet.  (There being no reason why anyone at the other end would want to access the Orbi to reach the internet.)  There could be a filter inside the Orbi blocking packets for any other subnet.  One way to test that hypothesis would be to capture the LAN traffic on the Orbi (from the debug screen) and look for packets coming from 192.168.111.2 to anywhere besides 192.168.111.x.  No packets means "blocked".

It's a bit of a puzzle to me why the Sophos is not the primary ISP interface, with the Orbi behind it.  Perhaps even in AP mode.  If the goal is to protect critical resources behind the Sophos from the Orbi LAN as well as the internet, could the same thing be accomplished using multiple ports on the Sophos?

This might be a good question to pose on a Sophos forum as well.

Thanks for the hypothesis thought.  So looking at the lan.pcap with a ip.src==192.168.111.2 I see a ton of packets with public destinations address.  Essentially my lab environment screaming to get out.  So does that mean it’s not getting blacked? 

Great question; why.  Before I started experimenting w/ Sophos I had a pfSence router as my 1 any only router managing all my networks and masquerading at the edge.  Due to my desire to play with tech toys I recently caused a site wide outage resulting  in excessive banging on my home office door by a bunch of kids who couldn’t get to their game servers & a wife who’s favorite video streaming service discontinue to function.  This setup you so gracefully commented on is my idea to hang my entire lab off the house backbone LAN.  Lab including a router bgp’ing into a NSX-T infrastructure.  My real experimental goal.

The results of your capture suggestion has me scratching my head a bit.  When I look on the wan.pcap w/ a filter ip.dst==8.8.8.8 (google DNS server) all I see is DNS queries not any ICMP traffic which is what my test case should be generating….

Maybe my idea is pushing Orbi’s original design.  I just figured it was a fairly simple ask. 

The only solution I could come up with was to remove the Orbi as the router & promote my sophos router. Sophos has no problem routing traffic between all my network and managing internet communication (NAT masquerading). I opened a case with netgear support. Absolutely no help. I don't think I ever got past a bot. Disappointed on the netgear support front.