
Internet "crossed Failover" between two Branches with Sophos UTM SG (over wireless PtP link)

I manage two Sophos UTM SG appliances in two different branches of the company.

CURRENT SITUATION

"BRANCH A" is connected to the Internet by "ISP A" on interface ETH1 of its UTM (ISP = Internet Service Provider).

"BRANCH B" is connected to the Internet by a different ISP, named "ISP B", on interface ETH1 of its own (second) UTM.

The UTM of "BRANCH A" is also connected to the UTM of "BRANCH B" by an IPsec VPN (this is only additional info and not the focus of this case).

SITUATION TO BE EXPLORED IF FEASIBLE (see below picture)

I want to set up a Wi-Fi/wireless PtP link (HiperLAN 5 GHz link using Ubiquiti hardware) and connect the "BRANCH A" UTM (via its ETH2 interface) to the "BRANCH B" UTM (via its ETH2 interface). The distance between the branches is 3 km (see picture/diagram below).

The Wi-Fi PtP link acts like an "Ethernet patch cable" between the two firewalls.

The focus is to obtain a "crossed Internet failover service" between the two branches; I mean, if one of the two ISP connections goes down, the branch in failure will use the ISP connection of the other branch (and vice versa).

Any suggestion on how to set up this interesting scenario?

Many thanks in advance for the support.

FAB



  • You can use the link between "BRANCH A" and "BRANCH B" with a default gateway configured. So you have 2 links with a default gateway.

    ISP balancing is active now.

    Configure the ISP balancing as active/failover or active/active with weighting 100:0.

    So your other branch is the second ISP for you.

     

    Don't forget to deny access from the other branch to local resources within the firewall rule set.

    Use other-branch-network -> some-services -> Internet (NOT ANY) within the rules.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Thanks for the answer, but for me it is not clear at all.

    There are two gateways (the gateway of the ISP WAN of "BRANCH A" and the gateway of the ISP of "BRANCH B").

    Does anybody else want to suggest or comment on this issue?

    Thanks in advance

    FAB

  • Hello Fab,

    you can treat both connections from/through eth1 and/or eth2 the same. The physical link doesn't matter, whether it's a direct patch cable or a Wi-Fi connection over some distance.

    In the case of the cable running from eth1 to your ISP router, the internal IP of that router is your gateway to "the internet"; in the case of the Wi-Fi connection going from eth2 to the other SG/UTM in branch B, that UTM's IP address is your second gateway to "the internet". If you enable a second gateway, the UTM tells you that it enables "Uplink Balancing", where you can set a weight for the several interfaces depending on their line speed. Additionally you have to set up multipath rules to control the traffic over these lines; you find this under "Interfaces" in the UTM.

    The other site is exactly the same, but vice versa. So in the end you have two sites with two gateways each, which is 4 gateways in sum.

    I have exactly the same setup running at two customers' sites with a Mikrotik 60 GHz Wi-Fi pair of dishes between two buildings at a distance of approx. 2 km. Both sites have a different ISP and can fail over to each other.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Hi, about the gateways it is now much clearer. About creating the proper multipath rules to control the traffic on the interfaces, I have some difficulties with how to set up these rules.

    If I understood correctly, under normal conditions ETH1 of the "BRANCH A" UTM must permit (or put at the disposal of) the ETH2 interface all the Internet services available (web surfing, SMTP, etc.) on ETH1. The same on the opposite side (UTM in "BRANCH B").

    If you can suggest a link or a document where this kind of rule is documented, I would really appreciate it.

    Many thanks in advance.

    FAB

  • It is not necessary to create multipath rules.

    Within "uplink balancing" you can edit the "interface scheduler".

    If you set the interface from the other branch to 0, it is only used if the local ISP interface is unavailable.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
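The two points Dirk makes in his replies (interface scheduler weights 100:0 so the cross link is a fallback only, and a rule that lets the other branch reach the Internet but NOT ANY, i.e. not the local LAN) can be checked against a small model. The following is an added example, not code from the thread or from Sophos; UTM SG is configured in WebAdmin, so this is a plain-Python model of the routing decision and the rule evaluation, with constructed networks (10.10.0.0/24 for branch A, 10.20.0.0/24 for branch B, 203.0.113.10 as an Internet host), a constructed service set, and an assumed "monitor" flag standing in for uplink health probing, whose exact behaviour on the UTM the thread does not describe:

```python
"""Cross-branch Internet failover as discussed in this thread, modelled in Python.
Added example, not from the thread or from Sophos. Models two decisions:
  1. uplink selection with interface scheduler weights 100:0,
  2. the firewall rule set on the "receiving" UTM for the other branch's traffic.
All networks, hosts and service lists are constructed for illustration."""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

A_LAN = ip_network("10.10.0.0/24")   # constructed branch A LAN
B_LAN = ip_network("10.20.0.0/24")   # constructed branch B LAN


@dataclass
class Branch:
    name: str
    lan: IPv4Network
    isp_up: bool                        # state of the local ISP on eth1
    peer: Optional["Branch"] = None     # the other branch, reached over eth2
    # Scheduler weights from the thread: local ISP 100, cross link 0
    # (weight 0 = "only when nothing with a positive weight is alive").
    weights: dict = field(default_factory=lambda: {"eth1": 100, "eth2": 0})

    def pick_uplink(self, monitor: bool = True) -> Optional[str]:
        """Interface a new Internet-bound flow leaves on; None if no uplink is alive."""
        live = {}
        for iface, weight in self.weights.items():
            if iface == "eth1":
                alive = self.isp_up
            else:
                # Assumption: with uplink monitoring, eth2 counts as alive only if
                # a probe through the peer reaches the Internet (peer's ISP is up);
                # without monitoring the cross link always looks up.
                alive = self.peer is not None and (self.peer.isp_up or not monitor)
            if alive:
                live[iface] = weight
        if not live:
            return None
        if any(w > 0 for w in live.values()):
            return max(live, key=live.get)      # highest live weight wins
        return next(iter(live))                 # only weight-0 fallbacks remain


def build_branches(a_isp_up: bool, b_isp_up: bool):
    """Two branches cross-connected over eth2 (constructed topology)."""
    a, b = Branch("A", A_LAN, a_isp_up), Branch("B", B_LAN, b_isp_up)
    a.peer, b.peer = b, a
    return a, b


def trace_egress(branch: Branch, monitor: bool = True, max_hops: int = 4) -> list:
    """Follow an Internet-bound flow until it exits via an ISP.
    The last hop is 'NO-UPLINK' or 'LOOP' when it never gets out."""
    path, cur = [], branch
    for _ in range(max_hops):
        iface = cur.pick_uplink(monitor)
        if iface is None:
            return path + [f"{cur.name}:NO-UPLINK"]
        if iface == "eth1":
            return path + [f"{cur.name}:eth1(ISP)"]
        path.append(f"{cur.name}:eth2->{cur.peer.name}")
        cur = cur.peer
    return path + ["LOOP"]


@dataclass
class Rule:
    src: IPv4Network
    dst: str          # CIDR string, or "Internet" (= any address not in a local net)
    services: set     # e.g. {"tcp/443"}; {"any"} matches every service
    action: str       # "allow" or "deny"


def evaluate(rules, local_nets, src: str, dst: str, service: str) -> str:
    """First matching rule wins; default deny (top-down like the UTM rule set)."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s not in r.src:
            continue
        if r.dst == "Internet":
            if any(d in n for n in local_nets):
                continue
        elif d not in ip_network(r.dst):
            continue
        if "any" not in r.services and service not in r.services:
            continue
        return r.action
    return "deny"


# Rule set on branch A's UTM for traffic arriving from branch B over eth2.
WEB_MAIL_DNS = {"tcp/80", "tcp/443", "tcp/25", "udp/53"}        # "some services"
RULES_AT_A_RECOMMENDED = [Rule(B_LAN, "Internet", WEB_MAIL_DNS, "allow")]
RULES_AT_A_TOO_BROAD = [Rule(B_LAN, "0.0.0.0/0", {"any"}, "allow")]  # the "ANY" rule to avoid

if __name__ == "__main__":
    for a_up, b_up in ((True, True), (False, True), (False, False)):
        print(f"ISP A up={a_up}, ISP B up={b_up}:", trace_egress(build_branches(a_up, b_up)[0]))
    print("both down, no monitoring:", trace_egress(build_branches(False, False)[0], monitor=False))
    for rules in (RULES_AT_A_RECOMMENDED, RULES_AT_A_TOO_BROAD):
        print(evaluate(rules, [A_LAN], "10.20.0.5", "203.0.113.10", "tcp/443"),
              evaluate(rules, [A_LAN], "10.20.0.5", "10.10.0.10", "tcp/445"))
```

The trace shows why the weight-0 scheduler entry alone is enough for failover (A goes out via B only when ISP A is down) and why the cross link must be health-checked: in the model, if both ISPs are down and the cross link is treated as always up, each side hands the packet back to the other. The rule evaluation shows the difference between "other-branch-network -> some-services -> Internet" and an ANY rule: with the broad rule a host in branch B reaches an SMB share in branch A's LAN through the failover link.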
