Internet "crossed Failover" between two Branches with Sophos UTM SG (over a Wireless PtP Link)

I manage two Sophos UTM SG in two different branches of the company.

CURRENT SITUATION

"BRANCH A" is connected to the internet by "ISP A" on interface ETH1 of its UTM. (ISP = Internet Service Provider.)

"BRANCH B" is connected to the internet by a different ISP, named "ISP B", on interface ETH1 of its own (second) UTM.

The UTM of "BRANCH A" is also connected to the UTM of "BRANCH B" by an IPsec VPN (this is only additional information and is not the focus of this case).

SITUATION TO BE EXPLORED IF FEASIBLE (see below picture)

I want to set up a wi-fi/wireless PtP link (Hyperlan 5 GHz link using Ubiquiti hardware) and connect the "BRANCH A" UTM (by its ETH2 interface) to the "BRANCH B" UTM (by its ETH2 interface). The distance between the branches is 3 km (see the picture/diagram below).

The wi-fi PtP link acts like an "Ethernet patch cable" between the two firewalls.

The focus is to obtain a "crossed Internet Failover Service" between the two branches, I mean: if one of the two ISP connections goes down, the branch in failure will use the ISP connection of the other branch (and vice versa).

Any suggestion to set up this interesting scenario?

Many thanks in advance for the support.

FAB

  • In reply to FabItaly:

    Hello Fab,

    please try to solve your problem in small steps:

    1.) Can you ping from the UTM in branch1 to the IP 10.2.2.2? Use "Support/Tools/Ping Check" on the UTM in branch1.

    2.) Can you ping from the UTM in branch2 to the IP 10.2.2.1? This time you have to do this from the UTM in branch2.

    3.) If both tests above were successful, your problem is not with the wifi link.

  • In reply to jprusch:

    Hello Philipp,

    of course my problem IS NOT the wifi link (I'm a Ham Radio Operator, a pioneer with wifi links since 1996).

    Just to confirm that, today I configured the PtP interface in Branch1 as an additional LAN (LAN2) with the DHCP server active, and I went to Branch2 with a laptop connected directly to the Ethernet cable coming from the CPE in Branch2 (previously connected to Eth2 of the UTM), and I got a fully working connection (DHCP address assigned to the laptop by the UTM of Branch1) and browsed from Branch2 using the Branch1 WAN connection. So the wireless link is 100% fully working. I also performed an internet speed test, obtaining +/- 30 Mbps of throughput (the WAN of Branch1 is a 1 Gbps FTTH connection and the bottleneck is the wireless link).

    Yesterday and this morning I performed all kinds of pings from Branch1 to Branch2 and in reverse, always using the "Support/Tools/Ping Check" tool on the PtP interfaces.

    In order of depth, these are the results of the pings:

    Pinging from Branch 1 (10.2.2.1) to Branch1 PtP CPE 10.2.2.2 = RESULT OK

    Pinging from Branch 1 (10.2.2.1) to Branch1 PtP CPE 10.2.2.112 = RESULT OK

    Pinging from Branch 1 (10.2.2.1) to Branch2 PtP CPE 10.2.2.113 = RESULT OK

    Pinging from Branch 1 (10.2.2.1) to Branch2 UTM PtP interface 10.2.2.2 = RESULT OK

    Pinging from Branch 1 (10.2.2.1) to Branch2 UTM WAN interface IP address xxx.x.154.185 = RESULT OK

    Pinging from Branch 1 (10.2.2.1) to Branch2 UTM WAN interface IP address xxx.x.154.190 (the network is /29) = RESULT NEGATIVE

    Pinging from Branch 1 (10.2.2.1) to Branch2 UTM WAN interface host google.com = RESULT NEGATIVE

    Same results from Branch2

    So the problem (maybe since the beginning) is on the UTMs.

    In order to keep the PtP interfaces "Up" in state and "Up" in link, I must configure the PtP interfaces without a gateway (and therefore not as part of the Uplink Interfaces).

    From my point of view this issue can be solved by some particular kind of rules that permit each PtP interface to act as a LAN and a WAN interface at the same time.

    Thanks for the support. I will stay tuned in this forum for any kind suggestion.

    Regards

    FAB


  • In reply to FabItaly:

    Hello Fab,

    I stumble each time over your description "PtP CPE and some IP address".

    there is no such additional IP 10.2.2.2 on the branch1 side, what do you MEAN here?

    I begin to believe there is a complete misconception here...

    Let's collect our data for your physical layout again:

    branch1 utm port eth2(=10.2.2.1)---(LAN-cable) ---ethernet port of wifi antenna1(10.2.2.112) ------(wifi bridge over air) ----ethernet port of antenna2(=10.2.2.113) --- (LAN-cable) ----branch2 utm port eth2 (=10.2.2.2)

    So my questions/suggestions were to ping from utm in branch1 to utm in branch2, that is from 10.2.2.1 to 10.2.2.2 and vice versa. But you did not do that.

    What you wrote up in your last post doesn't make any sense to me, sorry!

  • In reply to FabItaly:

    Hi FAB,

    if the primary link for branch B is up, you can't ping the WAN IP from branch A.

    The packet would use the preferred default gateway (the direct way to the internet), and so you try to ping the WAN IP from outside ... this is not allowed by default.


    I think there are problems understanding ISP balancing ...

    First you need to ensure both ISPs are "online/active" (your other branch is an ISP too).

    Next you may create an LB rule for a single PC sending data over the second branch to the internet and check this via "http://myip.dk" or traceroute.

    Traceroute should show you the way over the other branch ...

    But there are a lot of other possible problems ... like masquerading the correct networks, firewall rules within the other branch, ....
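As an added illustration (not code from the thread or from Sophos), the route selection Dirk describes, modelled in Python: a plain default route via ISP A wins for normal LAN hosts, so a ping to the other branch's WAN IP leaves through eth1; a source-matched policy route pins one test PC over the PtP link; and when the eth1 uplink is marked down, the backup default via 10.2.2.2 takes over, which is the crossed failover the thread is after. The 10.2.2.0/24 addresses are from the thread; the LAN 192.168.1.0/24, the ISP A gateway 203.0.113.1 and the branch2 WAN address 198.51.100.2 are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Route:
    prefix: str                      # destination network
    iface: str                       # egress interface on the UTM
    via: Optional[str] = None        # next hop; None means directly connected
    src_net: Optional[str] = None    # policy match on source; None matches any source
    metric: int = 0                  # lower wins between otherwise equal routes


@dataclass
class Utm:
    routes: list
    up: set = field(default_factory=set)   # interfaces whose uplink is currently healthy

    def lookup(self, src: str, dst: str):
        """Return (iface, next_hop) for a src->dst packet, or None if unroutable.
        Policy (source-matched) routes beat plain routes, then longest prefix,
        then lowest metric; routes on a dead uplink are skipped entirely."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        best_key, best = None, None
        for r in self.routes:
            if r.iface not in self.up:
                continue  # uplink monitor says this interface is down
            if r.src_net and s not in ipaddress.ip_network(r.src_net):
                continue  # policy route, but this source does not match
            net = ipaddress.ip_network(r.prefix)
            if d not in net:
                continue
            key = (r.src_net is not None, net.prefixlen, -r.metric)
            if best_key is None or key > best_key:
                best_key, best = key, r
        return (best.iface, best.via) if best else None


def build_branch1(isp_a_up: bool = True) -> Utm:
    """Branch1 UTM as laid out in the thread; non-10.2.2.x values are constructed."""
    return Utm(
        routes=[
            Route("10.2.2.0/24", "eth2"),                            # PtP link, directly connected
            Route("0.0.0.0/0", "eth1", via="203.0.113.1", metric=0),  # default via ISP A
            Route("0.0.0.0/0", "eth2", via="10.2.2.2", metric=10),   # backup default via branch2 UTM
            Route("0.0.0.0/0", "eth2", via="10.2.2.2",
                  src_net="192.168.1.50/32"),                         # one test PC pinned over the PtP link
        ],
        up={"eth1", "eth2"} if isp_a_up else {"eth2"},
    )
```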

  • In reply to jprusch:

    Good Morning Philipp,

    There were some errors in my previous post (copy/paste error). Sorry about that. I reviewed the tests and give you the complete, reviewed and correct list of the ping tests I made:

    Pinging from Branch 1 (10.2.2.1) to Branch1 PtP CPE 10.2.2.112 = RESULT OK

    Pinging from Branch 1 (10.2.2.1) to Branch2 PtP CPE 10.2.2.113 = RESULT OK

    Pinging from Branch 1 (10.2.2.1) to Branch2 UTM PtP interface 10.2.2.2 = RESULT OK

    Pinging from Branch 1 (10.2.2.1) to Branch2 UTM WAN interface IP public address xxx.xxx.197.2 = RESULT OK

    Pinging from Branch 1 (10.2.2.1) to Branch2 UTM WAN interface IP public address gateway xxx.xxx.197.1 (the network is /30) = RESULT NEGATIVE

    Pinging from Branch 1 (10.2.2.1) to Branch2 UTM WAN interface host google.com = RESULT NEGATIVE

    AND THE OPPOSITE SIDE:

    Pinging from Branch 2 (10.2.2.2) to Branch2 PtP CPE 10.2.2.113 = RESULT OK

    Pinging from Branch 2 (10.2.2.2) to Branch1 PtP CPE 10.2.2.112 = RESULT OK

    Pinging from Branch 2 (10.2.2.2) to Branch1 UTM PtP interface 10.2.2.1 = RESULT OK

    Pinging from Branch 2 (10.2.2.2) to Branch1 UTM WAN interface IP public address xxx.x.154.185 = RESULT OK

    Pinging from Branch 2 (10.2.2.2) to Branch1 UTM WAN interface IP address gateway xxx.x.154.190 (the network is /29) = RESULT NEGATIVE

    Pinging from Branch 2 (10.2.2.2) to Branch1 UTM WAN interface host google.com = RESULT NEGATIVE


    The layout is exactly what you wrote:

    branch1 utm port eth2(=10.2.2.1)---(LAN-cable) ---ethernet port of wifi antenna1(10.2.2.112) ------(wifi bridge over air) ----ethernet port of antenna2(=10.2.2.113) --- (LAN-cable) ----branch2 utm port eth2 (=10.2.2.2) OK

    So, as confirmed in my previous post (after the browsing test made by temporarily configuring eth2 as LAN2), there are no problems in the communication between the PtP interfaces of the two branches. The problem is in the UTMs, due to incorrect or missing configuration/routing.

    Just to reply to Dirk: there are no rules or particular routing configurations made for this purpose, until now. All the ping tests were performed only with the UTM's ping tool from the PtP interfaces, because I consider this matter an internal (between UTMs) issue, since each UTM has worked properly for a long time with its ISP and its LAN network.

    Waiting for suggestions.

    Many thanks in advance,

    Regards

    FAB

  • In reply to FabItaly:

    Hello Fab,

    next steps: do you have a masquerading rule for your wifi-network in place? (wifi-net-segment is called "Richtfunk" in my screenshot below)

    Of course you need a firewall rule to allow access from your wifi-network to the internet as well.

  • In reply to jprusch:

    Dear Philippe, and dear Community,


    happy to communicate (after 4 days of trials) that the goal has been reached (99%) by adding a configuration as in the picture attached below.

    Crucial has been to apply the firewall rule (PtP Interface > any > Internet IPv4), maybe because the internet traffic (LANs to WANs) passes through the activated web filtering. Really, I don't know if the masquerading rule is really needed.

    Now it remains to fix the existing IPsec VPN (between Branch1 and Branch2) so that it passes through the PtP link (as preferred) and only in case of failure of the PtP link passes through the WAN.

    Many thanks for the patience of all the readers and for the support (especially from Philipp).

    Any suggestion about the VPN is really welcome.

    If I want to add other indications for the Community, I will update this post or place an additional reply in this discussion.

    Regards,

    FAB
