Sophos AP/APX users may experience issues registering to Sophos Central. More info available here: Central Wireless
We'd love to hear about it! Click here to go to the product suggestion community
Afternoon all. I'm a Sophos noob and have a question!
I have been tasked with using an SG210 as a WAN selector.
From e0 I'll have a connection to my core switch which hosts some VLAN's.
The Link from the core to the Sophos is routed so my default route on the switch is 0.0.0.0 0.0.0.0 192.168.199.1, the core switch IP address is 192.168.199.2 and this link is on VLAN 199
The core switch is the D/G for all the LAN's so LAN to Sophos should be a straightforward routing path.
I have created the appropriate routes on the e0 interface that point to 192.168.199.2
On e1, e2 and e4 I have different WAN routers.
e1 ip is 10.1.1.2 with the router connected being 10.1.1.1. Traffic is then NAT'd by this router to the outside world. e2 and e4 follow the same pattern except e2 is a DHCP addressing scheme.
The use case is this: The Sophos is on a ship. Sometimes it will be at sea using a VSAT internet service connected to e1. Sometimes it will be docked using a harbour supplied shore-lie on e2 and sometimes it will be close to shore and using a 3g/4g router on e4. The crew (who will be trained) need to be able to log in to the Sophos, choose the appropriate WAN connection and have traffic flow. They will not want to load balance at all, they just need to be able to get internet down whatever link is most appropriate at the time.
I am having trouble making this work. I am more used to Kerio devices which make this a breeze (because they are designed as WAN selectors) and I am fairly handy with Cisco CLI too. I've spent a good while at this searching the internet and the forum for answers to no avail. I'm looking for as minimal configuration as possible to keep complication down and to try to make any fault-finding easier should there be issues arising in use.
I am hoping the attached diagram helps with the explanation.
Hi Mark,The simplest way to do this would configure all 3 WAN interfaces and select the working one in Active Interfaces under Interfaces & Routing > Interfaces > Uplink Balancing You can change the active interface easily and keep the working one in the Active and others in the Standby. This would be the easiest way to configure and select the working interface.
In reply to Jaydeep:
That was the bit I was missing. Even though at this stage I don't want/need load-balancing, it still has to be enabled and interfaces selected.
Next challenge is knowing how to make load-balancing work in future.
Lets say I need 2 VLAN's to use VSAT and 2 to use 3g/4g. What rules do I need to add to ensure this happens? Presumably I need more routing rules to join sources to destinations and to ensure that both external interfaces are enabled in load-balancing?
Would I be right in thinking that I would need to make a rule for each load balancing scenario that might be required? That could be a lot of rules...
Hi Mark and welcome to the UTM Community!
Jaydeep's suggestion is a good one, but I would put all thee Interfaces in 'Active'. Then, all the crew has to do is power down the less desirable routers and the UTM will automatically pick the one that's live.
Instead you could use a Multipath rule bound to each Interface with them in the order of throughput speed - I would guess e2, e1 and then e4. Then, the UTM would choose the fastest connection available and no one would have to touch anything!
Cheers - BobPS It sounds like you've strong networking skills, but little experience configuring UTMs with WebAdmin. WebAdmin is a GUI that manipulates databases of objects and settings. A single change there can cause the Configuration Daemon to rewrite hundreds of lines of the code used to run the UTM. I've seen experienced CCIEs create really ugly WebAdmin configurations. I would urge you to have a strong, experienced UTM consultant review the current configuration and make suggestions on how to simplify it and make it easier to manage and modify.
In reply to BAlfson:
Busted! I'm a Cisco guy. Not quite CCIE but I'm fairly handy and yes I don't get my hands that dirty with UTM's in my normal day job.
I have put all three (now four) interfaces in Active. Great tip and definitely makes life easier.
I'm having an issue with another piece of kit but a search on here suggests changing from auto-negotiation to fixed so that's next. If that doesn't work there will be another question!
With regards to multipath, what happens if there is only a single connection available? Presumably the Sophos doesn't care it will just use what it can see as up and interfaces not assigned to use that one up interface are simply cut off? I am again imagining quote a lot of rules to cover every eventuality. Final config will have 6 VLAN's that all need internet and 4 external connections to choose from. To be honest I don't think I want to be that adventurous with this deployment right now.
I'll pitch getting a UTM consultant in but as the job is costed and sold, any money spent comes off the bottom line and for the most part, it's working well right now. But I'll make the point using your words. Thanks.
In reply to Mark Mark:
Assuming that you want all VLANs to be able to access the Internet at any time, you would just one Multipath rule for each WAN connection like the following:
You could have a single masquerading rule like 'Any -> Uplink Interfaces' instead of one for each VLAN and each interface (6x4=24!).
Cheers - BobPS Check #7.7 in Rulz (last updated 2019-04-17).
Starting to not like this experience at all. I am having a lot of problems deciphering what the hell it's doing with my traffic and in all honesty what I want is 5 minutes on the phone with someone who knows these things properly so I can make it work. I can't believe I'm that far away from making it work but I just can't find it.
And my latest screw up was to set the VLAN on my internal interfcae. That cut me off good and proper despite the next hop switch interface being configured for the same VLAN. What's that about? Layer 2 configs match but traffic doesn't pass. I know UTM's are "anti-routers" but to me that makes no sense at all and yes I have matching Layer 3 IP's to go with the matching Layer 2. Can't seem to connect to it all all now so it's getting factory reset and I'm starting again.