I'm using a RED device and I would like to change the metric value (0 by default and by design, I guess?). If I type "route -n", I can see 2 routes:
192.168.178.0 * 255.255.255.0 U 0 0 0 reds1 (metric value is 0)
192.168.178.0 10.100.230.254 255.255.255.0 UG 5 0 0 eth4 (metric value is 5)
I need packets to go through 10.100.230.254 but metric value 5 is higher than 0... If I change it to 0 in the "static routing" tab, the routing table only shows interface reds1! I expect the opposite...
Any advice?
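Added example, not part of the original thread: a small model of standard Linux route selection (longest prefix first, then lowest metric) run over the two routes quoted in the post, showing why reds1 is chosen. The /25 route is constructed for illustration and goes beyond the posted table to show that a more specific prefix is preferred regardless of metric.

```python
import ipaddress

# The two routes quoted in the post, annotations dropped. Columns follow the
# usual `route` layout: Destination Gateway Genmask Flags Metric Ref Use Iface.
POSTED_ROUTES = """\
192.168.178.0 * 255.255.255.0 U 0 0 0 reds1
192.168.178.0 10.100.230.254 255.255.255.0 UG 5 0 0 eth4
"""
# Constructed for illustration (not from the thread): a more specific /25
# towards the same gateway, still with the higher metric 5.
CONSTRUCTED_ROUTE = "192.168.178.0 10.100.230.254 255.255.255.128 UG 5 0 0 eth4\n"


def parse_routes(text):
    """Parse `route`-style lines into dicts; header and junk lines are skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8:
            continue
        dest, gateway, mask, flags, metric, _ref, _use, iface = fields
        try:
            network = ipaddress.ip_network(f"{dest}/{mask}")
            metric = int(metric)
        except ValueError:
            continue  # e.g. the column header line
        routes.append({"network": network, "gateway": gateway,
                       "flags": flags, "metric": metric, "iface": iface})
    return routes


def select_route(routes, destination):
    """Longest prefix wins; metric only breaks ties between equal prefixes."""
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in routes if addr in r["network"]]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r["network"].prefixlen, r["metric"]))


if __name__ == "__main__":
    table = parse_routes(POSTED_ROUTES)
    print(select_route(table, "192.168.178.20")["iface"])   # table as posted
    table += parse_routes(CONSTRUCTED_ROUTE)
    print(select_route(table, "192.168.178.20")["iface"])   # with the /25 added
```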
Salut Olivier and welcome to the UTM Community!
Please show a picture of the Edit of the RED server for reds1.
Cheers - Bob
In reply to BAlfson:
Hi Bob !
Thanks for your answer, you know, I'm an old user of the "astaro.org" forum ;)
Below a printscreen :
I tried to change the operation mode to "transparent/split" and put "Internet ipV4" as network but it doesn't help :(
In reply to openfield:
You can PM ruckus with your old and new email addresses and he can get your old and new "identities" merged.
Now, this is just a WAG - instead of having a separate Interface using reds1, why not bridge reds1 with eth4 since they use the same subnet?
Thanks for the tips for my account but it's not so important...
For the RED, it's for "historical" reasons: my customer shares an MPLS line and the default route is pointing to another firewall that I don't manage. It seems Internet is blocked for a weird reason :(
The remote site is working with Remote App (so, they can work) but without Internet access, I can't support them remotely (Teamviewer...). So, my idea was to install a RED and it works, they have Internet access.
The MPLS line has to be used for "critical" applications but I discovered that if I disconnect the modem in front of the RED, applications through Remote App become unavailable!
Finally, I found that packets flow through MPLS in one way but return through the RED...
That's why I need to change metric :)
I bet WebAdmin won't let you fix the misconfiguration in the way you're trying. Perhaps you could present a simple diagram with IPs and subnets noted.
You're right, AFAIK there are no settings in WebAdmin for that.
Below, a schema with some details :
Default route on Cisco L3 on remote site is configured to send packets to RED (Internet).
A specific route is configured on the same Cisco to reach Datacenter for "critical" applications.
Thank you !
Unless I'm missing something, Olivier, there's no way to make this work with this topology.
By the way, I didn't get why the RED would be necessary.
Sometimes, you need to replace a RED with a small Desktop appliance (SG/XG).
SG with network protection.
XG with Base Protection and two IPsec Tunnel or network protection and RED Tunnel.
XG would be best case because no subscription needed.
In reply to LuCar Toni:
Toni, you can make a site-to-site tunnel in XG without any paid subscription? - No kidding?!? Don't you need to purchase a Support subscription?
Take a look at this KBA:
Base License includes VPN: IPsec RAS / S2S, SSL VPN RAS / S2S.
RED, HTML5 is in network protection.
You can purchase an enhanced subscription - but you do not have to. The KBA explains the warranty status.
I'll continue in English for the community, I didn't know you were perfectly bilingual :)
Actually, with this topology, it works but in case of Internet or box failure (in front of the RED), users lose access to the datacenter...
As I tried to explain, default route of the entire MPLS network is pointing to another firewall with no Internet access for this remote network.
@Toni, correct me if I'm wrong, but with an SG/XG box with an IPsec tunnel, will it be the same? The tunnel has the highest priority in terms of metric and it's by design.
You would have to configure some kind of backup.
This should be the same setup in XG, isn't it?
With IPsec in the UTM, you can bind the IPsec Connection to a specific interface, Olivier, and then make Static Interface Routes with the metrics you want. I don't think that can be done with the XG, but maybe Toni will correct me.
XG cannot do it as simply as binding it to the interface, but you can also build such setups in XG as well.
Like mentioned in the KBA.
So, the only way to do it in XG is with changes at the command line. Will those changes survive a reboot? All upgrades? Is there a document I could have read to answer my own question?