RED device - Change metric

Hello !

I'm using a RED device and I would like to change the metric value (0 by default and by design I guess ?).
If I type "route -n", I can see 2 routes :
192.168.178.0 * 255.255.255.0 U 0 0 0 reds1 (metric value is 0)
192.168.178.0 10.100.230.254 255.255.255.0 UG 5 0 0 eth4 (metric value is 5)
I need that paquets go through 10.100.230.254 but metric value 5 is higher that 0...
If I change to 0 in the "static routing" tab, routing table only show interface reds1 ! I expect the opposite...

Any advice ?

Thanks !

Olivier

  • Salut Olivier and welcome to the UTM Community!

    Please show a picture of the Edit of the RED server for reds1.

    Cheers - Bob

  • In reply to BAlfson:

    Hi Bob !

    Thanks for your answer, you know, I'm an old user of the "astaro.org" forum ;)

    Below a printscreen :

    I tried to change the operation mode to "transparent/split" and put "Internet ipV4" as network but it doesn't help :(

    Regards,

    Olivier

  • In reply to openfield:

    You can PM ruckus with your old and new email addresses and he can get your old and new "identities" merged.

    Now, this is just a WAG - instead of having a separate Interface using reds1, why not bridge reds1 with eth4 since they use the same subnet?

    Cheers - Bob

  • In reply to BAlfson:

    Hi Bob,

    Thanks for the tips for my account but it's not so important...

    For the RED, it's for "historical" reason : my customer share a MPLS line and default route is pointing to another firewall that I don't manage. It seems Internet is blocked for a weird reason :(

    Remote site is working with Remote App (so, they can work) but without Internet access, I can't support them remotly (Teamviewer...). So, my idea was to install a RED and it works, they have Internet access.

    MPLS line have to be used for "critical" applications but I discovered that if I disconnect the modem in front of the RED, applications through Remote App become unavailable !

    Finally, I found that paquets flows through MPLS in one way but returns through RED...

    That's why I need to change metric :)

    Olivier

  • In reply to openfield:

    I bet WebAdmin won't let you fix the misconfiguration in the way you're trying.  Perhaps you could present a simple diagram with IPs and subnets noted.

    Cheers - Bob

  • In reply to BAlfson:

    Hi Bob,

    You're right, AFAIK there's no settings in Webadmin for that.

    Below, a schema with some details :

    Default route on Cisco L3 on remote site is configured to send packets to RED (Internet).

    A specific route is configured on the same Cisco to reach Datacenter for "critical" applications.

    Thank you !

    Olivier

  • In reply to openfield:

    Unless I'm missing something, Olivier, there's no way to make this work with this topology.

    Au fait, je n'ai pas pigé pourquoi le RED serait nécessaire.

    Cheers - Bob

  • In reply to openfield:

    Sometimes, you need to replace a RED with a small Desktop appliance (SG/XG). 

     

    SG with network protection.

    XG with Base Protection and two IPsec Tunnel or network protection and RED Tunnel. 

     

    XG would be best case because no subscription needed. 

  • In reply to LuCar Toni:

    Toni, you can make a site-to-site tunnel in XG without any paid subscription? - No kidding?!?  Don't you need to purchase a Support subscription?

    Cheers - Bob

  • In reply to BAlfson:

    Hi Bob,

    Take a look at this KBA: 

    https://community.sophos.com/kb/en-us/131806

     

    Base License includes VPN: IPsec RAS / S2S, SSL VPN RAS / S2S. 

    RED, HTML5 is in network protection.

     

    You can purchase a enhanced subscription - but you do not have to. The KBA explains the warranty status. 

  • In reply to BAlfson:

    Hi Bob,

    Je vais continuer en anglais pour la communauté, je ne savais pas que tu étais parfaitement bilingue :)

    Actually, with this topology, it works but in case of Internet or box failure (in front of the RED), users lose access to the datacenter...

    As I tried to explain, default route of the entire MPLS network is pointing to another firewall with no Internet access for this remote network.

     

    @Toni, correct me if I'm wrong but with a SG/XG box with IPSEC tunel, it will be the same ? Tunel have the highest priority in terms of metric and it's by design

    Olivier

  • In reply to openfield:

    You would have to configure some kind of backup.

    https://community.sophos.com/kb/en-us/123323

    This should be the same setup in XG, isnt it? 

  • In reply to openfield:

    With IPsec in the UTM, you can bind the IPsec Connection to a specific interface, Olivier, and then make Static Interface Routes with the metrics you want.  I don't think that can be done with the XG, but maybe Toni will correct me.

    Cheers - Bob

  • In reply to BAlfson:

    XG cannot do it as simple as bind it to the Interface, but you can also build such setups in XG aswell. 

    Like mentioned in the KBA. 

  • In reply to LuCar Toni:

    So, the only way to do it in XG is with changes at the command line.  Will those changes survive a reboot?  All upgrades?  Is there a document I could have read to answer my own question?

    Cheers - Bob