
Multi-site Fail-over

So we have a client with a main office and a branch office. The offices each have an SG firewall. Main has an SG125, branch has an SG135. They have an Ethernet Private Line from their ISP and want the offices to communicate over this line for local traffic but have each location use its own WAN connection for Internet traffic. We have successfully taken care of the LAN traffic between the sites over the EPL using eth2 on each firewall, static routes and firewall policies.
The kicker is that they also want each location's WAN to be a fail-over for each other. So that if the WAN goes out at the main office, user's HTTP and HTTPS traffic goes through the EPL connection and then out the WAN of the branch office firewall.
We have the task of trying to set this up but have never run into this situation and may need some guidance on how best to approach this. Thank you!



  • That's pretty simple to achieve using multipath rules (under interfaces) so have a look around there and you will get the idea.

    You will need to add interfaces to the UTMs, so SITE A 2nd WAN > SITE B 2nd LAN & vice versa

    We use that for our organisation. The two core sites have 100Mb WANs and are connected via a 1Gb link. We VLAN traffic down the 1Gb link for various things but 2 of those VLANs are dedicated to the UTMs.

    Vlan 200 = SITE A UTM > SITE B UTM
    Vlan 300 = SITE B UTM > SITE A UTM

    SITE A web traffic hits SITE A web proxy > 50% SITE A WAN / 50% SITE B WAN (no proxy just direct as traffic has already hit SITE A proxy)
    SITE B web traffic hits SITE B web proxy > 50% SITE B WAN / 50% SITE A WAN (no proxy just direct as traffic has already hit SITE B proxy)

    We also have 50 remote sites that are connected to the above 2 via MPLS using BGP routing which allows all sites to select the best path so traffic may decide to go to SITE A or B and if one fails, the network will automatically route to the best site & UTM

  • I played around with the Multipath Rules a bit but I got the impression that I would need another interface with a specified GW, which I did not have available.  I guess that's where the new interfaces you mentioned I'd need to create on each UTM come into play.  Did you just add Ethernet VLAN interfaces or regular interfaces?  And do the VLAN tags need to go beyond each UTM (down to the switch level) or is that just for the benefit of the Multipath Rules?   Sorry, new to the Sophos world.

  • I created another vlan interface (eg WAN2) on the eth0 which was on the same interface as the LAN (vlan interface too). **not on the same interface as the WAN**

    eg
    eth1 = WAN1 (ISP)
    eth0 = LAN (goes to SITE A LAN) & WAN2 (goes to LAN2 at SITE B)

    So the physical cable coming off the UTM on eth0 only used VLANs, e.g. VLAN LAN & WAN2, which went into a managed switch. The WAN2 VLAN then connected to the link between both sites via VLAN and connected to a separate VLAN LAN2 on SITE B. That LAN2 then went out direct, i.e. no proxy, as it was proxied at SITE A. FW rules were to allow all, and there is nothing else on that subnet as it's purely used for this purpose.

    You are basically extending a 2nd WAN from SITE A to a separate LAN on SITE B and then NATting it out.
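    To make the behaviour of that design concrete, here is a small model of a multipath rule with uplink health checks. It is an added example, not Sophos UTM code and not something Louis posted: it treats SITE A's own ISP link and the VLAN that rides the inter-site link to SITE B's WAN as two uplinks, splits web flows between them while both are healthy, and sends everything over the surviving uplink when one fails its check. The interface names (eth1, eth0.200), the VLAN id and the client/server addresses are illustrative, and the `failover_only` switch is an assumption added to show the OP's "only use the other site when my WAN is down" case next to Louis's 50/50 case.

```python
"""Model of the multipath behaviour Louis describes: web traffic from
SITE A is steered to its own WAN or to a VLAN that rides the inter-site
link to SITE B's WAN, and an uplink that has failed its health check
drops out of the candidate set. Constructed example, not Sophos code;
interface names and addresses are illustrative."""
import hashlib
from dataclasses import dataclass


@dataclass
class Uplink:
    name: str
    weight: int       # share of flows when several uplinks are healthy
    up: bool = True   # result of the uplink health check


@dataclass
class MultipathRule:
    name: str
    services: frozenset          # destination ports the rule applies to
    uplinks: list                # Uplink objects in preference order
    failover_only: bool = False  # True: use only the first healthy uplink

    def candidates(self):
        healthy = [u for u in self.uplinks if u.up and u.weight > 0]
        if self.failover_only and healthy:
            return healthy[:1]
        return healthy

    def select(self, src_ip, dst_ip, dport):
        """Return the uplink name for a flow, or None when the rule does
        not match (the flow then follows the normal default route).
        The choice is a deterministic hash of the flow so one session
        does not flap between WANs while both are healthy."""
        if dport not in self.services:
            return None
        cands = self.candidates()
        if not cands:
            return None
        total = sum(u.weight for u in cands)
        key = f"{src_ip}|{dst_ip}|{dport}".encode()
        point = int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % total
        for u in cands:
            if point < u.weight:
                return u.name
            point -= u.weight
        return cands[-1].name


def build_site_a_rule(wan1_up=True, failover_only=False):
    # eth1 = local ISP; eth0.200 = VLAN 200 across the inter-site link,
    # terminating on a dedicated LAN at SITE B that NATs out its WAN
    wan1 = Uplink("eth1-WAN1", weight=1, up=wan1_up)
    wan2 = Uplink("eth0.200-WAN2-via-SITE-B", weight=1)
    return MultipathRule("web-out", frozenset({80, 443}), [wan1, wan2],
                         failover_only=failover_only)


def distribute(rule, flows):
    """Count how many flows each uplink receives."""
    counts = {}
    for src, dst, dport in flows:
        name = rule.select(src, dst, dport)
        counts[name] = counts.get(name, 0) + 1
    return counts


def site_a_scenario(wan1_up=True, failover_only=False):
    """100 constructed HTTPS flows from SITE A clients to one web server."""
    rule = build_site_a_rule(wan1_up, failover_only)
    flows = [(f"192.168.1.{i}", "203.0.113.10", 443) for i in range(1, 101)]
    return distribute(rule, flows)


if __name__ == "__main__":
    print("both WANs healthy, 50/50:", site_a_scenario())
    print("failover only, WAN1 healthy:", site_a_scenario(failover_only=True))
    print("WAN1 down:", site_a_scenario(wan1_up=False))
```

    The point worth noticing is that the rule only ever hands a flow to an uplink that passed its health check; the transit VLAN carries the traffic to the other site's UTM, which simply NATs it out, so nothing on either side needs to know the peer's WAN has failed beyond the health-check result.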

  • Hi Chris and welcome to the UTM Community!

    Louis' solution is a good one.  Another is to use Uplink Monitoring to establish a site-to-site IPsec VPN.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks for that suggestion Bob.  I'll look into that option.  Can an IPsec tunnel be built over an EPL though?  As the whole goal is to have Web services traffic reroute over the already established EPL should that site's WAN connection go out.  The EPL is essentially a long Ethernet cable plugged from eth2 in one firewall into eth2 of the other.  I really just wish the models matched so we could have looked into HA as an option.  But sadly, no.

  • HA would not be an option in any case, Chris.  Yes, an IPsec tunnel over an EPL is possible.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Is there any point in using IPsec here? You would be using overhead and complication for no gain.

  • Ok so playing with the idea of creating an IPsec tunnel over the EPL line but it will not establish.  Currently the EPL endpoints are 10.0.0.1 (Main) and 10.0.0.2 (Branch).  I also tried having the endpoints on different subnets.  (10.0.0.1/30 and 10.0.0.10/30)  That did not seem to work.  Double-checked policy matching, and pre-shared keys on both ends.   Live logs have the following:

    Main Office:

    2019:03:08-08:55:05 mg-for-fw pluto[2399]: loading secrets from "/etc/ipsec.secrets"
    2019:03:08-08:55:05 mg-for-fw pluto[2399]: loaded PSK secret for 10.0.0.1 10.0.0.10
    2019:03:08-08:55:05 mg-for-fw pluto[2399]: listening for IKE messages
    2019:03:08-08:55:05 mg-for-fw pluto[2399]: added connection description "S_MG-FOR-MH"
    2019:03:08-08:55:05 mg-for-fw pluto[2399]: "S_MG-FOR-MH" #1: initiating Main Mode
    2019:03:08-08:55:05 mg-for-fw pluto[2399]: added connection description "X_MG-FOR-MH"
    2019:03:08-08:55:05 mg-for-fw pluto[2399]: added connection description "X_MG-FOR-MH"
     
     
    Branch Office:
     
    2019:03:08-14:54:44 mg-mh-fw pluto[31577]: loading secrets from "/etc/ipsec.secrets"
    2019:03:08-14:54:44 mg-mh-fw pluto[31577]: loaded PSK secret for 10.0.0.10 10.0.0.1
    2019:03:08-14:54:44 mg-mh-fw pluto[31577]: listening for IKE messages
    2019:03:08-14:54:44 mg-mh-fw pluto[31577]: added connection description "S_MG-MH-FOR"
    2019:03:08-14:54:44 mg-mh-fw pluto[31577]: "S_MG-MH-FOR" #1: initiating Main Mode
    2019:03:08-14:54:44 mg-mh-fw pluto[31577]: added connection description "S_MG-MH-FOR"
    2019:03:08-14:54:44 mg-mh-fw pluto[31577]: added connection description "S_MG-MH-FOR"
    2019:03:08-14:54:44 mg-mh-fw pluto[31577]: added connection description "S_MG-MH-FOR"
    2019:03:08-14:54:44 mg-mh-fw pluto[31577]: added connection description "S_MG-MH-FOR"
    2019:03:08-14:54:44 mg-mh-fw pluto[31577]: added connection description "S_MG-MH-FOR"
    2019:03:08-14:54:44 mg-mh-fw pluto[31577]: added connection description "X_MG-MH-FOR"
    2019:03:08-14:54:44 mg-mh-fw pluto[31577]: added connection description "X_MG-MH-FOR"
    2019:03:08-14:54:44 mg-mh-fw pluto[31577]: "X_MG-MH-FOR": cannot install eroute -- it is in use for "X_MG-MH-FOR" #0
    2019:03:08-14:54:44 mg-mh-fw pluto[31577]: added connection description "X_MG-MH-FOR"
    2019:03:08-14:54:44 mg-mh-fw pluto[31577]: "X_MG-MH-FOR": cannot install eroute -- it is in use for "X_MG-MH-FOR" #0
    2019:03:08-14:54:44 mg-mh-fw pluto[31577]: added connection description "X_MG-MH-FOR"
    2019:03:08-14:54:44 mg-mh-fw pluto[31577]: "X_MG-MH-FOR": cannot install eroute -- it is in use for "X_MG-MH-FOR" #0
    2019:03:08-14:54:44 mg-mh-fw pluto[31577]: added connection description "X_MG-MH-FOR"
    2019:03:08-14:54:44 mg-mh-fw pluto[31577]: "X_MG-MH-FOR": cannot install eroute -- it is in use for "X_MG-MH-FOR" #0
    2019:03:08-14:54:44 mg-mh-fw pluto[31577]: added connection description "X_MG-MH-FOR"
    2019:03:08-14:54:44 mg-mh-fw pluto[31577]: "X_MG-MH-FOR": cannot install eroute -- it is in use for "X_MG-MH-FOR" #0
     
    Any thoughts?  I can't find any literature on creating an IPSec tunnel over an EPL.
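    For anyone reading the pluto output above and wondering what it is (and is not) saying: both sides log "initiating Main Mode" and then nothing more for that connection, i.e. each UTM sent the first IKE message and never logged a reply, and the branch side also repeats "cannot install eroute -- it is in use", which means the kernel policy for that selector pair is already held by another instance of the same connection definition. The script below is an added triage helper, not Sophos code and not from the thread: it parses pluto live-log lines, reports connections that were initiated but never reached an "ISAKMP SA established" message (assumed here to be pluto's standard success wording), counts eroute conflicts and flags connection definitions that were loaded more than once. The sample lines are constructed, modelled on the branch office output, with the hostname and connection names changed.

```python
"""Triage helper for pluto (IKE daemon) live-log lines like the ones
posted in this thread. Constructed example: not Sophos code and not from
the thread; the sample lines below are modelled on the posted output."""
import re
from collections import Counter

# 2019:03:08-14:54:44 host pluto[31577]: message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"pluto\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
PATTERNS = [
    ("added", re.compile(r'^added connection description "(?P<conn>[^"]+)"$')),
    ("init", re.compile(r'^"(?P<conn>[^"]+)" #\d+: initiating (?:Main|Aggressive) Mode$')),
    # assumed success message (standard pluto wording); not present in the posted logs
    ("estab", re.compile(r'^"(?P<conn>[^"]+)" #\d+: (?:ISAKMP|IPsec) SA established')),
    ("eroute", re.compile(r'^"(?P<conn>[^"]+)": cannot install eroute -- it is in use for "(?P<holder>[^"]+)"')),
    ("psk", re.compile(r"^loaded PSK secret for (?P<local>\S+) (?P<peer>\S+)$")),
]


def parse(lines):
    """Yield (host, msg) for well-formed pluto lines; skip anything else."""
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("host"), m.group("msg")


def classify(msg):
    """Map one pluto message to a kind and its named groups."""
    for kind, rx in PATTERNS:
        m = rx.match(msg)
        if m:
            return kind, m.groupdict()
    return "other", {}


def triage(lines):
    added, eroute = Counter(), Counter()
    initiated, established, psk = set(), set(), []
    for _host, msg in parse(lines):
        kind, g = classify(msg)
        if kind == "added":
            added[g["conn"]] += 1
        elif kind == "init":
            initiated.add(g["conn"])
        elif kind == "estab":
            established.add(g["conn"])
        elif kind == "eroute":
            eroute[g["conn"]] += 1
        elif kind == "psk":
            psk.append((g["local"], g["peer"]))
    stalled = sorted(initiated - established)
    findings = [f"{c}: initiated IKE but never established; no reply from the "
                "peer in this window (check that the peer address is reachable "
                "and that UDP/500 is allowed on that interface)" for c in stalled]
    findings += [f"{c}: {n}x eroute conflict; the kernel policy for these "
                 "selectors is already held by another instance of the "
                 "connection (overlapping or duplicate definition)"
                 for c, n in sorted(eroute.items())]
    findings += [f"{c}: definition loaded {n} times"
                 for c, n in sorted(added.items()) if n > 1]
    return {"initiated": sorted(initiated), "established": sorted(established),
            "stalled": stalled, "eroute_conflicts": dict(eroute),
            "psk_peers": psk, "findings": findings}


# Constructed sample, modelled on the branch office log posted above.
SAMPLE_STALLED = """\
2019:03:08-14:54:44 branch-fw pluto[31577]: loaded PSK secret for 10.0.0.10 10.0.0.1
2019:03:08-14:54:44 branch-fw pluto[31577]: listening for IKE messages
2019:03:08-14:54:44 branch-fw pluto[31577]: added connection description "S_SITE"
2019:03:08-14:54:44 branch-fw pluto[31577]: "S_SITE" #1: initiating Main Mode
2019:03:08-14:54:44 branch-fw pluto[31577]: added connection description "X_SITE"
2019:03:08-14:54:44 branch-fw pluto[31577]: added connection description "X_SITE"
2019:03:08-14:54:44 branch-fw pluto[31577]: "X_SITE": cannot install eroute -- it is in use for "X_SITE" #0
""".splitlines()

# Same window with the (assumed) success message appended, for contrast.
SAMPLE_OK = SAMPLE_STALLED + [
    '2019:03:08-14:54:46 branch-fw pluto[31577]: "S_SITE" #1: ISAKMP SA established',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_STALLED)["findings"]:
        print(f)
```

    Run it against each side's live log separately; if both sides show a stalled initiation and neither logs anything received, the IKE packets are not arriving on the EPL interface at all, which points at the firewall rules or binding on eth2 rather than at the phase 1 policy or the PSK.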