
Multi-site Fail-over

So we have a client with a main office and a branch office. The offices each have an SG firewall. Main has an SG125, branch has an SG135. They have an Ethernet Private Line from their ISP and want the offices to communicate over this line for local traffic but have each location use its own WAN connection for Internet traffic. We have successfully taken care of the LAN traffic between the sites over the EPL using eth2 on each firewall, static routes and firewall policies.
The kicker is that they also want each location's WAN to be a fail-over for the other. So that if the WAN goes out at the main office, users' HTTP and HTTPS traffic goes through the EPL connection and then out the WAN of the branch office firewall.
We have the task of trying to set this up but have never run into this situation and may need some guidance on how best to approach this. Thank you!

  • That's pretty simple to achieve using multipath rules (under interfaces) so have a look around there and you will get the idea.

    You will need to add interfaces to the UTMs so SITE A 2nd WAN > SITE B 2nd LAN & vice versa.

    We use that for our organisation. The two core sites have 100 Mb WANs and are connected via a 1 Gb link. We VLAN traffic down the 1 Gb link for various things but 2 of those VLANs are dedicated to the UTMs.

    Vlan 200 = SITE A UTM > SITE B UTM
    Vlan 300 = SITE B UTM > SITE A UTM

    SITE A web traffic hits SITE A web proxy > 50% SITE A WAN / 50% SITE B WAN (no proxy just direct as traffic has already hit SITE A proxy)
    SITE B web traffic hits SITE B web proxy > 50% SITE B WAN / 50% SITE A WAN (no proxy just direct as traffic has already hit SITE B proxy)

    We also have 50 remote sites that are connected to the above 2 via MPLS using BGP routing which allows all sites to select the best path so traffic may decide to go to SITE A or B and if one fails, the network will automatically route to the best site & UTM

  • I played around with the Multipath Rules a bit but I got the impression that I would need another interface with a specified GW, which I did not have available. I guess that's where the new interfaces you mentioned I'd need to create on each UTM come into play. Did you just add Ethernet VLAN interfaces or regular interfaces? And do the VLAN tags need to go beyond each UTM (down to the switch level) or is that just for the benefit of the Multipath Rules? Sorry, new to the Sophos world.

  • I created another VLAN interface (e.g. WAN2) on eth0, which was on the same interface as the LAN (a VLAN interface too). **Not on the same interface as the WAN.**

    e.g.
    eth1 = WAN1 (ISP)
    eth0 = LAN (goes to SITE A LAN) & WAN2 (goes to LAN2 at SITE B)

    So the physical cable coming off the UTM on eth0 only used VLANs, e.g. VLAN LAN & WAN2, which went into a managed switch. The WAN2 VLAN then connected to the link between both sites via VLAN and connected to a separate VLAN LAN2 on SITE B. That LAN2 then went out direct, i.e. no proxy, as it was proxied at SITE A. FW rules were to allow all, and there is nothing else on that subnet as it's purely used for this purpose.

    You are basically extending a 2nd WAN from SITE A to a separate LAN on SITE B and then NATing it out.
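The design in the replies above (WAN2 as a tagged VLAN on the LAN-facing port at SITE A, landing as a dedicated transit LAN2 at SITE B and NATed out of SITE B's WAN, with web traffic failing over onto it) can be reproduced on a plain Linux box to validate it before touching the firewalls. The script below is an added example for that purpose; it is not Sophos UTM configuration and not the poster's own config. Interface names, VLAN IDs, addresses, the probe target and the `DRY_RUN` switch are all assumptions. It also tightens the "allow all" on the transit subnet: SITE B only NATs the /30 transit prefix and only forwards it to the WAN, never into SITE B's own LAN.

```shell
#!/bin/sh
# Added example (not Sophos UTM configuration, not the poster's own config):
# a Linux iproute2/nftables reproduction of the two-site WAN fail-over design.
# Interface names, VLAN IDs, addresses and the probe target are assumptions.
set -eu

DRY_RUN="${DRY_RUN:-1}"   # 1 = print commands only (default); 0 = apply, needs root

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# --- SITE A (assumed values) ---
A_LAN_IF=eth0                 # trunk to the managed switch (LAN + WAN2 VLANs)
A_WAN1_IF=eth1                # SITE A's own ISP
A_LAN_NET=192.168.10.0/24
A_WAN2_VLAN=200               # "Vlan 200 = SITE A UTM > SITE B UTM"
A_WAN2_IF="${A_LAN_IF}.${A_WAN2_VLAN}"
A_WAN2_IP=10.200.0.1/30
A_WAN2_GW=10.200.0.2          # SITE B's LAN2 address
PROBE_IP=192.0.2.1            # upstream host reachable only via WAN1 (assumed)

site_a_config() {
    # WAN2 lives on the LAN-facing port as a tagged VLAN, not on the ISP port.
    run ip link add link "$A_LAN_IF" name "$A_WAN2_IF" type vlan id "$A_WAN2_VLAN"
    run ip addr add "$A_WAN2_IP" dev "$A_WAN2_IF"
    run ip link set "$A_WAN2_IF" up
    # Routing table 200 holds the alternate default route over the EPL.
    run ip route add default via "$A_WAN2_GW" dev "$A_WAN2_IF" table 200
    # Mark only HTTP/HTTPS from the LAN; the fail-over rule keys on this mark.
    run nft add table ip sitea
    run nft add chain ip sitea mark '{ type filter hook prerouting priority mangle; }'
    run nft add rule ip sitea mark ip saddr "$A_LAN_NET" tcp dport '{ 80, 443 }' meta mark set 0x2
    # Traffic leaving over WAN2 is SNATed to the transit address, as on a real WAN.
    run nft add chain ip sitea post '{ type nat hook postrouting priority srcnat; }'
    run nft add rule ip sitea post oifname "$A_WAN2_IF" masquerade
}

# A second default route with a worse metric only reacts to link loss; an
# upstream outage needs a probe. Argument "up"/"down" replaces the probe
# (handy for testing); with no argument the function pings via WAN1.
failover_sync() {
    state="${1:-}"
    if [ -z "$state" ]; then
        if ping -I "$A_WAN1_IF" -c 1 -W 2 "$PROBE_IP" >/dev/null 2>&1; then state=up; else state=down; fi
    fi
    if [ "$state" = "down" ]; then
        run ip rule add fwmark 0x2 lookup 200 priority 100
    else
        run ip rule del fwmark 0x2 lookup 200 priority 100 || true   # absent when WAN1 is healthy
    fi
}

# --- SITE B (assumed values) ---
B_LAN_IF=eth0
B_WAN_IF=eth1
B_LAN_NET=192.168.20.0/24
B_LAN2_VLAN=200               # same tag carried across the EPL trunk
B_LAN2_IF="${B_LAN_IF}.${B_LAN2_VLAN}"
B_LAN2_IP=10.200.0.2/30
B_LAN2_NET=10.200.0.0/30

site_b_config() {
    run ip link add link "$B_LAN_IF" name "$B_LAN2_IF" type vlan id "$B_LAN2_VLAN"
    run ip addr add "$B_LAN2_IP" dev "$B_LAN2_IF"
    run ip link set "$B_LAN2_IF" up
    run sysctl -w net.ipv4.ip_forward=1
    run nft add table ip siteb
    # NAT only the transit /30, and only out of SITE B's WAN.
    run nft add chain ip siteb post '{ type nat hook postrouting priority srcnat; }'
    run nft add rule ip siteb post ip saddr "$B_LAN2_NET" oifname "$B_WAN_IF" masquerade
    # LAN2 is a transit subnet: it may reach the WAN and nothing at SITE B itself.
    run nft add chain ip siteb fwd '{ type filter hook forward priority filter; policy drop; }'
    run nft add rule ip siteb fwd ct state established,related accept
    run nft add rule ip siteb fwd iifname "$B_LAN2_IF" ip daddr "$B_LAN_NET" drop
    run nft add rule ip siteb fwd iifname "$B_LAN2_IF" oifname "$B_WAN_IF" accept
    run nft add rule ip siteb fwd ip saddr "$B_LAN_NET" oifname "$B_WAN_IF" accept
}

case "${1:-}" in
    site-a) site_a_config ;;
    site-b) site_b_config ;;
    probe)  failover_sync ;;
    "")     ;;
    *)      echo "usage: $0 site-a|site-b|probe" >&2; exit 1 ;;
esac
```

Run `sh failover.sh site-a` and `sh failover.sh site-b` once per box (`DRY_RUN=0` to apply), and `probe` from cron at SITE A; `ip rule add` does not deduplicate, so a production version should check `ip rule show` before adding. Two things the thread's GUI setup hides that this makes explicit: the transit /30 must be SNATed at both hops (SITE A onto WAN2, SITE B onto its WAN) or SITE B's NAT rule will not match, and the forward chain at SITE B is what stops a compromised host at SITE A from using the transit VLAN to reach SITE B's LAN.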