
Two internet connections - how to route traffic from a specific network out a specific internet interface

Hi Guys,

Need some help configuring routing on a Sophos SG210 UTM9 – latest firmware (9.605-1).

I don’t work on firewalls often and my network knowledge is basic so I apologise in advance if some of the terms are incorrect.

Current state:

Existing 100Mb fibre internet on interface eth3 and the internal network interface on eth0 (10.206.0.1). This is the production network and internet breakout for the 10.206.0.x network – gateway: 10.206.0.1. There is a second network (10.208.1.X) with a Windows 2012 R2 server (10.208.1.1) acting as a proxy between the 10.208.1.x and 10.206.0.x networks. The 10.208.1.x network uses the same 100Mb internet service as the 10.206.0.x network – gateway 10.206.0.1.

New configuration:

A second 50Mb internet service has been added. The 10.208.1.x network needs to use the new 50Mb internet service exclusively. On the UTM, interface eth1 is the new 50Mb internet and interface eth5 the 10.208.1.1 gateway address. The 50Mb internet works when I connect my laptop directly.

I have done some checks but cannot get to the internet from the 10.208.1.x network. The Windows proxy server has been disconnected and workstations on the 10.208.1.x network can successfully ping the firewall interface 10.208.1.1.

I have tried the following:

  • adding a policy route
  • adding a standard static route
  • adding a firewall rule
  • Do I need to add a masquerade rule?

I think the issue is also with the order of the steps above.

Uplink balancing has been enabled for the two internet connections.

Any guidance will be much appreciated.

Regards

Jacque.



  • Every private network that needs a connection to the internet using a public resolvable IP address must use NAT or masquerading.

    There should exist a masquerading rule for your 10.206.0.0 network, you need one for the 10.208.1.0 network, too.

    You could set one "any" to "uplink interfaces"; if you want to make sure that every local network can only use its own internet uplink, you can set one rule for network 1 using the WAN interface and one rule for network 2 using WAN2.

    But what defines where the traffic flows are two things:

    1) if the web proxy is enabled for both local networks you have to:

    • enable the possibility to select an outgoing interface for proxy traffic (https://community.sophos.com/kb/en-us/126892)
    • set up two different web filter profiles where each one is only responsible for one local network and the outgoing interface is set to the right WAN interface

    Otherwise the whole proxied internet traffic will use the WAN interface that is the first in "Active Interfaces" under "Uplink Balancing"; non-proxied traffic is balanced between the interfaces, depending on the "weight" of the two connections.

    2) if no web proxy is used and/or for any other traffic you have to set a Multipath Rule for each network.

    • Source: "local network 1", Service: Any, Destination: "Internet IPv4" (if the WAN is IPv6 you will have to use "Internet IPv6"), Itf. Persistence: "by Interface", Bind interface: "WAN1".
    • same rule for the 2nd local network and WAN2.

    Eventually you have to pay extra attention to resources used by both local networks (e.g. a mail server) so that this one is routed over the right interface.

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner
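    The two things Kevin's answer separates (a multipath rule pins a source network to a WAN interface; a masquerading rule must then exist for that network on that interface, or the traffic leaves unmasqueraded and never comes back) can be checked mechanically before touching the WebAdmin. The script below is an added example written for this thread, not Sophos code: it models the egress decision in the order the answer describes (web filter profile for proxied traffic, otherwise multipath rule, otherwise weighted uplink balancing) and audits each local network for a missing masquerading rule. Interface names (eth3 for the existing WAN, eth1 for the new 50Mb WAN), the weights and the network objects are taken from the thread or constructed; the weight-based balancing pick is a deterministic stand-in, not the UTM's real algorithm.

```python
"""Model of the UTM egress decision described in the thread, plus an audit
that every local network has a masquerading rule on the interface it uses.
Constructed example for this thread; not Sophos UTM code."""
import ipaddress
from dataclasses import dataclass, field

ANY_UPLINK = "uplink interfaces"   # the "any uplink" masquerading target


@dataclass
class MultipathRule:
    source: str           # local network in CIDR notation
    bind_interface: str   # WAN interface the traffic is pinned to


@dataclass
class MasqRule:
    source: str           # local network in CIDR notation
    interface: str        # WAN interface name, or ANY_UPLINK


@dataclass
class UtmConfig:
    active_uplinks: list                       # order under Uplink Balancing > Active Interfaces
    weights: dict                              # interface -> balancing weight
    multipath: list = field(default_factory=list)
    masquerade: list = field(default_factory=list)
    proxy_profile_interface: dict = field(default_factory=dict)  # local net -> bound WAN


def _matches(src_ip, network):
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(network)


def select_uplink(cfg, src_ip, proxied=False):
    """Return the WAN interface a packet from src_ip leaves on."""
    if proxied:
        # Proxied traffic follows the web filter profile's outgoing interface;
        # with no profile bound it uses the first active uplink.
        for net, itf in cfg.proxy_profile_interface.items():
            if _matches(src_ip, net):
                return itf
        return cfg.active_uplinks[0]
    for rule in cfg.multipath:
        if _matches(src_ip, rule.source):
            return rule.bind_interface
    # No multipath rule: weighted balancing. Deterministic stand-in for the
    # UTM's own balancing: map the source address onto weight slots.
    slots = [itf for itf in cfg.active_uplinks
             for _ in range(cfg.weights.get(itf, 1))]
    return slots[int(ipaddress.ip_address(src_ip)) % len(slots)]


def has_masquerade(cfg, src_ip, interface):
    """True if some masquerading rule covers src_ip on this interface."""
    return any(_matches(src_ip, r.source) and r.interface in (interface, ANY_UPLINK)
               for r in cfg.masquerade)


def audit(cfg, local_networks):
    """List local networks whose egress interface has no masquerading rule."""
    problems = []
    for net in local_networks:
        probe = str(next(ipaddress.ip_network(net).hosts()))  # first host address
        itf = select_uplink(cfg, probe)
        if not has_masquerade(cfg, probe, itf):
            problems.append(f"{net}: leaves on {itf} but has no masquerading rule")
    return problems


def thread_scenario():
    """Jacque's setup: eth3 = existing 100Mb WAN, eth1 = new 50Mb WAN.
    Only the old network has a masquerading rule, which is the reported state."""
    return UtmConfig(
        active_uplinks=["eth3", "eth1"],
        weights={"eth3": 100, "eth1": 50},
        multipath=[MultipathRule("10.206.0.0/24", "eth3"),
                   MultipathRule("10.208.1.0/24", "eth1")],
        masquerade=[MasqRule("10.206.0.0/24", "eth3")],
    )


if __name__ == "__main__":
    cfg = thread_scenario()
    nets = ["10.206.0.0/24", "10.208.1.0/24"]
    print(audit(cfg, nets))   # reports the 10.208.1.0/24 gap
    cfg.masquerade.append(MasqRule("10.208.1.0/24", "eth1"))
    print(audit(cfg, nets))   # empty once the second rule exists
```

    Run as-is it first reports the missing masquerading rule for 10.208.1.0/24 on eth1, then nothing once that rule is added, which mirrors the fix order in the answer: the multipath rule decides the interface, the masquerading rule makes the traffic routable from that interface.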

  • Hi Kevin,

    many thanks for your detailed explanation and instructions.

    I managed to get it working.

    Thanks again.

    Jacque.
