Internet "crossed Failover" between two Branches with Sophos UTM SG (over wireless PtP link)

I manage two Sophos UTM SG in two different branches of the company.

CURRENT SITUATION

"BRANCH A" is connected to the Internet by "ISP A" on interface ETH1 of its UTM (ISP = Internet Service Provider).

"BRANCH B" is connected to the Internet by a different ISP named "ISP B" on interface ETH1 of its own (second) UTM.

The UTM of "BRANCH A" is also connected to the UTM of "BRANCH B" by an IPsec VPN (this is only additional info and is not the focus of this case).

SITUATION TO BE EXPLORED IF FEASIBLE (see picture below)

I want to set up a wi-fi/wireless PtP link (Hyperlan 5 GHz link using Ubiquiti hardware) and connect the "BRANCH A" UTM (by its ETH2 interface) to the "BRANCH B" UTM (by its ETH2 interface). The distance between the branches is 3 km (see picture/diagram below).

The wi-fi PtP link acts like an "Ethernet patch cable" between the two firewalls.

The focus is to obtain a "crossed Internet Failover Service" between the two branches; I mean, if one of the two ISP connections goes down, the branch in failure will use the ISP connection of the other branch (and vice versa).

Any suggestion to set up this interesting scenario?

Many thanks in advance for the support

FAB

  • You can use the link between "BRANCH A" and "BRANCH B" with a default gateway configured. So you have 2 links with a default gateway.

    ISP-Balancing is active now.

    Configure the ISP-balancing as active/failover or active/active with weighting 100:0.

    So your other branch is the second ISP for you.

     

    Don't forget to deny access from the other branch to local resources within the firewall rule set.

    Use other-branch-network -> some-services -> Internet (NOT ANY) within the rules.

    Dirk
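    As an added illustration of the rule Dirk describes ("other-branch-network -> some-services -> Internet", never "Any"), here is a small Python model of that firewall decision. It is example code written for this thread, not Sophos UTM code, and the LAN subnets 10.1.1.0/24 and 10.3.3.0/24, the service list and the sample flows are all constructed; only the 10.2.2.0/24 transit subnet comes from the thread. It shows what a destination object of "Any" would expose: the same transit rule then also admits the other branch into the local LAN and the UTM's own transit address.

```python
"""Added example (not from this thread or from Sophos): a minimal model of
the transit firewall rule "other-branch-network -> some-services -> Internet"
versus the "Any" destination that the advice warns against.

Constructed assumptions (not taken from the thread):
  - local LAN behind this UTM: 10.1.1.0/24
  - other branch LAN:          10.3.3.0/24
  - PtP transit link:          10.2.2.0/24 (the subnet used in the thread)
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address

LOCAL_LAN = IPv4Net("10.1.1.0/24")         # constructed
OTHER_BRANCH_LAN = IPv4Net("10.3.3.0/24")  # constructed
PTP_LINK = IPv4Net("10.2.2.0/24")          # from the thread

# Our own address space; nothing in here counts as "Internet".
OWN_NETWORKS = (LOCAL_LAN, OTHER_BRANCH_LAN, PTP_LINK)


def is_internet(addr: IPv4Addr) -> bool:
    """'Internet' = globally routable and not one of our own networks.
    ipaddress.is_global already excludes the RFC 1918 ranges."""
    return addr.is_global and not any(addr in n for n in OWN_NETWORKS)


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Net
    dst_any: bool                            # False -> destination object "Internet"
    services: Optional[frozenset] = None     # None -> service "Any"


@dataclass(frozen=True)
class Flow:
    src: IPv4Addr
    dst: IPv4Addr
    port: int


def matches(rule: Rule, flow: Flow) -> bool:
    if flow.src not in rule.src:
        return False
    if not rule.dst_any and not is_internet(flow.dst):
        return False
    if rule.services is not None and flow.port not in rule.services:
        return False
    return True


def evaluate(rules: Iterable[Rule], flow: Flow) -> str:
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for rule in rules:
        if matches(rule, flow):
            return f"allow:{rule.name}"
    return "deny:default"


# The recommended rule: other branch -> DNS/HTTP/HTTPS -> Internet only.
STRICT: Tuple[Rule, ...] = (
    Rule("branch-transit", OTHER_BRANCH_LAN, dst_any=False,
         services=frozenset({53, 80, 443})),
)
# The shortcut to avoid: other branch -> Any -> Any.
LOOSE: Tuple[Rule, ...] = (Rule("branch-any", OTHER_BRANCH_LAN, dst_any=True),)

# Constructed sample flows as they would arrive on the transit interface.
SAMPLE_FLOWS = (
    Flow(IPv4Addr("10.3.3.10"), IPv4Addr("8.8.8.8"), 443),    # browsing via our ISP
    Flow(IPv4Addr("10.3.3.10"), IPv4Addr("10.1.1.5"), 445),   # SMB into our LAN
    Flow(IPv4Addr("10.3.3.10"), IPv4Addr("10.2.2.1"), 4444),  # our UTM transit IP
    Flow(IPv4Addr("10.3.3.10"), IPv4Addr("8.8.8.8"), 25),     # SMTP, not in the list
)


def exposed_internal_flows(rules: Iterable[Rule], flows: Iterable[Flow]) -> List[Flow]:
    """Flows the rule set lets into our own address space: the check to run
    before enabling a transit rule for the other branch."""
    rules = tuple(rules)
    return [f for f in flows
            if evaluate(rules, f).startswith("allow") and not is_internet(f.dst)]


if __name__ == "__main__":
    for label, rules in (("STRICT", STRICT), ("LOOSE", LOOSE)):
        for f in SAMPLE_FLOWS:
            print(f"{label:6} {f.src} -> {f.dst}:{f.port:<5} {evaluate(rules, f)}")
        print(f"{label:6} internal exposure: "
              f"{len(exposed_internal_flows(rules, SAMPLE_FLOWS))} flow(s)")
```

    Run as-is to see the two rule sets side by side: the strict set allows only the HTTPS flow to 8.8.8.8, while the "Any" set also admits the SMB flow to 10.1.1.5 and the connection to the UTM's transit address. The same scoping applies on both UTMs, since each branch is a transit provider for the other.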

  • Thanks for the answer, but for me it is not clear at all.

    There are two gateways (the gateway of the ISP WAN of "BRANCH A" and the gateway of the ISP of "BRANCH B").

    Does anybody else want to suggest or comment on this issue?

    Thanks in advance

    FAB

  • Hello Philipp,

    there are no interfaces in the UTM using the 192.168.1.x class of IPs, because this network is only used to create the link between the PtP CPEs, so that the link appears as a "patch cable".

    I thought that the CPEs are not involved in routing and that their IP addresses must be hidden.

    Let me know if you have other suggestions.

    Many thanks in advance. Regards,

    FAB

  • Hi Philipp,

    just for congruence I changed the IP addresses of the PtP CPEs, putting them in the 10.2.2.x class of IPs (the class of the UTM PtP interfaces), but nothing happened. The UTM PtP interfaces are always in error, as before.

    Regards

    FAB

  • Hello Fab,

    what you describe as a "patch cable" is called a Bridge. I have a WORKING setup which I adapted to your IP addresses in the diagram below:

    Please try this setup and see what the status of your interface is.

    With kind regards, Regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

  • Hello Fab,

    please remove the checks at "IPv4 default GW" at eth2 on both sides and see if you can reach the other UTM over your bridge.

    With kind regards, Regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

  • Hi,
    The interface error state comes from link monitoring... mostly.
    You have to allow some special packets on the way to the Internet for every external interface (the bridge link too).
    We had problems with an ASA within the path while the ASA was not set to "traceroute visible".
    SG monitors some special hop discovered by traceroute (sadly I don't know if TCP/UDP/ICMP is used...).
    Sometimes it is fixed by disabling "automatic monitoring" and putting some known IPs into the monitoring list (1.1.1.1, 8.8.8.8, ...).

    Dirk

  • Good morning Philipp,

    yesterday night (as I wrote in my previous post) I put the wireless CPEs in the same subnet, so now the situation is like this (I cannot use the 192.168.1.x subnet because I discovered it is already used on the WLAN interface):

    Branch1 PtP Interface: IP 10.2.2.1/24 GW 10.2.2.2

    Wireless CPE Branch1 side: IP 10.2.2.112/24

    Wireless CPE Branch2 side: IP 10.2.2.113/24

    Branch2 PtP Interface: IP 10.2.2.2/24 GW 10.2.2.1

    This is equivalent to your diagram.

    Result: the PtP interfaces on both sides are still in ERROR

    This morning (as you suggested) I removed the gateways by unchecking "IPv4 default Gateway" on both sides, then:

    Branch1 PtP Interface: IP 10.2.2.1/24 (No Gateway)

    Wireless CPE Branch1 side: IP 10.2.2.112/24

    Wireless CPE Branch2 side: IP 10.2.2.113/24

    Branch2 PtP Interface: IP 10.2.2.2/24 (No Gateway)

    Result: the "PtP interface Branch1" and "PtP interface Branch2" sides came into the Up state.

    NOTE1: Removing the gateway on the PtP interface caused the interfaces to be removed from the Uplink Balancing "Active interface list" (probably because only interfaces with a gateway can be in this list).

    NOTE2: In any case, with the Ping tool of the UTM I'm not able to ping address 8.8.8.8 from either of the "PtP interfaces".

    I think that it is impossible to have failover without having the "PtP interfaces" in the Active interface list of Uplink Balancing.

    Actually, from my point of view, until I can reach the 8.8.8.8 address with the UTM ping tool on the PtP interfaces, and have those interfaces in the Uplink Balancing Active interface list, the goal has not been reached.

    Moreover, I cannot disconnect the main Internet connection during working time to test whether the failover works, so checking the ping of 8.8.8.8 is the only tool I can use for my trials.

    Many thanks in advance in case you can suggest other trials to solve this issue.

    Regards

    FAB

  • Hello Fab,

    please try to solve your problem in small steps:

    1.) Can you ping from the UTM in branch1 to the IP 10.2.2.2? Use "Support/Tools/Ping Check" on the UTM in branch1.

    2.) Can you ping from the UTM in branch2 to the IP 10.2.2.1? This time you have to do this from the UTM in branch2.

    3.) If both tests above were successful, your problem is not with the Wi-Fi link.

    With kind regards, Regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

  • Hello Philipp,

    of course my problem IS NOT the wifi link (I'm a Ham Radio Operator, a pioneer with wifi links since 1996).

    Just to confirm that, today I configured the PtP interface in Branch1 as an additional LAN (LAN2) with the DHCP server active, and I went to Branch2 with a laptop connected directly to the Ethernet cable coming from the CPE on Branch2 (previously connected to Eth2 of the UTM), and I got a fully working connection (DHCP address assigned to the laptop by the UTM of Branch1) and browsed from Branch2 using the Branch1 WAN connection. So the wireless link is 100% fully working. I also performed an Internet speed test, obtaining about 30 Mbps of throughput (the WAN of Branch1 is a 1 Gbps FTTH connection and the bottleneck is the wireless link).

    I performed yesterday and this morning all kinds of pings from Branch1 to Branch2 and the reverse, always using the "Support/Tools/Ping Check" tool on the PtP interfaces.

    In order of depth, these are the results of the pings:

    Pinging from Branch 1 (10.2.2.1) to Branch1 PtP CPE 10.2.2.2 = RESULT OK

    Pinging from Branch 1 (10.2.2.1) to Branch1 PtP CPE 10.2.2.112 = RESULT OK

    Pinging from Branch 1 (10.2.2.1) to Branch2 PtP CPE 10.2.2.113 = RESULT OK

    Pinging from Branch 1 (10.2.2.1) to Branch2 UTM PtP interface 10.2.2.2 = RESULT OK

    Pinging from Branch 1 (10.2.2.1) to Branch2 UTM WAN interface IP address xxx.x.154.185 = RESULT OK

    Pinging from Branch 1 (10.2.2.1) to Branch2 UTM WAN interface IP address xxx.x.154.190 (the network is /29) = RESULT NEGATIVE

    Pinging from Branch 1 (10.2.2.1) to Branch2 UTM WAN interface host google.com = RESULT NEGATIVE

    Same results from Branch2.

    So the problem (maybe since the beginning) is on the UTM.

    In order to keep the PtP interfaces Up in State and Up in Link, I must configure the PtP interfaces without a gateway (and therefore not part of the uplink interfaces).

    From my point of view this issue can be solved by some particular kind of rules to permit each PtP interface to act as a LAN and WAN interface at the same time.

    Thanks for the support. I will stay tuned in this forum for any kind suggestion.

    Regards

    FAB
  • Hello Fab,

    I stumble each time over your description "PtP CPE and some IP address".

    There is no such additional IP 10.2.2.2 on the branch1 side; what do you MEAN here?

    I begin to believe there is a complete misconception here...

    Let's collect our data for your physical layout again:

    branch1 utm port eth2(=10.2.2.1)---(LAN-cable) ---ethernet port of wifi antenna1(10.2.2.112) ------(wifi bridge over air) ----ethernet port of antenna2(=10.2.2.113) --- (LAN-cable) ----branch2 utm port eth2 (=10.2.2.2)

    So my questions/suggestions were to ping from the UTM in branch1 to the UTM in branch2, that is from 10.2.2.1 to 10.2.2.2 and vice versa. But you did not do that.

    What you wrote up in your last post doesn't make any sense to me, sorry!

    With kind regards, Regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

  • Hi FAB,

    if the primary link for branch B is up, you can't ping the WAN IP from branch A.

    The packet would use the preferred default gateway (the direct way to the Internet), so you are trying to ping the WAN IP from external... this is not allowed by default.

    I think there are problems understanding ISP balancing...

    First you need to ensure both ISPs are "online/active" (your other branch is an ISP too).

    Next you may create an LB rule for a single PC sending data over the second branch to the Internet and check this via "http://myip.dk" or traceroute.

    Traceroute should show you the way over the other branch ...

    But there are a lot of other possible problems... like masquerading the correct networks, firewall rules within the other branch, ....

    Dirk
