
Internet "crossed Failover" between two Branches with Sophos UTM SG (over PtP Wireless Link)

I manage two Sophos UTM SG in two different Branches of the Company.

CURRENT SITUATION

"BRANCH A" is connected to internet by "ISP A" on interface ETH1 of its UTM. ISP is the Internet Service Provider

"BRANCH B" is connected to internet by a different ISP named "ISP B" on interface ETH1 of a second/its UTM.

UTM of "BRANCH A" is also connected to UTM of "BRANCH B" by an IPsec VPN (this is only additional info and is not the focus of this case)

SITUATION TO BE EXPLORED IF FEASIBLE (see below picture)

I want to set up a wi-fi/wireless PtP link (Hiperlan 5 GHz link using Ubiquiti hardware) and connect the "BRANCH A" UTM (by its ETH2 interface) to the "BRANCH B" UTM (by its ETH2 interface). The distance between the branches is 3 km (see below picture/diagram).

The Wi-fi PtP link acts like an "Ethernet patch cable" between the two firewalls.

The focus is to obtain a "crossed Internet Failover Service" between the two Branches; I mean, if one of the two ISP connections goes down, the branch in failure will use the ISP connection of the other Branch (and vice versa).

Any suggestions to set up this interesting scenario?

Many thanks in advance for the support

FAB



  • You can use the link between "BRANCH A" and "BRANCH B" with a default gateway configured. So you have 2 links with a default gateway.

    ISP-Balancing is active now.

    Configure the ISP-balancing as active/failover or active/active with weighting 100:0.

    So your other branch is the second ISP for you.


    Don't forget to deny access from the other branch to local resources within the firewall rule set.

    Use other-branch-network -> some-services -> Internet (NOT ANY) within the rules.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Thanks for the answer, but for me it is not clear at all.

    There are two gateways (Gateway of ISP WAN of "BRANCH A" and Gateway of ISP of "BRANCH B").

    Does anybody else want to suggest or comment on this issue?

    Thanks in advance

    FAB

  • Hello Fab,

    what you describe as a "patch cable" is called a Bridge. I have a WORKING setup which I adapted to your IP addresses in the diagram below:


    Please try this setup and see how the status of your interface is.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Hello Fab,

    please remove the checks at "IPv4 default GW" at eth2 on both sides and see if you can reach the other UTM over your bridge.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner


  • Hi,
    The interface error-state comes from link monitoring... mostly.
    You have to allow some special packets on the way to the internet for every external interface (the bridge link too).
    We had problems with an ASA within the path, while the ASA was not set to "traceroute visible".
    SG monitors some special hop discovered by traceroute (sadly I don't know if TCP/UDP/ICMP is used...)
    Sometimes it is fixed by disabling "automatic monitoring" and putting some known IPs into the monitoring list. (1.1.1.1 8.8.8.8 ...)


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003

  • Good morning Philipp,

    last night (as I wrote in my previous post) I put the wireless CPEs in the same subnet, so now the situation is like this (I cannot use the 192.168.1.x subnet because I discovered it is already used on the WLAN interface):

    Branch1 PtP Interface: IP 10.2.2.1/24 GW 10.2.2.2

    Wireless CPE Branch1 side: IP 10.2.2.112/24

    Wireless CPE Branch2 side: IP 10.2.2.113/24

    Branch2 PtP Interface: IP 10.2.2.2/24 GW 10.2.2.1

    This is the equivalent of your diagram.

    Result: the PtP interfaces on both sides are still in ERROR

    This morning (as you suggested) I removed the gateways by unchecking "IPv4 default Gateway" on both sides, then:

    Branch1 PtP Interface: IP 10.2.2.1/24 (No Gateway)

    Wireless CPE Branch1 side: IP 10.2.2.112/24

    Wireless CPE Branch2 side: IP 10.2.2.113/24

    Branch2 PtP Interface: IP 10.2.2.2/24 (No Gateway)

    Result: the "PtP interface Branch1" and "PtP interface Branch2" sides went into the Up state.

    NOTE1: Removing the gateway from the PtP interface caused the interfaces to be removed from the Uplink Balancing "Active interface list" (probably because this list can only contain interfaces with a gateway)

    NOTE2: In any case, with the Ping tool of the UTM, I'm not able to ping address 8.8.8.8 from either of the "PtP Interfaces"

    I think that it is impossible to have failover without having the "PtP Interfaces" in the Active interface list of Uplink Balancing.

    Actually, from my point of view, until I can reach address 8.8.8.8 with the UTM ping tool on the PtP interfaces, and have those interfaces in the Uplink Balancing Active Interface list, the goal has not been reached.

    Moreover, I cannot disconnect the main Internet connection during working hours to test if the failover works, so checking the ping to 8.8.8.8 is the only tool I can use for my trials.

    Many thanks in advance in case you can suggest other trials to solve this issue.

    Regards

    FAB

  • Hello Fab,

    please try to solve your problem in small steps:

    1.) Can you ping from the UTM in branch1 to the IP 10.2.2.2? Use "Support/Tools/Ping Check" on the UTM in branch1.

    2.) Can you ping from the UTM in branch2 to the IP 10.2.2.1? This time you have to do this from the UTM in branch2.

    3.) If both tests above were successful, your problem is not with the Wifi link.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner


  • Hello Philipp,

    of course my problem IS NOT the wifi link (I'm a Ham Radio Operator, a pioneer with wifi links since 1996).

    Just to confirm that, today I configured the PtP interface in Branch1 as an additional LAN (LAN2) with the DHCP server active, and I went to Branch2 with a laptop connected directly to the ethernet cable coming from the CPE on Branch2 (previously connected to Eth2 of the UTM), and I got full connectivity (DHCP address assigned to the laptop from the UTM of Branch1) and browsed from Branch2 using the Branch1 WAN connection. So the wireless link is 100% fully working. I also performed an internet speed test, obtaining +/- 30 Mbps of throughput (the WAN of Branch1 is a 1 Gbps FTTH connection and the bottleneck is the wireless link).

    Yesterday and this morning I performed all kinds of pings from Branch1 to Branch2 and in reverse, always using the "Support/Tools/Ping Check" tool on the PtP interfaces.

    In order of depth, these are the results of the pings:

    Pinging from Branch 1 (10.2.2.1) to Branch1 PtP CPE 10.2.2.2 = RESULT OK

    Pinging from Branch 1 (10.2.2.1) to Branch1 PtP CPE 10.2.2.112 = RESULT OK

    Pinging from Branch 1 (10.2.2.1) to Branch2 PtP CPE 10.2.2.113 = RESULT OK

    Pinging from Branch 1 (10.2.2.1) to Branch2 UTM PtP interface 10.2.2.2 = RESULT OK

    Pinging from Branch 1 (10.2.2.1) to Branch2 UTM WAN interface IP address xxx.x.154.185 = RESULT OK

    Pinging from Branch 1 (10.2.2.1) to Branch2 UTM WAN interface IP address xxx.x.154.190 (the network is /29) = RESULT NEGATIVE

    Pinging from Branch 1 (10.2.2.1) to Branch2 UTM WAN interface host google.com = RESULT NEGATIVE

    Same results from Branch2

    So the problem (maybe since the beginning) is on the UTM

    In order to keep the PtP interfaces Up in State and Up in Link, I must configure the PtP interfaces without a gateway (and then not part of the Uplink Interfaces).

    From my point of view, this issue can be solved by some particular kind of rules to permit each PtP interface to act as LAN and WAN interface at the same time.

    Thanks for the support. I will stay tuned to this forum for any kind suggestion.

    Regards

    FAB


  • Hello Fab,

    I stumble each time over your description "PtP CPE and some IP address".

    There is no such additional IP 10.2.2.2 on the branch1 side, what do you MEAN here?

    I begin to believe there is a complete misconception here...

    Let's collect our data for your physical layout again:

    branch1 utm port eth2(=10.2.2.1)---(LAN-cable) ---ethernet port of wifi antenna1(10.2.2.112) ------(wifi bridge over air) ----ethernet port of antenna2(=10.2.2.113) --- (LAN-cable) ----branch2 utm port eth2 (=10.2.2.2)

    So my questions/suggestions were to ping from utm in branch1 to utm in branch2, that is from 10.2.2.1 to 10.2.2.2 and vice versa. But you did not do that.

    What you wrote up in your last post doesn't make any sense to me, sorry!

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner


  • Hi FAB,

    if the primary link for branch B is up you can't ping the WAN IP from branch A.

    The packet would use the preferred default gateway (the direct way to the internet) and so you try to ping the WAN IP from external ... this is not allowed by default.

    I think there are problems understanding ISP balancing ...

    First you need to ensure both ISPs are "online/active" (your other branch is an ISP too)

    Next you may create a LB Rule for a single PC sending data over the second branch to the internet and check this via "http://myip.dk" or traceroute.

    Traceroute should show you the way over the other branch ...

    But there are a lot of other possible problems ... like masquerading the correct networks, firewall-rules within the other branch, ....


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003

  • Good Morning Philipp,

    There were some errors in my previous post (copy/paste error). Sorry about that. I reviewed the tests and I give you the complete, reviewed and correct list of the ping tests I made:

    Pinging from Branch 1 (10.2.2.1) to Branch1 PtP CPE 10.2.2.112 = RESULT OK

    Pinging from Branch 1 (10.2.2.1) to Branch2 PtP CPE 10.2.2.113 = RESULT OK

    Pinging from Branch 1 (10.2.2.1) to Branch2 UTM PtP interface 10.2.2.2 = RESULT OK

    Pinging from Branch 1 (10.2.2.1) to Branch2 UTM WAN interface IP public address xxx.xxx.197.2 = RESULT OK

    Pinging from Branch 1 (10.2.2.1) to Branch2 UTM WAN interface IP public address gateway xxx.xxx.197.1 (the network is /30) = RESULT NEGATIVE

    Pinging from Branch 1 (10.2.2.1) to Branch2 UTM WAN interface host google.com = RESULT NEGATIVE

    AND OPPOSITE SITE:

    Pinging from Branch 2 (10.2.2.2) to Branch2 PtP CPE 10.2.2.113 = RESULT OK

    Pinging from Branch 2 (10.2.2.2) to Branch1 PtP CPE 10.2.2.112 = RESULT OK

    Pinging from Branch 2 (10.2.2.2) to Branch1 UTM PtP interface 10.2.2.1 = RESULT OK

    Pinging from Branch 2 (10.2.2.2) to Branch1 UTM WAN interface IP public address xxx.x.154.185 = RESULT OK

    Pinging from Branch 2 (10.2.2.2) to Branch1 UTM WAN interface IP address gateway xxx.x.154.190 (the network is /29) = RESULT NEGATIVE

    Pinging from Branch 2 (10.2.2.2) to Branch1 UTM WAN interface host google.com = RESULT NEGATIVE

    The layout is exactly what you wrote:

    branch1 utm port eth2(=10.2.2.1)---(LAN-cable) ---ethernet port of wifi antenna1(10.2.2.112) ------(wifi bridge over air) ----ethernet port of antenna2(=10.2.2.113) --- (LAN-cable) ----branch2 utm port eth2 (=10.2.2.2) OK

    So, as confirmed in my previous post (after the browsing test made with the temporary configuration of eth2 as LAN2), there are no problems in the communication between the two Branches' PtP interfaces. The problem is in the UTMs, due to incorrect or missing proper configuration/routing.

    Just to reply to Dirk, there are no rules or particular routing configurations made just for this scope, till now. All the ping tests are performed only from the UTM Ping Check tool on the PtP interfaces, because I consider this matter as an internal (between UTMs) issue, since each UTM has worked properly for a long time with its ISP and its LAN network.

    Waiting for suggestion.

    Many thanks in advance,

    Regards

    FAB

  • Hello Fab,

    next steps: do you have a masquerading rule for your wifi-network in place? (wifi-net-segment is called "Richtfunk" in my screenshot below)

    Of course you need a firewall rule to allow access from your wifi-network to the internet as well.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

  • Dear Philipp, and dear Community,

    happy to communicate (after 4 days of trials) that the goal has been reached (99%) by adding a configuration as in the picture attached below.

    It has been crucial to apply the firewall rule (PtP Interface > any > Internet IPv4), maybe because the Internet traffic (LANs to WANs) passes through the activated web filtering. Really, I don't know if the masquerading rule is really needed.

    Now it remains to fix the existing IPsec VPN (between Branch1 and Branch2) in order to pass through the PtP link (as preferred), and only in case of failure of the PtP link will it pass through the WAN.

    Many thanks for the patience of all the readers and the support (especially from Philipp).

    Any suggestion about the VPN is really welcome.

    If I want to add other indications for the Community, I will update this post or place an additional reply to this discussion.

    Regards,

    FAB

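As an added illustration (not code from this thread, from Sophos, or from any poster) of Dirk's earlier warning and of FAB's final rule: a small Python model of UTM-style first-match rule evaluation from the PtP interface, where the "Internet IPv4" object is approximated as any non-RFC1918 destination and the branch LAN 192.168.10.0/24 is an assumed value. It shows why a "PtP Interface > any > Any" rule exposes the local LAN to the other branch while "PtP Interface > any > Internet IPv4" only grants transit to the internet.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing: the PtP link subnet is the one used in the thread;
# the branch LAN is an assumed RFC1918 range (not given on the page).
PTP_NET = ipaddress.ip_network("10.2.2.0/24")
BRANCH_LAN = ipaddress.ip_network("192.168.10.0/24")

# Approximation of the UTM "Internet IPv4" object: every address outside the
# RFC1918 ranges (the real object is bound to the uplink interfaces).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internet(addr: ipaddress.IPv4Address) -> bool:
    return not any(addr in net for net in RFC1918)


@dataclass
class Rule:
    source: ipaddress.IPv4Network  # source network object of the rule
    destination: str               # "Any" or "Internet IPv4"
    action: str                    # "allow" or "drop"

    def matches(self, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
        if src not in self.source:
            return False
        if self.destination == "Any":
            return True
        return self.destination == "Internet IPv4" and is_internet(dst)


def evaluate(rules: list, src: str, dst: str) -> str:
    """First matching rule wins; with no match the UTM drops the packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(s, d):
            return rule.action
    return "drop"


def lan_reachable_from_ptp(rules: list, lan: ipaddress.IPv4Network) -> bool:
    """True if a host on the PtP link can reach any host on the local LAN."""
    probe = str(PTP_NET[2])  # 10.2.2.2, the remote UTM's PtP address
    return any(evaluate(rules, probe, str(h)) == "allow" for h in lan.hosts())


# The rule Dirk warns against ("NOT ANY") beside the one the thread ends with.
RULES_ANY = [Rule(PTP_NET, "Any", "allow")]
RULES_INTERNET_ONLY = [Rule(PTP_NET, "Internet IPv4", "allow")]
```

Both rule sets let the other branch reach 8.8.8.8 through this UTM's uplink; only the "Any" variant also opens the local LAN to the remote branch.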