Internet "crossed Failover" between two Branches with Sophos UTM SG (over PtP Wireless Link)

I manage two Sophos UTM SG in two different Branches of the Company.

CURRENT SITUATION

"BRANCH A" is connected to the internet by "ISP A" on interface ETH1 of its UTM. ISP is the Internet Service Provider.

"BRANCH B" is connected to the internet by a different ISP named "ISP B" on interface ETH1 of its own (second) UTM.

The UTM of "BRANCH A" is also connected to the UTM of "BRANCH B" by an IPsec VPN (this is only additional info and is not the focus of this case).

SITUATION TO BE EXPLORED IF FEASIBLE (see picture below)

I want to set up a Wi-Fi/wireless PtP link (HiperLAN 5 GHz link using Ubiquiti hardware) and connect the "BRANCH A" UTM (by its ETH2 interface) to the "BRANCH B" UTM (by its ETH2 interface). The distance between the branches is 3 km (see picture/diagram below).

The Wi-Fi PtP link acts like an "Ethernet patch cable" between the two firewalls.

The focus is to obtain a "crossed Internet failover service" between the two branches; I mean that if one of the two ISP connections goes down, the branch in failure will use the ISP connection of the other branch (and vice versa).

Any suggestion to set up this interesting scenario?

Many thanks in advance for the support

FAB

  • Hello Fab,

    Next steps: do you have a masquerading rule for your Wi-Fi network in place? (The Wi-Fi network segment is called "Richtfunk" in my screenshot below.)

    Of course you need a firewall rule to allow access from your Wi-Fi network to the internet as well.

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Dear Philipp, and dear Community,

    Happy to communicate (after 4 days of trials) that the goal has been reached (99%) by adding a configuration as in the picture attached below.

    Crucial has been applying the firewall rule (PtP Interface > Any > Internet IPv4), maybe because the Internet traffic (LANs to WANs) passes through the activated web filtering. Honestly, I don't know whether the masquerading rule is really needed.

    Now it remains to fix the existing IPsec VPN (between Branch1 and Branch2) so that it passes over the PtP link (as preferred) and only in case of failure of the PtP link passes through the WAN.

    Many thanks for the patience of all the readers and for the support (especially from Philipp).

    Any suggestion about the VPN is really welcome.

    If I want to add other indications for the Community, I will update this post or add an additional reply to this discussion.

    Regards,

    FAB
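The two replies above describe the pieces of the crossed failover (a masquerading rule on the PtP segment, an allow rule from the PtP interface to the internet, and the failed branch sending its default traffic over the link). The script below is an added example, not from this thread and not Sophos UTM code: it shows the same decision logic on a plain Linux router, where the UTM's uplink balancing would normally do the job, and it goes one step beyond the thread by handling the case the posts do not mention, both ISPs down at once. Interface names (eth1 for the ISP, eth2 for the PtP link), the gateway addresses, and the `PEER_STATE_FILE` the other branch writes its ISP health into are all assumed.

```shell
#!/bin/sh
# Added example: a minimal "crossed failover" controller for a Linux router
# standing in for the UTM's built-in uplink balancing. Nothing here comes from
# the thread or from Sophos; every address and interface name is assumed.
#   eth1 -> this branch's own ISP, gateway ISP_GW
#   eth2 -> the PtP radio link, peer firewall at PEER_GW
ISP_GW="${ISP_GW:-203.0.113.1}"          # assumed (RFC 5737 documentation range)
PEER_GW="${PEER_GW:-10.99.0.2}"          # assumed PtP peer address
PEER_STATE_FILE="${PEER_STATE_FILE:-/run/peer-isp-state}"  # assumed: peer writes up/down here
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print route commands instead of running them

# probe_host HOST: 0 if HOST answers one ICMP echo within a second (iputils ping).
# Pinging the ISP gateway only proves the last mile; probe a host beyond the
# ISP (reachable via a static host route on eth1) to catch upstream outages.
probe_host() {
  ping -c 1 -W 1 "$1" >/dev/null 2>&1
}

# select_route LOCAL PEER: decide which default gateway to use.
# LOCAL/PEER are "up" or "down" for this branch's ISP and the peer's ISP.
select_route() {
  if [ "$1" = up ]; then
    echo isp
  elif [ "$2" = up ]; then
    echo peer
  else
    # Both ISPs down: keep the local default. Sending traffic across the PtP
    # link now would make the peer (also failed over) hand it straight back,
    # i.e. a routing loop between the two firewalls instead of a clean outage.
    echo isp
  fi
}

# route_command CHOICE: the route change for a decision from select_route.
route_command() {
  case "$1" in
    isp)  echo "ip route replace default via $ISP_GW dev eth1" ;;
    peer) echo "ip route replace default via $PEER_GW dev eth2" ;;
    *)    return 1 ;;
  esac
}

# apply_route CHOICE: print (dry run) or execute the route change.
apply_route() {
  cmd=$(route_command "$1") || return 1
  if [ "$DRY_RUN" = 1 ]; then
    echo "$cmd"
  else
    sh -c "$cmd"
  fi
}

# failover_once: one monitoring pass, suitable for cron or a systemd timer.
failover_once() {
  if probe_host "$ISP_GW"; then local_state=up; else local_state=down; fi
  peer_state=$(cat "$PEER_STATE_FILE" 2>/dev/null || echo down)
  apply_route "$(select_route "$local_state" "$peer_state")"
}

if [ "${1:-}" = once ]; then
  failover_once
fi
```

Run it as `DRY_RUN=1 sh failover.sh once` to see which route change it would make. The `peer` choice only works if the other branch's firewall masquerades traffic arriving on its PtP interface out of its own ISP and has the matching allow rule, which is exactly the pair of rules discussed in the replies; the "both down" branch of `select_route` is what keeps the two firewalls from bouncing packets to each other over the radio link when neither has an uplink.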