dual ISP routing issue

Hello,

I currently have two ISP gateways connected to my UTM appliance. Uplink balancing is working. One of the ISPs provides a Cable Modem with wireless built in. I would like to use the Cable Modem's internal ports and/or its wireless to access the internet in my lab, essentially bypassing my UTM since I would not be connecting through the UTM's internal interface. Since my UTM is physically plugged into one of its internal ports, as a router it has learned the IP address of the WAN interface of the cable modem and shows this line in the routing table:

default via xxx.xxx.xxx.xxx (I have obscured the IP address) dev eth1 table 221 proto kernel onlink

When I connect using my computer to one of the Cable Modem's ports I have total access to the internet with the exception of the Additional Addresses on the WAN interface of my UTM for the other ISP.

I'm assuming that when I attempt to access any of the Public IPs on the other ISP interface, since it knows how to route to the source IP it sends it directly to the Cable Modem's internal port that it's connected to instead of back through the internet through the WAN interface. However I have been unable to confirm that.

I have tried setting up a policy route that when traffic comes in for one of the specific addresses, it goes back out the same WAN interface, hoping that would stop the routing out the wrong WAN interface. Does this make sense to anybody? Any suggestions as to what may be happening here and how I can fix the issue?

  • Hello WRS,

    but that's totally up to the Cable Router. That device must be more of a router than a modem.
    What I have not understood is, what are you trying to access? Is there a webserver published via NAT in the UTM?

    Maybe you could make a small diagram to illustrate.

    Best regards 

    Alex


  • What do you learn, if anything, from doing #1 in Rulz (last updated 2019-04-17)?

    Do accesses work if you flushdns on your computer?

    Finally, I would urge you to put the ISP's modem in bridge mode and to connect your computer directly to the UTM's Internal network.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks for the sketch. Agree with Bob, logs could be helpful.
    Are you trying to access by name or IP? What is the DNS resolver of the lab computer?
    One could try to get a few traces of traffic at different interfaces.
    Do you have multipath rules in place? So traffic of published services uses eth4.

    Best regards

    Alex

  • Hello WRS,

    this is a classic asymmetric routing setup (different path for reply packets to the lab computer). In my opinion the simplest solution is to add an extra route on the Lab Computer (route add "eth4 net" to "eth1 IP") with an appropriate fw-rule.

    bye Josef

    BERGMANN engineering & consulting GmbH, Wien/Austria

  • Josef,

    I don't understand your solution. How will adding a route on the lab computer help? eth4 is the WAN interface for one ISP, and eth1 is the WAN interface for Comcast, both interfaces being on the firewall, not the lab computer. I think I'm missing what you are telling me.

    Thanks

    WRS

  • Hi WRS,

    when your Lab Computer tries to connect to one of the Public IPs on eth4, the packets go according to its default route over the Comcast Cable Router, the Internet and the Fiber Provider Router to eth4 on the Sophos UTM. You then probably do some DNAT on the UTM and finally the reply packets should go back. The UTM has an interface in the network of the source IP so it will route the reply out to eth1, but there is no entry in the connections table of the firewall so it will get dropped.

    I would try to avoid such setups, but with a dedicated route on the Lab computer you could route the packets always over the UTM.

    bye Josef

    BERGMANN engineering & consulting GmbH, Wien/Austria
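The asymmetric path Josef describes, reduced to a small Python model (added here as an illustration; it is not code from the thread or from Sophos). Addresses are constructed RFC 5737 documentation values, and the stateful check is a deliberate simplification: a reply is forwarded only if the first packet of the flow entered on the interface the reply now leaves on.

```python
import ipaddress

# Constructed addresses (RFC 5737 documentation ranges), not the poster's real networks.
LAB_HOST = ipaddress.ip_address("192.0.2.10")       # lab PC on the Comcast router's LAN
ETH1_NET = ipaddress.ip_network("192.0.2.0/24")     # UTM eth1 (Comcast side) lives here
ETH4_NET = ipaddress.ip_network("198.51.100.0/24")  # fiber ISP public block on eth4
SERVICE = ipaddress.ip_address("198.51.100.20")     # published address on eth4


class StatefulUTM:
    """Simplified model of the UTM: routes by destination network and only
    forwards a reply whose flow was recorded on the same interface."""

    def __init__(self):
        self.conntrack = set()  # (src, dst, interface) recorded on first packet

    def route(self, dst):
        # The UTM has an interface in ETH1_NET, so anything for the lab PC
        # is sent straight out eth1 rather than back the way it came.
        if dst in ETH1_NET:
            return "eth1"
        if dst in ETH4_NET:
            return "eth4"
        return "eth1"  # default route towards Comcast in this model

    def inbound(self, src, dst, in_iface):
        # First packet of the flow: remember which interface it arrived on and
        # return the interface the reply will be routed out of.
        self.conntrack.add((src, dst, in_iface))
        return self.route(src)

    def reply(self, src, dst, out_iface):
        # The reply (dst -> src) matches only if the original request entered
        # on out_iface; an asymmetric reply finds no entry and is dropped.
        return (dst, src, out_iface) in self.conntrack


def simulate(lab_route_via_utm):
    """Return 'delivered' or 'dropped' for a lab PC request to SERVICE."""
    utm = StatefulUTM()
    # Without the extra route the request travels Comcast -> Internet -> eth4.
    # With "route add eth4-net via eth1-IP" on the lab PC it enters on eth1.
    in_iface = "eth1" if lab_route_via_utm else "eth4"
    out_iface = utm.inbound(LAB_HOST, SERVICE, in_iface)
    return "delivered" if utm.reply(SERVICE, LAB_HOST, out_iface) else "dropped"
```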

  • Thanks for the explanation. I understand that it at first appears to be a configuration to avoid and maybe I have no other choice, but what I'm really trying to do is to NOT go out the UTM with this traffic but rather the Comcast router, thus creating a solid separation between the two. My example highlighted my lab but it's bigger than that.

    In the past I have configured a number of wireless networks bound to separate VLANs. Before Comcast upgraded their device and gave me this new router, I had a guest network tied to a VLAN that trunked down to one port on one switch which was plugged into Comcast. Then when a guest connected to that SSID they received their configuration via DHCP on Comcast and went directly out Comcast, thus completely circumventing our internal network. It worked well. If they needed to connect internally they would have to use our L2TP VPN.

    Now with the new router, a member of that SSID can resolve our Public DNS record that resolves to our VPN but can't connect, or even ping that address, or any other address on our UTM. This is frustrating to those on my team that set up laptops for employees because they like to use that Guest network to test the VPN, which now they can't do. Maybe this is too unconventional and I should just give it up and accept the fact that there is no way to test our VPN from the inside or go out Comcast internal ports for any other reason.

    Thanks for your input!