
UTM - Dual internet migration path


I'd like to ask a question about connecting my UTM to two different internet services at the same time. I have a UTM9 running Firmware version 9.703-3. I currently have ETH1 configured for ISP1; it has a static IP address with the gateway defined at the interface level. I have an ISP2 service online and ready to be used.

My goal, in a nutshell, is to make a gradual transition of the various services from ISP1 to ISP2. I've broken down the 'services' into the following:

General web traffic, browsing, etc from the internal network to the internet.

Remote Access VPN with the Sophos SSL VPN client.

Connectivity of 2 REDs.

Site to Site VPNs for 3 tunnels.

Port forwarding of 1 application to an internal server. (custom NAT rule)

The ISP1 service is still up and will be in the foreseeable future. However, I am not specifically aiming to have automated failover or load balancing or anything like that. If I have to enable something to make the transition, fine, but that isn't the goal, so I don't want to turn that into a major effort.

My understanding is that I don't have to do this all at once. I can basically create a new interface, address it for ISP2, connect, then gradually move services over during the next week or so. This will minimize impact on the organization.

However, I went to create the next interface, ETH2, for ISP2, and it wouldn't let me configure the default gateway on the new interface. It says, "Can't have multiple default gateways. Uplink Balancing will be enabled."

So, my questions are...

Does this sound right? Do I need to have uplink balancing enabled?

I see 3 paths..

1. I can take the default gateway off ETH1, but I would think that it wouldn't know how to route (for example) the site-to-site VPN traffic, which is still bound to ETH1.

2. I can enable the uplink balancing. Presumably ETH1 would be standby and ETH2 would be active. Will it still route the other traffic (i.e. VPN, RED, custom NAT) out ETH1, even though ETH1 is in "standby"?

3. Or maybe it would be better to just create static routes and not have the gateways at the interface level?

Any recommendations or feedback would be appreciated. Option #4 is to do everything at the same time and just reconfigure ETH1. But that means that I break everyone, and that can make for a bad following day.



  • Hey Ben,

    I would enable Uplink Balancing with both connections active, click on the wrench icon and assign a zero weight to the old connection.  That means that "General web traffic, browsing, etc. from the internal network to the internet" will go out the new connection unless it's off.

    All of the other categories will require new configurations and/or changes in your public DNS records.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
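Bob's point that the SSL VPN, RED, site-to-site and port-forward categories depend on public DNS records is the part of a staged ISP migration that is easiest to get half-done. The script below is an added example, not code from the thread or from Sophos: it takes an inventory of externally reachable service hostnames and reports, per hostname, whether the public A records already point only at the new ISP address, still only at the old one, at both, or somewhere unexpected. The hostnames, the two ISP addresses (taken from the RFC 5737 documentation ranges) and the built-in fake resolver are all constructed placeholders; pass `resolve=system_resolver` to query real DNS.

```python
"""Report which externally reachable services have been cut over from ISP1 to ISP2.

Added example for the thread above; not part of the original post or of the
UTM product. All hostnames and addresses are constructed placeholders.
"""
import socket
from typing import Callable, Dict, List

# Constructed sample inventory (hostname -> what the record is used for).
# The real names in an SSL VPN client profile, RED provisioning, site-to-site
# peer configuration and the published application address are assumptions.
SERVICES: Dict[str, str] = {
    "vpn.example.com": "Remote Access SSL VPN",
    "red.example.com": "RED tunnel endpoint",
    "s2s.example.com": "Site-to-site VPN endpoint",
    "app.example.com": "Port-forwarded application (custom NAT)",
}

OLD_ISP = "192.0.2.10"      # ETH1 / ISP1 static address (constructed)
NEW_ISP = "198.51.100.10"   # ETH2 / ISP2 static address (constructed)

# Constructed answers standing in for public DNS, so the example runs offline.
FAKE_RECORDS: Dict[str, List[str]] = {
    "vpn.example.com": ["198.51.100.10"],                  # already moved
    "red.example.com": ["192.0.2.10"],                     # still on ISP1
    "s2s.example.com": ["192.0.2.10", "198.51.100.10"],    # both published
    "app.example.com": [],                                 # record missing
}

Resolver = Callable[[str], List[str]]


def system_resolver(hostname: str) -> List[str]:
    """Return every IPv4 address the host's resolver gives for hostname."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def fake_resolver(hostname: str) -> List[str]:
    """Offline stand-in for system_resolver using FAKE_RECORDS."""
    return FAKE_RECORDS.get(hostname, [])


def classify(addresses: List[str], old_ip: str, new_ip: str) -> str:
    """Map the set of published addresses for one hostname to a cutover state."""
    addrs = set(addresses)
    if not addrs:
        return "unresolved"           # record missing or resolver failure
    if addrs == {new_ip}:
        return "migrated"
    if addrs == {old_ip}:
        return "pending"
    if old_ip in addrs and new_ip in addrs:
        return "split"                # clients may land on either ISP
    return "unexpected"               # points at neither ISP: investigate


def cutover_report(services: Dict[str, str], old_ip: str, new_ip: str,
                   resolve: Resolver = fake_resolver) -> Dict[str, str]:
    """Return {hostname: state} for every service in the inventory."""
    return {host: classify(resolve(host), old_ip, new_ip) for host in services}


def remaining_work(report: Dict[str, str]) -> List[str]:
    """Hostnames that still need a DNS change or a look before ISP1 is retired."""
    return sorted(h for h, state in report.items() if state != "migrated")


if __name__ == "__main__":
    report = cutover_report(SERVICES, OLD_ISP, NEW_ISP)
    for host, state in report.items():
        print(f"{host:20} {state:11} {SERVICES[host]}")
    print("still to do:", ", ".join(remaining_work(report)))
```

A "split" result is normal while an old record's TTL runs out, so lower the TTLs on these records before the cutover and re-run the report after the old TTL has expired; an "unexpected" result means a record points at neither ISP and should be checked before any client is told to use it.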