Hello. Looking for some config help for the future state to sort this out please for UTM 9. Thanks.
All working fine for outbound Internet.
Simply want DEVICE1 to use WAN2 as its gateway while the rest of the network uses WAN1.
I am not looking for failover or load balancing at this point.
Thanks for reaching out to Sophos Community and hope you are well.
Seems UTM Multipath rules configuration would achieve your use case: https://support.sophos.com/support/s/article/KB-000034635?language=en_US
Hope this helps and thank you for choosing Sophos
Raphael AlganesCommunity Support Engineer | Sophos Technical SupportSophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS AlertsIf a post solves your question use the 'Verify Answer' link.
Thank you. Can you be more specific? I looked at that extensively and was not able to create a working configuration. I am not interested in load balancing or failover - does your recommendation still apply? Thanks again.
We can use, Itf. Persistence: Interface persistence is a technique which ensures that subsequent connections from a client are always routed over the same uplink interface.
Then we under it we can use: By Interface: Select an interface from the Bind Interface drop-down list. All traffic applying to the rule will be routed over this interface.
and this would achieve the use case above for your future state.
If you're still fighting this, please insert pictures of your 'Uplink Balancing' tab and the Edits of any Multipath rules.
Cheers - Bob
Thank to both of you. This all seems in service of doing load balancing or failover which is not what I want. Are you saying this is still the place you need to be to configure a 2nd WAN regardless? This is where I started but it always seemed to be load balancing. I had assumed I'd be doing more with routing rather than uplinking
please show us your screenshots from the "uplink balancing" tab and the edits of your "multipath rules".
In contrast to their name "multipath rules" can be used to force the use of only one interface for special clients or services.
Let us help you getting this solved.
Mit freundlichem Gruß, best regards from Germany,
New Vision GmbH, GermanySophos Silver-Partner
If a post solves your question please use the 'Verify Answer' button.
Thank you. I now have a working configuration using uplink balancing and multipath rules. I changed the WAN2 weighting (wrench icon in Active Interfaces) to 0 as a solution to stop the load balancing - is that the recommended way? My multipath rule selects a source host group, service any, and destination Internet IPv4 with an itf persistance = Interface and then selecting my WAN2 link.
It still seems kludgy but maybe I have more to learn. My inclination was to look at static or policy routing. Or is this a Sophos specific thing?
Thanks to all for being so helpful.
It would have been easier and quicker for you to learn if you had started by posting the pictures Philipp and I suggested. Rather than set the weight to zero, I normally add a Multipath Rule to force the traffic out WAN1 just as I forced the other traffic out WAN2. That's a more-flexible solution.
Thank you. I am working to understand the background on this as well. This (+) Sophos UTM: best practice for uplink balancing and multipath rules - Recommended Reads - UTM Firewall - Sophos Community was helpful and a helped me understand more although i am still not clear why this over static or policy routes and knowing that would fill in a gap.
Nevertheless, I did have it working and after enabling the uplink balancing, all of my existing masquerading rules some of which were for additinal address IPs were retargeted to uplink interfaces so then I went to create a multipath rule with itf persistance interface and none of the additional address IPs are available for selection.
I can go back to my original masquerade rule and change it to the additional address but then I read in the Rulz about the order and it looks like that would come after the multipath rule. I am not clear on the traffic flow yet.