Hibernate an Interface / Network Definition

I have had the following issue occasionally over the years, and am surprised it hasn't been brought up / fixed before. Unless there's a simple workaround I'm missing.

A (simplified) example:

- Standard(ish) UTM install, one uplink, two internal subnets (.48.x and .50.x). Three NICs in the UTM, all used.

- We have a new uplink coming, and for good reasons, want to run two uplinks for a few weeks in fail-over mode. We know how to do this, and are willing to turn off the .50.x subnet for the duration.

- Thus the sensible thing to do would be to put the .50.x network definition (which is on eth0) on ice, use eth0 for a new uplink definition, and work for a few weeks with two uplinks, one working internal subnet, and one dormant internal subnet.

But we can't, because UTM doesn't allow a network interface definition to be "not connected"! As far as I can see, I have to delete the .50.x subnet, with all the associated rules, run our transition phase, and then rebuild everything the way it was before. Time-consuming and error-prone, at best.

(Yes, if there was a VLAN-capable switch onsite, we could put two links on VLANs, but there isn't one. Also we could temporarily add a fourth NIC to the box, but there's no space left in it).

So is there a simple way for us to put the .50.x network definition and rules on hold, so that I can simply reactivate them when we turn it back on?

  • Hello Alatark,

    Thank you for contacting the Sophos Community!

    Would taking a backup before you make the change work, and once you finish, just uploading the backup?

    Maybe configure a Red to Red tunnel and use that interface temporarily for the .50 subnet?

    But yes, putting it on hold is not possible at the moment; that would be more of a feature request!

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Thanks for the quick reply.

    I was aware of the backup possibility, but it would of course have the old uplink definition, whereas we are hoping to be on the new uplink at completion (otherwise we could just skip the entire exercise)!

    As you imply, the backup then restore approach has the merit that redoing the uplink config at the end will be easier than redoing all the .50.x rules, which are quite complex, whereas I'm hoping both uplink configs are basic DHCP jobbies.

    As I said in the original post, this is the third or fourth time I've run into this particular Catch-22 with Astaro, and it seems to me to be something that is missing from an (otherwise) extremely well designed piece of software.

  • Salut Alatar,

    Why not simply add another Ethernet NIC?  Then again, if the goal is to replace your current WAN connection, why not just unplug from the current ISP's connection, plug in the new one and, if you have problems, switch back?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks, Bob -

    Yes, I did mention that option in my post: "Also we could temporarily add a fourth NIC to the box, but there's no space left in it". Plus, I'm 200km away, and no-one there could do it without making the situation worse.

    All that's really needed is an option "Not Currently Bound" in the interface selector. As emmosophos says, probably needs to be a feature request.

  • Not even a USB port where a USB NIC could be attached?

    Cheers - Bob

     
  • Now that's a good idea -- I didn't think of it. I could ship them one.

    How likely is it that the UTM will see the USB adapter and autoconfigure it, such that I'll be able to see it in the interfaces list in (remote) WebAdmin? Plugging in a USB adapter, and then a Cat5 into that, is about the limit of what I can expect from the onsite staff...

    Paul

  • Fingers crossed, a reboot might be all that's needed.  However, the ISO/DVD installer only loads the drivers for the hardware it sees.  I don't know.  Maybe have your reseller ask Sophos.

    Cheers - Bob

     