This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Using an SG210 as a WAN selector.

 Afternoon all. I'm a Sophos noob and have a question!

I have been tasked with using an SG210 as a WAN selector.

From e0 I'll have a connection to my core switch which hosts some VLAN's.

The Link from the core to the Sophos is routed so my default route on the switch is 0.0.0.0 0.0.0.0 192.168.199.1, the core switch IP address is 192.168.199.2 and this link is on VLAN 199

The core switch is the D/G for all the LAN's so LAN to Sophos should be a straightforward routing path.

I have created the appropriate routes on the e0 interface that point to 192.168.199.2

On e1, e2 and e4 I have different WAN routers.

e1 ip is 10.1.1.2 with the router connected being 10.1.1.1. Traffic is then NAT'd by this router to the outside world. e2 and e4 follow the same pattern except e2 is a DHCP addressing scheme.

The use case is this: The Sophos is on a ship. Sometimes it will be at sea using a VSAT internet service connected to e1. Sometimes it will be docked using a harbour supplied shore-lie on e2 and sometimes it will be close to shore and using a 3g/4g router on e4. The crew (who will be trained) need to be able to log in to the Sophos, choose the appropriate WAN connection and have traffic flow. They will not want to load balance at all, they just need to be able to get internet down whatever link is most appropriate at the time.

I am having trouble making this work. I am more used to Kerio devices which make this a breeze (because they are designed as WAN selectors) and I am fairly handy with Cisco CLI too. I've spent a good while at this searching the internet and the forum for answers to no avail. I'm looking for as minimal configuration as possible to keep complication down and to try to make any fault-finding easier should there be issues arising in use.

I am hoping the attached diagram helps with the explanation.



This thread was automatically locked due to age.
Parents
  • Hi Mark and welcome to the UTM Community!

    Jaydeep's suggestion is a good one, but I would put all thee Interfaces in 'Active'.  Then, all the crew has to do is power down the less desirable routers and the UTM will automatically pick the one that's live.

    Instead you could use a Multipath rule bound to each Interface with them in the order of throughput speed - I would guess e2, e1 and then e4.  Then, the UTM would choose the fastest connection available and no one would have to touch anything!

    Cheers - Bob
    PS It sounds like you've strong networking skills, but little experience configuring UTMs with WebAdmin.  WebAdmin is a GUI that manipulates databases of objects and settings.  A single change there can cause the Configuration Daemon to rewrite hundreds of lines of the code used to run the UTM.  I've seen experienced CCIEs create really ugly WebAdmin configurations.  I would urge you to have a strong, experienced UTM consultant review the current configuration and make suggestions on how to simplify it and make it easier to manage and modify.

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • Hi Mark and welcome to the UTM Community!

    Jaydeep's suggestion is a good one, but I would put all thee Interfaces in 'Active'.  Then, all the crew has to do is power down the less desirable routers and the UTM will automatically pick the one that's live.

    Instead you could use a Multipath rule bound to each Interface with them in the order of throughput speed - I would guess e2, e1 and then e4.  Then, the UTM would choose the fastest connection available and no one would have to touch anything!

    Cheers - Bob
    PS It sounds like you've strong networking skills, but little experience configuring UTMs with WebAdmin.  WebAdmin is a GUI that manipulates databases of objects and settings.  A single change there can cause the Configuration Daemon to rewrite hundreds of lines of the code used to run the UTM.  I've seen experienced CCIEs create really ugly WebAdmin configurations.  I would urge you to have a strong, experienced UTM consultant review the current configuration and make suggestions on how to simplify it and make it easier to manage and modify.

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
  • Hi Bob.

    Busted! I'm a Cisco guy. Not quite CCIE but I'm fairly handy and yes I don't get my hands that dirty with UTM's in my normal day job.

    I have put all three (now four) interfaces in Active. Great tip and definitely makes life easier.

    I'm having an issue with another piece of kit but a search on here suggests changing from auto-negotiation to fixed so that's next. If that doesn't work there will be another question!

    With regards to multipath, what happens if there is only a single connection available? Presumably the Sophos doesn't care it will just use what it can see as up and interfaces not assigned to use that one up interface are simply cut off? I am again imagining quote a lot of rules to cover every eventuality. Final config will have 6 VLAN's that all need internet and 4 external connections to choose from. To be honest I don't think I want to be that adventurous with this deployment right now.

    I'll pitch getting a UTM consultant in but as the job is costed and sold, any money spent comes off the bottom line and for the most part, it's working well right now. But I'll make the point using your words. Thanks.

    I'm a self-made man. But I've lost the instructions...

  • Assuming that you want all VLANs to be able to access the Internet at any time, you would just one Multipath rule for each WAN connection like the following:

    You could have a single masquerading rule like 'Any -> Uplink Interfaces' instead of one for each VLAN and each interface (6x4=24!).

    Cheers - Bob
    PS Check #7.7 in Rulz (last updated 2019-04-17).

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Starting to not like this experience at all. I am having a lot of problems deciphering what the hell it's doing with my traffic and in all honesty what I want is 5 minutes on the phone with someone who knows these things properly so I can make it work. I can't believe I'm that far away from making it work but I just can't find it.

    And my latest screw up was to set the VLAN on my internal interfcae. That cut me off good and proper despite the next hop switch interface being configured for the same VLAN. What's that about? Layer 2 configs match but traffic doesn't pass. I know UTM's are "anti-routers" but to me that makes no sense at all and yes I have matching Layer 3 IP's to go with the matching Layer 2. Can't seem to connect to it all all now so it's getting factory reset and I'm starting again.

    I'm a self-made man. But I've lost the instructions...