I live in a remote area in broadband terms. The service we now enjoy is beamed from the next hill and acceptable but we have no fall back connection. I do however have an ADSL copper connection which is available from a different ISP. This has a much lower bandwidth but would be available as a fallback option should the wireless link fail. Is there a wiki which would get me started with setting this up please. I am using an SG135 UTM.
I searched for a guide but didn't find what I needed.
Grateful for any pointers please.
It's easier than you expect:
Cheers - Bob
Found this answer and am working on it now. Before I make a mess of things please could you clarify what you mean by "unused NIC"
Could mean several things to me.
Hi Bob and many thanks for your patience.
I now have a dedicated Vlan with its own subnet and DNS and DHCP enabled on the UTM. With a rule set allowing WAN connection and through trunk connection and a vlan access port on the switch I can see the world! This checked out with a dhcp connection from my laptop and I can access the WAN from it. OK.
I have now plugged the router lan into the switch. I know the router IP and it has DHCP enabled. I am not aware of any firewall settings in the router. OK
What I still need a bit of help with now is the rules for enabling this connection on the UTM please. Having set the NIC port as an access port for the vlan my understanding is that the there is nothing more for me to do on the switch because all the rest is done on the UTM but as I type I have no idea if the connection is working or any traffic being shared.
My problem is with the Multipath Rules and Uplink Balancing.
I tried to set up the multipath rules as any -> any -> any -> undefined. I am OK with persistence by source/destination but I am stuck with undefined.
I have set up the subnet for a new connection on the UTM which has dns and dhcp services but my other router also has it's own dhcp server and subnet for the ISP. When I tried to make this work I had an unexpected prompt for a login from the UTM (I was already logged in) and my ISP email service was blocked. I know I have made a mistake and sure enough on the UTM dashboard the port was flagged with an error. Further guidance would be appreciated please.
So I have multipath rule set up now as any->any->any->Uplink interfaces and two interfaces set up on Uplink Balancing with the Active interfaces as External (WAN) and the interface I created using vlan. My problem is that when I enable this configuration I get an error message on the new interface I get a prompt that a login is required but no clue which or where as when I select the UTM comes up with an error and to cap it all I have no internet or email.
I know I have been slow but hope you haven't given up on me as I am stuck.
I am attaching screenshots of the settings I have set up for multipath rules and uplink balancing and the pop up messages I received when I tried to use browser and email after enabling these settings.
I have had to disable them to be able to send these screenshots. I have zipped the screenshots and am trying to send them here as a compressed file hich I hope you will be able to open. Please let me know if you need these shots in a different format.
Hello,are you using webfiltering? Do you have setup an outgoing interface there?
Mit freundlichem Gruß, best regards from Germany,
New Vision GmbH, GermanySophos Silver-Partner
If a post solves your question please use the 'Verify Answer' button.
Many thanks for your kind reply. Many thanks for the use of English as my German is non existent but I do listen to a great deal of Bach..
It seems I do have some web filtering set up. I am not aware of this but may have been set up by original supplier, long since departed. Two networks are shown on the Allowed Networks tab. Neither involving my planned uplink balancing.
Should I just add the two interfaces or is there more configuration required.
again: you do not have defined an outgoing interface there?
Hi Philipp, Thanks for pointing this out to me but as I stated above I have no idea how this has been set up or when. What is worse is that I have no idea if I need Web Filtering or on which interfaces. What function do these serve?
Why for example are Admin and Internal allowed and how are they defined. I shall now look further into the machine but if there are any guidance notes please advise.
Many thanks again,
The Optional Interface you have highlighted is not visible on my device.
I turned the Web Filtering off and the Uplink balancing still does not work.
Is there a step by step guide on how to do this please?
In Web Filtering you can configure different Profiles so that traffic for different groups or internal LANs can be handled differently. In order for WebAdmin to show the 'Optional interface for outgoing traffic' as suggested by Philipp, you must run the following command as root at the command line:
cc set http enable_out_interface 1
Hi Bob, I am not having much success here. The Web Filtering was a surprise as I had no idea it had been set. I wonder if it came as a result of my setting something else.
Can I leave Web Filtering off while I try and sort out my second WAN connection?
I tried this, as I said earlier, but even with Web Filtering turned off I still had no internet or email access as soon as I turned on the multipath rules and uplink balancing. What next I ask?
With regard to Philipp's advice and your related help I note that if I access the UTM as root it negates any support available from Sophos. Do I really have to go in using SSH. Surely it shouldn't be necessary for what I am trying to achieve?
Yes, it's not advised for people to start mucking around with things at the command line unless it's something known to be acceptable. Sophos UTM: How to change the outgoing interface for Web Filtering gives more instruction than I did, but it clearly indicates that the command I give above is acceptable.
How about a picture of your Multipath rules?
If I try and set the GW on the second interface it automatically turns on the Uplink Balancing which calls a login popup and stops my WAN connection so I have not included the default GW on the AAISP interface.
On the multipath rules there is only the one rule.
I have set an arbitrary IP subnet for the AAISP interface. I do not have the IP address of the router but can get it in the morning.
I am having trouble inserting the file so see if it works:-
For reasons I don't understand I cannot insert my zipped screenshots this time. I get a message saying the file or url is not allowed to be inserted!4667.Pictures.tar.gz
But this seemed to work.
Sorry, Alastair, but I don't have a tool that lets me see those pics. How about just jpegs or pngs?
Ok I think my file was damaged. Try this.
what makes me wonder here is your remark "it automatically turns on the Uplink Balancing which calls a login popup and stops my WAN connection". What do you mean by "login popup"?And, of course, the second GW forces uplink balancing to be enabled, that's by design.
@Bob: I think we need to fix this "login popup" thing before we ca go any further here...
Thanks, Alastair, that helps. I don't think this will work if the AAISP interface doesn't have a default gateway.
Agreed, Philipp, that confused me, too...
Hi Bob & Philipp,
Sorry for the long pause. We have guest occupying the room and I have to wait until he leaves and I can access the AAISP router. Hope will get there this evening and check out the AAISP connection and router settings. I thought AAISP could access from their end but couldn't. More fun later!!!
OK, I have checked out my other broadband connection with AAISP. The connection is up and working. The router lan port is configured as a normal access port with DHCP and default GW and I can connect to it with laptop and browse. All OK so far.
On the UTM I have set up a dedicated access port, port 1 on its own subnet with unique IP/25 addresses and it is connected to the AAISP lan port.
The problem is when I try and set the default GW for port 1 on the UTM, things go wrong. As soon as I do this I get the warning that uplink balancing is required and is enabled. I then get a link error on the AAISP.
If I try and cinnect to a website using a Firefox browser I then get an Warning:Potetntial Security Risk from Firefox with the message. See screenshot and note the Network management prompt in the corner. Unfortunately this also took me off line so I have to back out to be able to send this which may be why the screenshot appeared above!!!
Grateful for what to try next.