The recent storm in UK took out our power and internet connections for several days but when power and the fallback broadband connection were first restored I had hoped that the fallback would work.
Not so I fear and in trying to get it working I munged the lot. Had to restore UTM configuration from backup. Now I have power and both connections working but no second connection configured as fallback. I want to start over.
Please could somebody help me with a step by step guide. My last efforts were plagued by problems. I am in unfamiliar territory here so need an idiots guide please.
i use a 100:0 weighting for a quasi-standby interface.In contrast to a real standby interface, incoming connections and outbound connections routed specifically via this interface are possible.The 15 minutes…
Sophos UTM: Uplink Balancing and Multipath rules
Systema Gesellschaft für angewandte Datentechnik mbH // Sophos Platinum PartnerSophos Solution Partner since 2003 If a post solves your question, click the 'Verify Answer' link at this post.
Hi Dirk and many thanks for the links and hope of a solution. I shall go through the details later but there is one concept I am struggling with (I am well beyond my know how here,) and this concerns the respective configuration of my second broadband connection and the port on the UTM to which it connected. I have the details of the router as follows:-
I have deleted the actual details for obvious reasons but you will note that the lan connection is a DHCP server with a limited pool of addresses but enough. This connection to the router works as I expected and if I plug in my laptop with my laptop NIC configured for DHCP I have a connection and am good to go.
Where I am not confident is how to configure the interface on the UTM. I started out by giving it an address on a subnet with DHCP and DNS services as though I were connecting a computer to the UTM. This would have two DHCP servers facing each other an this doesn't seem right. On the other hand I have no idea what else I should do for this connection to work. It would be great if I could sort this out before following the detailed instructions on the link you kindly offered.
The UTM is connected on its WAN side (the LAN side of the ISP router) like a PC.IP address / mask and gateway + the ISP router (or 22.214.171.124) as DNS forwarder - nothing more. Possibly even obtain this from the ISP router via DHCP.Another subnet is used on the LAN interface. The UTM / SG firewall itself can / should offer DHCP + DNS here.
Hi Dirk, I have now sorted out the UTM connection by copying the existing first connection. The configuration is slightly different from my settings for a network switch or pc connection but is now good.
My other problem was with a misconfigured router and I needed help from ISP who made the original configuration and this has now been corrected, so all good.
The links you gave me have been a great help and I have the basics right. I am not sure the apportionment is as I need it to be but will check usage over the weekend and come back if I need more help. I do need to raise a new question about Firewall settings as I find many many Firewall Violations on the logs, which is a bit worrying.
Meanwhile many thanks again for your help.
I have been adjusting the balancing between WAN connections using both connections in what I believe to be the Multipath mode. I would like to try the failover mode but cannot find the Type drop-down list on the Uplink balancing. It seems the help page may be slightly different or I am just too dumb. Can you advise please. Also do I need to set the multipath rules on the Multipath rules page? It seems the percentage apportionment is set by a drop down menu on the Uplink balancing page.
Finally please could you help me setting up the Monitoring and in what format will this information be available? Is there a graphical version for Monitoring and how do I access it please?
"I would like to try the failover mode"if you have 2 or more interfaces within uplink balancing, failover is active.You can create a "standby" interface moving a interface from "interfaces to standby field (but why ... you will lose the multipath function)"Multipath rules"... you only need, if you would direct special traffic to a defined interface. traffic not handled by MP-rules are loadbalanced. So: no. not necessaryNo great solution for monitoring.Dashboard shows the current load per interface, logging and reporting shows the history for interfaces. PRTG may be used too... but interface numbering changes sometimes.
Hi Dirk and many thanks for your reply.
The underlying issues for me and reason for my questions are that one WAN connection is six times faster than the other and the faster one is also free of charge to me, so the standby my primary reason for setting this up.
The higher speed nil cost connection is slightly less reliable because the power supply which feeds it is more vulnerable to outages so the slower connection is better than nothing, hence failover or standby.
I am trying to understand how balancing works if I do not move the slower connection to standby, given the very unequal connections. If I have one client making a large download is the traffic split between the two interfaces or does it use only one?
I have tried changing the apportionment to 90% 10% and also changing the time from 1 hour to 15 minutes but I have not yet been able to observe the consequences of these changes.
Finally there is one set of circumstances where we may wish to direct certain traffic to only one interface. How would this traffic be filtered to enable this.
Please forgive the dumb questions but if there is more reading you can suggest that would be appreciated.
i use a 100:0 weighting for a quasi-standby interface.In contrast to a real standby interface, incoming connections and outbound connections routed specifically via this interface are possible.The 15 minutes are the glue-time. Balanced connections will use the same interface if new connections with the same parameters are created.