
PTP Wireless network and WAN Connection Failover

Good evening everyone,

I am trying to set up a network that I feel is fairly simple, yet I am having issues figuring out the best method to complete the task.

I have the following scenario:

Primary Site:
ISP --> External WAN Int (50.203.X.X)
PTP --> PTP WAN Int (10.10.10.1)
LAN --> Internal LAN Int (192.168.2.0/24)

Secondary Site:
ISP --> External WAN Int (50.204.X.X)
PTP --> PTP WAN Int (10.10.10.3)
LAN --> Internal LAN Int (192.168.1.0/24)

What I am trying to accomplish is two things: first, send all traffic between the sites over the PTP link unless the link is down; second, send Internet traffic through the PTP in the event the ISP is down.

I have set up the interfaces in UTM and have them both being monitored with uplink monitoring. Where I am stuck is how to route the traffic from the LAN through the PTP.

Thanks in advance.


  • Yes, that is possible.  VLAN 1 is reserved, and, before V9.3, you can't have a tagged and untagged VLAN on the same interface.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob,

    I'm attempting basically the same thing; however, I'm experiencing issues with the ISP failover VPNs over the PTP interface. They say "Error: No connection" and I notice the VPN IDs are different on each connection.

    Also, with uplink monitoring, how do you differentiate between the ISP connection and the PTP connection going down? How do you specify that the UTM needs to enable the Site to Site VPN over the Internet connection, or the one over the PTP to redirect Internet traffic?

    I'm running UTM 9.403-4

    Thanks,

    JR

  • It's almost two years later and we have some new capabilities, JR. We'll use the OP's (Chris) scenario and I'll try to make this more precise.

    Let's start with a redundant connection between the sites.

    #1. In the Primary site:

      1. Create an Interface Group named "Connect Sites" containing "PTP WAN" and then "External WAN."
      2. Create an Availability Group named "Secondary Site IPs" containing a Host object for 10.10.10.3 and then one for 50.204.x.x.
      3. Create a Remote Gateway with "Secondary Site IPs" as the 'Gateway' and a Network object for 192.168.1.0/24 in 'Remote Networks'.  Create an IPsec Connection using the new Remote Gateway with "Connect Sites" as the 'Local Interface' and "Internal LAN (Network)" in 'Local Networks'.
      4. Enable the tunnel.

    #2. In the Secondary site:

      1. Create an Interface Group named "Connect Sites" containing "PTP WAN" and then "External WAN."
      2. Create an Availability Group named "Primary Site IPs" containing a Host object for 10.10.10.1 and then one for 50.203.x.x.
      3. Create a Remote Gateway with "Primary Site IPs" as the 'Gateway' and a Network object for 192.168.2.0/24 in 'Remote Networks'.  Create an IPsec Connection using the new Remote Gateway with "Connect Sites" as the 'Local Interface' and "Internal LAN (Network)" in 'Local Networks'.
      4. Enable the tunnel.

    Now, let's take care of the situation where a site loses its ISP connection and needs to get to the Internet via the PTP and the other site's connectivity.  We'll do this for the Primary site.

    #3. In the Primary site:

      1. Create a Remote Gateway with the Host object for 10.10.10.3 created in #1 as the 'Gateway' and the Network object created in #1 for 192.168.1.0/24 in 'Remote Networks' along with the "Internet" object.  Create an IPsec Connection using the Remote Gateway just created with "PTP WAN" as the 'Local Interface' and "Internal LAN (Network)" in 'Local Networks'.
      2. Leave the IPsec Connection disabled.
      3. In 'Interfaces and Routing >> Uplink Monitoring':
        1. Create an Action to disable the tunnel created in #1.
        2. Create an Action to enable the tunnel created in #3.

    #4. In the Secondary site:

      1. Create a Remote Gateway of type "Respond Only" with the Host object for 10.10.10.1 created in #2 as the 'Gateway' and the Network object created in #2 for 192.168.2.0/24 in 'Remote Networks'.  Create an IPsec Connection using the Remote Gateway just created with "PTP WAN" as the 'Local Interface' and "Internal LAN (Network)" in 'Local Networks' along with the "Internet" object.
      2. Enable the IPsec Connection.

    An additional configuration #5 and #6 comparable to #3 and #4 is needed to provide ISP redundancy for the Secondary site.  Thus there are three tunnels needed to make this work.  The trick is using "Respond Only" mode in the last two tunnels in the fail-over-to site and Uplink Monitoring Actions on the other site to switch between tunnels.

    If at any point, the PTP goes down, the sites will instantly (a minute) hook up with each other over the ISP connections.  If at any point, a site experiences a disconnect from its local ISP, it will shut down the tunnel between the two sites and establish a new one that gives local users access to both the other site and the Internet.

    This should work as designed, but I've not actually done it this way before, so I would appreciate feedback as to its efficacy. TiA!

    Cheers - Bob

    PS The other way uses IPsec Connections bound to individual interfaces, routing and Multipath.  I've seen this described in German and have copied that to the Wiki here.

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
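The following is an added model of the failover logic in Bob's design (not code from the thread or from Sophos UTM): it walks every combination of PTP / Primary ISP / Secondary ISP being up or down and reports which tunnel carries site-to-site traffic and where each LAN's Internet traffic exits. Tunnel labels A (#1/#2), B (#3/#4) and C (#5/#6) are the example's own naming, and it assumes the #5/#6 configuration mirrors #3/#4 exactly and that a "Respond Only" side is always enabled.

```python
"""Model of the three-tunnel failover design (added example, not UTM code).
A = #1/#2 over the 'Connect Sites' group (PTP first, then External WAN).
B = #3/#4, Primary's Internet via Secondary, bound to PTP WAN only.
C = #5/#6, the assumed mirror of B for the Secondary site."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Links:
    ptp: bool            # PTP wireless link between the sites
    primary_isp: bool    # Primary site's External WAN (50.203.x.x)
    secondary_isp: bool  # Secondary site's External WAN (50.204.x.x)


def evaluate(l: Links) -> dict:
    # Uplink Monitoring at each site: an ISP outage disables tunnel A there and
    # enables that site's PTP-only tunnel; the peer's 'Respond Only' end is
    # always enabled, so that tunnel comes up iff the PTP is up.
    a_enabled = l.primary_isp and l.secondary_isp
    b_up = (not l.primary_isp) and l.ptp
    c_up = (not l.secondary_isp) and l.ptp

    # Tunnel A follows the Interface/Availability Group order: PTP, then ISPs.
    if a_enabled and l.ptp:
        tunnel, path = "A", "ptp"
    elif a_enabled:                  # both ISPs up, PTP down
        tunnel, path = "A", "isp"
    elif b_up or c_up:
        tunnel, path = ("B" if b_up else "C"), "ptp"
    else:                            # a site lost its ISP *and* the PTP
        tunnel, path = None, None

    def internet(local_isp, remote_isp, via):
        if local_isp:
            return "local-isp"
        if via and remote_isp:       # borrow the other site's ISP via the tunnel
            return "remote-isp"
        return None

    return {
        "tunnel": tunnel, "path": path,
        "primary_internet": internet(l.primary_isp, l.secondary_isp, tunnel),
        "secondary_internet": internet(l.secondary_isp, l.primary_isp, tunnel),
    }


if __name__ == "__main__":
    for ptp, p, s in product([True, False], repeat=3):
        print(Links(ptp, p, s), evaluate(Links(ptp, p, s)))
```

The table makes the design's blind spot explicit: a site that loses both its ISP and the PTP at once is isolated, because the only tunnel Uplink Monitoring enables for it is bound to the PTP interface.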
  • Thanks Bob! I just got a chance to apply the configuration changes. I had some difficulty getting the first VPN up. I don't exactly remember how I resolved it, might have been some config from the first method still enabled. After I got it working I decided to attempt to test it by disabling the PTP interface. That didn't go over too well and after several minutes they didn't come back up. Re-enabling the interface didn't help either. I was receiving an error similar to a NAT issue. I eventually restarted both UTMs and the link came back.

    I think simulating a failure that way is not the best test, or maybe I just wasn't patient enough.

    I plan on testing the fail overs after hours sometime by actually disconnecting the PTP and unplugging the cable modem and seeing how everything reacts. I'll then report back on how the configuration works in real life.

    Thanks again!

    JR