Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 5 replies
  • Answers 1 answer
  • Subscribers 4 subscribers
  • Views 9086 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Limit webserver to one uplink when uplink balancing

JonathanEmberton

We have 2 uplinks. One is a fiber connection (static IP) the other is a cable modem connection (non static IP). I have uplink balancing enabled, which works great. The issue is the webserver initiates connections to outside resources. Sometimes things are not working like they should and when I turn off the cable modem connection we never have any issues. I suspect there are times where the server is initiating the connection to the outside resources from the cable modem uplink and it is getting rejected. Is there a way to have uplink balancing but force a webserver to only utilize one of the uplinks?



This thread was automatically locked due to age.
Parents
  • 0

    Hi, Jonathan, and welcome to the UTM Community!

    Yes, the answer is a Multipath rule.  The default balancing is "by connection" so you may want to activate the "Example HTTP" rule in general instead of binding the traffic from the server to one interface.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    I don't see how enabling the example HTTP rule would help.  Any-> websurfing ->any-> uplink interfaces.   Will still allow the webserver to send traffic across the Fiber or the cable modem connection.  Or am I missing something.

    I tried to create a multipath rule, of webserver, ->any->any-> but the only option is uplink interfaces. I cant select the interface I want.

  • 0 in reply to JonathanEmberton

    Oh, I just noticed I can create a new group and only put the fiber connection in the group.. Would that work?

Reply Children
  • 0 in reply to JonathanEmberton

    A while ago I had a similar issue. We had vendors who used a single IP address on the outside of our firewall as part of their system's security. So we had to make sure that all traffic to these vendors went through the interface to which the source IP address was assigned.

    So I created a static route for the destination site to point to the default gateway related to the required interface's IP. If the interface IP was 10.1.1.100/24 and the ISP gateway was 10.1.1.1, I set the next hop for www.whatever.com to be 10.1.1.1.

    May not be the most elegant or even the preferred approach, but it worked perfectly.

Unfiltered HTML