
multiple internet links, Uplink balancing, multipath, Full and DNAT services and failover

Hello,

I'm hoping for a little advice :)

At the moment I have 2 internet services where traffic is split between those two links on an ad hoc basis using static routes, fixed IP addresses, NAT, etc., but offering no automatic failover if a link goes down.

Both links are about to be upgraded (inbound IP addresses will change, etc.), so when that happens I'd like to configure things so we have actual redundancy and failover. To do that I was thinking to utilize Uplink Balancing and Multipath Routing, such that both links are being utilized for all inbound and outbound traffic.

I have approx. 20 IPSec Site-to-Site VPNs, several Full NAT and DNAT rules, and at least one SNAT rule allowing mobile users to connect back to specific services whether they are in the office or out in the field, etc.

My current thinking is:

- (take a backup! :)

- Set up the new interfaces, enable Uplink Balancing, add both new interfaces as active links

- Remove the static routes

- Then for the DNAT and Full NAT rules, change the 'Going to:' address to 'uplink addresses'

- Set up a new Multipath Rule: Source = any, Service = 'big old list of services', Destination = any, Itf Persistence = 'source/destination'

- Set up DNS A records with multiple IPs for the site (e.g. headoffice.example.com has A records of Interface 1's static IP (e.g. 1.2.3.4) and Interface 2's static IP (e.g. 4.5.6.7)) and individual DNS names int1.example.com (1.2.3.4) and int2.example.com (4.5.6.7).

- I hope to use headoffice.example.com for things like MS RDP addresses. (Inbound connections will favour one link, but that's OK.)

- Only one of the remote sites has a UTM so far, so I was thinking to just set up the IPSec VPN tunnel remote ends with a primary address of int1.example.com and a secondary of int2.example.com, such that if the UTM is starting the connection from either interface, it should just work.

So. Does this sound like it will work? Have I missed something obvious? Will it break my network?! Is there a better approach? :)

Any advice would be greatly appreciated!


All the best

Neil



  • For the IPSec between two UTMs you can define an interface group in Interfaces where you can put both external interfaces. This interface group can in turn be used in the IPSec connection. On the remote UTM you'll have to make an availability group with the external public IPs from the other side in the same order as your interface group. Then you can use the availability group as the source for the remote UTM.

    As for the NATs using Uplink Primary Addresses, this will work, but beware that it only works on the primary addresses (which is also what it's called). Should you need it enabled on additional addresses, you will need to make additional NAT rules.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improving IT security and happy to help others with their IT security challenges.
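The two easy-to-get-wrong details in this thread are the DNS layout in Neil's plan (the round-robin name must carry exactly the two per-link addresses) and the ordering caveat in the reply (the remote availability group must list the local public IPs in the same order as the local interface group). The preflight check below is an added example, not code from the thread or from Sophos; the hostnames and addresses are the constructed sample values from the post, the record table stands in for a real zone, and a live lookup via the standard library is used only when no table is supplied.

```python
"""Preflight check for a dual-uplink DNS and IPsec peer layout.

Added example, not from the original thread. Checks two things against a
table of A records: that the service name (headoffice.example.com) resolves to
exactly the union of the per-link names, and that a remote peer's availability
group lists the local link addresses in the same order as the local interface
group. Constructed sample data; swap in records=None for live DNS.
"""
import socket

# Constructed sample zone mirroring the addresses used in the post.
SAMPLE_RECORDS = {
    "headoffice.example.com": ["1.2.3.4", "4.5.6.7"],
    "int1.example.com": ["1.2.3.4"],
    "int2.example.com": ["4.5.6.7"],
}


def resolve_a(name, records=None):
    """Return the IPv4 addresses for name, from the table if given, else live."""
    if records is not None:
        return list(records.get(name, []))
    infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def check_roundrobin(service_name, link_names, records=None):
    """Return a list of problems (empty means OK) with the round-robin name.

    Each per-link name must have exactly one address, and the service name
    must carry exactly those addresses: a stale or missing A record here means
    one uplink silently stops receiving inbound connections.
    """
    problems = []
    service = set(resolve_a(service_name, records))
    link_addrs = set()
    for link in link_names:
        addrs = resolve_a(link, records)
        if len(addrs) != 1:
            problems.append(f"{link} should have exactly one A record, has {addrs}")
        link_addrs.update(addrs)
    missing = sorted(link_addrs - service)
    extra = sorted(service - link_addrs)
    if missing:
        problems.append(f"{service_name} lacks link address(es) {missing}")
    if extra:
        problems.append(f"{service_name} carries address(es) on no link {extra}")
    return problems


def check_peer_order(link_names, remote_availability_group, records=None):
    """Return a list of problems with the remote peer's availability group.

    The local interface group is given as an ordered list of link names; the
    remote availability group is the ordered list of public IPs the peer was
    configured with. Position i on both sides must refer to the same uplink.
    """
    expected = [addr for link in link_names for addr in resolve_a(link, records)]
    problems = []
    if len(expected) != len(remote_availability_group):
        problems.append(
            f"size mismatch: local group has {len(expected)} address(es), "
            f"remote availability group has {len(remote_availability_group)}"
        )
    for i, (local, remote) in enumerate(zip(expected, remote_availability_group)):
        if local != remote:
            problems.append(f"position {i}: local {local} vs remote {remote}")
    return problems


if __name__ == "__main__":
    links = ["int1.example.com", "int2.example.com"]
    for p in check_roundrobin("headoffice.example.com", links, SAMPLE_RECORDS):
        print("DNS:", p)
    # Availability group as it should be entered on the remote UTM.
    for p in check_peer_order(links, ["1.2.3.4", "4.5.6.7"], SAMPLE_RECORDS):
        print("PEER:", p)
    print("checks done")
```

Run it with a table to rehearse the cutover before the new addresses go live, then with `records=None` after the zone is published to confirm what resolvers actually see; any non-empty list is a configuration to fix before the old links are retired.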