This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Virtual interface for BGP multihoming?

I have going over this in my head for weeks and browsing all over on the forums for an answer and I cannot find or am just not searching right or something.

We have a /24 from ARIN (got one of the last ones) that I need to come to my UTM. Here is what it looks like right now.

eth1 connected to ISP-1's CPE

eth2 connected to ISP-2's CPE

eth3 is my DMZ

eth4 goes to my internal switch

Pretty straight forward right?

The ISPs are giving me a /30 for my side of the interface. I am running into an issue where it appears I require the /24 I own to be on an interface in order to use it for VPN termination and other forwarding is this accurate? Do I require a router between my UTM and the ISP CPE?



This thread was automatically locked due to age.
Parents
  • Hi, Justin, and welcome to the UTM Community!

    I think the answer to your last question is "no," but I don't understand the question before it - what is it that you want to do?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • lets say I own 1.2.3.4/24 and that I am advertising that via BGP to the two ISPs I have. In the event one of them goes down I still want VPN connections to stay up and running. Currently this is impossible because the interfaces are set to carrier specific ISPs. From what I can see without using a router in my own address space and making the UTM a host on that network I cannot use the block I own as a VPN point since it is not the primary address on any interface.

Reply
  • lets say I own 1.2.3.4/24 and that I am advertising that via BGP to the two ISPs I have. In the event one of them goes down I still want VPN connections to stay up and running. Currently this is impossible because the interfaces are set to carrier specific ISPs. From what I can see without using a router in my own address space and making the UTM a host on that network I cannot use the block I own as a VPN point since it is not the primary address on any interface.

Children
  • Hi,

    well, there isn't a virtual Interface you can set up, but you can assign those IPs that you announce over BGP on any interface. You can make a network definition for 1.2.3.4/24 and announce that without it beeing on a physical interface. You can put individual IPs of that /24 on (lets say) DMZ or any WAN Interface. I had that working before.

    ---

    Sophos UTM 9.3 Certified Engineer