
Multipath to another UTM?

I'm planning on multipathing to another UTM like so:

SITE A UTM interface B (WAN 2) > SITE B UTM interface C (SITE A UTM) > NAT > INTERNET

So, the question is:

where to apply the firewall rules?

1. At SITE A interface and a) allow all traffic or b) limit access here
2. At SITE B interface and a) allow all traffic or b) limit access here

My preference would be at SITE B where the NATing will take place, as this keeps it uniform with most things.
I'd simply allow all traffic that enters SITE A interface A (going to SITE B UTM) to flow.

So the multipath traffic would be filtered 50/50 at SITE A & SITE B

Any downsides to this?



  • I would use RED between the two Sophos UTMs so you'll have a virtual interface that you can use multipath rules on. Basically both UTMs will get another network interface (redX) that you can use like a secondary Internet connection.

    ---

    Sophos UTM 9.3 Certified Engineer

  • Hi Ben,

    No need for REDs here. This is a 1G PtP link (AKA leased line), so there's absolutely nothing else on it. Traffic is segregated via VLANs.

    Costs a fair bit per month too!

    The setup is working well although I'm only halfway there with it due to other things needing done first.

    The main thing I've learnt at the minute is not to use any proxy on the 2nd UTM for traffic coming from the 1st UTM, as everything (e.g. authentication, filtering, QoS, etc.) will have taken place there. So basically, the 2nd UTM uses NAT protection but no firewall rules, i.e. it's an any/any rule for traffic coming from the 1st UTM.

    All other traffic on the 2nd UTM, i.e. coming from the LAN etc., is filtered as normal (web filtering, firewall rules, etc.). It is these rules that will be used when the traffic flips and enters via SITE B, so the filtering is done at the SITE B UTM with 50% going to the SITE A UTM and following the same process as above.

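The rule split described in the reply above (filter and proxy on the UTM the traffic originates from; on the NATing UTM, pass traffic arriving over the leased line unfiltered and masquerade it out the WAN), written out as a plain Linux netfilter script. This is an added example and not Sophos UTM configuration or anything posted in the thread; the interface names (ptp0, lan0, wan0), the site A address range and the dry-run default are assumptions. The one point it adds beyond the post is that the "any/any" rule is scoped to the leased-line interface and the peer's address space rather than being a global any/any, so a stray source on that link does not inherit the exemption. The same script, with the variables pointing at the local interfaces and the other site's range, gives the mirror policy on the other UTM for when traffic flips.

```shell
#!/bin/sh
# Netfilter analogue of the two-UTM split (added example, not Sophos config).
# Site B box: ptp0 = leased-line interface facing the site A UTM,
# lan0 = site B LAN, wan0 = site B internet uplink. All assumed names.
PTP_IF="${PTP_IF:-ptp0}"
LAN_IF="${LAN_IF:-lan0}"
WAN_IF="${WAN_IF:-wan0}"
SITEA_NET="${SITEA_NET:-10.1.0.0/16}"   # networks behind the site A UTM (constructed value)
IPT="${IPT:-echo iptables}"             # default is dry-run: print the rules instead of applying them

siteb_rules() {
    # Reply traffic is accepted by state, so it never reaches the filter chains below.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Traffic already authenticated/filtered/shaped at site A: "any/any", but only
    # when it arrives on the leased line, from site A's ranges, and is heading out to
    # the internet. A global any/any would also exempt anything else that hit this box.
    $IPT -A FORWARD -i "$PTP_IF" -s "$SITEA_NET" -o "$WAN_IF" -j ACCEPT

    # Site B's own LAN keeps its normal policy; LAN_FILTER is where those rules live.
    $IPT -N LAN_FILTER
    $IPT -A FORWARD -i "$LAN_IF" -j LAN_FILTER

    # Anything else arriving over the PtP link (wrong source address, or aimed at the
    # site B LAN rather than the internet) is dropped. If inter-site LAN access is
    # wanted it needs its own explicit rule; none is assumed here.
    $IPT -A FORWARD -i "$PTP_IF" -j DROP
    $IPT -P FORWARD DROP

    # NAT for everything leaving the WAN uplink, whether it came from site A or site B.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Usage: siteb_rules               (dry-run, prints the rules)
#        IPT=iptables siteb_rules  (apply, as root)
```

Run it with the defaults to review the rule set, then with IPT=iptables to apply it; the interface-scoped ACCEPT is the line to keep an eye on if the PtP interface or site A's ranges ever change.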