Client cannot reach Server on ISP1 when using Uplink Balancing forcing ISP2

Hi,

We have a UTM active-passive Cluster with two Uplinks configured (ISP1=Uplink and ISP2=o2).

I have one Testclient which uses ISP2 and surfs the Web without a Problem.

But it can't connect to a Server which is NATed on a public IP from ISP1.

It can however reach Servers protected with Webserver Protection on the UTM on ISP1.

The Webserver Protection and the NAT are working from all other ISPs, for example my home Network.

This is the Multipath Rule for my Client

The Masquerading Rule:

And the Firewall Rule:

This is the NAT Rule to the Server I try to reach:

Do you have any Ideas where I can start Troubleshooting this?



This thread was automatically locked due to age.
  • Hallo Marco,

    I'm confused.  Is your #5 Multipath rule binding outbound traffic from "o2 (Network)" to the "O2" interface?  Is "o2" a LAN interface?  Is "O2" an interface with a public IP and a default gateway?  What is whited out in Multipath rule #4 - the Testclient?

    You wrote:

    "I have one Testclient which uses ISP2 and surfs the Web without a Problem.

    "But it can't connect to a Server which is NATed on a public IP from ISP1"

    Is the Testclient in "o2 (Network)"?  Is ISP2 on the "O2" interface?  When you say "can't connect," what do you see - an error message or just no response?

    Have you tried a NAT rule like the following?

         Full NAT : Testclient -> (HTTP/S & Zenworks-Joinproxy) -> ISP1 (Address) : from o2 (Address) to server

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA