Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 2 replies
  • Subscribers 2 subscribers
  • Views 7153 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Multipath, BGP or Policy Routing

CS

Hi Folks,

i need some ideas with following problem:

- redundant connections, 2 routers with bgp (each 10GbE)

- one public network with several services -> one WAN interface

 

Now the problem:

1) If using bgp on utm, then 1 route (over bgp) with failover (second link standby).

BTW. The "Internet" object does not work anymore, because there is no default gateway on the WAN interface.

 

2) If using policy routes, i can use the second link, but in case of error no failover is possible (like multipathing, "skip rule on interface error")

 

3) Using 2 interfaces and multipathing is not possible because of only one public network with many services.

 

I suggest policy routing with monitoring the bgp routes and "switching" routes and gateways on and off with the REST API.

Other ideas?

 

Thanks.

CS



This thread was automatically locked due to age.
  • 0

    I haven't tried it before, but I think the following will work: create a Network definition 0.0.0.0/0 and bind it to the WAN interface.  Did that work as a replacement for the Internet object?

    I admit that I'm confused by the use of the two additional routers - why not just do BGP on the UTM and leave the other routers out of the picture?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Hi Bob,

    The routers are placed by the ISP (Deutsches Forschungsnetz). I can't remove them. BTW the "Internet Object Problem" did not belong to these routers, but to BGP insted of default gateway.

    Without the default gateway bound to an interface, the internet object won't work. I use it in many firewall rules, because there are many internal networks. Without the internet object i need many more (deny) rules and the rules system gets more complex.

    I will try to use 0.0.0.0/0 instead of ANY or INTERNET, but i can't test it in the productive enviroment.

    Thanx!

     

     

    Sophos Certified Architect (UTM + XG)

Unfiltered HTML