Thread Info
  • Replies 6 replies
  • Subscribers 6 subscribers
  • Views 3974 views
  • Users 0 members are here
Options
Suggested

Sophos UTM: best practice for uplink balancing and multipath rules

taowang
8 months ago

Note: Please contact Sophos Professional Services if you require direct assistance with your specific environment.

Overview

This article focuses on best practices to configure Uplink Balancing and Multipath Rules for 2 or more WAN links.

Thanks to @BAlfson for great explanation about default multipath rule.

Basic setup

To distribute traffic evenly on 2 WAN links,

  1. Go to Interfaces & Routing > Interfaces > Uplink Balancing, enable Uplink Balancing.
  2. You don't have to create the following multipath rule, but you should know it is the default applied when traffic doesn't qualify for any multipath rule.
    Go to Interfaces & Routing > Interfaces > Multipath Rules, create a multipath rule with
    Source: an internal network
    Itf. Persistence: By Connection
    Balanced to: Uplink Intefacees

    Note: Like all ordered (numbered) lists in UTM, once a rule applies, no subsequent rules are considered.



  3. Go to Network Protection > NAT > Masquerading, create a masquearding rule with "Interface: Uplink interfaces". If no such masquearding rule, UTM might choose wrong WAN interface for outbound traffic.

Internal network uses a specific WAN interface for outbound traffic

  1. Enable Uplink Balancing, and create a masquerading rule with "Interface: Uplink interfaces" for the internal network as above
  2. Create a multipath rule with
    Source: the internal network
    Itf. Persistence: By Interface
    Bind interface: the WAN interface designated for the internal network
    Skip rule on interface error: checked, so that traffic will be sent out from another up WAN interface if bind interface is down.

WAN interface serves only one host

Target: WAN interface "WAN_200_225" is only used by 192.168.10.9 to access Internet, no other internal host/network can use it to access Internet.

  1. Enable Uplink Balancing, and create a masquerading rule with "Interface: Uplink interfaces" for the internal network as above
  2. Create a multipath rule, set
    Source: host definition of 192.168.10.9
    Itf. Persistence: By Interface
    Bind interface: WAN_200_225
    Skip rule on interface error: checked
  3. Edit schedule of uplink balancing
  4. Change weight of interface "WAN_200_225" to 0, so that it won't be used by other multipath rule configured with "Itf. Persistence: Connection/Source/Destination"

Load traffic on specific WAN interfaces

Assume UTM has 3 WAN interfaces, traffic from an internal network needs to be loaded on 2 WAN interfaces only.

  1. Enable Uplink Balancing, and create a masquerading rule with "Interface: Uplink interfaces" for the internal network as above
  2. Create an interface group contains those 2 WAN interfaces, in UTM webadmin > Interfaces & Routing > Interfaces > Interfaces > New Interface… > Type: Group
  3. Go to Interfaces & Routing > Multipath Rules, create a multipath rule, configure 
    Source: the internal network
    Itf. Persistence: By connection
    In Advanced Settings, set Balanced to:  the interface group

Technical KBA for reference

Sophos UTM: Uplink Balancing and Multipath rule, support.sophos.com/.../KB-000034635



Updated with default multipath rule, suggested by BAlfson
[edited by: taowang at 3:38 AM (GMT -8) on 7 Nov 2020]
[edited by: FloSupport at 1:05 AM (GMT -7) on 8 Jun 2021]
  • 8 months ago

    Wouldn’t it be the same to set the weight to 0 for the 3rd wan interface for the case “Assume UTM has 3 WAN interfaces, traffic from an internal network needs to be loaded on 2 WAN interfaces only.”?
    And by the way a demo for the weight setting I think.

    PS That is an important topic which definitely deserves a best practice.

    BR

    Alex

    -

  • 8 months ago

    Since upgrading from 9.510 to 9.6 we sometimes face strange Multipath issues. Since then, we have seen this multiple times, that reply packets are being sent out the wrong wan interface, which leads to asymetric routing.... I think this is still persistent. We use weight=0 for the secondary line, this is the setting, that the affected systems have in common... Really strange issue.

  • 8 months ago in reply to seroal

    Maybe another issue was implemented, while solving this issue:

    • NUTM-10018 [Basesystem] MiddleWare starting up time takes long when having lots of multipath routes

    https://community.sophos.com/utm-firewall/b/blog/posts/utm-up2date-9-601-released

  • 8 months ago in reply to Alexander Busch

    I don't like to use the 0-weight trick, Alex, because it's "hidden" during a quick overview.  Maybe it's just the way my brain takes in information, but, for me, the advantage of having Multipath rules is that the "documentation" is clearer to someone coming in behind the person that originally configured Uplink Balancing.  I don't have sites where there are a lot of Multipath rules though.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 5 months ago

    Balancing by connection is a good way to enter into ReCaptcha hell and be forced to log in over and over. I use multipath for failover.

  • 1 month ago in reply to Ryan Miller2

    Ryan, "By Connection" is the default.  You would want a Multipath rule "By Source/destination" to avoid your issue.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Unfiltered HTML