
RED device - Change metric

Hello!

I'm using a RED device and I would like to change the metric value (0 by default, and by design I guess?).
If I type "route -n", I can see 2 routes:

    192.168.178.0 * 255.255.255.0 U 0 0 0 reds1 (metric value is 0)
    192.168.178.0 10.100.230.254 255.255.255.0 UG 5 0 0 eth4 (metric value is 5)

I need packets to go through 10.100.230.254, but metric value 5 is higher than 0...
If I change it to 0 in the "static routing" tab, the routing table only shows interface reds1! I expect the opposite...

Any advice?

Thanks!

Olivier
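The route-selection behaviour behind this question, as an added example that is not part of the original thread or of any Sophos code: a small Python script that parses `route -n` output like the two lines quoted above and applies the Linux kernel's selection rule (longest prefix match first, lowest metric only as the tie-breaker between equal prefixes). The default route via interface eth1 and gateway 203.0.113.1, and the destination addresses used in the demo, are constructed for the example.

```python
"""Simulate Linux route selection over `route -n` output.

Added example for this thread, not code from Sophos or from the original
posts. It parses the routing-table lines quoted in the question and applies
the kernel's rule: longest prefix match first, lowest metric as the
tie-breaker. Interface eth1 and its gateway 203.0.113.1 are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `route -n` output: the two 192.168.178.0 routes are
# the ones quoted in the question (the kernel prints "*" or 0.0.0.0 as the
# gateway of a directly connected route); the default route is an assumed
# addition so that a non-local destination has somewhere to go.
ROUTE_N_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 eth1
192.168.178.0   *               255.255.255.0   U     0      0        0 reds1
192.168.178.0   10.100.230.254  255.255.255.0   UG    5      0        0 eth4
"""


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: Optional[str]  # None for a directly connected route
    metric: int
    iface: str


def parse_route_n(text: str) -> List[Route]:
    """Parse the tabular output of `route -n` into Route records."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the title line and the column-header line.
        if len(fields) < 8 or not fields[0][0].isdigit():
            continue
        dest, gw, mask, _flags, metric, _ref, _use, iface = fields[:8]
        gateway = None if gw in ("*", "0.0.0.0") else gw
        network = ipaddress.IPv4Network(f"{dest}/{mask}")
        routes.append(Route(network, gateway, int(metric), iface))
    return routes


def select_route(routes: List[Route], dst: str) -> Optional[Route]:
    """Return the route the kernel would pick for destination `dst`."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    # Longest prefix wins outright; the metric only breaks ties between
    # routes with the same prefix length. That is why the /24 via reds1
    # (metric 0) always beats the /24 via eth4 (metric 5).
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


def with_metric(routes: List[Route], iface: str, metric: int) -> List[Route]:
    """Copy of the table with the metric of every route on `iface` changed."""
    return [Route(r.network, r.gateway, metric, r.iface) if r.iface == iface else r
            for r in routes]


if __name__ == "__main__":
    table = parse_route_n(ROUTE_N_OUTPUT)
    for dst in ("192.168.178.10", "198.51.100.7"):  # constructed destinations
        r = select_route(table, dst)
        print(f"{dst:>16} -> {r.iface} via {r.gateway or 'link'} (metric {r.metric})")
    # Only a reds1 metric higher than eth4's would flip the choice; giving
    # eth4 metric 0 merely ties it with reds1 on an identical prefix.
    flipped = select_route(with_metric(table, "reds1", 10), "192.168.178.10")
    print(f"with reds1 metric 10 -> {flipped.iface}")
```

With both routes covering the same /24, the metric is the only tie-breaker, so the reds1 route at metric 0 wins and nothing done to the eth4 route at metric 5 changes that; setting eth4 to 0 would only create a tie on an identical prefix, which is consistent with the observation in the question that WebAdmin then shows only the reds1 route. The same rule is what produces the asymmetric path described later in the thread: whatever path a request took, the reply from the main site follows the lowest-metric route back.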



  • Hi Olivier and welcome to the UTM Community!

    Please show a picture of the Edit of the RED server for reds1.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob!

    Thanks for your answer; you know, I'm an old user of the "astaro.org" forum ;)

    Below, a screenshot:

    I tried to change the operation mode to "transparent/split" and put "Internet ipV4" as network but it doesn't help :(

    Regards,

    Olivier

  • You can PM ruckus with your old and new email addresses and he can get your old and new "identities" merged.

    Now, this is just a WAG - instead of having a separate Interface using reds1, why not bridge reds1 with eth4 since they use the same subnet?

    Cheers - Bob

  • Hi Bob,

    Thanks for the tips for my account but it's not so important...

    For the RED, it's for "historical" reasons: my customer shares an MPLS line and the default route is pointing to another firewall that I don't manage. It seems Internet is blocked for a weird reason :(

    The remote site is working with Remote App (so they can work), but without Internet access I can't support them remotely (TeamViewer...). So my idea was to install a RED, and it works: they have Internet access.

    The MPLS line has to be used for "critical" applications, but I discovered that if I disconnect the modem in front of the RED, applications through Remote App become unavailable!

    Finally, I found that packets flow through MPLS one way but return through the RED...

    That's why I need to change metric :)

    Olivier

  • I bet WebAdmin won't let you fix the misconfiguration in the way you're trying.  Perhaps you could present a simple diagram with IPs and subnets noted.

    Cheers - Bob

  • Hi Bob,

    You're right, AFAIK there's no setting in WebAdmin for that.

    Below, a diagram with some details:

    Default route on Cisco L3 on remote site is configured to send packets to RED (Internet).

    A specific route is configured on the same Cisco to reach Datacenter for "critical" applications.

    Thank you !

    Olivier

  • Unless I'm missing something, Olivier, there's no way to make this work with this topology.

    By the way, I didn't get why the RED would be necessary.

    Cheers - Bob

  • Sometimes you need to replace a RED with a small desktop appliance (SG/XG).

    SG with Network Protection.

    XG with Base Protection and two IPsec tunnels, or Network Protection and a RED tunnel.

    XG would be the best case because no subscription is needed.

  • Toni, you can make a site-to-site tunnel in XG without any paid subscription? - No kidding?!?  Don't you need to purchase a Support subscription?

    Cheers - Bob

  • Hi Bob,

    Take a look at this KBA:

    https://community.sophos.com/kb/en-us/131806

    Base License includes VPN: IPsec RAS / S2S, SSL VPN RAS / S2S.

    RED and HTML5 are in Network Protection.

    You can purchase an enhanced subscription, but you do not have to. The KBA explains the warranty status.

  • Hi Bob,

    I'll continue in English for the community; I didn't know you were perfectly bilingual :)

    Actually, with this topology it works, but in case of an Internet or box failure (in front of the RED), users lose access to the datacenter...

    As I tried to explain, the default route of the entire MPLS network is pointing to another firewall with no Internet access for this remote network.

    @Toni, correct me if I'm wrong, but with an SG/XG box and an IPsec tunnel, will it be the same? The tunnel has the highest priority in terms of metric, and it's by design.

    Olivier

  • You would have to configure some kind of backup.

    https://community.sophos.com/kb/en-us/123323

    This should be the same setup in XG, isn't it?

  • So, the only way to do it in XG is with changes at the command line.  Will those changes survive a reboot?  All upgrades?  Is there a document I could have read to answer my own question?

    Cheers - Bob

  • Thank you Toni, it's good to know!

    But in my case it means I need to replace my main Sophos with an XG model... It's not for tomorrow.

    Anyway, thank you very much Toni and Bob for your time !

    Olivier

  • You don't have to replace the main SG with an XG.

    XG uses IPsec to connect to SG without problems.

  • Toni,

    In the KB you mentioned, there's a command line to change the default behaviour of routing/metric: in my case, it's useful in the main Sophos, not in the remote site.

    Even if I put an XG box in the remote site with an IPsec tunnel, I'll face the same situation :(

  • You wouldn't have the RED problem with IPsec, Olivier.  I think I mentioned this before.  In the SG in the main office, you can use Static Routes with metrics with an IPsec Connection that's bound to the interface.

    Cheers - Bob
