
UTM to UTM LAN interconnect via RED L2 tunnels: how to deploy WAN Uplink Redundancy?

We implemented a working L2 LAN interconnect with a single UTM9 to UTM9 RED tunnel. The RED server site has 3 WAN uplinks. The RED client site has a single WAN uplink. Is it possible to deploy the WAN Uplink Redundancy? Something like setting up 3 RED tunnels, each using a different WAN uplink on the RED server. If the primary RED tunnel fails, the LAN interconnect automatically falls back to one of the other two tunnels. Or, perhaps even better, to use all 3 tunnels in parallel. Does this sound feasible?



  • This can work, Jocky, but not if you bridge the two ends as I suggested in your thread about DHCP.  Frankly, this would seem more valuable than the bridged solution and could be done easily with Multipath rules.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hm, that's a pity then, because we use an L2 RED tunnel where at both ends we bridge the RED NIC with the internal LAN NIC. We require an interconnected LAN with the same IP network address at both ends. I agree, the redundancy is valuable, but since the interconnected LAN is only a temporary solution for a couple of weeks we can survive w/o redundancy. Why is it that Multipath and Uplink Balancing cannot work with RED L2 tunnels?

  • Multipath rules only apply to Uplink interfaces, and that requires a default gateway.  Hmmmm...

    I've never tried this, but what happens if you add the IP on the Client UTM's LAN interface as a default Gateway to the LAN interface on the Server UTM?  Make sure the Server UTM has Multipath rules that capture all other traffic.  The rule for RED traffic would need to be at the top of the list.

    If that works, then try adding a second and third RED connection.

    An interesting thought experiment.  If it works, please let us know!

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Here is your solution, including screenshots etc. (it's in German, but I think you'll understand when you see the screenshots)

    http://www.klehr.de/michael/sophos-utm-site2site-vpn-mit-mehreren-providern-ipsec-failover-grered-devices-und-ospf-routing/

    ---

    Sophos UTM 9.3 Certified Engineer

  • Excellent, Ben, I'd forgotten about Michael's blog even though, with his permission, I had put an IPsec version of that piece into the local UTM Wiki about two years ago.

    I believe that his prescription will work, with some adjustments.  Michael's task was to have two redundant tunnels, each on a separate pair of WAN connections.  The goal here is to have the Client side establish three redundant tunnels, one to each of three WAN connections on the Server.

    Jocky, you won't need the Multipath rules 4 & 5 on the Client side since you have only a single ISP there.  I'm still pessimistic about whether this can work with the LANs bridged over the RED connections.

    It seems like the easier solution would be to have one tunnel with the single-ISP site as the Server and the 3-ISP site as the Client.  Then, just have two Multipath rules in the 3-ISP UTM, one that binds all RED traffic to the primary interface and then a following rule binding all RED traffic to the secondary interface.  If both are down, then traffic will go out the third.  This way, you also get to keep the bridging.  The downside is that an outage would cause a sub-one-minute interruption instead of having instant failover with Michael's approach.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
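To make the two points in Bob's replies concrete (a RED rule placed below a catch-all rule never gets a chance to match, and two ordered RED rules plus the default uplink give the primary/secondary/third fallback chain), here is an added model of first-match Multipath rule evaluation. It is constructed for this thread, not Sophos UTM code: the `Rule` type, the `select_uplink` function, the `wan1`..`wan3` names and the assumption that a rule whose bound uplink is down is skipped are all mine.

```python
"""Constructed model of ordered Multipath rule evaluation for RED traffic.

Added illustration, not Sophos UTM code. Assumptions: rules are evaluated
top to bottom; the first rule whose service matches AND whose bound uplink
is up wins; a rule bound to a dead uplink is skipped; traffic matching no
live rule falls back to any uplink that is still up (the "third interface"
case described in the thread).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    service: str   # "RED" or "ANY" (hypothetical matcher, not a UTM field)
    bind_to: str   # uplink name the matching traffic is bound to


def select_uplink(rules, service, uplink_up):
    """Return the uplink a flow of `service` leaves through, or None."""
    for rule in rules:
        if rule.service not in (service, "ANY"):
            continue
        if uplink_up.get(rule.bind_to, False):
            return rule.bind_to
        # bound uplink is down: this rule is skipped, evaluation continues
    # no rule with a live uplink matched: plain uplink balancing over what is up
    for name in sorted(uplink_up):
        if uplink_up[name]:
            return name
    return None


# Bob's ordering: the RED rules sit above the rule catching all other traffic
RED_FIRST = [Rule("RED", "wan1"), Rule("RED", "wan2"), Rule("ANY", "wan3")]
# Same rules with the catch-all on top: the RED rules become unreachable
CATCHALL_FIRST = [Rule("ANY", "wan3"), Rule("RED", "wan1"), Rule("RED", "wan2")]


def failover_sequence(rules):
    """Uplink chosen for RED traffic as wan1, then wan2, then wan3 fail."""
    states = [
        {"wan1": True, "wan2": True, "wan3": True},
        {"wan1": False, "wan2": True, "wan3": True},
        {"wan1": False, "wan2": False, "wan3": True},
        {"wan1": False, "wan2": False, "wan3": False},
    ]
    return [select_uplink(rules, "RED", s) for s in states]


if __name__ == "__main__":
    print("RED rules first:", failover_sequence(RED_FIRST))
    print("catch-all first:", failover_sequence(CATCHALL_FIRST))
```

With the RED rules on top the chain is wan1, wan2, wan3; with the catch-all on top every state lands on wan3 until it too is down, which is why the RED rule has to be at the top of the list.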
  • Hi Ben & Bob, that very much sounds like the solution for our problem. Actually, we just swapped the RED client & server roles between the sites. So now the new site is the RED server and has a single WAN uplink. The old site, which will be phased out in some months, is the RED client and has 3 WAN uplinks. I think Multipath combined with OSPF routing is what we must go for.


    Cheers,

    JockyW