Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 3 replies
  • Subscribers 2 subscribers
  • Views 3787 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

UTM Routing

Goran Cvijanovic

Hello everyone,

 

I have silly problem in my scenario with UTM, I will first describe my network because I wan't you to understand what I want to achieve before you tell me something like "Turn on uplink balancing".

Ok, so i have a company with two locations, both locations have internet connection and local networks.

Location A: I have 2 ISP at this location attached to Sophos UTM, they are configured for uplink balancing in active/active mode. I also have fiber connection to location B using third ISP that's providing 1Gbps between locations that is used to connect those networks.

Location B: At this location I have only 1 ISP attached to Cisco 2921, and I also have already mentioned fiber connection to location A. Because this (B) location have only ADSL 15/1 Mbps I decided to send all traffic to location A via fast fiber 75/75 Mbps link. Other reason for doing this is to get equal protection of all devices at both locations, because only location A have Sophos UTM SG330. At this location I configured Cisco router (L3 switch in this case) to check fiber connection via location A by sending ping to DNS server of a fiber ISP, and if ping to DNS server fail, L3 switch thinks that there is no Internet at location A and route traffic to 2921 router with ADSL Internet connection and everything works just fine. I tested this and everything is working as it should.

Now I came into a problem. I want to create a failover in case if I lose both Internet connections at location A. Location B will figure out that location A lost Internet and send traffic to Cisco, but I want UTM to also send all traffic to location B while Internet is down. At first I was thinking it's going to be easy to achieve something like this. I went to Interface configuration and changed interface that is connecting me to location B to also include default route, and after that I added that interface in Uplink Balancing as standby interface, and same second I have lost connection between locations because when I put that interface to uplink balancing as standby interface, UTM instantly shutdown that interface because other uplink interfaces are still up. Problem is that I want to use this fiber as my uplink ONLY when I lose both ISP-s at location A, but I need that fiber connection active always for other traffic between locations.

Now I'm thinking what will happen if I add this interface in active mode also, but i set Weight to 0? Does this mean that UTM will keep this interface UP but it will not use it to send Internet traffic to this interface while other 2 ISP-s are up, or it will send small portion of traffic via this interface. Sending Internet traffic from A to B location is only acceptable if we lose both ISP-s at location A.

I also tried adding default route to fiber connection with bigger metric, but I'm not able to create default route in Interface/Static Routes, when I put AnyIPv4 in destination UTM just doesn't allow this.

Am I missing something while there is a simple solution to my problem, or this is really hard to achieve?

Reason I'm posting question is because I already broken connection in production (for 2 minutes :D) when I added this interface as backup, so I can't test configuration in production anymore, and I want to hear others before I decide to change something again.

Thanks everyone in advance!



This thread was automatically locked due to age.
Parents
  • +1

    Hi, Goran, and welcome to the UTM Community!

    Yes, you should be able to accomplish what you want with a zero weight.  You will not need a Static route, but I'm assuming that the default gateway for the connection to location B is an IP on the Cisco.  Note that you will still need firewall rules in the 330 and Cisco and a masquerading rule for the location A traffic in the Cisco.  I'm also assuming that I understood correctly that the Cisco isn't responsible for routing location B traffic to the 330.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Thanks for answer!

    Cisco L3 switch 3850 is responsible for routing at location B, and that switch is checking fiber connection to location A, if he lose that connection he will pass traffic to local Cisco 2921 router that have all necessary configuration (NAT and route to location A networks via L3 switch). I just needed confirmation because I don't want to test in production anymore. UTM also have all configuration like firewall and NAT to both WAN interfaces. I have local traffic working without problems, the only new improvement I want to add is Internet failover for location A if for any reason they lose both ISP-s.

    I will post results when I configure this.

    Once again, thanks for answer!

Reply
  • 0 in reply to BAlfson

    Thanks for answer!

    Cisco L3 switch 3850 is responsible for routing at location B, and that switch is checking fiber connection to location A, if he lose that connection he will pass traffic to local Cisco 2921 router that have all necessary configuration (NAT and route to location A networks via L3 switch). I just needed confirmation because I don't want to test in production anymore. UTM also have all configuration like firewall and NAT to both WAN interfaces. I have local traffic working without problems, the only new improvement I want to add is Internet failover for location A if for any reason they lose both ISP-s.

    I will post results when I configure this.

    Once again, thanks for answer!

Children
No Data
Unfiltered HTML