Standby Interfaces & uplink Interfaces

Hi guys,

I need to ask: I am not sure what the best configuration is for combining standby interfaces in Uplink Interfaces with Multipath Rules, and I also have a problem.

I was reading posts like these and I noticed Balfson was saying we shouldn't combine Uplink Balancing with Multipath Rules. He was talking about "interfaces", but I have "Uplink Interfaces" and it is not clear to me, so I don't know whether what he said applies to any network structure or to my case. Can I keep the server as I have it right now?

We have 2 ISPs: the primary with 100 Mbits synchronous with no DHCP, and the secondary with 10 Mbits not synchronous in DHCP mode, only for use when we have a failover on the primary. The tricky part for me is that when we go on failover, the internet is only for 3 VLANs, not the entire network.

That is why I set up this:

Uplink Balancing

   Active Interfaces: primary ISP

   Standby Interfaces: secondary ISP

 

Multipath Rules

   Rule 1: all the network ->any->any->Uplink Interfaces

   Rule 2: group of 3 vlans ->any->any->Uplink Interfaces

 

With all that config, my standby interface appears normally in the dashboard in UP state, not as Standby. Is that OK?

Also, in the dashboard I have an UP in the link part. So far I wasn't having any trouble, but since today I am having an ERROR in the link part (UP in the state part). The standby ISP interface works with an ADSL modem; I checked directly connected to it and it is working fine. Any idea on this?

 

Thanks and regards.



  • Hi Luis,

    I'm not sure what you saw that you interpreted me saying to not use Multipath rules - I use them all the time.

    If the backup ISP is a fixed charge, the only thing I would do differently is that I would put it in 'Active' instead of 'Standby'. If you're still having troubles, please show pictures of the Edits of the two Multipath rules with 'Advanced' open.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I apologize, it wasn't Balfson, it was "da_merlin". Really, really sorry.

     

    https://community.sophos.com/products/unified-threat-management/f/management-networking-logging-and-reporting/33415/multipath-rules-second-interface-missing

     

    But also, I didn't say "not to use them"; I said "not to combine them with Standby interface". Remember, I am using the object "uplink interfaces" in multipath rules, not just "interfaces"; that is why I ask.

    I turn back the second ISP in an Active Interface in second place, and the error message in the link part disappeared, but at that moment I lost internet on both interfaces. I guess it is because I left 100 in Weight on both interfaces.

    I only need to use the secondary ISP in case (and only in that case) the primary has some trouble, so I turned everything back to how I had it before, and right now it is working fine; the error magically disappeared. But again, I guess we should have the word "standby" in the state part of the dashboard, shouldn't we? We still have the word "up". That was the issue which confused me in the first place, and I am still confused: why is it working now and not then, if in the end I have the same config?

     

    Weird situation, any idea? Thanks anyway and regards.

     

          

  • I didn't look closely enough at your first post, Luis.  I would do this differently.

    Put both Interfaces in 'Active Interfaces'. In both Multipath rules, instead of persistence "by Connection," I would bind each to the interface:

    1. Internet de Alestra01 [by Interface] : Any -> Any -> Internet -> Alestra01
    2. Internet de Infinitum01 [by Interface] : Navigacion Infinitum -> Any -> Internet -> Infinitum01
    3. Internet de Alestra01 [by Interface] : Any -> Any -> Internet -> Alestra01

    As long as Alestra functions, all traffic will go out via it.  Also, in the 'Advanced' section of rules, DON'T select 'Skip rule on interface error'.

    Cheers - Bob

    EDIT 2017-06-20 Added DON'T and rule 3.  Rule 3 is needed to prevent subnets outside "Navigacion Infinitum" from using Infinitum01.

     
  • Ok, if I get it right, you are asking me to:

    1) Go to “Uplink Balancing” and put the secondary ISP (infinitum01) in the active group, not the Standby group

    2) Then in “Multipath Rules”, edit them both to change the option "Itf. Persistence:", setting it to "By Interface", not “By Connection”, isn't it?

    In this case I have these questions:
    1) What is the point of having the Standby option? Shouldn't the secondary ISP be a Standby?
    2) Is this advice because the secondary ISP does not have the same quality? Doesn't it matter that it is only for 3 VLANs? (just 10 users on those)

    It is clear to me that with this config we could accomplish our goal of keeping internet in those VLANs in case we lose the primary ISP. I believe in your experience, but this is confusing me more than at the beginning, lol. Could you please explain this config more?

    Thanks and regards.

  • ERRATA: in my first reply, when I said:

    "I turn back the second ISP in an Active Interface in second place"

    I was trying to say, "I did put the second ISP in an Active Interfaces group in second place"

    Sorry, it was my bad.

  • My bad - I just corrected my post. [:D]

    For me, the Standby Interface is one for which there are per-GB charges.  Having one of those services in Active costs a lot more than putting it in Standby.

    Cheers - Bob

     
  • Ok, for me a Standby Interface is a secondary one which is only there to keep the service in case some trouble occurs, in this case losing internet service. We use it while we recover the primary service from a power failure at the ISP or some other trouble, and it doesn't matter what the cost is... OK, it is not that the cost doesn't matter, but in this case it is not an issue.

    If we consider the fact that the rule is only intended for a small fraction of users, not for the entire network, even better, just a small number of users, it does not matter that it is a service with less capacity in Mb, and talking about this point:

    Less capacity & just for 3 VLANs:

    1) Why put rule number 3, if I already set up rule number 2 for the 3 specific VLANs? Isn't it redundant?

    2) Where should I not select "Skip rule on interface error"? I can't see it in the rule edit window; there is no such option in the Advanced part!!

    I leave you more images to help. Thanks and regards.

     

        

  • 1. Without that rule, traffic from the subnets other than "Navigacion Infitum01" will qualify for the default - balancing by Connection on the working available WAN connection.

    2.

    Cheers - Bob

     
  • Ok, got it.

     It is good to know this behavior: no matter if you put only a group of VLANs, if the second rule comes into action it will serve all the network. I guess the reason is the "uplink balancing" object I have in those setups, isn't it?

     About the picture you sent, for "Skip rule on interface error" I see it is there for you, but if you look at what I sent to you, it is not there for me. I guess it will appear the moment I start to change everything.

     I cannot try all these setups you suggest until next week, when we enter maintenance mode, so I will let you know how it went.

     Thanks and regards.

     

  • Yes, Luis, once you change it to 'by Connection', the content of 'Advanced' will change. [;)]

    Cheers - Bob

     