
WAN Link Failover - customer in the same subnet

Hey!

So, I'm fairly new to Sophos and I'm still learning the specifics. We have a bit of an annoying problem.

We're using a dynamic IP VDSL connection as our failover link (port3) together with our main connection (port2). We do some small-time hosting for our closest customers and everything is working very well. But one of our customers recently got a WAN IP that is in the same subnet as our failover link. Say we have 90.200.200.X and so do they.

The problem is that our Sophos XG 210 tries to send all the traffic from this customer back out through the failover link. So when I ping from them to us, I see traffic coming in on port2 and leaving on port3, which obviously doesn't work. Shouldn't this gateway be completely disabled unless the main connection goes down?

The failover is set up with standard failover settings according to https://community.sophos.com/kb/en-us/123530

Firmware is 17.1.3 MR-3


Dunno if more information might be required, but I'd appreciate the help :) Thanks!



  • I cannot follow your description. Can you give us some kind of visual network plan of your issue? Maybe we can help you.

  • I'll see if I can explain better.

    We have a main connection and a backup connection. These are configured as active/backup respectively under "WAN Link Manager" in our Sophos XG.

    This works perfectly fine as it is, nothing wrong with the failover function itself. It does what it's supposed to if the main connection goes down, and the other way around.

    But...


    Main connection IP: 31.200.200.X

    Backup connection IP: 90.200.200.X


    One of our customers also has 90.200.200.X because they are on the same ISP as our backup connection.

    When they send traffic to us, the firewall tries to send everything back out through the backup connection even if it's not active, which must have something to do with them being on the same subnet.

    To get around this, I had to close our backup connection temporarily. But how do I solve it permanently? I mean, there will always be a risk of a customer sharing the same exact subnet right?

  • Hi,

    Unfortunately, I do not know whether the XG can also route communications to a group containing the WAN ports so that the primary uplink is then used.

    That is to say:
    Wan -> All to -> Lan Primary Uplinks
    and
    Lan -> All to Wan Primary Uplinks

    So the communication goes from - to always over the primary uplink.

    With the UTM one could realize it that way.

    It would be an idea if this is possible with the XG.

  • It just seems so... unintelligent... that it sends traffic back on an uplink that is not supposed to be active by any standards (it's only for failover).

    Again, this particular customer pings in on primary uplink and the XG replies back through the backup uplink, just because they happen to use the same ISP and thus get the same WAN subnet on their end. If that's the case, we either need to drop our backup connection or get rid of this customer. Like huh?

    I mean, it just seems like such an overlooked problem if that's the case.
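The asymmetric reply the original poster describes, modelled as an added example (not code from this thread or from Sophos): a generic longest-prefix-match forwarding table in Python in which the backup WAN's connected network outranks the default route via the primary uplink, so a reply to a customer inside that network leaves on port3 even though the packet arrived on port2. The /24 masks, the customer address 90.200.200.50 and the /32 host override are constructed assumptions; whether and how XG exposes such a host route is not settled in this thread.

```python
import ipaddress

# Constructed values modelling the thread; the /24 masks are an assumption,
# the posts only show the first three octets of each WAN address.
MAIN_NET = "31.200.200.0/24"      # port2, primary (active) uplink
BACKUP_NET = "90.200.200.0/24"    # port3, backup uplink (same ISP as the customer)
CUSTOMER_IP = "90.200.200.50"     # constructed customer address in the backup WAN's subnet


class RouteTable:
    """Minimal longest-prefix-match table (educational model, not XG code)."""

    def __init__(self):
        self.routes = []  # list of (ip_network, egress interface)

    def add(self, prefix, iface):
        self.routes.append((ipaddress.ip_network(prefix), iface))

    def lookup(self, dst):
        """Egress interface for dst: among matching routes, the longest prefix wins."""
        dst = ipaddress.ip_address(str(dst))
        matches = [(net, iface) for net, iface in self.routes if dst in net]
        if not matches:
            return None
        return max(matches, key=lambda r: r[0].prefixlen)[1]


def build_default_table():
    """Routes a dual-WAN firewall holds: a default via the active WAN plus one
    connected route per WAN. The backup's connected route exists even while
    the backup link is not the active one."""
    rt = RouteTable()
    rt.add("0.0.0.0/0", "port2")   # default follows the primary while it is up
    rt.add(MAIN_NET, "port2")      # connected route, primary WAN
    rt.add(BACKUP_NET, "port3")    # connected route, backup WAN
    return rt


def reply_path(rt, ingress_iface, src_ip):
    """Where the reply to a packet that arrived on ingress_iface from src_ip is sent."""
    egress = rt.lookup(src_ip)
    return {"ingress": ingress_iface, "egress": egress, "asymmetric": egress != ingress_iface}


def with_host_override(rt, host_ip, iface):
    """Add a /32 for the customer: more specific than the connected /24, so it wins."""
    rt.add(f"{host_ip}/32", iface)
    return rt


if __name__ == "__main__":
    table = build_default_table()
    print(reply_path(table, "port2", CUSTOMER_IP))  # egress port3: the asymmetry in the thread
    print(reply_path(with_host_override(table, CUSTOMER_IP, "port2"), "port2", CUSTOMER_IP))
```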
