
Multiple interfaces and RED

I have 2 locations and each location has 2 internet links. Currently I have one RED tunnel between the locations, which works fine. Now I will be adding two direct links between those locations. I would like to achieve two things:

- RED tunnels should always try to establish a connection first through the direct links and only if they are down through the internet. I didn't see anywhere in the interface the possibility to set this up. I am assuming it has to be done through some smart firewall rule, but I am not sure how to create such a rule.

- Since I have two direct links I would like to load balance traffic through those links - so the question is - can I establish two RED tunnels between the same devices and policy route different traffic through each tunnel, or is there a way to force RED to do load balancing for me?

Pawel

  • Hi,


    First of all, load balancing between two RED interfaces is not possible. We "could" implement some kind of BGP load balancing, but it only relies on connection pinning. Like the RED 50, the XG/SG can only stick connection A to tunnel 1 and connection B to tunnel 2.

    The balancing algorithm selects an outgoing link based on source and destination IP address. It does not balance on a per packet basis. The reason is that TCP performance suffers severely when packets are reordered due to different paths in a single TCP connection.

    This means that any transmission with the same source and destination IP address will always take the same interface combination. For example, outgoing packets always on WAN 1 to uplink 1 on Sophos UTM, incoming packets always from uplink 2 on Sophos UTM to WAN 1. When a client behind a RED 50 downloads a large file, all incoming packets will be transmitted via one interface only. When a client downloads two files simultaneously from two different servers, the incoming packets will be transmitted via either one interface or both interfaces, depending on the IP addresses.


    Next point: Do you have static IPs on both XGs?

    You would have to set up the tunnels with this command: https://community.sophos.com/kb/en-us/122999

    XG1 ISP 1  -- RED Tunnel -- XG2 ISP1

    XG1 ISP 2 -- RED Tunnel -- XG2 ISP2


    So you apply the command:

    XG1: Destination XG2 ISP1 SNAT IP: XG1 ISP1

    XG1: Destination XG2 ISP2 SNAT IP: XG1 ISP2


    And vice versa.
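The per-flow pinning described in the answer above (the same source/destination pair always lands on the same link, so one TCP connection is never spread across paths and reordered) can be modelled in a few lines. This is an added illustration, not code from the poster or from Sophos: the link-selection hash (an XOR of the two addresses), the link names and the sample packet lists are constructed assumptions, and the real appliance's hash function is not given in the thread. The per-packet round-robin selector is included only to show the failure mode the answer warns about.

```python
import ipaddress
from collections import Counter

# Constructed: two uplinks per site, as in the thread (ISP1 / ISP2).
LINKS = ["uplink1", "uplink2"]


def select_link(src_ip: str, dst_ip: str, links=LINKS) -> str:
    """Per-flow pinning: pick a link from the (source, destination) pair only.

    The same pair always maps to the same link, so every packet of one TCP
    connection follows one path. The XOR of the two addresses is a toy hash
    chosen so results are easy to verify by hand; it is symmetric, so the
    reverse direction of a flow is pinned to the same link too.
    """
    key = int(ipaddress.ip_address(src_ip)) ^ int(ipaddress.ip_address(dst_ip))
    return links[key % len(links)]


def select_link_per_packet(seq: int, links=LINKS) -> str:
    """Per-packet round-robin: what the appliance deliberately does NOT do.

    Alternating links packet by packet spreads one connection over both paths;
    differing path latencies then deliver segments out of order and TCP
    throughput collapses (the reason given in the answer above).
    """
    return links[seq % len(links)]


def route_packets(packets, selector=None):
    """Assign each (src, dst, seq) packet to a link.

    Returns a mapping flow -> set of links used, and a per-link packet count.
    With the default (flow-based) selector every set has exactly one member.
    """
    per_flow = {}
    per_link = Counter()
    for src, dst, seq in packets:
        if selector is select_link_per_packet:
            link = select_link_per_packet(seq)
        else:
            link = select_link(src, dst)
        per_flow.setdefault((src, dst), set()).add(link)
        per_link[link] += 1
    return per_flow, per_link


def flows_are_pinned(per_flow) -> bool:
    """True when no flow was split across more than one link."""
    return all(len(links_used) == 1 for links_used in per_flow.values())


# Constructed sample: a client behind the tunnel (10.1.0.10) downloading two
# files at once from two different servers; packets listed as seen inbound.
SAMPLE_PACKETS = (
    [("203.0.113.5", "10.1.0.10", seq) for seq in range(6)]   # file 1
    + [("198.51.100.6", "10.1.0.10", seq) for seq in range(4)]  # file 2
)

if __name__ == "__main__":
    flows, counts = route_packets(SAMPLE_PACKETS)
    for flow, links_used in flows.items():
        print(f"{flow[0]} -> {flow[1]}: {sorted(links_used)}")
    print("per-link packet counts (flow pinning):", dict(counts))
    rr_flows, _ = route_packets(SAMPLE_PACKETS, select_link_per_packet)
    print("flows pinned under per-packet round-robin?", flows_are_pinned(rr_flows))
```

Running it shows the two downloads landing on different uplinks (so both links carry traffic), while a single download never leaves its link; switching to the per-packet selector splits each download across both links, which is exactly the reordering case the appliance avoids.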

  • Two questions

    - how would BGP help me balance traffic - in my case I need to send traffic type 1 (client to server) through link 1 and traffic type 2 (server to server) through link 2

    - how will SNAT help in my case, as I am a little lost :)

  • Would suggest forgetting about the BGP part. Simply build up 2 rules afterwards. Will work.


    You need SNAT to define the correct outgoing IP interface to the correct ISP WAN interface of the other site. If you don't do this, you cannot control which WAN port is used by the XG to build up the RED tunnel in the first place.
