I've been working on a project to increase the speed and resiliency between all of our sites. We currently have cable internet at each site of varying levels of quality from two different providers, and our IPSEC tunnels are slow. Our sites are no more than 6 miles apart, so we set up Ubiquiti AirFiber between all the sites.
The first week after deploying our AirFiber we had a major wind storm that blew one of them out of alignment. We've re-aimed and pinned them and since we haven't started utilizing this equipment yet it didn't cause any down time, but I want to ensure connectivity in the case of another outage.
Our sites are comprised of the following equipment:
- SiteA - Sophos Firewall XG230
- SiteB - Sophos UTM SG230
- SiteC - Sophos Firewall XG230 (this site has the three AirFibers connected via a Ubiquiti Tough Switch) *This firewall is new and arrives today*
- SiteD - No router, just a managed switch with an access point. We intend to just serve internet to this site over the wireless PTP.
I'm not sure exactly how to configure these devices to enable failover from the AirFiber to a tunnel over the internet. I think it'd be easier if everything was running XG Firewall or all UTM, and I could just set up IPSEC tunnels and failover groups over the AirFiber/WAN interfaces. I've tried something like that from SiteA to SiteB using a combination of initiate/respond-only VPNs on the XG to UTM link, but the failover group on the XG doesn't work consistently/fast enough... and I've read that it won't have an option to fail back until 17.5.
I've been thinking that perhaps if I set up RED tunnels over the internet between each site and then enable OSPF, traffic should route over the AirFiber interface as it's higher bandwidth, and then it would route over the RED interface if the AirFiber connection fails. Or perhaps I could use weighted gateways and policy routes instead of OSPF?
Any guidance would be greatly appreciated.
Thanks,
JR
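An added worked example, not part of the original post and not Sophos configuration, modelling the OSPF-over-RED idea from the question: it runs an SPF calculation over the four sites with assumed interface costs (10 for AirFiber, 100 for RED; link names and the SiteC hub layout are taken from the post), shows the AirFiber path winning while it is up and the RED tunnel taking over when the SiteA to SiteC AirFiber link drops, and shows that with equal costs OSPF would prefer the slower direct RED tunnel, so costs must be set explicitly rather than assumed to follow bandwidth.

```python
import heapq

# Constructed topology for the four sites in the post. SiteC is the AirFiber hub
# (three radios on a switch); RED tunnels over the internet join the routed sites.
# Entry: (site, site, link name, assumed OSPF interface cost).
LINKS = [
    ("SiteA", "SiteC", "airfiber", 10),
    ("SiteB", "SiteC", "airfiber", 10),
    ("SiteD", "SiteC", "airfiber", 10),
    ("SiteA", "SiteB", "red", 100),
    ("SiteA", "SiteC", "red", 100),
    ("SiteB", "SiteC", "red", 100),
]

# Same links with every interface left at one cost: OSPF has no idea which
# link is the fast one unless the costs tell it.
EQUAL_COST = [(a, b, name, 10) for a, b, name, _ in LINKS]


def build_graph(links, down=()):
    """Adjacency list; links listed in `down` as (site, site, name) are omitted."""
    graph = {}
    for a, b, name, cost in links:
        if (a, b, name) in down or (b, a, name) in down:
            continue
        graph.setdefault(a, []).append((b, cost, name))
        graph.setdefault(b, []).append((a, cost, name))
    return graph


def spf(graph, src, dst):
    """Dijkstra, i.e. OSPF's SPF run from `src`.

    Returns (total cost, [link names along the path]) or None if unreachable.
    """
    best = {src: 0}
    heap = [(0, src, [])]
    while heap:
        cost, node, path = heapq.heappop(heap)
        if node == dst:
            return cost, path
        if cost > best.get(node, float("inf")):
            continue  # stale queue entry, a cheaper route was found already
        for nbr, link_cost, name in graph.get(node, []):
            new_cost = cost + link_cost
            if new_cost < best.get(nbr, float("inf")):
                best[nbr] = new_cost
                heapq.heappush(heap, (new_cost, nbr, path + [name]))
    return None


def route(src, dst, down=(), links=LINKS):
    """Best path between two sites, optionally with some links failed."""
    return spf(build_graph(links, down), src, dst)
```

With the AirFiber costs lower, SiteA reaches SiteB through the SiteC hub at cost 20; when the SiteA to SiteC radio is down, the direct RED tunnel (cost 100) takes over automatically, and SiteD is still reached over RED to SiteC and then the remaining radio.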