
Default Routing for XG internal services (DNS, access to external services - mail blacklist queries, etc.)

I need some help with an XG 17.5 setup.

The FW has 3 external interfaces (E1, E2, E5).
The others are used for DMZ (E3), internal LAN (E0) and PBX (E4).

E1 uses public Subnet-A
E2 uses public Subnet-B
E5 uses public DUN (VDSL).

All firewall rules use interface E1.

Sometimes the firewall isn't working fine and a lot of requests to the web are delayed or not working at all.

Sophos suggested that the internal services (DNS lookup, requests to email blacklist providers or routing) are not using only "one" external interface.

These services might send data out on E2 or E5 and wait for the data on interface E1; the data might travel over 2 interfaces (one out and another in).

Sophos will not provide any help, because they don't know how to do this or this would be an initial setup.
Initial setups are not supported.

Has anyone done this before in the web GUI or in the advanced shell?

Thanks

Jürgen

  • This will be resolved in V18 (with policy-based routing), but in the current state you can do the following:

    XG uses a WAN Link Manager with active/passive state for the system-generated traffic.

    Which means, if one interface is active and two are passive, the active one will be used for 100% of the firewall's own traffic.

    Firewall rules are not affected by this system. So you could basically set up one interface as active and the other two as passive; that should resolve your issue.

    PS: Active/passive does not use the same mechanism as UTM. The interface is still up and can be used all the time.

    PS2: In your personal com, you wrote that ports E1 and E2 use the same subnet? If that is true, I am quite unhappy with such a setup and would recommend placing an alias on E1 with the IP of E2. Maybe this would resolve the issue.

  • Thanks LuCar Toni,

    In WAN Link Manager all 3 external interfaces are marked as Active (Port E1, E2 and E3).
    I will change this so that only one interface, Port2_GW / E1, will be Active; the others are all Backup now.

    What you say seems legit.
    If all were Active and the system-generated traffic uses PPPoE, this would explain why disconnecting PPPoE solved the problem immediately.

    The PPPoE ISP is a cheap 250 MBit VDSL line and not always the best; its only advantage is the speed.
    Telekom 50 MBit is rock solid ...

    Ports E1/E2 use different subnets, each with its own gateway.

    Jürgen

  • Hello

    Isn't this simply called a fail-over link on other manufacturers' products (or something like that)? The idea here is not simply to work on a standby WAN when the main one has failed, but also to split WAN traffic across many interfaces. If so, I understand you cannot "weight & route" traffic towards each WAN link according to priorities & rules, and not simply a "default", on XG.

    If I'm not wrong, this can easily be accomplished on the simplest and cheapest Cisco routers. If you are in the mood to add such equipment ...

    Paul Jr

  • I guess there is an issue with the other interfaces right now.

    Normally this should work quite fine. https://community.sophos.com/kb/en-us/123530

    But based on the information right now, it seems like ISP 2 (not the PPPoE connection) does not work properly.

    So if the XG chooses the ISP 2 connection(s) for certain traffic, it runs into some issues. (And XG load balances the system's own traffic across all WAN connections.)

    Quite confirming this statement is that the XG fails everything if the PPPoE connection dies. So XG fails over to ISP 2 and nothing works anymore.

    This is somehow a "special" configuration: there are two different ISPs involved. ISP 1 with the PPPoE and ISP 2 with two different WAN connections coming from one router. This gets split up by a switch(?) into two different interfaces on XG. I guess the switch or the router or maybe XG is messing up something here (ARP?) and this causes those outages.

    Until this is resolved, I would recommend working with PPPoE as active and the ISP 2 interfaces as passive.
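The two replies above both turn on the same condition: whether the firewall's own (locally originated) traffic has a single egress WAN or is spread across all of them. The following is an added example, not code from Sophos, from the XG product or from anyone in this thread. It assumes (an assumption, not stated on this page) that the SFOS advanced shell exposes the usual Linux `ip route show` output, and it parses a dump of that output to report which interfaces the lowest-metric default route can leave on: more than one nexthop means the kernel spreads the firewall's own flows across links, which is the "all Active" state; exactly one means system-generated traffic is pinned to that link. The route dumps embedded below are constructed for illustration, not captured from the poster's firewall; the interface names `Port2`, `Port3` and `ppp0` are placeholders.

```python
"""Report the WAN egress of locally originated traffic from an `ip route show` dump.

Added example (not Sophos/XG code). Assumes the SFOS advanced shell offers
standard `ip route show` output; the dumps below are constructed samples.
"""
import re

RE_DEV = re.compile(r"\bdev (\S+)")
RE_VIA = re.compile(r"\bvia (\S+)")
RE_METRIC = re.compile(r"\bmetric (\d+)")


def parse_default_routes(dump):
    """Return a list of default routes, each as {"metric": int, "nexthops": [(via, dev), ...]}.

    Handles the single-path form (`default via GW dev IF`) and the multipath
    form (`default` followed by indented `nexthop ...` lines). Routes that are
    not default routes are ignored.
    """
    routes = []
    current = None
    for raw in dump.splitlines():
        if not raw.strip():
            continue
        if raw[0] not in " \t":
            # Unindented line: starts a new route; close any multipath block.
            current = None
            if raw.split()[0] != "default":
                continue
            m = RE_METRIC.search(raw)
            current = {"metric": int(m.group(1)) if m else 0, "nexthops": []}
            routes.append(current)
            d = RE_DEV.search(raw)
            if d:  # single-path default route carries its dev on the same line
                v = RE_VIA.search(raw)
                current["nexthops"].append((v.group(1) if v else None, d.group(1)))
        elif current is not None and raw.strip().startswith("nexthop"):
            # Indented nexthop line of a multipath default route.
            d = RE_DEV.search(raw)
            v = RE_VIA.search(raw)
            if d:
                current["nexthops"].append((v.group(1) if v else None, d.group(1)))
    return routes


def active_egress(dump):
    """Interfaces the firewall's own traffic can leave on: nexthops of the
    lowest-metric default route. Higher-metric defaults are backups and are
    only used when the preferred one disappears."""
    routes = parse_default_routes(dump)
    if not routes:
        return []
    best = min(routes, key=lambda r: r["metric"])
    return [dev for _, dev in best["nexthops"]]


def check_single_wan(dump, expected_dev):
    """(ok, reason): ok only when exactly one default egress exists and it is expected_dev."""
    devs = active_egress(dump)
    if not devs:
        return False, "no default route: nothing system-generated can leave"
    if len(devs) > 1:
        return False, "multipath default route across %s: own traffic is load balanced" % ", ".join(devs)
    if devs[0] != expected_dev:
        return False, "default route leaves on %s, expected %s" % (devs[0], expected_dev)
    return True, "single default route on %s" % expected_dev


# Constructed sample: all three WAN links Active (multipath default route).
ALL_ACTIVE_DUMP = """\
default proto static
    nexthop via 203.0.113.1 dev Port2 weight 1
    nexthop via 198.51.100.1 dev Port3 weight 1
    nexthop dev ppp0 weight 1
10.0.0.0/24 dev Port1 proto kernel scope link src 10.0.0.1
203.0.113.0/29 dev Port2 proto kernel scope link src 203.0.113.2
198.51.100.0/29 dev Port3 proto kernel scope link src 198.51.100.2
"""

# Constructed sample: one Active link, others Backup (single default route).
ONE_ACTIVE_DUMP = """\
default via 203.0.113.1 dev Port2
203.0.113.0/29 dev Port2 proto kernel scope link src 203.0.113.2
198.51.100.0/29 dev Port3 proto kernel scope link src 198.51.100.2
"""

# Constructed sample: backup expressed as a second default route with a higher metric.
METRIC_BACKUP_DUMP = """\
default via 203.0.113.1 dev Port2 metric 100
default via 198.51.100.1 dev Port3 metric 200
203.0.113.0/29 dev Port2 proto kernel scope link src 203.0.113.2
"""

if __name__ == "__main__":
    for name, dump in (("all active", ALL_ACTIVE_DUMP), ("one active", ONE_ACTIVE_DUMP),
                       ("metric backup", METRIC_BACKUP_DUMP)):
        print(name, check_single_wan(dump, "Port2"))
```

On a live box the dump would come from `ip route show` in the advanced shell (again an assumption about SFOS, not something this thread confirms); the check says nothing about firewall-rule traffic, which, as the reply notes, follows the rule's interface rather than the default route.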

  • Hi Lucar Toni,
    XG (SFOS 17.5.8 MR-8) is failing again on the ISP 2.
    I checked the ISP 2 with a second PC.

    ISP 2 is fine and working, only XG is failing.

    AND still no support available from Sophos...

  • Do you have a Support Case? Maybe  can look into this. 

  • Hi  

    Sorry for the inconvenience caused!

    Please PM us the service request number, I will check and assist you further.