
Connect Two XG Firewalls With Backup WAN

I have a scenario that I'm having trouble thinking through how to configure on the XG firewalls.

Let's say I have two separate buildings (Building A and Building B) on a campus that sit adjacent to each other.  Both buildings have XG firewalls and both have their own ISP for internet access.  The two buildings have to talk to one another and are currently connected via site-to-site IPsec VPN through the ISPs.  There is buried fiber between the buildings and I would like to use it instead of the VPN, which I'm confident I can get configured.  What else I would like to do is WAN failover.  For example, if the ISP connection for Building A were to get cut by a backhoe, I would like the firewall in Building A to route traffic for the internet through the ISP connection at Building B.  I'm assuming that the ports connecting the fiber between Building A and Building B would have to be WAN ports, but is this possible with the XGs?  I'm kind of confused on where to start with it.



  • Hi  

    It would be great if you could share the network diagram so we can understand it better and assist you further.

  • Here's a generic overview graphic.  At one time the two buildings were connected via the fiber and were part of one large network, but they were split out so they could each have independent networks and internet service and so we can achieve internet redundancy like what I'm trying to accomplish.  I hope this helps and just let me know if you need any more details.


  • Hi  

    Scenario when the IPsec connection is not there:

    If both firewalls are connected through the fiber and it is terminated on an interface of each XG, I would propose the configuration below, which might help you achieve your requirement.

    Please configure the fiber-connected interface on the XG in Building A in the WAN zone as a backup of the primary ISP link, so when the primary ISP link goes down, traffic is forwarded through the fiber link configured in the WAN zone.

    Now, when traffic reaches the Building B fiber interface, which is also configured in the WAN zone, you need a WAN-to-WAN firewall rule on the Building B firewall so traffic is forwarded through the Building B ISP.

    For IPSec/MPLS Failover, please refer to the article - https://community.sophos.com/kb/en-us/123323

  • Then, I can have a separate WAN-to-LAN rule to allow the LAN of Building A to talk to the LAN of Building B and vice versa, along with a static route on each end to send the traffic for the opposing LAN out the fiber WAN ports, correct?  That makes sense to me.  I guess I was thinking too much about it being WAN and LAN traffic together, and I was thinking about single-rule setups rather than multiple rules.  Sometimes I guess it helps to have another peer to help hash it out.  I really appreciate your help!  I can't try it out in the middle of the day, but I'll try it out one evening this week and reply back.

  • I finally had time to work on this last night and I have it working.  It was really simple and for some reason I was making it harder than it actually was in my head.  So here's what I did:

    I configured a port on the XG of Building A with a /30 IP address and connected it to a port on the XG in Building B with the other /30 IP address.

    Then I went into Network > WAN Link Manager on each XG and set the ports connecting the buildings to fail over if ALL other WAN links were down.

    Then I went into Routing and set a policy route on each XG to route the appropriate traffic across the fiber ports.

    Finally, I simply created the appropriate firewall rules to allow the traffic to flow.

    Everything works perfectly EXCEPT the DHCP relay.  Our DHCP server for the corporate data network is at Building A.  When the site-to-site VPN was in place, I had set up a relay to route it over IPsec and it worked fine.  But now it's not working for some reason.  That's not too important an issue to fuss over, as I have simply set up a DHCP server on the XG to service those requests for now, though I would like to get the relay to work again if possible.
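The design proposed in the reply above (fiber port in the WAN zone as a backup WAN link, WAN-to-WAN rule on the far firewall) and the four steps in the final post can be sanity-checked before touching a live box. The following is an added example, not Sophos code or the poster's configuration: a small Python model of the three decisions each XG makes (WAN Link Manager failover, the policy route for the opposite LAN over the fiber, and the LAN-to-WAN / WAN-to-LAN / WAN-to-WAN rule set), traced hop by hop for a packet leaving a host in Building A. The /24s, the /30, the interface names `lan`, `isp` and `fiber`, and the test destination 203.0.113.7 are all constructed for the example.

```python
"""Model of the two-XG WAN-failover design from the thread.

Added example, not Sophos code: models WAN Link Manager failover, the policy
route for the opposite LAN over the fiber, and the firewall rules on both XGs.
Addresses and interface names are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed addressing (hypothetical): one /24 per building; the /30 on the fiber
# itself is not needed for the decisions below, only the LANs and the zones are.
LAN_A = ip_network("10.1.0.0/24")
LAN_B = ip_network("10.2.0.0/24")
ANY = ip_network("0.0.0.0/0")


@dataclass
class Rule:
    """One firewall rule: source zone -> destination zone, matched on source and
    destination networks and, optionally, on the port the packet arrived on."""
    src_zone: str
    dst_zone: str
    src_nets: List[IPv4Network]
    dst_nets: List[IPv4Network]
    in_iface: Optional[str] = None

    def matches(self, src_zone: str, dst_zone: str, in_iface: str,
                src: IPv4Address, dst: IPv4Address) -> bool:
        return (self.src_zone == src_zone and self.dst_zone == dst_zone
                and (self.in_iface is None or self.in_iface == in_iface)
                and any(src in n for n in self.src_nets)
                and any(dst in n for n in self.dst_nets))


@dataclass
class XG:
    name: str
    peer: str                  # firewall at the other end of the fiber
    lan: IPv4Network
    remote_lan: IPv4Network
    rules: List[Rule]
    isp_up: bool = True

    def egress(self, dst: IPv4Address) -> str:
        """Routing decision in the order the final post configured it."""
        if dst in self.lan:
            return "lan"
        if dst in self.remote_lan:     # policy route: opposite LAN always over the fiber
            return "fiber"
        if self.isp_up:                # WAN Link Manager: primary ISP while it is up...
            return "isp"
        return "fiber"                 # ...fiber only when ALL other WAN links are down

    @staticmethod
    def zone(iface: str) -> str:
        return "LAN" if iface == "lan" else "WAN"   # isp AND fiber ports sit in the WAN zone

    def forward(self, in_iface: str, src: str, dst: str) -> Tuple[str, bool]:
        """Return (egress interface, allowed by some rule) for one packet."""
        s, d = ip_address(src), ip_address(dst)
        out_iface = self.egress(d)
        allowed = any(r.matches(self.zone(in_iface), self.zone(out_iface), in_iface, s, d)
                      for r in self.rules)
        return out_iface, allowed


def site_rules(own: IPv4Network, other: IPv4Network) -> List[Rule]:
    """The three rules each side needs. WAN-to-LAN and WAN-to-WAN are pinned to the
    fiber port and to the peer's LAN so the ISP port never becomes an open relay."""
    return [
        Rule("LAN", "WAN", [own], [ANY]),                        # own LAN out (ISP or fiber)
        Rule("WAN", "LAN", [other], [own], in_iface="fiber"),    # peer LAN into own LAN
        Rule("WAN", "WAN", [other], [ANY], in_iface="fiber"),    # peer LAN out via own ISP
    ]


def build_sites(isp_a_up: bool = True, isp_b_up: bool = True) -> Dict[str, XG]:
    return {
        "A": XG("A", "B", LAN_A, LAN_B, site_rules(LAN_A, LAN_B), isp_a_up),
        "B": XG("B", "A", LAN_B, LAN_A, site_rules(LAN_B, LAN_A), isp_b_up),
    }


def trace(sites: Dict[str, XG], start: str, src: str, dst: str,
          max_hops: int = 4) -> List[Tuple[str, str, str, bool]]:
    """Follow a packet from a LAN host behind `start`; each hop is
    (firewall, in_iface, out_iface, allowed). Stops on drop, ISP egress or LAN delivery."""
    fw, in_iface, path = sites[start], "lan", []
    for _ in range(max_hops):
        out_iface, allowed = fw.forward(in_iface, src, dst)
        path.append((fw.name, in_iface, out_iface, allowed))
        if not allowed or out_iface in ("isp", "lan"):
            break
        fw, in_iface = sites[fw.peer], "fiber"   # crosses the fiber to the peer's WAN port
    return path


if __name__ == "__main__":
    for a_up, b_up in ((True, True), (False, True), (False, False)):
        print(f"ISP A up={a_up}, ISP B up={b_up}:",
              trace(build_sites(a_up, b_up), "A", "10.1.0.10", "203.0.113.7"))
    print("A LAN -> B LAN:", trace(build_sites(), "A", "10.1.0.10", "10.2.0.20"))
```

With both ISPs up the packet leaves on Building A's own ISP; with ISP A down it crosses the fiber and is forwarded by Building B's WAN-to-WAN rule out ISP B, which is the failover the thread set out to build. The model also shows why the WAN-to-WAN rule should be pinned to the fiber port and the peer's LAN: a packet arriving on B's fiber port with a source outside LAN_A is dropped, and if both ISPs are down B's only remaining default route is the fiber, so the packet comes straight back to A, where A's WAN-to-WAN rule (source must be LAN_B) drops it instead of letting the two firewalls bounce it until the TTL expires.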