
Connect Two XG Firewalls With Backup WAN

I have a scenario that I'm having trouble thinking through how to configure on the XG firewalls.

Let's say I have two separate buildings (Building A and Building B) on a campus that sit adjacent to each other.  Both buildings have XG firewalls and both have their own ISP for internet access.  The two buildings have to talk to one another and are currently connected via site-to-site IPsec VPN through the ISPs.  There is buried fiber between the buildings and I would like to use it instead of the VPN, which I'm confident I can get configured.  What else I would like to do is WAN failover.  For example, if the ISP connection for Building A were to get cut by a backhoe, I would like the firewall in Building A to route traffic for the internet through the ISP connection at Building B.  I'm assuming that the ports connecting the fiber between Building A and Building B would have to be WAN ports, but is this possible with the XGs?  I'm kind of confused on where to start with it.



  • Hi

    It would be great if you could share the network diagram to understand it better and we can assist you further.

  • Here's a generic overview graphic.  At one time the two buildings were connected via the fiber and were part of one large network, but they were split out so they could each have independent networks and internet service and so we can achieve internet redundancy like what I'm trying to accomplish.  I hope this helps and just let me know if you need any more details.


  • Hi

    Scenario: when the IPsec connection is not there.

    If both the firewalls are connected through fiber and terminated on each XG firewall interface, I would propose the below configuration which might help you to achieve your requirement.

    Please configure the fiber-connected interface on the XG in Building A as a WAN zone, acting as a backup of the primary ISP link, so when the primary ISP link goes down, the traffic would be forwarded through the fiber link configured as a WAN zone.

    Now when the traffic reaches Building B's fiber interface, which is also configured as a WAN zone, you need a WAN-to-WAN firewall rule on the Building B firewall so the traffic is forwarded through Building B's ISP.

    For IPSec/MPLS Failover, please refer to the article - https://community.sophos.com/kb/en-us/123323

  • Then, I can have a separate WAN to LAN rule to allow the LAN of Building A to talk to the LAN of Building B and vice-versa, along with a static route on each end to send the traffic for the opposing LAN out the fiber WAN ports, correct?  That makes sense to me.  I guess I was thinking too much about it being WAN and LAN traffic together and I was thinking about single rule setups rather than multiple rules.  Sometimes I guess it helps to have another peer to help hash it out.  I really appreciate your help!  I can't try it out in the middle of the day, but I'll try it out one evening this week and reply back.

  • I finally had time to work on this last night and I have it working.  It was really simple and for some reason I was making it harder than it actually was in my head.  So here's what I did:

    I configured a port on the XG of Building A with a /30 IP address and connected it to a port on the XG in Building B with the other /30 IP address.

    Then I went into Network > WAN Link Manager on each XG and set the ports connecting the buildings to fail over if ALL other WAN links were down.

    Then I went into Routing and set a policy route on each XG to route the appropriate traffic across the fiber ports.

    Finally, I simply created the appropriate firewall rules to allow the traffic to flow.

    Everything works perfectly EXCEPT the DHCP relay.  Our DHCP server for the corporate data network is at Building A.  When the site-to-site VPN was in place, I had set up a relay to route it over IPsec and it worked fine.  But now it's not working for some reason.  That's not too important of an issue to fuss over, as I have simply set up a DHCP server on the XG to service those requests for now, though I would like to get the relay to work again if possible.

  • How would I do this with UTM 9.x?  I have a very similar circumstance with UTM 9.x.

  • In my situation I am not using IPsec tunnels.  I have a Layer 2 fiber / private network between Site A and Site B.  All internet traffic currently goes through Site A.  If the internet connection goes down at Site A, I want all internet traffic to go to Site B through a smaller backup internet connection.  Again, I'm on UTM 9.x, not XG.

    Also, the private ethernet / fiber link is not connected directly to either UTM A or UTM B.  We do that with Layer 3 switches.  Each UTM connects to the switch on each site via a copper patch cable on the LAN 1 port.  It is a trunk port, therefore all appropriate VLANs are tagged.

    We basically want UTM A to say "Hey, my internet connection just broke.  Route all outbound internet traffic to the Site B UTM.  Once the internet connection comes back up, switch back," mainly because Site A has a 500 Mb/500 Mb connection while Site B is 100/100 and is meant as a backup / failover.

  • Hi

    I would recommend you post this thread on UTM community page so community members could help you to achieve your scenario.

  • I know it's been a couple of months, but I'm just finally getting back around to this project.  I have the XG at Building B set to fail over to the fiber connection that goes to Building A.  I have a WAN-to-WAN rule on the XG in Building A to allow that traffic out to the internet.  I came in early this morning to test it and I'm having issues.  So I can see in the logs of the Building A XG the traffic from Building B going out to the internet.  It's hitting the correct firewall rule and the correct NAT rule (this XG has SFOS 18, which I hate).  However, when the traffic comes back, it gets dropped.  The log states "Invalid Traffic" with "Could not associate the packet with any connection".  I did create a "return" WAN-to-WAN firewall rule afterwards to allow anything back to the port going from Building A to Building B, but that didn't help, as I got the same result.  I'm not really sure where to go from here.

  • OK, so I was finally able to work out everything as I needed.  All I had to do was go into the NAT rule and click the checkbox "Override source translation for specific outbound interfaces" and add my primary ISP interface as well as my backup ISP interface.  Once I did that, it all flowed perfectly as expected.  I hope this helps anyone else who might be trying to accomplish the same scenario.
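    The two posts above describe a stateful firewall dropping replies as "Invalid Traffic" until the NAT rule's source translation was extended to every outbound ISP interface. The following is an added example, not code from the thread or from Sophos: a small Python model of the mechanism behind that symptom. A firewall records the post-NAT 4-tuple when a flow leaves and only accepts a reply whose reverse tuple matches that record; if the interface a flow actually exits through is not covered by the source-NAT rule, the flow leaves with its private source, no usable reply can come back, and anything that does arrive at the public address has no connection to associate with. Interface names (Port1, Port3), addresses (RFC 5737 documentation ranges and 10.0.0.0/8) and the flow are constructed for the example; the model does not claim to reproduce SFOS internals, only the general rule that source NAT must cover every egress interface a failover path can select.

```python
"""Toy model of stateful reply matching on a firewall whose outbound flows can
leave through more than one WAN interface (primary ISP or a backup ISP).

Shows why the source-NAT rule has to cover every outbound interface the
failover path can choose: the firewall accepts a reply only when its reverse
4-tuple matches the post-NAT tuple recorded when the flow left.  All names and
addresses below are constructed for this example (RFC 5737 documentation
ranges and private space), not the poster's network.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

INVALID_MSG = "Could not associate the packet with any connection"

# Explicit RFC 1918 check: ipaddress.is_private also flags the RFC 5737
# documentation ranges used here as "private", which would confuse the demo.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

    def reverse(self) -> "Packet":
        return Packet(self.dst, self.src, self.dport, self.sport)


class Firewall:
    """Stateful firewall with per-interface masquerade (source NAT)."""

    def __init__(self, interface_ips: dict[str, str], snat_override: set[str]):
        self.interface_ips = interface_ips   # interface name -> its address
        self.snat_override = snat_override   # interfaces the NAT rule translates on
        # reply 4-tuple the firewall expects -> the original (pre-NAT) packet
        self.expected_replies: dict[Packet, Packet] = {}

    def forward(self, pkt: Packet, out_if: str) -> Packet:
        """Forward pkt out out_if; masquerade only if the NAT rule lists out_if."""
        if out_if in self.snat_override:
            pkt_out = replace(pkt, src=self.interface_ips[out_if])
        else:
            pkt_out = pkt                    # leaves untranslated, private source
        self.expected_replies[pkt_out.reverse()] = pkt
        return pkt_out

    def receive_reply(self, reply: Packet) -> tuple[str, str]:
        """Return ('ACCEPT', inside host) or ('DROP', log message)."""
        original = self.expected_replies.get(reply)
        if original is None:
            return ("DROP", INVALID_MSG)      # the "Invalid Traffic" case
        return ("ACCEPT", original.src)       # un-NAT back to the host that opened the flow


def uncovered_interfaces(failover_candidates: set[str], snat_override: set[str]) -> set[str]:
    """Egress interfaces a flow may use that the NAT rule does not translate on."""
    return failover_candidates - snat_override


def simulate(snat_override: set[str]) -> dict:
    """Building A's firewall forwards a flow that arrived over the fiber from B's LAN."""
    fw_a = Firewall({"Port1": "203.0.113.10",   # primary ISP (public, constructed)
                     "Port3": "192.0.2.1"},     # fiber /30 link to building B
                    snat_override)
    # Constructed: a host on building B's LAN opening HTTPS to an Internet server
    flow = Packet(src="10.2.0.5", dst="198.51.100.7", sport=51000, dport=443)
    on_wire = fw_a.forward(flow, out_if="Port1")

    # The server answers whatever source it saw.  A private source has no
    # return path across the ISP, so that reply never reaches the firewall.
    reply = on_wire.reverse()
    if is_rfc1918(reply.dst):
        outcome = ("LOST", "reply addressed to a private source, unroutable from the ISP")
    else:
        outcome = fw_a.receive_reply(reply)
    return {"egress_src": on_wire.src, "result": outcome[0], "detail": outcome[1], "fw": fw_a}


if __name__ == "__main__":
    for override in ({"Port1"}, set()):
        r = simulate(override)
        print(f"NAT override={sorted(override) or 'none'}: egress src {r['egress_src']}"
              f" -> {r['result']} ({r['detail']})")
    print("uncovered:", uncovered_interfaces({"Port1", "Port2"}, {"Port1"}))
```

    Run it and the two cases line up with the thread: with the egress interface listed in the NAT rule the flow leaves as 203.0.113.10 and the reply is accepted and handed back to 10.2.0.5; without it the flow leaves with its private source and never completes, and any packet that does land on the public address without a recorded flow is dropped with the same message the poster saw in the log. `uncovered_interfaces` is the configuration check to run before enabling a failover path: every interface the WAN link manager can select must appear in the NAT rule's override list.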

  • Hi Nathan,

    Do you need to create WAN-to-WAN rules on both A and B?  Also, if you don't mind, could you share your WAN-to-WAN rule settings?

    Also, your routing settings.

    Thank you!

  • Yes, you have to create a WAN-to-WAN rule on both firewalls.  Basically, what you want to do is create a rule on Building B that uses the IP of the port from Building A that connects to Building B as the source and then set the destination to WAN - ANY.  Then just do the opposite on the firewall at Building A (see screenshot below).

    Depending on your requirements, I think you can either create a policy route or use the WAN link manager.  I'm actually using both because Building A houses a domain controller, so traffic needs to flow between the buildings regardless of whether a WAN connection is down or not.  But if you're just going to use it as a backup WAN connection, I believe you can get away with just creating a rule under the WAN link manager.


    I hope that helps!  

  • Hi Nathan,

    I think my case is the same as yours; I also intend to route LAN traffic from A to B regardless of whether the WAN is up or down.  Now I'm trying WAN to WAN first, but I cannot ping the link IP on both sides.

    XG A - Port 10 as WAN with IP 128.8.8.2 and GW 128.8.8.1

    XG B - Port 10 as WAN with IP 128.9.9.2 and GW 128.9.9.1

    Then I follow your firewall rules:

    XG A - WAN --> 128.9.9.2
           WAN --> Any

    XG B - WAN --> 128.8.8.2
           WAN --> Any

    Thank you

    Jay

  • You might need to either enable ping on the WAN side or make sure there is a rule to allow ping.  System > Administration > Device Access is where you'll find it.

    Then right below that is where any exceptions would go.  For example, I need ping enabled on the WAN for the network monitoring system, but I don't want anyone else to ping any WAN interfaces, so I create an exception rule at the bottom to DENY all pings, then place any allow-ping rules above it, just like you would in a typical firewall.

  • Hi Nathan, I managed to route WAN traffic from A to B.  Now how am I going to communicate LAN from A to B or B to A?  Do you have a sample configuration?

    Thank You!

    Jay

  • Simply create a regular firewall rule on each firewall that allows the required IP(s) or subnets from the other side to pass.  For example, if you wanted everything on the Building A LAN to talk to anything on the Building B LAN, just create a rule that allows just that (see below).  Then, just do the opposite on the firewall of Building B.