
Connect Two XG Firewalls With Backup WAN

I have a scenario that I'm having trouble thinking through how to configure on the XG firewalls.

Let's say I have two separate buildings (Building A and Building B) on a campus that sit adjacent to each other.  Both buildings have XG firewalls and both have their own ISP for internet access.  The two buildings have to talk to one another and are currently connected via site-to-site IPsec VPN through the ISPs.  There is buried fiber between the buildings and I would like to use it instead of the VPN, which I'm confident I can get configured.  What else I would like to do is WAN failover.  For example, if the ISP connection for Building A were to get cut by a backhoe, I would like the firewall in Building A to route traffic for the internet through the ISP connection at Building B.  I'm assuming that the ports connecting the fiber between Building A and Building B would have to be WAN ports, but is this possible with the XGs?  I'm kind of confused about where to start with it.



  • Hi  

    It would be great if you could share the network diagram to understand it better and we can assist you further.

  • Here's a generic overview graphic.  At one time the two buildings were connected via the fiber and were part of one large network, but they were split out so they could each have independent networks and internet service and so we can achieve internet redundancy like what I'm trying to accomplish.  I hope this helps and just let me know if you need any more details.

     

  • How would I do this with UTM 9.x?  I have a very similar circumstance with UTM 9.x.

  • In my situation I am not using IPsec tunnels.  I have a Layer 2 fiber / private network between Site A and Site B.  All internet traffic currently goes through Site A.  If the internet connection goes down at Site A, I want all internet traffic to go to Site B through a smaller backup internet connection.  Again, I'm on UTM 9.x, not XG.

     

    Also, the private Ethernet / fiber link is not connected directly to either UTM A or UTM B.  We do that with Layer 3 switches.  Each UTM connects to the switch at its site via a copper patch cable on the LAN 1 port.  It is a trunk port, therefore all appropriate VLANs are tagged.

     

    We basically want UTM A to say "Hey, my internet connection just broke.  Route all outbound internet traffic to the Site B UTM.  Once the internet connection comes back up, switch back."  This is mainly because Site A has a 500 Mb/500 Mb connection, while Site B is 100/100 and is meant as a backup / failover.

  • Hi  

    I would recommend you post this thread on the UTM community page so community members can help you achieve your scenario.

  • I know it's been a couple of months, but I'm just finally getting back around to this project.  I have the XG at Building B set to fail over to the fiber connection that goes to Building A.  I have a WAN-to-WAN rule on the XG in Building A to allow that traffic out to the internet.  I came in early this morning to test it and I'm having issues.  I can see in the logs of the Building A XG the traffic from Building B going out to the internet.  It's hitting the correct firewall rule and the correct NAT rule (this XG has SFOS 18, which I hate).  However, when the traffic comes back, it gets dropped.  The log states "Invalid Traffic" with "Could not associate the packet with any connection".  I did create a "return" WAN-to-WAN firewall rule afterwards to allow any traffic back to the port going from Building A to Building B, but that didn't help, as I got the same result.  I'm not really sure where to go from here.

  • OK, so I was finally able to work out everything as I needed.  All I had to do was go in to the NAT rule and click the checkbox "Override source translation for specific outbound interfaces" and add my primary ISP interface as well as my backup ISP interface.  Once I did that, it all flowed perfectly as expected.  I hope this helps anyone else who might be trying to accomplish the same scenario.
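    A small triage helper for the symptom in the two posts above, added here as an example and not code from the thread or from Sophos: it parses SFOS-style key="value" firewall log lines (the field names, addresses and rule ids in the sample are assumptions constructed for the example) and pairs each "Invalid Traffic" drop with the earlier allowed flow it mirrors, which is the pattern to look for when reply packets are being dropped because the firewall cannot tie them to the outbound NAT connection.

```python
import re

# Constructed sample of SFOS-style key="value" firewall log lines. Field names,
# addresses and rule ids are assumptions made for this example, not real output.
SAMPLE_LOG = """\
log_component="Firewall Rule" status="Allow" fw_rule_id="12" src_ip="128.9.9.2" dst_ip="203.0.113.10" in_interface="Port10" out_interface="Port2" reason=""
log_component="Invalid Traffic" status="Deny" fw_rule_id="0" src_ip="203.0.113.10" dst_ip="128.9.9.2" in_interface="Port2" out_interface="" reason="Could not associate the packet with any connection"
log_component="Firewall Rule" status="Allow" fw_rule_id="3" src_ip="10.1.1.25" dst_ip="203.0.113.20" in_interface="Port1" out_interface="Port2" reason=""
log_component="Firewall Rule" status="Allow" fw_rule_id="3" src_ip="203.0.113.20" dst_ip="10.1.1.25" in_interface="Port2" out_interface="Port1" reason=""
log_component="Invalid Traffic" status="Deny" fw_rule_id="0" src_ip="203.0.113.10" dst_ip="128.9.9.2" in_interface="Port2" out_interface="" reason="Could not associate the packet with any connection"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Turn one key="value" log line into a dict (empty for a blank line)."""
    return dict(KV_RE.findall(line))

def unmatched_returns(log_text):
    """Return Invalid Traffic drops that mirror an earlier allowed flow (src/dst swapped):
    a reply that reached the firewall but could not be tied to the outbound connection,
    the symptom seen when NAT translates to an address the reply never comes back to."""
    allowed = {}   # (src_ip, dst_ip) -> allowed forward-direction record
    findings = []
    for rec in (parse_line(l) for l in log_text.splitlines()):
        if not rec:
            continue
        if rec["status"] == "Allow":
            allowed[(rec["src_ip"], rec["dst_ip"])] = rec
        elif rec["log_component"] == "Invalid Traffic":
            fwd = allowed.get((rec["dst_ip"], rec["src_ip"]))
            if fwd is not None:
                findings.append({"reply_from": rec["src_ip"], "reply_to": rec["dst_ip"],
                                 "reply_in_interface": rec["in_interface"],
                                 "forward_rule_id": fwd["fw_rule_id"],
                                 "forward_in_interface": fwd["in_interface"]})
    return findings

def summarize(findings):
    """Count unmatched replies per (forward rule id, forward ingress interface)."""
    counts = {}
    for f in findings:
        key = (f["forward_rule_id"], f["forward_in_interface"])
        counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    for (rule, iface), n in summarize(unmatched_returns(SAMPLE_LOG)).items():
        print(f"rule {rule}, traffic entering on {iface}: {n} reply packet(s) dropped")
```

    A non-empty summary keyed by the WAN-to-WAN rule and the fiber-facing port points at the NAT rule's source translation rather than at the firewall rules, which matches the fix described above.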

  • Hi Nathan,

    Do you need to create WAN to WAN rules in both A and B?  Also, if you don't mind, could you share your WAN to WAN rule settings?

    Also, for your routing settings. 

    Thank you!

  • Yes, you have to create a WAN-to-WAN rule on both firewalls.  Basically, what you want to do is create a rule on building B that uses the IP of the port from building A that connects to building B as the source and then set the destination to WAN - ANY.  Then just do the opposite on the firewall at building A (see screenshot below). 

    Depending on your requirements, I think you can either create a policy route or use the WAN link manager.  I'm actually using both because Building A houses a domain controller, so traffic needs to flow between the buildings regardless of whether a WAN connection is down or not.  But if you're just going to use it as a backup WAN connection, I believe you can get away with just creating a rule under the WAN link manager.


    I hope that helps!  

  • Hi Nathan,

    I think my case is the same as yours: I also intended to route LAN traffic from A to B regardless of whether the WAN is up or down.  Now I'm trying WAN to WAN first, but I cannot ping the link IP on either side.

    XG A - Port 10 as WAN with IP 128.8.8.2 and GW 128.8.8.1

    XG B - Port 10 as WAN with IP 128.9.9.2 and GW 128.9.9.1

    Then I followed your firewall rules:

    XG A - WAN --> 128.9.9.2
           WAN --> Any

    XG B - WAN --> 128.8.8.2
           WAN --> Any

    Thank you

    Jay

  • You might need to either enable ping on the WAN side or make sure there is a rule to allow ping.  System - Administration - Device Access is where you'll find it.  

    Then right below that is where any exceptions would go.  For example, I need ping enabled on the WAN for my network monitoring system, but I don't want anyone else to ping any WAN interfaces, so I create an exception rule at the bottom to DENY all pings and then place any allow-ping rules above it, just like you would in a typical firewall.

  • Hi Nathan, I managed to route WAN traffic from A to B.  Now, how am I going to get the LANs to communicate from A to B or B to A?  Do you have a sample configuration?

    Thank You!

    Jay

  • Simply create a regular firewall rule on each firewall that allows the required IP(s) or subnets from the other side to pass.  For example, if you wanted everything from building A LAN to talk to anything on building B LAN, just create a rule that allows just that (see below).  Then, just do the opposite on the firewall of building B.