Two WAN interfaces for single DYNDNS entry.

Hello, I was wondering if there is any way on the Sophos XG to configure 2 WAN interfaces for a single DYNDNS entry.

I am currently in a situation where one of our vendors has a specific bit of gear that stops working if/when our main ISP feed goes down and the backup failover starts to handle the internet feed. They are required to manually change it in their system. I know I have worked on other firewalls with this as an option, but the UI doesn't seem to have that in the XG. Can this be done from a CLI instead?

If not, and anyone has any sort of out-of-the-box suggestion, I am open to any suggestions.

Thanks a bunch!!



  • I would have assumed that the dynamic IP automatically changes at the failover, which results in a different public IP. I'd think that the dynamic DNS mechanism simply contacts a Sophos server every 5 minutes and asks "what IP am I coming from?" and then sends that to the DDNS server.

    So you're saying this doesn't work? Or you don't see an option to enable it and so assume it won't work?

  • The DYNDNS works fine in the firewall. The issue is when the firewall fails over from connection 1 to connection 2 there is a different DYNDNS entry. The system the vendor has can only accept a single static IP or DYNDNS entry. So everything else skips along without missing a beat when we go from connection 1 to connection 2, with the exception of this one bit of gear. It just stops working because it is still trying to use a DYNDNS entry on a connection that is down.

  • "... when the firewall fails over from connection 1 to connection 2 there is a different DYNDNS entry." Do you mean the DDNS IP changes, or do you literally mean there are two different DDNS names ("RGS1.com" and "RGS2.com" or something like that)? I keep imagining that there is one DDNS name ("RGS.com", say) and the IP changes depending on which gateway -- hence IP -- is being used.

    Sorry to be so dense... I don't have the luxury of two gateways and failover, so maybe I am confused on how it would work. I assume a single name ("WF.com") but a changing IP when failover occurs -- much like if my ISP changes our public IP -- but I guess that's not how it works.

    Are you saying the old piece of equipment caches IPs but can look to a main and a secondary IP so when the failover occurs you would update the main DDNS but that equipment will never reread it, but you also want to update the second DDNS which the equipment will check when it can't contact the main DDNS's cached IP -- but then it also caches the second DDNS' IP?

    I can't see where a second name (i.e. DDNS entry) comes into the picture.

  • Interface 1 is a cable connection with cable.dyndns-server.com as the dyn entry.

    Interface 2 is DSL with dsl.dyndns-server.com as the dyn entry.

    Interface 1 has IP 10.x.x.x (whatever).

    Interface 2 has IP 192.x.x.x (whatever).

    The item having the issue is ONLY using cable.dyndns-server.com as its way to find an IP and cannot ever have dsl.dyndns-server.com as an entry to find an address. It only has one field as an entry.

    When interface one goes down and the firewall routes traffic to interface 2 as the primary ISP connection, the item having the issue still has connection 1 as its ISP feed. The field in the equipment having the issue cannot dynamically change the dyndns entry; it must be entered manually.

    Hope that explains it.

    So back to my original question: can two interfaces be set under a single dyndns entry in the CLI, or does anyone have an out-of-the-box solution for this issue?

  • OK, I think I've got it. So you've got the two DDNS names updating (each associated with the appropriate interface), so when both are up external machines can get to either one even if one or both of the ISPs change the IP they give to you. That part works as you expect. (I've not done this, but the Help appears to say you can Add more than one, each associated with a separate interface, so I assume it's working for you.)

    But when a failover occurs, cable.dyndns-server.com is not being DDNS-updated by the Sophos to reflect that the Sophos failover has occurred, which means that the Sophos is now using a 10.x.x.x address only. That is, both cable.dyndns-server.com and dsl.dyndns-server.com should return the same 10.x.x.x ("DSL") IP.

    If that's not the way it works, I'd say that's a bug. If you think about the single DDNS name case, I'm pretty sure you'd expect that that single name would swap its IP address from the primary public IP to the secondary public IP. And thus, you should be able to put cable.dyndns-server.com in your special equipment and it will get the appropriate IP (10.x.x.x without failover, 192.x.x.x after failover). That's the point of DDNS. So if that's not the way it works, you should report it as an issue. My guess is that there's no clever workaround.
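One out-of-the-box workaround for the situation described in the thread, added here as an example and not code from the original thread or from Sophos: a small script run from an internal host (for example every 5 minutes from cron) that resolves both DDNS names, compares them with the currently active egress IP, and re-publishes only the names that still point at the failed link. It assumes the DDNS provider accepts the common dyndns2 update protocol (`GET /nic/update?hostname=...&myip=...` with HTTP Basic auth); the hostnames, URLs and credentials below are placeholders.

```python
import base64
import os
import socket
import urllib.request
from typing import Callable, Dict, Iterable

# Constructed placeholders taken from the thread, not real hosts or endpoints.
DDNS_NAMES = ["cable.dyndns-server.com", "dsl.dyndns-server.com"]
UPDATE_URL = "https://ddns.example.invalid/nic/update"   # assumption: dyndns2 endpoint
IP_LOOKUP_URL = "https://checkip.example.invalid/"        # assumption: returns egress IP as text


def resolve_a(name: str) -> str:
    """Return the first IPv4 address currently published for name."""
    return socket.getaddrinfo(name, None, socket.AF_INET)[0][4][0]


def current_egress_ip() -> str:
    """Ask an external service which public IP our traffic leaves from."""
    with urllib.request.urlopen(IP_LOOKUP_URL, timeout=10) as resp:
        return resp.read().decode().strip()


def dyndns2_update(name: str, ip: str, user: str, password: str) -> str:
    """Publish one A record via the dyndns2 protocol; returns the provider's status line."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"{UPDATE_URL}?hostname={name}&myip={ip}",
                                 headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode().strip()


def find_stale(egress_ip: str, names: Iterable[str],
               resolve: Callable[[str], str]) -> Dict[str, str]:
    """Map each name whose A record differs from the active egress IP to the stale answer."""
    stale: Dict[str, str] = {}
    for name in names:
        try:
            got = resolve(name)
        except OSError:          # NXDOMAIN or resolver failure: treat as needing an update
            got = "unresolvable"
        if got != egress_ip:
            stale[name] = got
    return stale


def sync(egress_ip: str, names: Iterable[str], resolve: Callable[[str], str],
         update: Callable[[str, str], str]) -> Dict[str, str]:
    """Update only the stale names; returns name -> provider response."""
    return {n: update(n, egress_ip) for n in find_stale(egress_ip, names, resolve)}


if __name__ == "__main__":
    user, pw = os.environ["DDNS_USER"], os.environ["DDNS_PASS"]   # assumption: creds via env
    print(sync(current_egress_ip(), DDNS_NAMES, resolve_a,
               lambda n, ip: dyndns2_update(n, ip, user, pw)))
```

Because the check compares against the live egress IP rather than a configured interface, it also covers the case where the ISP simply hands out a new address without any failover.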