Prioritize Interface for Uplink Balancing

Hi!

We are using UTM9 on our Sophos SG230 and have two uplinks for internet connections: one 10 MBit/s dedicated line (with SA) for VPN and SIP traffic, and a 300 MBit/s connection for general Internet access for all our clients and servers.
Often people in the company complain that their internet connection is slow, and I have found out via speed test and their public IP that they are online via the slower 10 MBit/s connection, even though the uplink balancing is set to prioritize the faster connection.
If I understand this correctly, I can't set the weight lower than 10; if set to 0, the uplink will only be on standby, meaning there won't be any traffic on the dedicated line unless the faster uplink is down.

Does anybody know a way to set the uplink balancing so that connections will always prioritize a certain uplink without having to deactivate the second uplink?
The slower uplink is supposed to act as a failover in case the faster non-SA internet connection is down.
The issue is that we need the dedicated line with SA for our most important traffic like SIP and VPN, so I don't want to have it only on standby.



  • A value of zero means that always another interface with a higher value is chosen if available.  I don't think that means that if it's set to zero it won't be used, it just means that it won't be the preferred connection until your WAN link is unavailable.

    XG 19.5 GA 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | GB Ethernet x5

  • That's correct.
    With a weighting of 100:0 (IF1:IF2), IF2 is used for inbound traffic at this interface (VPN, DNAT, ...).
    For outbound traffic the Uplink Balancing rules are checked. If you have a rule "any -> SMTP -> any = IF2", the outbound traffic uses IF2 ... even if this has a weighting of "0".
    Without a matching traffic rule, the weighting of 100:0 ensures that IF2 is almost never used ... until IF1 is down (for this traffic type).


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Thank you both, this is a helpful hint.
    Are you talking about the Multipath Rules, or where would I find these rules?
    I haven't checked that out yet and have to read in further. Thanks!



  • Hallo and welcome to the UTM Community!

    The weighting only applies when you don't select 'Interface Persistence: by interface' in a Multipath rule.  If you make no Multipath rule, the default behavior is "by connection" and the weighting applies to all traffic.

    Note also that Multipath rules are numbered.  This means that once traffic qualifies for a rule, it no longer is considered for higher numbered rules.

    You probably want three rules like the following, each with 'Skip rule on interface error' unchecked:

    1. Any -> VoIP Protocols -> Internet IPv4 : bind to 10 Mbps
    2. Any -> VPN Protocols -> Internet IPv4 : bind to 10 Mbps
    3. Any -> Any -> Internet IPv4 : bind to 300 Mbps

    Note that #2 only applies to connections where your UTM is the initiator of the traffic (default in Amazon VPC, "Initiate connection" in IPsec or "Client" in SSL VPN).

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
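
Added example, not part of the posts above and not Sophos code: a simplified Python model of the first-match ordering described for numbered Multipath rules, with a check for rules that an earlier rule makes unreachable. The service-group membership and all function names are constructed for illustration; source and destination are left out because they are identical in all three suggested rules.

```python
from dataclasses import dataclass

# Constructed membership for illustration; the groups on a real UTM hold more entries.
SERVICE_GROUPS = {
    "VoIP Protocols": {("udp", 5060), ("tcp", 5060)},
    "VPN Protocols": {("udp", 500), ("udp", 4500)},
    "Any": None,  # None stands for "matches every service"
}

@dataclass(frozen=True)
class Rule:
    position: int   # rule number; lower numbers are evaluated first
    service: str    # key into SERVICE_GROUPS
    interface: str  # uplink the rule binds to

def matches(rule, proto, port):
    members = SERVICE_GROUPS[rule.service]
    return members is None or (proto, port) in members

def select_interface(rules, proto, port):
    """Return (position, interface) of the lowest-numbered matching rule.
    None means no rule matched, so the uplink weighting decides instead."""
    for rule in sorted(rules, key=lambda r: r.position):
        if matches(rule, proto, port):
            return rule.position, rule.interface
    return None

def shadowed_rules(rules):
    """Positions of rules that can never match because a lower-numbered
    rule already covers every service they list."""
    ordered = sorted(rules, key=lambda r: r.position)
    shadowed = []
    for i, rule in enumerate(ordered):
        own = SERVICE_GROUPS[rule.service]
        for earlier in ordered[:i]:
            prev = SERVICE_GROUPS[earlier.service]
            if prev is None or (own is not None and own <= prev):
                shadowed.append(rule.position)
                break
    return shadowed

# The three rules in the order suggested in the thread.
SUGGESTED = [Rule(1, "VoIP Protocols", "10 Mbps"),
             Rule(2, "VPN Protocols", "10 Mbps"),
             Rule(3, "Any", "300 Mbps")]
# Same rules with the catch-all first: SIP and VPN never reach their rules.
MISORDERED = [Rule(1, "Any", "300 Mbps"),
              Rule(2, "VoIP Protocols", "10 Mbps"),
              Rule(3, "VPN Protocols", "10 Mbps")]
```
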