This discussion has been locked.

Configuring link LAN TO LAN

Hello,

I need to configure a LAN-to-LAN link.

I can ping both sides from UTM9 Sophos 1 (Link1 and Link2) to UTM9 Sophos 2 (Link1 and Link2), but communication from my Internal LAN doesn't work.

I tried creating a policy route as a test, but it doesn't work very well.

Test route: Route type: "interface route" --> Source interface: "Internal LAN1" --> Service: "any" --> Destination Network: "Internal LAN2" --> Target interface: "Link1/Link2"

For priority, I created an interface group with Link1 on top and Link2 below.

Between the two Sophos units there is an IPsec LAN-to-LAN VPN.

My scenario:

                                                    LAN TO LAN

UTM9 Sophos 1                                                                       UTM9 Sophos 2

Link1 - 10.10.10.3/28      <---------------------------------->       Link1 - 10.10.10.4/28

Link2 - 10.10.10.19/28     <---------------------------------->       Link2 - 10.10.10.20/28

Internal LAN1 - 10.5.0.0/16   <----------VPN------------->         Internal LAN2 - 10.100.100.0/16

I need to configure link priority:

"1" Link1 (1Gb) online

"2" Link2 (30Mb) failover

"3" VPN failover

What is the best way to set up this communication?

Thank you



This thread was automatically locked due to age.
  • Hi, and welcome to the UTM Community!

    If you have two separate interfaces in the same subnet, you will have routing problems.  Please show a picture of the 'Interfaces' tab from one of the UTMs.

    Do I understand correctly that you have two different WAN connections on each UTM and that you want the VPN to fail over to a slower connection if the faster one is down?

    Cheers - Bob

  • Hi, thank you.

    I have the same interfaces in the same subnet, but on separate VLANs on the switch.

    Maybe I wasn't clear in my request.

    What I need is to define the priority of the primary link and its failovers.

    Here is the configuration I need.

    Link1 - 10.10.10.4/28 >>>>>>>>>> Primary
    Link2 - 10.10.10.20/28 >>>>>>>>> Failover, to be enabled ONLY if Link1 fails

    If both the links above fail, I want the VPN site to site to be used.

    Is this possible on Sophos UTM?

    Thank you

  • Looks like you only need static routes for the 3 different connections with the lowest metric for the highest priority connection.

    The VPN connection needs to be bound to the local interface otherwise it will always take precedence. When you bind it to local interface you can control it with custom created routes.

  • Arno, I think I would do the first two with Uplink Balancing and an Any->Any->Any Multipath rule bound to Link 1 if they're WAN connections.  If they're not Interfaces with a default gateway, then your solution is what I would do, too.

    For the VPN, Welisson, I may be confused.  Is the VPN to be done on a third link, or is this via a WAN connection that is neither Link 1 nor Link 2?  If this is a WAN connection, then you have two options.  The one suggested by apijnappels will give you virtually-instantaneous failover.  If instant failover isn't desired, you can use Uplink Monitoring to start the VPN when both of the other links have failed.  In this case, you will want to configure 'Monitoring Hosts' on the 'Advanced' tab.

    Cheers - Bob

  • Hello,

    I created the routes:

    Network "Internal LAN1 - 10.5.0.0/16" --> Gateway "10.10.10.3", Metric 4 (created successfully and enabled)

    Network "Internal LAN1 - 10.5.0.0/16" --> Gateway "10.10.10.19", Metric 5 (created successfully, but enabling fails with "the network 10.5.0.0/16 is already in use by the destination network attribute of the static route object to 10.5.0.0")

    A route with a different gateway to the same network didn't work.

    Is there another way?

  • If link1 and link2 are both active links on separate interfaces (with default gateways set) you can use Uplink balancing for this (like Balfson has explained).

    For the VPN, you might be able to use Interfaces and routing -> Uplink monitoring -> actions and then enable the IPSec site-to-site tunnel between the two UTM's (where you have it disabled in normal operation).
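The replies above describe two pieces of Uplink Monitoring behaviour: a link is demoted after its monitoring host stops answering, and an action (here, enabling the normally disabled IPsec site-to-site connection) fires only once no WAN link is left. The script below is an added illustration of that decision logic written for this page; it is not Sophos UTM code. The link names, the consecutive-probe thresholds and the probe results are assumptions chosen to match the Link1 (primary) / Link2 (failover) / VPN (last resort) order asked for in the thread.

```python
"""Failover decision logic for a primary and a secondary WAN link plus an IPsec fallback.

Added example for this thread, not Sophos UTM code.  It models what Uplink
Monitoring does on the UTM: each link is probed against a monitoring host, a
link is marked down after THRESHOLD consecutive failed probes and up again
after THRESHOLD consecutive successful ones (hysteresis, so a single lost ping
does not flap the route), and the site-to-site tunnel is enabled only when no
WAN link is usable.  Link names, thresholds and probe results are assumptions.
"""
from collections import deque


class MonitoredLink:
    """One uplink watched through probes to its monitoring host."""

    def __init__(self, name, threshold=3, history=10):
        self.name = name
        self.threshold = threshold
        self.samples = deque(maxlen=history)  # True = monitoring host answered
        self.up = True  # assume healthy until enough probes say otherwise

    def record(self, reachable):
        """Add one probe result and re-evaluate the link state with hysteresis."""
        self.samples.append(bool(reachable))
        recent = list(self.samples)[-self.threshold:]
        if len(recent) == self.threshold:
            if not any(recent):
                self.up = False   # threshold failures in a row: demote
            elif all(recent):
                self.up = True    # threshold successes in a row: promote
        return self.up


class FailoverController:
    """Picks the highest-priority usable path: first healthy link in order, else VPN."""

    def __init__(self, link_names, threshold=3):
        self.links = [MonitoredLink(n, threshold) for n in link_names]
        self.vpn_enabled = False

    def probe(self, results):
        """Feed one round of probe results ({link name: reachable}) and decide."""
        for link in self.links:
            if link.name in results:
                link.record(results[link.name])
        return self.decide()

    def decide(self):
        for link in self.links:           # links are listed in priority order
            if link.up:
                self.vpn_enabled = False  # a WAN link is usable: tunnel stays disabled
                return {"path": link.name, "vpn_enabled": False}
        self.vpn_enabled = True           # every WAN link is down: bring up the tunnel
        return {"path": "VPN", "vpn_enabled": True}


# Constructed probe results for the scenario in the thread: Link1 (1 Gb) is
# primary, Link2 (30 Mb) is failover, the IPsec tunnel is the last resort.
SAMPLE_ROUNDS = [
    {"Link1": True,  "Link2": True},    # steady state
    {"Link1": False, "Link2": True},    # Link1 loses its monitoring host
    {"Link1": False, "Link2": True},
    {"Link1": False, "Link2": True},    # third miss: Link1 demoted
    {"Link1": False, "Link2": False},   # Link2 starts failing too
    {"Link1": False, "Link2": False},
    {"Link1": False, "Link2": False},   # both down: tunnel enabled
    {"Link1": True,  "Link2": False},   # Link1 recovering
    {"Link1": True,  "Link2": False},
    {"Link1": True,  "Link2": False},   # third success: back on Link1
]


def simulate(rounds, link_names=("Link1", "Link2"), threshold=3):
    """Run the controller over probe rounds and return the chosen path per round."""
    ctl = FailoverController(link_names, threshold)
    return [ctl.probe(r)["path"] for r in rounds]


if __name__ == "__main__":
    for n, path in enumerate(simulate(SAMPLE_ROUNDS), 1):
        print(f"round {n:2d}: traffic via {path}")
```

On a real UTM the equivalent knobs are the 'Monitoring Hosts' on the Uplink Monitoring 'Advanced' tab and an action that enables the IPsec connection; the script only makes visible why a consecutive-failure threshold matters (one dropped ping must not flip the route) and that the tunnel is switched off again as soon as a WAN link has recovered.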
