Multiple ISPs active with Masquerading

I have been looking for a solid answer for this for 2 days now and have come up empty handed. We had a single ISP and all of my masquerading rules were working fine. I purposely put the IT VLAN out on a different external IP address compared to normal users. We just added a second ISP and when Uplink Balancing was turned on the Masquerading stopped working. I set the second ISP to 0 for a precedence because it is a smaller connection and we do not want to use it unless the primary is down for outbound traffic. We do however want to accept traffic for a VPN we are using for SIP Voice traffic. This means I could not make it standby and had to add it as an uplink interface, from my understanding. Now I have to create a multipath rule telling all traffic from my IT VLAN to go out the external interface and also have to have a masquerading rule? Why do I need to duplicate this rule? If the traffic is going out ISP 1, why wouldn't the masquerading rule take effect? Is it because technically it is going out "uplink" interfaces?

Is there an easier way to do this? Obviously I checked the "skip rule on interface error" option so that traffic will still route if ISP 1 is down, but it seems like far too much work to have to create basically the same rule twice for this type of setup.

  • Hi, Justin, and welcome to the UTM Community!

    I would do this a bit differently in Uplink Balancing.  First, put both interfaces in 'Active Interfaces' with 100 weight on each.  Next, if ISP1 is very reliable and rarely has outages over a minute or two in length, you might want to click on the wrench icon and reduce the persistence below 15 minutes.  Finally, make a Multipath rule binding 'Any -> Any -> Any' traffic to ISP1.  Now you have virtually instantaneous failover with no wait for ISP2 to be activated.  Although in your situation with an IPsec VPN keeping ISP2 "alive," your initial approach would work just as quickly.

    For the IPsec VPN, I would use the approach described in Auto-Failover IPsec VPN Connections.

    Cheers - Bob

  • I have tried this and kind of went back to what I was on, mostly because of the need for the individual Masquerading rules. Hopefully as soon as the second carrier is spun up I can get all of our DNS entries and rules changed over and never have to rely on carrier IPs again and just use the C block I own. I have been working on getting the BGP connection started, which will change most of this, but I am sure I'll be back if anything comes up.