Multipath is stateless?

Hi,

I just found out that UTM 9.4 multipath rules are stateless. I set up both my internal and external interfaces with a gateway, so I expected to route freely to any interface and not have to care about return packets. With policy routes I must also write rules for return packets, but to route back to the right WAN interface the firewall must get the information from the state table. For example, when a connection comes from wan1 to lan, the return packet's incoming interface is lan, the source is some internal IP and the destination is any. But when a connection comes from wan2, it is the same. The only option is to use the state table.

So I made both lan and wan gateway interfaces and made a multipath rule to wan. But return packets didn't come back. After I also made a multipath rule from wan to lan, return packets came back. So why the heck do I need lan to be a gateway interface at all, if the state information is still missing? So then I set lan back to "without gateway interface" and used policy routing to route return packets back to the internal machine. The multipath rule still stayed from lan to wan, because I also have other WANs (with a gateway set up) and I used a statically bound multipath rule for the interface. But still nothing. Then I made a static route and return packets came back.

It seems totally buggy when static route rules work but policy route rules do not. I also noticed another anomaly: sometimes a policy route rule for some other internal subnet allows connections (it gets return packets) for a completely different subnet. So when I activated the policy route rule for the 12.0 subnet, the 100.0 subnet started working. How can this happen at all? It's a total mess. UTM 9.4 just doesn't work.



  • Ivar, it sounds like you're fighting WebAdmin instead of letting it work. WebAdmin automatically creates all of the routes necessary when you configure Uplink Balancing with Multipath rules - in fact, these are probably handling the traffic before your manual routes even see it.

    Show us pictures of the Interfaces in the boxes on the Uplink Balancing tab and the Edit of one of the Multipath rules that aren't working the way you want them to work.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I already shut it down and started using XG instead. In XG there aren't these kinds of problems and everything works. I had only one multipath rule to send everything to WAN1. Some interfaces with gateways, some without. But instead, just answer: is multipath stateless or stateful? Does USG hold interface information in the state table? For example, XG Firewall holds it, pfSense holds it, Kerio holds it, CheckPoint, almost all enterprise firewalls can do it; UTM was the first one with this kind of problem.

    Regards.

  • It is absolutely Stateful and Uplink Balancing with Multipath rules works perfectly with it. Sorry you had so much trouble.

    Good luck with XG!

    Cheers - Bob

     
  • But maybe it doesn't work when I use static mapping to an interface in a multipath rule. OK, I have no idea, but anyway XG seems more powerful. It also has zones (it is a pain to write firewall rules without zones or interfaces), and in UTM a bridge doesn't work with rules and routing, but in XG it works, and a bridge directed by rules is very important for me. But the UTM GUI's look is much better than XG's; the XG GUI is total crap.

    Regards.