Updated on September 9, 2020 at 12:23 am
I’ve been using Sophos UTM (formerly Astaro) for years now since my buddy Daniel introduced it to me. It’s free for home use and similar to Checkpoint.
Using it has been straightforward and it currently contains tons of features and I absolutely love it. One of the features I wanted to write about is multiple uplinks. This one is important to me as I continue to build out my network architecture with multiple internet connections to different ISPs. And especially since my gigabit internet connection should be installed soon.
For multiple internet uplinks you will need hardware with multiple NICs to support at a minimum the connection to your local network and the incoming connections from each of your ISPs.
Once you have your hardware configured correctly, let’s have a look at the configuration settings you need in the Sophos UTM to get things going.
You will obviously need to have your interfaces configured and showing in the UTM interface first looking like this below. And you need at least three functioning interfaces as mentioned earlier.
Now for uplink balancing there are a couple ways to configure the links; active and standby modes. Active mode meaning the traffic is balanced between the two connections and Standby mode meaning that if the primary connection fails, the backup connection takes over.
After you get uplink balancing enabled and configured one of the things you will notice is that your Masquerading rules have changed a bit to say “Uplink Interfaces” instead of pointing at a specific external interface.
Even though I have my two incoming connections set up for balancing, I don’t really care about that aspect but instead want to direct an internal VLAN to only use a specific outgoing connection. This is where Multipath Rules come into play.
Basically you want to bind a specific internal network (SmartCity) to a specific outgoing network connection (SmartCity DSL) as below.
Once you have the multipath rule configured, you will end up with a rule similar to this. Also make sure you have set Interface Persistence to “by Interface”.
Once you have configured these few things, any host connected to the “SmartCity” internal network, in my case this is a VLAN, will use the “SmartCity DSL” connection for any outgoing internet access.