How to create Site-to-Site RED full tunnels

  • Article ID: 120263
  • Updated: 06 Mar 2014

This article provides instructions on configuring Site-to-Site RED tunnels between UTMs in "full tunnel" mode, such that all traffic not destined for other known networks will be sent over them. 

Applies to the following Sophos product(s) and version(s)
Sophos UTM

Operating systems
UTM v8, v9

Basic Information

Site-to-site (UTM-UTM) RED tunnels can be configured to work as 'full' tunnels, where all traffic not destined for a local network (such as internet traffic) is sent over them.

What To Do

Creating a full Site-to-Site RED tunnel involves configuring the tunnel interface as an uplink with the remote UTM's tunnel address as its gateway, and then using Uplink Balancing to weight the RED interface at 100 so that it carries all traffic not matched by a more specific route.

Where to configure: WebAdmin

Step 1: Configure the RED tunnel as an uplink

First, configure your RED tunnel as an uplink by doing the following:

  1. Log in to WebAdmin and go to Interfaces & Routing > Interfaces.
  2. Click Edit on the RED tunnel interface.
  3. Check IPv4 Default GW.
  4. Under Default GW IP, enter the address of the remote UTM's side of the RED tunnel.
  5. If you do not have uplink balancing configured already, you'll get a message stating that it will be enabled. Click OK.
  6. Click Save.

Step 2: Configure Uplink Balancing 

Next, do the following:

  1. Log in to WebAdmin and go to Interfaces & Routing > Interfaces > Uplink Balancing.
  2. Ensure the RED tunnel interface is in the Active Interfaces list.
  3. Click the Wrench icon next to Active interfaces.
  4. Set the RED tunnel interface weight to 100, and your primary uplink's weight to 0.
  5. Click Save.

All internet traffic from behind the local UTM will now be routed over the RED tunnel instead of directly out your primary uplink. The remote UTM must be configured to let that traffic reach the internet: create firewall rules that permit the local site's networks, and a masquerading rule that masquerades them onto the remote UTM's external interface. Also plan for the tunnel being down: decide whether clients at the local site should lose internet access or fall back to the local uplink, and test that behaviour, since an unnoticed fallback means traffic you intended to pass through the remote site's controls leaves directly instead. After the change, verify from a client that its traffic really does leave from the remote site rather than the local uplink.
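The following script is an added verification example, not part of the Sophos article and not Sophos UTM code. It is meant to run on a client behind the local UTM after the full-tunnel change and checks two things: that a numeric traceroute shows the local UTM as hop 1 and the remote UTM's RED tunnel address as hop 2 (assuming, as is the default on Linux-based devices, that the remote UTM answers from the interface the packet arrived on), and that the public address seen by an external host is the remote site's. All addresses are placeholders to override via the environment; the IP lookup service used in live mode is only an example. Without --live it runs against constructed sample output so the checks can be exercised offline.

```sh
#!/bin/sh
# Post-change verification for a full Site-to-Site RED tunnel.
# Added example, not from the Sophos article or Sophos UTM. Run on a client
# behind the local UTM. Addresses are placeholders; override via environment.
LOCAL_UTM="${LOCAL_UTM:-10.0.1.1}"                  # local UTM address on the client LAN
REMOTE_RED_IP="${REMOTE_RED_IP:-10.255.0.1}"        # remote UTM's RED tunnel address (the Default GW IP)
EXPECTED_EGRESS="${EXPECTED_EGRESS:-203.0.113.10}"  # public address traffic should leave from (remote site)
PROBE_TARGET="${PROBE_TARGET:-198.51.100.5}"        # any internet address to trace towards

# tunnel_path_ok TRACEROUTE_TEXT
# Succeeds when hop 1 is the local UTM and hop 2 is the remote UTM's tunnel
# address, i.e. the packet entered the RED tunnel before reaching the internet.
# Expects numeric (traceroute -n) output passed as an argument, so it can be
# checked against captured text as well as live runs.
tunnel_path_ok() {
    hop1=$(printf '%s\n' "$1" | awk '$1 == "1" { print $2; exit }')
    hop2=$(printf '%s\n' "$1" | awk '$1 == "2" { print $2; exit }')
    [ "$hop1" = "$LOCAL_UTM" ] && [ "$hop2" = "$REMOTE_RED_IP" ]
}

# egress_ok OBSERVED_PUBLIC_IP
# Succeeds when the public address seen by an external host is the remote
# site's, which is what a full tunnel plus masquerading on the remote UTM
# should produce. An empty argument (lookup failed) counts as a failure.
egress_ok() {
    [ -n "$1" ] && [ "$1" = "$EXPECTED_EGRESS" ]
}

# Constructed sample outputs (not captured from real devices) so the checks
# can be exercised without network access.
SAMPLE_FULL_TUNNEL='traceroute to 198.51.100.5 (198.51.100.5), 5 hops max, 60 byte packets
 1  10.0.1.1  0.412 ms
 2  10.255.0.1  18.301 ms
 3  203.0.113.1  19.004 ms'

# Same client, but traffic is leaking straight out of the local uplink:
# hop 2 is the local ISP gateway instead of the remote UTM.
SAMPLE_LOCAL_LEAK='traceroute to 198.51.100.5 (198.51.100.5), 5 hops max, 60 byte packets
 1  10.0.1.1  0.380 ms
 2  192.0.2.1  3.120 ms
 3  192.0.2.254  4.900 ms'

# report LABEL TRACEROUTE_TEXT PUBLIC_IP
report() {
    if tunnel_path_ok "$2"; then
        echo "$1: path OK (hop 2 = $REMOTE_RED_IP)"
    else
        echo "$1: WARN path does not enter the RED tunnel"
    fi
    if egress_ok "$3"; then
        echo "$1: egress OK ($3)"
    else
        echo "$1: WARN egress is '${3:-unknown}', expected $EXPECTED_EGRESS"
    fi
}

if [ "${1:-}" = "--live" ]; then
    # Live mode: needs traceroute and curl; the lookup service is an example.
    trace=$(traceroute -n -q 1 -m 5 "$PROBE_TARGET" 2>/dev/null || true)
    public_ip=$(curl -s --max-time 5 https://api.ipify.org 2>/dev/null || true)
    report "live" "$trace" "$public_ip"
else
    report "sample-full-tunnel" "$SAMPLE_FULL_TUNNEL" "203.0.113.10"
    report "sample-leak" "$SAMPLE_LOCAL_LEAK" "192.0.2.50"
fi
```

Run it with --live from a client on the local LAN once the remote UTM's firewall and masquerading rules are in place; a WARN on the path check while the tunnel is up usually means the uplink weights or the Default GW setting on the RED interface are not as intended, and a WARN on egress alone usually points at a missing masquerading rule on the remote UTM.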

If you would like traffic to certain websites to bypass the RED tunnel and go directly out your primary uplink, add multipath rules that bind that traffic to the primary uplink under Interfaces & Routing > Interfaces > Multipath Rules; multipath rules override the interface weights for the traffic they match. Alternatively, weight the RED tunnel at 0 instead of 100 and use multipath rules to send only traffic from specific hosts over the tunnel, leaving everything else on the primary uplink.

Related Articles

KB 120157 - How to configure Site-to-Site RED Tunnels
KB 116573 - Sophos RED (Remote Ethernet Device) Technical Training Guide

If you need more information or guidance, then please contact technical support.
