This article provides instructions on configuring Site-to-Site RED tunnels between UTMs in "full tunnel" mode, such that all traffic not destined for other known networks will be sent over them.
Applies to the following Sophos product(s) and version(s)
UTM v8, v9
Site-to-site (UTM-UTM) RED tunnels can be configured to work as 'full' tunnels, where all traffic not destined for a local network (such as internet traffic) is sent over them.
What To Do
Creating a full Site-to-Site RED tunnel involves configuring the tunnel as an uplink, adding the address of the remote UTM as its gateway, and then using Uplink Balancing to weight the RED interface at 100%.
Where to configure: WebAdmin
Step 1: Configure the RED tunnel as an uplink
First, configure your RED tunnel as an uplink by doing the following:
- Log in to the WebAdmin and go to Interfaces & Routing > Interfaces
- Click Edit on the RED tunnel interface.
- Check IPv4 Default GW.
- Enter the address of the remote side of the RED tunnel under Default GW IP.
- If you do not have uplink balancing configured already, you'll get a message stating that it will be enabled. Click OK.
- Click Save.
Step 2: Configure Uplink Balancing
Next, do the following:
- Log in to the WebAdmin and go to Interfaces & Routing > Interfaces > Uplink Balancing
- Ensure the RED tunnel interface is in the Active Interfaces list.
- Click the Wrench icon next to Active interfaces.
- Set the RED tunnel interface weight to 100, and your primary uplink's weight to 0.
- Click Save.
All internet traffic will now be routed over the RED tunnel instead of directly out your primary uplink. You'll need to ensure that the UTM on the remote side of the tunnel allows traffic from the local UTM to reach the internet, by creating firewall and masquerading rules as appropriate.
If you would like traffic destined for certain websites not to be routed over the RED tunnel, but to go directly out your primary uplink instead, you can add interface binding rules for them under Interfaces & Routing > Interfaces > Multipath Rules. Alternatively, you can weight the RED tunnel at 0% instead of 100% and then use multipath rules to forward traffic from certain hosts only over the RED tunnel.
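The following is an added example, not part of the original article or of the UTM itself: a simplified model of how the settings above decide the egress path for a flow (local networks first, then multipath interface-binding rules, then the 100/0 Uplink Balancing weights), written so the two designs described in this section can be compared side by side. Interface names, addresses and rule formats are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class UplinkConfig:
    """Constructed, simplified model of the settings this article configures."""
    local_networks: list                     # traffic for these never leaves via an uplink
    weights: dict                            # interface -> Uplink Balancing weight (0..100)
    multipath_rules: list = field(default_factory=list)  # (match_kind, network, interface)


def egress_interface(cfg, src_ip, dst_ip):
    """Return the interface a packet leaves on, or None for traffic to a local network.

    Evaluation order is a model assumption: local networks, then multipath
    interface-binding rules in order, then the Uplink Balancing weights.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if any(dst in ipaddress.ip_network(n) for n in cfg.local_networks):
        return None
    for kind, net, iface in cfg.multipath_rules:
        addr = src if kind == "source" else dst
        if addr in ipaddress.ip_network(net):
            return iface
    # With weights of 100 and 0, only the weight-100 uplink ever carries traffic.
    candidates = [i for i, w in cfg.weights.items() if w > 0]
    if len(candidates) != 1:
        raise ValueError("model only covers the 100/0 weighting described in the article")
    return candidates[0]


# Design 1 from the article: RED tunnel at 100, primary WAN at 0, plus a
# destination-bound multipath rule that excludes one website (constructed 203.0.113.0/24).
FULL_TUNNEL = UplinkConfig(
    local_networks=["192.168.10.0/24", "10.20.0.0/16"],
    weights={"reds1": 100, "eth1": 0},
    multipath_rules=[("destination", "203.0.113.0/24", "eth1")],
)

# Design 2 from the article: RED tunnel at 0, and only selected hosts forwarded over it.
SELECTIVE_TUNNEL = UplinkConfig(
    local_networks=["192.168.10.0/24", "10.20.0.0/16"],
    weights={"reds1": 0, "eth1": 100},
    multipath_rules=[("source", "192.168.10.50/32", "reds1")],
)

if __name__ == "__main__":
    print(egress_interface(FULL_TUNNEL, "192.168.10.7", "198.51.100.9"))  # reds1
```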
KB 120157 - How to configure Site-to-Site RED Tunnels
KB 116573 - Sophos RED (Remote Ethernet Device) Technical Training Guide