
Different rules per interface under WAN zone?

Hello Guys,

So we have 3 WAN interfaces connected to our Sophos.
These WANs are really different in their performance (download/upload speed) and even BW limitations.

*These are satellite links.

Anyway, I'm trying to set rules depending on the outgoing interface, but all I can do is "zone", which includes all 3 of them.

I want, for example: if only the "slow" WAN is available, I need to limit/block lots of things.
On the other side, if the "fast" WAN is available, most of the traffic will be allowed.

But as it seems, I can only choose "WAN" as the outgoing zone, so I cannot differentiate between each interface.

Is the only option for me to use 3 separate zones and avoid using the WAN zone?

Thank you.



  • Hi again,

    Still seem to fail here.

    Under the "WAN" zone I have 3 interfaces/gateways to 3 different ISPs.

    Only a single ISP will be up at a given moment.

    ISP1 is very fast, so while ISP1 is active, no traffic shaping/QoS is needed.

    If ISP1 is down, the system will fail over to ISP2:
    ISP2 is very slow, so when the system is using this ISP, I
    wish to give higher priority to email/TeamViewer and other "work" related things.

    Problem is: if I use the WAN zone, all rules are applied no matter which ISP I'm on.
    Destination zone = WAN
    I need Destination zone = WAN(interface1) + WAN(interface2), for example... not both!

  • Sagi,

    on v18, you need to use SD-WAN and make sure that SD-WAN takes precedence over static routes. You can check the route precedence on the XG console:

    system route_precedence show

    On v17, you can select the gateway you want from the firewall rule.

    If it does not work, please share the firewall rules.

    Regards
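Worked example, added by the editor and not part of Luk's reply: checking the route precedence on the XG console and then moving SD-WAN policy routes ahead of static routes, which is the check Luk asks for above. The `show` command is the one quoted in the reply; the `set` form and the `sdwan_policyroute` keyword are from the v18 console as I remember it, so confirm them against the console's own completion (Tab after `system route_precedence set`) before relying on them. The output lines and the `console>` prompt are illustrative, not captured from a live appliance, and the "before" state (static routes first) is a constructed example of the ordering that would make the SD-WAN policy route lose.

```console
console> system route_precedence show
Default routing precedence:
 1. Static routes
 2. SD-WAN policy routes
 3. VPN routes

console> system route_precedence set sdwan_policyroute static vpn

console> system route_precedence show
Default routing precedence:
 1. SD-WAN policy routes
 2. Static routes
 3. VPN routes
```

Once SD-WAN policy routes are consulted first, a policy route that selects a specific gateway (with the other gateways as backup) decides which ISP traffic leaves through; the firewall rule itself still matches on the WAN zone, which is why per-ISP traffic shaping has to be handled separately, as the rest of the thread discusses.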

  • Hi Luk,

    First, thank you very much for the help here!

    I'm out of the office atm; tomorrow morning I will share the configurations.

    Meanwhile:
    SD-WAN does take precedence over static/VPN.
    Traffic is able to pass from LAN --> WAN.
    If the 1st gateway is down, traffic will be routed via the 2nd gateway.

    But I'm still struggling to find where I configure different QoS/traffic shaping for each ISP individually.

    Hope tomorrow you will help me find an answer for that!

    Thanks again, and good night.

    Sagi.

  • Thanks again Luk.

    So if I must apply these only per service, and in the WAN zone I cannot do separation between interfaces...

    What if I work with 3 "LAN" zones that will act as WAN?

    So I can do rules like:

    LAN --> "WAN1" accept HTTPS + traffic shaping X
    LAN --> "WAN2" accept HTTPS + traffic shaping Y
    LAN --> "WAN3" accept HTTPS, no traffic shaping.

    Notice that these "WAN" zones are actually configured as "LAN" zones, but they will be connected to my routers.
    So when I'm on "WAN1" I have some type of traffic shaping for HTTP,
    but when I'm on "WAN2" I have a different type of traffic shaping (or nothing at all if I wish).

    I will have to configure NAT and probably gateways manually, I guess?
    Anything else I "lose" if I choose not to use the WAN zone and just connect each router to a different LAN zone?