Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 9 replies
  • Subscribers 39 subscribers
  • Views 2390 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Different rules per interface under WAN zone?

Sagi Mor1

Hello Guys,

 

So we have 3 WAN interfaces connected to our Sophos.
These WANs are really different in their performance (download/upload speed) and even BW limitations.

*These are satellite links.

Anyway, i'm trying to set rules depending on the outgoing interface, but all i can do is "zone" which includes all of the 3.

I want for example - if only the "slow" WAN is available - i need to limit/block lots of things
On the other side, if the "fast" WAN is available - most of the traffic will be allowed.

But as it seems, i can choose "WAN" as outoging zone - so i cannot differentiate between each interface.

 

The only option for me is to use 3 separate zones, and avoid using the WAN zone? 

 

Thank you. 



This thread was automatically locked due to age.
Parents Reply Children
  • 0 in reply to Sagi Mor1

    Hi again,

     

    Still seem to fail here.

     

    Under "WAN" zone i have 3 interfaces/gateways to 3 different ISP's

    Only single ISP will be Up at a given moment.

    ISP1  is very fast, so while ISP1 is active - no traffic shaping/qos needed.

    If ISP1 is down - system will failover to ISP2:
    ISP2 is very slow - So when the system is using this ISP, i
    wish to give higher priority for Emails/Teamviewer and other "work" related things.

    Problem is: if i use WAN zone all rules is applied no matter which ISP i'm on.
    Destination zone = WAN
    i need Destination zone= WAN(interface1) + WAN(interface2) for example... not both!

  • 0 in reply to Sagi Mor1

    Sagi,

    on v18, you need to use SD-WAN and make sure that SD-WAN takes precedence than static routes. You can check the route precedence on XG console:

    system route_precedence show

    On v17, you can select the gateway you want from the firewall rule.

    If it does not work, please share the firewall rules.

    Regards

  • 0 in reply to lferrara

    Hi Luk,

    First, thank you very much for the help here!

     

    I'm out of the office atm, tomorrow's morning i will share the configurations.

     

    Meanwhile:
    SD-WAN does take precedence over static/vpn.
    Traffic is able to pass from LAN --> WAN.
    If the 1st gateway is down, taffic will be routed via the 2nd gateway. 

    But i'm still struggling to find where i configure different QOS/Traffic shaping for each ISP individually.

    Hope tomorrow you will help to find an answer for that!

    Thanks again, and great night.

    Sagi.

  • 0 in reply to lferrara

    Thanks again Luk.

    So if i must to apply these only per service - and in WAN zone i cannot do seperation between interfaces.. 

     

    What if i will work with 3 "LAN" zones that will act as WAN?

    So i can do rules like:

    Lan --> "WAN1"  accept HTTPS + traffic shaping X
    Lan --> "WAN2"  accept HTTPS + traffic shaping Y
    Lan --> "WAN3" accept HTTPS no traffic shaping.

     

    Notice that these "WANS" zones are acctually configured as "LAN" zones. but they will be connected to my routers.
    So when i'm on "WAN1" i have some type of traffic shaping for HTTP
    but when i'm on "WAN2" i have different type of traffic shaping (or nothing at all if i wish).

    I will have to configure NAT and probably gateways manually i guess?
    Anything else i "lose" if i choose to not use WAN zone and just connect each router to different LAN zone?

     

     

Unfiltered HTML