This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Different rules per interface under WAN zone?

Hello Guys,

So we have 3 WAN interfaces connected to our Sophos.
These WANs are really different in their performance (download/upload speed) and even BW limitations.

*These are satellite links.

Anyway, i'm trying to set rules depending on the outgoing interface, but all i can do is "zone" which includes all of the 3.

I want for example - if only the "slow" WAN is available - i need to limit/block lots of things
On the other side, if the "fast" WAN is available - most of the traffic will be allowed.

But as it seems, i can choose "WAN" as outoging zone - so i cannot differentiate between each interface.

The only option for me is to use 3 separate zones, and avoid using the WAN zone?

Thank you.

This thread was automatically locked due to age.

Parents

0 lferrara over 4 years ago

Sagi,

which version of XG OS are you running?

Thanks
Cancel
Vote Up 0 Vote Down

Cancel
0 Sagi Mor1 over 4 years ago in reply to lferrara

Used Trial version 17.5.9 until yesterday,

Few hours ago i have updated to latest 18.
Cancel
Vote Up 0 Vote Down

Cancel
+1 lferrara over 4 years ago in reply to Sagi Mor1

Sagi,

on v18, you need to create SD-WAN policy under Routing menu. First create the firewall rule, the associated NAT and then the matching SD-WAN policy.

More info on the following video:

https://www.youtube.com/watch?v=TolZsFNbBuM

Regards
Cancel
Vote Up 0 Vote Down

Cancel
0 Sagi Mor1 over 4 years ago in reply to lferrara

Will try now!

Thanks a lot Luk.
Cancel
Vote Up 0 Vote Down

Cancel
0 Sagi Mor1 over 4 years ago in reply to Sagi Mor1

Hi again,

Still seem to fail here.

Under "WAN" zone i have 3 interfaces/gateways to 3 different ISP's

Only single ISP will be Up at a given moment.

ISP1 is very fast, so while ISP1 is active - no traffic shaping/qos needed.

If ISP1 is down - system will failover to ISP2:
ISP2 is very slow - So when the system is using this ISP, i
wish to give higher priority for Emails/Teamviewer and other "work" related things.

Problem is: if i use WAN zone all rules is applied no matter which ISP i'm on.
Destination zone = WAN
i need Destination zone= WAN(interface1) + WAN(interface2) for example... not both!
Cancel
Vote Up 0 Vote Down

Cancel
0 lferrara over 4 years ago in reply to Sagi Mor1

Sagi,

on v18, you need to use SD-WAN and make sure that SD-WAN takes precedence than static routes. You can check the route precedence on XG console:

system route_precedence show

On v17, you can select the gateway you want from the firewall rule.

If it does not work, please share the firewall rules.

Regards
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 lferrara over 4 years ago in reply to Sagi Mor1

Sagi,

on v18, you need to use SD-WAN and make sure that SD-WAN takes precedence than static routes. You can check the route precedence on XG console:

system route_precedence show

On v17, you can select the gateway you want from the firewall rule.

If it does not work, please share the firewall rules.

Regards
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Sagi Mor1 over 4 years ago in reply to lferrara

Hi Luk,

First, thank you very much for the help here!

I'm out of the office atm, tomorrow's morning i will share the configurations.

Meanwhile:
SD-WAN does take precedence over static/vpn.
Traffic is able to pass from LAN --> WAN.
If the 1st gateway is down, taffic will be routed via the 2nd gateway.

But i'm still struggling to find where i configure different QOS/Traffic shaping for each ISP individually.

Hope tomorrow you will help to find an answer for that!

Thanks again, and great night.

Sagi.
Cancel
Vote Up 0 Vote Down

Cancel
0 lferrara over 4 years ago in reply to Sagi Mor1
Traffic shaping can be applied based on:

Users

Application

Service

Website

https://community.sophos.com/kb/en-us/123062

https://community.sophos.com/kb/en-us/123061

https://community.sophos.com/kb/en-us/123058

https://community.sophos.com/kb/en-us/123060

Regards
Cancel
Vote Up 0 Vote Down

Cancel
0 Sagi Mor1 over 4 years ago in reply to lferrara

Thanks again Luk.

So if i must to apply these only per service - and in WAN zone i cannot do seperation between interfaces..

What if i will work with 3 "LAN" zones that will act as WAN?

So i can do rules like:

Lan --> "WAN1" accept HTTPS + traffic shaping X
Lan --> "WAN2" accept HTTPS + traffic shaping Y
Lan --> "WAN3" accept HTTPS no traffic shaping.

Notice that these "WANS" zones are acctually configured as "LAN" zones. but they will be connected to my routers.
So when i'm on "WAN1" i have some type of traffic shaping for HTTP
but when i'm on "WAN2" i have different type of traffic shaping (or nothing at all if i wish).

I will have to configure NAT and probably gateways manually i guess?
Anything else i "lose" if i choose to not use WAN zone and just connect each router to different LAN zone?
Cancel
Vote Up 0 Vote Down

Cancel