

SD-WAN policies my experience so far

Hi folks,

I have been experimenting with the SD-WAN policies since yesterday, after Luk and LuCar kindly explained what I was doing wrong.

So far:

1. One policy working.

2. Many attempts at creating two new policies covering different rules failed.

I had to do a restore after I broke something; not sure what.

What I have found is that the SD-WAN policies do not know how to handle ports like 8000 and 5222. The SD-WAN policies do not have a problem handling HTTPS, HTTP and SIP.

If I delete the SD-WAN policy for 8000 and set up a linked NAT, traffic resumes; the same for the 5222 firewall rule.

Thoughts and suggestions? Am I expecting too much?

Ian



  • Hi Ian,

     

    I cannot follow you.

    Maybe let's spend some time on SD-WAN handling.

    Basically, SD-WAN will hit right before the packet is about to leave the interface.

    So everything else has already taken place.

    Only SNAT will be applied afterwards.

    I am confused: your setup is working with a linked NAT and not the default NAT?

    Maybe take a look at the conntrack on the CLI to find the matching SD-WAN policy.


  • I also updated to v18 yesterday, and now I am letting the migrated linked SD-WAN rules work for the first time, since they all work.

    Since you can easily switch between 17 and 18, I will start the day again with 17 and create 10 dummy rules there. These will be migrated, and I can adjust them in the future if necessary. So I have 10 dummy SD-WAN rules for the first time :)

    This has the advantage for me that I can continue to work only in the firewall rules until v18 is further optimized.

  • The new SD-WAN was implemented the way another vendor did it, and to be honest, having 3 separate menus for creating things is not Sophos-style. Just because the competition does it that way does not mean it is the right way to do things. This is the approach used even for DNAT, where the destination network is the WAN IP and not the server itself.

    In my opinion, SD-WAN in v18 could be improved by adding SD-WAN policies inside Rules and Policies as a new wizard (like BAR in v17) or by putting extra fields in the same firewall rule.

    This is "made simple" UI.

  • Hi Tim,

    Swapping back and forth will break your APs each time if you have any installed.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v20.0.2 MR-2

    If a post solves your question please use the 'Verify Answer' button.

  • Hi Luk, LuCar,

    Are you saying I need a NAT rule as well as an SD-WAN policy? That does not make sense given past posts on the subject.

    Anyway, I have a working SD-WAN policy for my VoIP devices, no NAT rule.

    With my streaming firewall rule, the SD-WAN policy will pass the HTTPS and HTTP traffic regardless of web proxy or DPI, but fails on 8000. If I change the services to ANY, HTTPS and HTTP pass but 8000 does not. Log Viewer shows the packets leaving but never being answered. As soon as a NAT rule is created, traffic passes and music flows.

    Ian


  • No, I don't use the WLAN function of Sophos at all; we have a UniFi WLAN network here, which I only connected to the Sophos network via VPN.

  • Lets recap this:

    SNAT and SD-WAN policy have no real relationship.

    Both will be applied or not applied, and they serve different purposes.

    SD-WAN: decides which interface/route XG has to take.

    (S)NAT: decides which IP to use.

    If no SD-WAN policy applies, the WAN Link Manager will be used (for the default route).

    If no SNAT rule applies, the IP will not be masqueraded; therefore you will communicate with a private IP.

    I recommend using the default SNAT rule as always.

    This will cover the masquerading for all traffic leaving all your WAN interfaces.

    No need for linked NAT at all.

    This rule will be automatically updated with all WAN interfaces created on XG.

    You now have to create an SD-WAN policy if you want to create a "special routing case", like VoIP over A or B.

     

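A small model of the evaluation order described in the reply above, as an added example (my own illustrative code, not SFOS internals and not anything posted in this thread): the SD-WAN policy picks the egress interface first, then SNAT picks the source address for that interface. The interface names, addresses, the shape of the policy and rule objects, the fixed default-route interface, and the assumption that a linked NAT can be bound to one outbound interface while the default SNAT rule covers every WAN interface are all assumptions of the model. It demonstrates the caveat in the reply: a flow that an SD-WAN policy steers out an interface with no matching SNAT rule leaves the firewall with its LAN source address.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical two-WAN XG; public addresses come from RFC 5737 documentation ranges.
WAN_IFACES = {"Port2": "203.0.113.10", "Port3": "198.51.100.20"}
DEFAULT_ROUTE_IFACE = "Port2"  # assumed WAN Link Manager primary link


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class SdwanPolicy:
    name: str
    services: frozenset  # set of (proto, port); empty means any service
    primary_iface: str


@dataclass(frozen=True)
class SnatRule:
    name: str
    out_ifaces: frozenset  # outbound interfaces the rule is bound to; empty means any WAN


def is_rfc1918(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in n for n in RFC1918)


def pick_egress(pkt: Packet, policies: list) -> tuple:
    """Step 1 (SD-WAN): the first policy whose service set matches picks the
    interface. No match -> WAN Link Manager default route, no policy name."""
    for pol in policies:
        if not pol.services or (pkt.proto, pkt.dport) in pol.services:
            return pol.primary_iface, pol.name
    return DEFAULT_ROUTE_IFACE, None


def apply_snat(pkt: Packet, iface: str, rules: list) -> tuple:
    """Step 2 (SNAT, after the egress interface is known): the first rule bound
    to that interface (or to all WANs) masquerades to the interface address.
    No match -> the packet keeps its LAN source address."""
    for rule in rules:
        if not rule.out_ifaces or iface in rule.out_ifaces:
            return WAN_IFACES[iface], rule.name
    return pkt.src, None


def egress(pkt: Packet, policies: list, rules: list) -> dict:
    """Run both steps and report what actually leaves the WAN interface."""
    iface, policy = pick_egress(pkt, policies)
    src, snat = apply_snat(pkt, iface, rules)
    return {
        "iface": iface,
        "sdwan_policy": policy,
        "src": src,
        "snat_rule": snat,
        "private_src_on_wan": is_rfc1918(src),
    }


# Constructed configuration (not taken from the thread): SIP is steered out
# Port3; everything else follows the default route.
VOIP_POLICY = SdwanPolicy("VoIP via Port3", frozenset({("udp", 5060)}), "Port3")
DEFAULT_SNAT = SnatRule("Default SNAT IPv4", frozenset())          # all WAN interfaces
LINKED_SNAT = SnatRule("Linked NAT bound to Port2", frozenset({"Port2"}))

# Constructed sample packets from a LAN host.
SIP = Packet("192.168.1.50", "198.18.0.9", "udp", 5060)
HTTPS = Packet("192.168.1.50", "198.18.0.9", "tcp", 443)

if __name__ == "__main__":
    for label, rules in (("default SNAT", [DEFAULT_SNAT]),
                         ("linked NAT, Port2 only", [LINKED_SNAT])):
        for pkt in (SIP, HTTPS):
            print(f"{label:24} {pkt.proto}/{pkt.dport}: {egress(pkt, [VOIP_POLICY], rules)}")
```

With the default SNAT rule, the SIP flow goes out Port3 masqueraded to Port3's address and the HTTPS flow goes out the default route masqueraded to Port2's address. With only the Port2-bound linked NAT, the HTTPS flow is still fine, but the SIP flow that SD-WAN steers out Port3 finds no SNAT rule and leaves with 192.168.1.50 as its source; in the model that is reported as `private_src_on_wan: True`, which is the condition to check for when a policy "passes" traffic that never gets an answer.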

  • https://www.youtube.com/watch?v=TolZsFNbBuM

    Watch the video for more info regarding SD-WAN.

    A proper KB should be published for SD-WAN ASAP.

  • Hi Luk,

    Thank you for that link, very interesting. I cannot find where the troubleshooting tab is, but never mind, I don't need it. It is interesting how fields can be left empty in SD-WAN policies and how some of those tricks do not work in the Application selection field. While the video was very informative, it did not (to me, anyway) explain why certain ports will not work.

    I found why I was having performance issues when I first tried removing all the migrated linked NAT rules: I was not aware of the SD-WAN policies created by the migration. Having removed them and enabled the default NAT rule, all is good.

    Ian


  • Thanks Ian for your tests.