regarding this thread, are there new features in version 19?
You can do this in V19.0 and even better in the currently EAP Version of V19.5.
You need to specify your SD-WAN rule for VOIP and then tell the firewall which gateway it should use.
the solution you provided just routes VoIP traffic to a secondary WAN, but does not apply traffic control.
If I have 2 WAN (both different in terms of bandwidth and not symmetrical, and both in use in an active-active scenario), how can I guarantee SIP traffic?
There is one thing that I don't understand about the Sophos Traffic Shaping settings. How can the Sophos XG determine how much bandwidth (download and upload) there is on multiple WAN, when you can only define a single value, the total WAN bandwidth?
In a scenario where you have multiple WAN, very different in terms of bandwidth, jitter, latency, how can Sophos determine, for example, that on WAN A there is 90Mbps in down and 18Mbps in up and on WAN B 25Mbps in down and 3 in up? Without this basic knowledge how can you guarantee SIP traffic?
I agree it's a little bit confusing user interface. Let me try to answer your query.
If you have 2 WAN interfaces (WAN A 90d/18u and WAN B 25d/3u) then you should consolidate all bandwidth and set total bandwidth as 136Mbps (90+18+25+3). Think of it as one common aggregated WAN pipe.
After that, based on different type of traffic shaping policies like application/web/user/firewall, you can orchestrate and divide your aggregated bandwidth between desired traffic. Along with it, if you can orchestrate your traffic using SD-WAN or static routing to particular WAN interface, you can decide usage of your WAN ISP link. That's how you can guarantee SIP (or any other) traffic.
If, as admin, one makes a misconfiguration in the traffic shaping policy, it's possible you won't be able to achieve the desired results (limiting some traffic or guaranteeing some traffic).
Hope it clarifies.
Thanks for the reply.
Correct me if I'm wrong, with this traffic shaping logic it's not possible to shape traffic with two distinct policies over 2 WAN.
Sophos XG/XGS allows you to select the traffic shaping policy in the firewall rules, but the firewall rule does not permit matching the outbound interface.
In the scenario that I described above, I set the total bandwidth to 136Mbps (converted in KB/s). Now I'd like to set 2 QoS rules for each WAN. The first for VoIP traffic, and the second for all the rest. This should result in 4 firewall rules:
1) SIP traffic over WAN1 -> apply QoS policy for SIP on WAN1
2) generic traffic over WAN1 -> apply QoS policy for generic on WAN1
3) SIP traffic over WAN2 -> apply QoS policy for SIP on WAN2
4) generic traffic over WAN2 -> apply QoS policy for generic on WAN2
I had the same objection: in the settings it only accepts a single number, but that's misleading. The answer I found -- based on a post by @Prism -- was to set that number to the maximum and then use the up/down settings on each Traffic Shaping policy/rule. The single number is an attempt to support a default (i.e. subtract everything else from the limit) but I think it doesn't work as Sophos thinks it might.
In your case, it sounds like 4 firewall-Rule-Based Traffic Shaping policies (or are they rules) that are applied to the appropriate firewall rules.
The configuration you mentioned makes sense if you have some identifier to distinguish between 2 SIP-based firewall rules. For example, if you have 4 SIP clients and you have 2 SIP clients use FW rule1 and the other 2 SIP clients use FW rule2. In this case, you also need to create SDWAN rules with similar matching criteria and divert 2 SIP clients' traffic via WAN1 and, for the other SIP clients, create another SDWAN rule and divert traffic via WAN2.
Another use case could be - If you have a requirement where you want to use 10Mbps (out of 136Mbps) for SIP traffic then you can create single traffic shaping policy (FW type) and create single Firewall rule and let SIP traffic load balance between WAN1 and WAN2.
As I mentioned earlier, you first need to decide your traffic shaping policies, map them with firewall rules and, if it requires WAN interface level granularity, you can map the same traffic with SDWAN rules.
As all subsystems are decoupled and have their own purpose, it's the admin's responsibility to design their configuration, routing, security enforcement and deploy it.
Traffic shaping policy also allows you to choose different upload/download, share same bandwidth among multiple users/firewall rules kind of functionalities. It's quite flexible but at the same time confusing/complex too!
I'll give you a real scenario. With the 2 WAN described above, WAN1 has lower latency and jitter so it is best suited for VoIP; I'm routing all SIP traffic on the first WAN, applying the correct QoS for WAN1.
This is simply done with a firewall rule that target source LAN Zone, destination WAN zone, SIP traffic and apply QoS policy for WAN1.
Now imagine that you have an outage on the first WAN, and all the traffic is automatically routed on the second WAN. This is done with SD-WAN policy. As mentioned above the second WAN is different in terms of bandwidth/latency/jitter so I'd like to apply a correct QoS policy. And the problem arises here. During failover the SIP traffic will match the firewall rule above, and the wrong QoS policy will be applied.
Correct me if I'm wrong. I believe that the Traffic shaping policy is applied before the routing decision (SD/WAN policy). In a multiple WAN scenario where the SD/WAN engine applies SLA routing/load balancing and failover/failback decisions you cannot reliably apply a limit/guarantee traffic shaping policy.
After understanding your requirement, it sounds like a per-interface-based traffic shaping policy requirement which Sophos Firewall does not support as of now. However, I would suggest that you try the following configuration which I believe can help achieve your use case.
- Sophos Firewall supports "Gateway host" (Routing >> Gateway), which you can add on top of default WAN gateways.
- You can replicate your default ISP gateway configuration. One additional support available in Gateway host is that you can apply a "Zone" to it.
- You can create 2 custom zones (Network >> Zone) of type LAN or DMZ. Let's call them WAN1 and WAN2.
- You can associate WAN1 zone to Gateway Host1 (representing ISP1) and WAN2 to Gateway host2 (representing ISP2).
- Create SDWAN profile with Gateway Host1 as first gateway (low latency/jitter) and Gateway Host2 as second gateway
- Create SDWAN route for SIP traffic and attach SDWAN profile
- Create 2 traffic shaping policies for SIP traffic appropriate for ISP1 and ISP2. Let's call them SIP-ISP1 & SIP-ISP2
- Create 2 Firewall rules (assuming SIP clients are behind LAN zone)
(1) LAN > WAN1 - Allow SIP traffic - Apply SIP-ISP1 traffic shaping policy
(2) LAN > WAN2 - Allow SIP traffic - Apply SIP-ISP2 traffic shaping policy
This would help to choose a different firewall rule in case of SDWAN failover/failback between the ISP1/ISP2 links.
Please check out whether it works for you or not.
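As an added illustration (not Sophos code or configuration, and not from any poster in this thread), a small Python model of the zone-per-gateway-host design above: the active SD-WAN gateway resolves to a custom destination zone, which selects the firewall rule and therefore the shaping policy; the guarantee values are hypothetical, while the link capacities are the ones quoted in the thread.

```python
"""Model of policy selection under the gateway-host/zone design (added example)."""
from dataclasses import dataclass

# Link capacities in Mbps, as stated earlier in the thread.
LINKS = {"ISP1": {"down": 90, "up": 18}, "ISP2": {"down": 25, "up": 3}}

# Gateway host -> custom zone, as the answer describes (LAN/DMZ type zones).
GATEWAY_ZONE = {"ISP1": "WAN1", "ISP2": "WAN2"}

@dataclass(frozen=True)
class ShapingPolicy:
    name: str
    guarantee_up: float    # Mbps guaranteed for SIP upstream
    guarantee_down: float  # Mbps guaranteed for SIP downstream

# Hypothetical guarantee values; the thread gives none.
POLICIES = {
    "SIP-ISP1": ShapingPolicy("SIP-ISP1", 4.0, 4.0),
    "SIP-ISP2": ShapingPolicy("SIP-ISP2", 1.5, 1.5),
}

# Firewall rules as (src zone, dst zone, service, shaping policy).
RULES = [
    ("LAN", "WAN1", "SIP", "SIP-ISP1"),
    ("LAN", "WAN2", "SIP", "SIP-ISP2"),
]

# SD-WAN profile order: the first reachable gateway is used.
SDWAN_PROFILE = ["ISP1", "ISP2"]

def choose_gateway(gateway_up):
    """Return the first gateway in profile order whose link is up, else None."""
    for gw in SDWAN_PROFILE:
        if gateway_up.get(gw):
            return gw
    return None

def select_policy(gateway_up, src_zone="LAN", service="SIP"):
    """Resolve gateway -> zone -> firewall rule -> shaping policy name."""
    gw = choose_gateway(gateway_up)
    if gw is None:
        return None
    dst_zone = GATEWAY_ZONE[gw]
    for s, d, svc, pol in RULES:
        if (s, d, svc) == (src_zone, dst_zone, service):
            return pol
    return None

def guarantee_fits(policy_name, gateway):
    """True if the policy's guarantees fit the physical capacity of that link."""
    p, link = POLICIES[policy_name], LINKS[gateway]
    return p.guarantee_up <= link["up"] and p.guarantee_down <= link["down"]
```

The last check shows why a single LAN>WAN rule is a problem during failover: SIP-ISP1's 4 Mbps upstream guarantee cannot be honoured on ISP2's 3 Mbps uplink, whereas the zone-selected SIP-ISP2 policy fits.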
Thank you for the suggestion!
I thought about the zone solution yesterday. Do you know if it's safe to associate a WAN interface to a zone of type LAN or DMZ?
Yes, it's safe (though may not look clean!) to use. You are not associating it with WAN interface actually. It's Gateway host property and applicable for outbound traffic only going via that WAN interface.
This is great!
Thanks, for the solution shared above!