Sophos UTM: Decommissioning of obsolete URL categorization services CFFS. Click here for important info.

Thread Info
  • State Not Answered
  • Replies 5 replies
  • Subscribers 33 subscribers
  • Views 630 views
  • Users 0 members are here
Options
Suggested

Multi WAN Site routing

cyberhop

Hi All

I am hoping someone with multi wan experience can help us.  I believe its down to routing.

So we have 3 WAN's in operation, see our diagram attached, the copy monitors all sorts of different types of alarms and also has a phone app you can use to turn your alarm on and off.

Some alarms use TCP, some UDP.  With NZ having a massive weather event at the start of the year, a Starlink was purchased as an additional WAN.  It runs a business account and has a public/static ip address.  Public address is 103.235.95.201

So initially when we turned the Starlik on, we had Alarms using UDP not polling successfully, they were coming from clients who had Alarms and also running Starlink connections, the client IP's are DHCP assigned by Starlink and for example could be 103.234.92.27 and 103.235.92.156.  I setup some routing rules.  The Alarms typically come thru Port 2 or Port 3 WAN connections.  One as a primary and one as a backup.

Port 3 is where the Phone app would connect to.  The phone app uses HTTPS.

So a rule was set for those alarm products and phone app to route the traffic for Port 3 connection, under Configure>Routing>SD-Wan Routes.

The Rule would identify the Server IP and force any traffic out of a Primary WAN or secondary WAN.

For example when a client connects there mobile phone to there Starlink home wifi and trys to use the app from the IP's 103.234.92.27 and 103.235.92.156 for example, they are unable to log into the phone app, if they switch there phone to 4G cell internet then it connects.

So I think there is a routing issue of some kind.  I have tried routing rules where it trys to cover any destination traffic.

We did try and setup an additonal WAN in the past and had similar issues with another provider, we ended up just using it double nated for a while so not to disrupt traffic.



Edited tags
[edited by: Raphael Alganes at 5:44 AM (GMT -7) on 14 Sep 2023]
  • 0

    Hello  ,

    Good day and thanks for reaching out to Sophos Community.

    Kindly confirm if my understanding is correct, the external users are supposed to connect on Port5's IP Addresses 103.234.92.27 and 103.235.92.156 or could be different because it is Dynamic but they are unable to when they use their Starlink ISPs at home? 

    You also mention that the Phone app is on Port3? Was this an adjustment to the setup or this is the supposed to be setup? 

    Also can the end users perform a test like Telnet on 103.234.92.27 and 103.235.92.156 or maybe the working IP then on 443 or whatever the port that the app uses and see if telnet would pass through? 

    Also are there any deny logs on the FW side that you can see whenever they try to connect? And did this ever worked before? If yes, are there any recent changes on the FW side (configuration, firmware upgrade etc) prior this issue? 

    Regards,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • 0 in reply to Raphael Alganes

    Hi Rapheal, the external users are connecting from these dynamically assigned Starlink address's on ip's in this range 103.234.92.27 and 103.235.92.156 to the Port 3 WAN address using HTTPS traffic for the Alarm app and the House Alarms poll using UDP.  I haven't had the opportunity to get to a remote pc behind those addresses to test telnet.  I dont have anything in the log that shows a deny.  As soon as we diasble the Starlink interface the phones apps connect as normal.  The firewall has been functioning normally until we try and add a new WAN.  We are running the latest os version.

  • 0 in reply to cyberhop

    Hello  ,

    To confirm, Is your Port3 and Port5 both have Public IP addresses from Starlink? Could you verify if there are no conflict on the subnet configured on the each interface? If they are both from Starlink and are on the same subnet, you may disable Port5 and enter in the public IPs assigned to Port5 as additional/alias address/es on Port3 instead. 

    Regards,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • 0 in reply to Raphael Alganes

    Hi Raphael, Port 2, 3 & 4 all all different Public ip addresses thru seperate Internet Providers, Only Port 5 is through Starlink.  The other IP addresses are in different ranges completely

  • 0 in reply to cyberhop

    Hi  ,

    Thanks for the additional information. To clarify, when your Port5 (Starlink) is disabled can the external users connect using their Starlink ISP at home to your Sophos Firewall's Port3 then eventually to the internal app without issues?

    And if they switch from their other ISP provider at home, can they connect to your SF's Port3, even though your Port5 (Starlink) is still enabled? or do you still need to disable it?

    If this is the case, I may recommend to check and confirm with ISP (Starlink) if there are any conflict with the assigned IP subnet block on your Port5 with their Public usable IPs for commercial use, etc. Further, may you try a telnet command from the end machine side if ports are open for destination and if you could, kindly share traceroute result as well (For both Starlink and other ISP connection) and your SD-WAN configuration. Thanks

    Regards,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

Unfiltered HTML