WAN Link Load Balancing in v20

Hello Nathan,

Thank you for contacting Sophos Community!

You can review what method set on your device by executing the below command from the console.

console> show routing wan-load-balancing

You may refer to the below KBA for more details.

https://docs.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Routing/Gateways/RoutingLoadBalancingWeights/index.html

Opting for the session persistent will have better user experience. 

Thanks, but that doesn't really answer my question. Sophos support says that if we want load balancing, then set both WAN links to active with a weight of 1, and don't touch persistence. 

Does anyone have experience using this feature in schools? 

Hello,

How much bandwidth do you get from each?

1Gig from each.

Hello,

Like suggested earlier, apply these changes and you shall have better output

console> show routing wan-load-balancing

You may refer to the below KBA for more details.

https://docs.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Routing/Gateways/RoutingLoadBalancingWeights/index.html

Opting for the session persistent will have better user experience. 

Ok now I feel like I'm getting conflicting information from support. We were told by Sophos support that using the default config (active-active with a weight of 1 for both) without touching Session Persistance, will balance sessions and users should not have an issue. But what you seem to be implying is different.

Here's the output: 

console> show routing wan-load-balancing
IPv4 WAN Link Load Balance method : Weighted Round Robin

Hello,

Could you share us the ticket number so we can validate what have been communicated?

Also, these are configurable options and updated in KBA too. However, we still review the ticket and provide necessary feedback.

01947356. We dont have load balancing configured now. We're waiting until Thanksgiving break to do so. However, I want to make sure we're doing this properly the first time. And you're telling be different info than Sophos Support so I'm a bit confused.

Thanks again for all of the help.

Hello,

Thank you for sharing the ticket number.

I could see the same information shared on the ticket as well. This KBA contains the information about how round robin and session persistence load-balance works.

https://docs.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Routing/Gateways/RoutingLoadBalancingWeights/index.html

However, if you still have any concern. Please feel free to connect us by dialing the support number.

Hi Mayur, maybe I'm not understanding this correctly, and for that I apologize. You seem to be recommending that we enable session persistence. However, our Sophos support engineer is not recommending it. Please see their response below:

Situation:
Handling of browser traffic

Thank you for sharing the Queries, below is the resolution to the query provided:

When both WAN links are set as active with equal weights (1:1), the Sophos Firewall automatically handles load balancing based on the number of sessions. The firewall uses a round-robin method to distribute sessions between the gateways—assigning the first session to one gateway (e.g., gw0) and the next to the other (e.g., gw1), and so on. This balancing is purely session-based, and the amount of data transmitted in each session does not influence the decision.

In this scenario, the round-robin mechanism is already in place with equal weights, so you don't need to explicitly run a round-robin command. Additionally, session persistence, which ties traffic from the same source to the same gateway, is typically not recommended if your goal is to balance the traffic evenly. The firewall’s internal algorithm will hash the source and destination IPs to automatically distribute traffic across the links.

Please let us know if you require any further assistance from our end.

Please note once you update we will get back to you within 2 business days.

Thank you for Choosing Sophos
Regards

Zeel Trivedi | Technical Support Engineer | Sophos Support

Hi Mayur, maybe I'm not understanding this correctly, and for that I apologize. You seem to be recommending that we enable session persistence. However, our Sophos support engineer is not recommending it. Please see their response below:

Situation:
Handling of browser traffic

Thank you for sharing the Queries, below is the resolution to the query provided:

When both WAN links are set as active with equal weights (1:1), the Sophos Firewall automatically handles load balancing based on the number of sessions. The firewall uses a round-robin method to distribute sessions between the gateways—assigning the first session to one gateway (e.g., gw0) and the next to the other (e.g., gw1), and so on. This balancing is purely session-based, and the amount of data transmitted in each session does not influence the decision.

In this scenario, the round-robin mechanism is already in place with equal weights, so you don't need to explicitly run a round-robin command. Additionally, session persistence, which ties traffic from the same source to the same gateway, is typically not recommended if your goal is to balance the traffic evenly. The firewall’s internal algorithm will hash the source and destination IPs to automatically distribute traffic across the links.

Please let us know if you require any further assistance from our end.

Please note once you update we will get back to you within 2 business days.

Thank you for Choosing Sophos
Regards

Zeel Trivedi | Technical Support Engineer | Sophos Support

Hello Nathan,

I believe, we all understood it correctly. 

Sophos (Community/Ticket), providing an information that session persistent will route the traffic of that session completely via the service provider through which session is established. We are not denying to use the session persistence, this is most effective method for the load-balance hence the traffic which is related any banking or exam does not breaks in between (Round robin, it may route via different public IP and session may break). Also the recommendation was suggested as you mentioned online exams.

As the traffic load-balance takes place based on session, we may notice minor difference in Internet usage of both the service providers. However, it will not have much difference in the usage.

Now, it is up to the customer which algorithm suits your requirement. You can opt that. 

Again, thanks for the attention on this issue. To sum it up, if our biggest concern is the potential for sessions to bouncing back and forth between WAN links, then your recommendation is to enable session persistence as this will lead to the best possible user experience? And to do that, we would run the following command? 

set routing wan-load-balancing session-persistence source-only ip-family ipv4

Hello,

Yes, you have understood it correctly!