
Multi WAN route traffic based on Application?

Hey Folks,

Hopefully someone can give me a pointer on this. I have an XG firewall with 2 x WAN connections:

Connection 1 - 5Mb un-metered ADSL

Connection 2 - 40Mb 100G per month 4G

In order to reduce consumption of my 4G connections fixed monthly allowance I want to create a rule that routes all 'High Bandwidth' traffic over Connection 1 and leaves everything else to go over connection 2.

I've created a standard rule [User auth off] [LAN/Any/Any]>[WAN/Any/Any] [Application Rule YouTube Accept]-[Gateway1]-Accept.

With this rule enabled _ALL_ my traffic regardless of whether it's to Youtube or not goes over connection 1.

Creating a similar rule but instead using TCP Services as the filter everything works as expected, it's as if the 'Application' rule is being ignored and it's only matching the standard FW IP/Port rule.

Being a home user I do not use user auth, hence per user rules option is disabled. Any pointers?

Cheers

Simon



  • Hi Simon,

    As per the post, you created a Firewall Rule "[User auth off] [LAN/Any/Any]>[WAN/Any/Any] [Application Rule YouTube Accept]-[Gateway1]-Accept."

    I suggest you change Gateway to Load Balance in the configured Firewall Rule.

    Next, navigate through the options System > Network > WAN Link Manager. Here you can see both your WAN links in Active status. The interesting part here is that you can define the weight on a particular WAN gateway.

    SF allows Load Balancing between 2 or more Active-Active Gateways. By default, SF adds a new gateway as an Active Gateway. Hence, Load Balancing is automatically enabled between the existing and newly added links.
     
    Weighted Round Robin algorithm is used for load balancing wherein each link is assigned a weight. The traffic that SF distributes among the links is in proportion to the weight assigned to them.

    This gives you an option to distribute the traffic between the WAN links accordingly.

    Please refer to the link to learn more on this matter:

    community.sophos.com/.../123530

    Hope that helps.

    Thanks

    Sachin Gurung

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Thanks Sachin,

    I really appreciate you taking the time to reply to my query.

    I'm aware of the balance/weight option; whilst this would push more traffic to the ADSL over the 4G, it isn't solving my core problem, nor in reality is it really an option.

    My ADSL connection is unlimited but comparatively slow (5Mb download/640kb up); my 4G connection is limited to 100G a month but comparatively fast (40Mb download/10Mb up).

    Whilst slow, 5Mb is 'ok' for streaming media, hence my desire for the device to 'catch' high bandwidth applications and redirect them over this link in preference to the fast 4G.

    Unfortunately, due to the common use of CDNs for media asset delivery, I cannot simply add target URLs/ports into my rules, hence the desire for an application awareness rule.

    I also have the issue that the 4G connection is NAT'd by the ISP and seems to break streaming on my Sony Bravia TV and my son's Xbox Live connection (both easily sorted using a user rule, I realise).

    Simon

  • Hi Simon,

    Let's think about some alternative solution to this. Can we configure some devices to consume the 4G connection, irrespective of the kind of traffic? Alongside, other devices will calculatedly consume the 5 Mb connection.

    This is because the priority of a Firewall Rule is always higher than the Application or Web Filter, which is mostly an architectural behavior in firewalls.

    Now, if we can configure a device-specific route through gateways, we can create a MAC-address-based Firewall Rule configured with a specific gateway to route the traffic.

    Thanks

    Sachin Gurung


  • Hi Sachin,

    Many thanks again.

    I'm fully up to speed on creating 'device'-specific rules to distribute traffic between the two WAN links using source/protocol/ports etc. as the filter. All that works great; the only thing missing is true VDOM/VRF/Virtual Firewall support (depending on what the vendor calls it).

    Let me give you an example of my concerns and why this simplistic approach won't work well. I have a 'client' Windows 10 PC on my network (my son's); he likes the speed the new 4G connection gives his computer, and so I create a rule to push traffic from his IP/MAC addr via the 4G gateway, no problem.

    Microsoft have just released the next major build for Windows 10, which, if the same as previous builds, will be 5G in size. Using static firewall routing rules (something I did years ago using OpenBSD's PF), this 5G will be downloaded over the 4G, taking 5% of my monthly allowance, not cool. Perhaps not the best example, as I guess I could use a DNS rule to match *.windowsupdate.com, but you hopefully get the idea that a normal user may occasionally call upon abnormal bandwidth sites which I want to trap and re-direct.

    So I need a rule first in my list that says [from LAN any] to [WAN any] - [Application Windows update] -> Use ADSL gateway.

    Followed by a rule that says [From LAN any] to [WAN any] - [Application Any] -> Use 4G gateway.

    My guess from what you are saying is that the firewall applies the 'match' to the traditional layer 3 src/dst/protocol/port rules in the rule base first, and only after that has happened applies the layer-7-ish application rule filter, such that if an 'exception' occurs it can no longer 'back out' and traverse the FW rule base to find a more appropriate rule, as the match has already happened.

    If that is the case it would explain the problem, I'll just have to find an alternative as you say.

    Thanks again

    Simon
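
A toy model, added here and not code from the thread or from Sophos, of the rule evaluation Sachin and Simon describe: the firewall selects a rule, and with it the gateway, from zone, host and service fields on the first packet, and the application filter is only applied to the connection that has already matched, so it can accept or block but never move traffic to another gateway. Rule names, MAC addresses and gateway labels are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

@dataclass
class Rule:
    name: str
    src_zone: str = "ANY"
    src_hosts: FrozenSet[str] = frozenset()      # empty = any source host
    dst_zone: str = "ANY"
    services: FrozenSet[str] = frozenset()       # empty = any port/protocol
    app_policy: Optional[Dict[str, str]] = None  # app -> action, post-match only
    gateway: str = "LoadBalance"
@dataclass
class Conn:
    src_zone: str
    src: str                   # IP or MAC of the source host
    dst_zone: str
    service: str               # e.g. "TCP/443"
    app: Optional[str] = None  # unknown on the first packet, classified later

def select_rule(rules: List[Rule], conn: Conn) -> Optional[Rule]:
    """First match on zone/host/service only; conn.app is never consulted,
    because the application filter is not a matching criterion."""
    for r in rules:
        if (r.src_zone in ("ANY", conn.src_zone)
                and r.dst_zone in ("ANY", conn.dst_zone)
                and (not r.src_hosts or conn.src in r.src_hosts)
                and (not r.services or conn.service in r.services)):
            return r
    return None

def route(rules: List[Rule], conn: Conn) -> Tuple[Optional[str], str]:
    """(gateway, action): the gateway is fixed when the rule matches; the
    application verdict can only accept or block inside that rule."""
    r = select_rule(rules, conn)
    if r is None:
        return None, "drop"
    if r.app_policy and conn.app is not None:
        return r.gateway, r.app_policy.get(conn.app, "accept")
    return r.gateway, "accept"
# Simon's original rule: every LAN->WAN connection matches on L3/L4, so all
# of it leaves via Gateway1 whatever the application later turns out to be.
ORIGINAL = [Rule("YouTube via ADSL", "LAN", dst_zone="WAN",
                 app_policy={"YouTube": "accept"}, gateway="Gateway1-ADSL")]
# Per-device rules (constructed MAC addresses): the source host is known on
# the first packet, so steering by device works as intended.
PER_DEVICE = [Rule("Son's PC via 4G", "LAN", frozenset({"02:00:00:00:00:01"}),
                   "WAN", gateway="Gateway2-4G"),
              Rule("Everything else via ADSL", "LAN", dst_zone="WAN",
                   gateway="Gateway1-ADSL")]
```

Reordering the rules as Simon proposes (Windows Update first, then "Application Any") changes nothing in this model, because the first LAN-to-WAN rule matches every connection before any application is identified.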

  • Simon,

    Virtual Firewall equivalent technology is missing on XG, and I hope they will integrate it one day. Vote for the feature request:

    http://feature.astaro.com/forums/330219-sophos-xg-firewall/suggestions/11262702-virtual-firewall

    Thanks.

  • Hi,

    I support this. Voted!

    Thanks

    Sachin
