
Policy Based Routing, can I send VPN over 4G?

[REPOSTED FROM XG FIREWALL]

Hello,

I have a mail server behind an SG115 appliance connected to the world via a super slow static IP ADSL.

If I were to use PBR and a 4G dongle, what traffic can be diverted to 4G?

I expect everything that needs the static IP address [email, DVR, VPN] to remain on ADSL, but all web traffic, WSUS, Onedrive, SharePoint etc to go via 4G.

Can the VPN be sent/rerouted over the 4G dongle? This would solve the most common gripe both users have about slow connections.

With my limited understanding, the user connects to the appliance using the Sophos VPN client via the static IP address on ADSL. I am totally in the dark as to whether the appliance can, after authentication, then hand off the VPN to the faster 4G, whose IP address is not publicly addressable; this seems impossible to me.

If I cannot do this, then there seems little point in getting the 4G dongle.

I am fairly ignorant of the detailed workings of the SG115, so here I am asking questions.

Thanks in advance.



  • There's no way to do a hand-off, Simon, but you should be able to use DynDNS to allow the users to login via the IP on the dongle.

    As for outbound traffic, Multipath rules can determine which traffic goes out which connection.  This also would allow fail over if one of the connections went down.

    An experienced, knowledgeable UTM installer can probably save you several hours and leave a clean configuration that is easy to modify if your needs change.  Sophos Sales in Australia can suggest a good Sophos Partner near you.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • The primary issue is 4G IP addresses are not publicly addressable and so a VPN connection cannot be initiated from the outside world to the appliance over 4G, regardless of DynDNS.

    I still feel the PBR has value for us, and I certainly won't be configuring this; I don't need that kind of self-induced drama in my life.

     

    Cheers.

  • I just pinged my cell phone operating on 4G LTE, Simon.  Then again, my AT&T cellular IP also responded when I was no longer on LTE but was using WiFi.  And I got the same IP when I disabled WiFi on my iPhone again.  I didn't expect that.

    I don't understand how a 4G device could communicate on the Internet without a public IP.  Or are you saying that the IP actually "lives" at the ISP?  Even then, I would think your UTM could be reached on the IP as determined by the DynDNS client in the UTM.

    Cheers - Bob

     
  • Hello Bob,

    While this link is not 100% technically on the money and should not be relied upon in court, it does illustrate the concept in principle.

    https://dyn.com/blog/is-4g-ddns-possible/

    However, my mobile provider does allow, in some circumstances, for a price, a static addressable IP on certain LTE devices.

    I will post back when I have more details.

     

    Cheers Simon
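The point the two posts above circle around (a 4G uplink whose assigned address is carrier-grade NAT space cannot accept inbound VPN connections, however a DynDNS client publishes its externally seen address) can be checked mechanically before buying a dongle or a static-IP add-on. The script below is an added example, not code from the original thread or from Sophos: it compares the address the carrier assigns to the uplink with the address an external echo service sees for traffic leaving that uplink, and flags any range that is not globally routable. The sample address pairs are constructed for illustration (198.51.100.0/24 stands in for a public block), as is the `classify_uplink` function name.

```python
import ipaddress

# Ranges that never reach the public Internet directly. An uplink whose
# assigned address sits in one of these is behind a NAT (at the carrier for
# 100.64.0.0/10, RFC 6598; in the modem/router for RFC 1918 space), so
# inbound packets stop at that NAT regardless of what DynDNS publishes.
NOT_ROUTABLE = [
    ("carrier-grade NAT (RFC 6598)", ipaddress.ip_network("100.64.0.0/10")),
    ("RFC 1918 private", ipaddress.ip_network("10.0.0.0/8")),
    ("RFC 1918 private", ipaddress.ip_network("172.16.0.0/12")),
    ("RFC 1918 private", ipaddress.ip_network("192.168.0.0/16")),
    ("link-local", ipaddress.ip_network("169.254.0.0/16")),
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),
]


def non_routable_reason(ip):
    """Return a label if `ip` is in a non-routable range, else None."""
    addr = ipaddress.ip_address(ip)
    for label, net in NOT_ROUTABLE:
        if addr in net:
            return label
    return None


def classify_uplink(assigned_ip, observed_ip):
    """Decide whether an uplink can accept inbound (VPN) connections.

    assigned_ip: the address the ISP handed to the uplink interface
                 (what the firewall itself sees on the interface).
    observed_ip: the address an external echo service reports for traffic
                 leaving that uplink (what a DynDNS client would publish).
    """
    a = ipaddress.ip_address(assigned_ip)
    o = ipaddress.ip_address(observed_ip)
    reasons = []

    r = non_routable_reason(a)
    if r:
        reasons.append(f"uplink address {a} is {r}; inbound packets stop at the NAT in front of it")
    elif a != o:
        # Routable-looking address that still differs from the outside view:
        # something is translating in between, so inbound will not arrive.
        reasons.append(f"uplink address {a} differs from externally seen {o}; a NAT sits in between")

    r = non_routable_reason(o)
    if r:
        reasons.append(f"externally seen address {o} is {r}; DynDNS would publish an unreachable name")

    return {"inbound_reachable": not reasons, "reasons": reasons}


# Constructed sample pairs (assigned on the interface, seen from outside).
SAMPLES = {
    "adsl_static":        ("198.51.100.23", "198.51.100.23"),   # static ADSL: same both sides
    "4g_cgnat":           ("100.71.12.9",   "198.51.100.77"),   # typical 4G dongle behind CGNAT
    "4g_static_addon":    ("198.51.100.77", "198.51.100.77"),   # carrier static-IP option
    "behind_home_router": ("192.168.8.100", "198.51.100.77"),   # dongle's own router doing NAT
}


def check_all(samples=SAMPLES):
    """Classify every sample uplink; returns {name: verdict}."""
    return {name: classify_uplink(a, o) for name, (a, o) in samples.items()}


if __name__ == "__main__":
    for name, verdict in check_all().items():
        state = "inbound OK" if verdict["inbound_reachable"] else "inbound BLOCKED"
        print(f"{name:20s} {state}")
        for reason in verdict["reasons"]:
            print(f"    - {reason}")
```

In practice the `assigned_ip` is whatever the appliance shows on the 4G interface and the `observed_ip` is what its DynDNS client (or any "what is my IP" echo) reports for that interface; only when both are the same globally routable address, as with the carrier's paid static-IP option mentioned above, is there any point directing VPN clients at the 4G path.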

  • Thanks, Simon - you taught me something I didn't know!

    I see now how that must work.  I'm guessing that their router uses the IMEI or MEID of the cellular device instead of assigning an IP address and tracking that.  In any case, it's clear that you need something special for inbound traffic to be able to be directed to your box.

    Cool!

    Cheers - Bob

     