
Route traffic to a URL over specific WAN interface?

Hi,

We have two internet connections, load balanced using Uplink Balancing on Sophos UTM 9. It all works great except that one of our users is having trouble with security on a particular website because his WAN IP changes depending on which internet connection he's being routed out over.

Is there a way to pin outbound traffic for that domain to one interface, so that his IP address doesn't change? I took a look at Static Routing, but it seems to want an IP, not a URL, and I can't guarantee that there aren't multiple IPs on that domain or that they won't change in the future.

Thanks!



  • Actually, I think I might have found part of the answer to my own question:

    Multipath Rules, create a new destination and change Type from "IP address" to "DNS host" or "DNS Group".

    The trouble is, the URL of the site is something like https://mashofcharacters.webserver99.acme.com -- is there a way to set a wildcard for the acme.com domain?

  • One option is to use this feature

    Then create one or more filter profiles to permanently assign specific source addresses to specific interfaces. This loses some of the benefits of load balancing. In the event of a link failure, you would have to manually update the affected filter profiles.

    I do not know of a way to do it based on target address.

  • Hi, Elliott, and welcome to the UTM Community!

    There's no such thing as a wildcard in DNS, but maybe acme.com can give you a list of the IPs where they check to see the IP your user gets.  Then, you're right, a Multipath rule placed above the other one is what you would want.

    If not, then Doug's suggestion is your best bet.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks for the tips, guys. I'll try the web filtering idea first -- seems the simpler solution -- and I'll let you know how it went.

  • When I have this type of issue I usually do a WHOIS on the destination IP address and collect the subnet to which it belongs, since big companies usually have an entire subnet of IP addresses. With that information I create a network definition for that subnet, create a multipath rule like Any > Web Surfing > destination subnet and bind to a specific WAN interface. That way all HTTP/S requests both from internal networks and from the proxy with that destination will go out through a specific WAN and in case of a WAN failure it will fall back to the second link.

    Regards,

    Giovani
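The subnet approach above only works if every address the site resolves to actually falls inside the network definition bound to the Multipath rule; any address outside it silently takes whichever uplink the balancer picks, and the user's WAN IP changes again. The following script is an added example, not code from this thread or from Sophos: it pulls the prefixes out of WHOIS text (ARIN-style `CIDR:` and RIPE-style `route:` lines), then reports which resolved addresses are not covered. The hostname, addresses and WHOIS output are constructed placeholders; the `resolve()` helper uses the standard library resolver and is the only part that needs network access.

```python
"""Check that every address a host name resolves to falls inside the
subnets a Multipath rule pins to one WAN interface.

All sample data below is constructed for offline use; the WHOIS text and
addresses are placeholders from documentation ranges, not real records.
"""
import ipaddress
import re
import socket

# Constructed WHOIS output mixing ARIN-style "CIDR:" and RIPE-style "route:"
# lines. ARIN may list several comma-separated prefixes on one CIDR line.
SAMPLE_WHOIS = """\
NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/24
NetName:        EXAMPLE-NET
route:          198.51.100.0/25
descr:          Example hosting block
"""

# Constructed set of addresses the site's hostname might return over time
# (e.g. collected from repeated lookups). The last one is outside both prefixes.
SAMPLE_RESOLVED = ["203.0.113.10", "203.0.113.200", "198.51.100.7", "192.0.2.44"]

# Lines that carry a prefix in CIDR notation; "inetnum:" ranges are not parsed.
_PREFIX_RE = re.compile(r"^(?:CIDR|route|route6):\s*(.+)$",
                        re.IGNORECASE | re.MULTILINE)


def networks_from_whois(text):
    """Extract CIDR prefixes from CIDR:/route:/route6: lines as ip_network objects."""
    nets = []
    for match in _PREFIX_RE.finditer(text):
        for token in match.group(1).split(","):
            token = token.strip()
            if token:
                # strict=False tolerates host bits set in sloppy WHOIS entries
                nets.append(ipaddress.ip_network(token, strict=False))
    return nets


def uncovered_addresses(resolved, networks):
    """Return the resolved addresses that no pinned network contains."""
    missing = []
    for addr in resolved:
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in networks):
            missing.append(addr)
    return missing


def check_rule_coverage(resolved, whois_text):
    """Summarise which prefixes the rule would pin and which addresses escape it."""
    nets = networks_from_whois(whois_text)
    return {
        "networks": [str(n) for n in nets],
        "uncovered": uncovered_addresses(resolved, nets),
    }


def resolve(hostname):
    """Live lookup of all A/AAAA records for hostname (needs network access)."""
    infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    result = check_rule_coverage(SAMPLE_RESOLVED, SAMPLE_WHOIS)
    print("Prefixes for the network definition:", ", ".join(result["networks"]))
    if result["uncovered"]:
        print("Addresses NOT covered by the Multipath rule:", result["uncovered"])
    else:
        print("All resolved addresses are covered.")
```

Run it against real WHOIS output and a few days' worth of lookups for the site; an empty `uncovered` list means the network definition plus Multipath rule will keep that user's traffic on one uplink, while anything listed there needs its own prefix added (or a `DNS host`/`DNS group` definition instead of a subnet).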