
Adding a 4G SIM to XG Firewall in addition to my DSL line

Hi,

I currently run XG Firewall as a VM on my unraid server and have an 80 Mb DSL line (fastest available here). I have done some tests with a 4G SIM card and can get 200 Mb, so with unlimited data deals being very cheap now, would I be able to add this into my XG Firewall installation and "bridge" it with my existing DSL line?

Any advice greatly appreciated!



  • Ok,

    An update on my "progress" :-)

    I have found that with the setup above my internet connection uses only Port4 (the new 4G router) and ignores my DSL connection? I cannot understand why this could be, as they are both active with the same weight balance.

    I have spent the last couple of hours following guides/videos on SD-WAN policy routing but cannot find a way to combine the two ISPs to give me greater speed.

    Hopefully someone can chime in to let me know what I am doing wrong, or if it is even possible?

    Thanks in advance :-)

  • Technically there is "no way" to combine the bandwidth of both connections together (for a single connection).

    It's quite simple: you have two different WAN interfaces with two different IP addresses.

    Most internet services are based on sessions. What this means is: A speaks to B to get data 1. https://en.wikipedia.org/wiki/Session_(computer_science)

    If B is your content server, it will talk to you as A, as you build up the session. For example: A:B to get 1.

    If you now add another IP address to this equation, you have D. So your session is still built up A to B. And if you try to get more / faster data 1 by starting to talk to B with your IP D, it will ask you if you are nuts and not understanding what you are doing.

    If you are interested in such things, you can read something about https://en.wikipedia.org/wiki/Stateful_firewall and https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment

    There are certain services which support such "combining of traffic" methods, but they are rarely seen in the field (for example: peer to peer).

    But if you use WAN load balancing on XG, it will "pin" a connection to A or D and use the next connection for the next one.

    See: https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/LoadBalancingWeights.html 

    If you have both connections active with 100%, you should be able to do multiple downloads, which would be a combined performance in total.


  • Thank you for taking the time to write a detailed reply!

    Basically I have seen these load balancers where you can combine/bond multiple ISPs to create a single fast connection:

    https://idency.com/products/networking/routers/load-balancing-routers/peplink-balance-30-multi-wan-router/?gclid=EAIaIQobChMIppKxwrDi6wIVk9wYCh0rdwo3EAYYASABEgK_y_D_BwE

    I was wondering/hoping I could achieve the same using Sophos.

    I am now considering buying one of these load balancing routers and feeding it into Sophos as my WAN connection, which would give the result I am looking for, based on effectively doing that today with a 4G router.

    Again thanks for your time, and if you think this idea will not work please let me know! :-D

  • It's not that simple. There are some load balancer techniques done by ISPs, which will combine the speed in the backbone of the ISP.

    But such boxes as you linked are talking about load balancing within VPN connections. Actually you can do the same with XG.

    They are talking about SD-WAN.  https://www.sophos.com/en-us/products/next-gen-firewall/sd-wan.aspx

    For your example, this means you have two boxes, both connected via two WAN connections. In this scenario, you can send packet 1 over connection A and packet 2 over connection B. In the end, XG will assemble the session back together. This leads to combined WAN throughput, but they talk about SD-WAN performance vs a single connection.

    Nowadays everything is basically using TLS, meaning the connection is encrypted. So the server on the internet expects the connection to come from your initial session initiator.

    The big question is: why? What do you try to achieve in terms of performance?


  • Again, thanks for your response!

    I have a houseful of kids and work from home; I am sure you know how much kids download/stream these days.

    Also I download/upload a lot of data for work.

    My DSL connection is 75 down, 18 up.

    I bought an unlimited 4G SIM which is 110 down and 47 up, so I wanted to combine the two together to maximize the performance of both internet connections.

    From what I understand with SD-WAN I can specify which services use which WAN Connection?

    As I mentioned, I did try to use SD-WAN and specified the source as LAN and destination as #PORT2 & #PORT4 (also tried Any) to see if it would utilize both WAN connections thinking it would combine the speed from both?

    So if I am understanding this correctly, I can use SD-WAN to tell XG which WAN to use for certain applications, but not combine the speed to, for example, download/upload a file using both WAN connections at the same time?

  • Ok, 

    Maybe I have been over-thinking this?

    Port 1 is my local LAN

    Port 2 is my DSL Line

    Port 3 is my WiFi LAN

    Port 4 is my 4G Router

    Sophos now has 2 gateways

    Does Sophos just balance the 2 connections as best as it can?  Do I need to do anything else?

    Lastly is there a way to see "Live" the upload/download for each WAN port so I can see exactly what is happening?

    Thank you in advance!

  • You could simply assign your work PC the 4G router or the DSL connection and give the household the other connection. That's possible via SD-WAN policy-based rules.

    As mentioned earlier, XG will pin a connection to an interface and stick with this connection forever, or until the connection is closed.

    For example, if you create a Zoom meeting, it could be that one of the two connections is selected and it sticks there forever. If somebody in your house starts a download/upload, this could be on the same WAN interface (it's round robin).

    So a separation would be better. 


  • Hi, I really appreciate your time and have spent countless hours trying to make this work.

    The best solution for me would be to specify by IP address what devices I would like to use the 4G Connection (Port 4)

    So basically I would like everything to use Port2 (My DSL Line) except IP addresses I specify to use Port4 (My 4G Router)

    I have tried every combination I can find and watched the SD-WAN video several times but everything I try seems to be ignored by the SD-WAN policy routing.  Is there more I must do like firewall rules?

    I have tried to add another port into XG to create another network to find a way to resolve this as well, but then XG refuses to boot on my VM (a known issue/feature, I know).

    So is what I am asking possible?

    For example, I would like IP address 192.168.0.60 to ONLY use the Port 4 connection, which has a different IP address (192.168.8.5) and gateway (192.168.8.1).

    If this is possible I would really appreciate an example please? I just cannot get this to work.

    Thank you 

  • It should be possible. 

    Essentially you need a firewall rule: LAN to WAN, Allow. No attachment to a port needed. SNAT should be the default SNAT rule.

    Can you link your current SD-WAN PBR Rule? 

    You should have two. 

    One on top: Your IPs, ANY ANY - Using Port4. 

    Second at the bottom: ANY - ANY - ANY using Port2.

    PBR uses first match, so the first rule will be used for your source IPs; everything else will drop to the default.

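To illustrate the two behaviours this thread keeps coming back to, that XG pins each session to one WAN (so a single download never uses both links) and that SD-WAN PBR rules are evaluated first-match as in the two-rule setup above, here is an added Python model; it is not Sophos code, and the interface names, equal weights and host addresses are taken from the thread or constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import cycle

# Constructed model of the OP's setup: Port2 = DSL line, Port4 = 4G router,
# both gateways active with equal weight, as described in the thread.
WAN_WEIGHTS = {"Port2": 1, "Port4": 1}

@dataclass(frozen=True)
class PbrRule:
    src_net: str   # CIDR, or "any"
    dst_net: str   # CIDR, or "any" (the last reply: destination ANY in both rules)
    gateway: str   # WAN interface to use

def _matches(net, ip):
    return net == "any" or ip_address(ip) in ip_network(net)

# The two rules the answer proposes, in order: specific host -> Port4, then ANY -> Port2.
PBR_RULES = [
    PbrRule("192.168.0.60/32", "any", "Port4"),
    PbrRule("any", "any", "Port2"),
]

def first_match(src, dst, rules):
    """PBR is first-match: the first rule whose source and destination match wins."""
    for rule in rules:
        if _matches(rule.src_net, src) and _matches(rule.dst_net, dst):
            return rule.gateway
    return None   # no PBR match: fall through to WAN load balancing

class SessionRouter:
    """Weighted round-robin gateway choice with per-session pinning (a model, not SFOS code)."""
    def __init__(self, weights=WAN_WEIGHTS):
        # Expand weights into a round-robin cycle: weight 2 would get two slots per round.
        self._rr = cycle([w for w, n in weights.items() for _ in range(n)])
        self.pinned = {}   # (src, dst, dport) -> WAN chosen when the session started

    def route(self, session, rules=()):
        """Pick the WAN for one packet of `session`; the first choice is pinned for its lifetime."""
        if session not in self.pinned:
            src, dst, _ = session
            self.pinned[session] = first_match(src, dst, rules) or next(self._rr)
        return self.pinned[session]

if __name__ == "__main__":
    r = SessionRouter()
    dl = ("192.168.0.60", "203.0.113.10", 443)   # one TLS download (constructed addresses)
    print({r.route(dl) for _ in range(100)})     # {'Port2'}: every packet of a session uses one WAN
    print(r.route(("192.168.0.60", "203.0.113.10", 80)))   # Port4: the next session gets the other WAN
    p = SessionRouter()   # with the thread's PBR rules, .60 is steered to Port4, everyone else to Port2
    print(p.route(dl, PBR_RULES), p.route(("192.168.0.50", "203.0.113.10", 443), PBR_RULES))
```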

  • Hi!

    I have disabled port 4 at the moment, as when enabled it prevents my letsencrypt connections (I will deal with that after I get this working).

    Thank you!

  • Change the Destination network to ANY in both Rules. That should work. 
