Port Forwarding with multiple WAN links

Hi there,

I have a network that uses multiple WAN links to connect to the internet. Link speeds (and data costs) vary meaning certain subnets are allocated individual WAN Links. All links are active but there is no load balancing between them: traffic from Subnet-A will always use WAN-A no matter the traffic conditions. Our WAN links are relatively unstable (physical limitations) therefore there are backup gateways enabled should a link go down: Subnet-A would fail-over to WAN-B should WAN-A be down. Each WAN Link has one public IP address and there are two links in this situation.

I have a gaming device that I want to enable port forwarding on. This device will normally use WAN-A but can often fail-over to WAN-B. To create the forwarding rule I have used:

Source - Host: Any

Hosted Server - Source Zone: Any

Hosted Server - Hosted Address: IP List containing the two public IPs of the WAN links. *****This is what I am questioning*****

Hosted Server - Load Balancing: Unsure what to put here. First Alive? Settings for this are unknown

Port Forwarding: Ports

Routing - Rewrite Source Address: Off

No Traffic shaping or Intrusion Prevention

Log Firewall Traffic: Yes

Create Reflexive Rule: Don't know what to put here

I have two of these non-HTTP rules, one for TCP and one for UDP, and they are placed at the bottom of the policy list. Is this the correct way to set this up, and could someone please help me fill in the blanks, as it were? Do I need to write new NAT rules for this, or is there something about WAN aliases that I could set up?

Many thanks for any help you can provide



  • Hi Tom,

    Unfortunately, fail-over with Port Forwarding is not possible in XG at the moment. You can raise it as a feature request here.

    Meanwhile, Load Balancing of incoming traffic over multiple internal servers is possible. Health Checking keeps a check on servers and sends a notification to the administrator whenever a server goes down or comes up. 

    About load balancing:

    Round Robin: In this method, requests are served in a sequential manner where the first request is forwarded to the first server, the second request to the second server and so on. When a request is received, Cyberoam checks to see which was the last server that was assigned a request. It then assigns this new request to the next available server.

    When to use: This method can be used when equal distribution of traffic is required and there is no need for session persistence.

    First Alive: In this method, all incoming requests are served by the first server (the first IP Address that is configured in the IP Range). This server is considered as the primary server and all others are considered as backup. Only when the first server fails, the requests are forwarded to the next server in line. 

    When to use: This method is used for failover scenarios. 

    Random: In this method, the requests are forwarded to the servers randomly. However, Cyberoam makes sure that all configured servers receive an equally distributed load. Hence, this method is also called uniform random distribution.

    When to use: This method can be used when equal distribution of traffic is required and there is no need for session persistence or order of distribution.

    Sticky IP: In this method, along with Round Robin distribution of traffic, Cyberoam forwards incoming traffic according to the Source IP Address. All traffic from a particular source is forwarded only to its mapped server. This means that all requests for a given source IP are sent to the same application server instance.

    When to use: This method is useful in cases where all requests or sessions are required to be processed by the same server. For example, banking websites and e-commerce websites.

    Reflexive rule- When a server hosted in an internal LAN or DMZ zone is published over the Internet, in other words, when a virtual host is created, a WAN to Internal Zone firewall rule has to be created to allow access to the server from the Internet. Additionally, a corresponding Internal Zone to WAN rule also has to be created to ensure that traffic from that server is NATed before it goes out into the Internet. Such a Firewall Rule is called a Reflexive Firewall Rule.

    Hope that helps :)
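The four server-selection methods described in the reply above (Round Robin, First Alive, Random, Sticky IP), together with the health-check behaviour of skipping servers that are down, as an added Python example. This is not code from the thread or from Sophos/Cyberoam; the backend IPs, source addresses and the `Balancer`/`Server` names are constructed for illustration, and the point it shows is that First Alive is the one method that behaves as a failover (the first configured server is always preferred and is used again as soon as it comes back up).

```python
import random
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Server:
    """One backend in the configured IP range (constructed example)."""
    ip: str
    alive: bool = True  # flipped by health checking


@dataclass
class Balancer:
    """Chooses a backend for each incoming request using one of the four methods.
    'servers' keeps the configured order, which First Alive depends on."""
    servers: List[Server]
    method: str
    _rr_index: int = -1                       # last position handed out by round robin
    _sticky: Dict[str, str] = field(default_factory=dict)  # source IP -> mapped server
    _rng: random.Random = field(default_factory=lambda: random.Random(0))

    def alive(self) -> List[Server]:
        # Health checking: servers currently marked down are never candidates.
        return [s for s in self.servers if s.alive]

    def _next_round_robin(self, candidates: List[Server]) -> str:
        self._rr_index = (self._rr_index + 1) % len(candidates)
        return candidates[self._rr_index].ip

    def pick(self, source_ip: str) -> Optional[str]:
        candidates = self.alive()
        if not candidates:
            return None  # every backend is down: nothing to forward to
        if self.method == "first_alive":
            # Primary is the first configured server that is up; others are backups.
            return candidates[0].ip
        if self.method == "round_robin":
            return self._next_round_robin(candidates)
        if self.method == "random":
            return self._rng.choice(candidates).ip
        if self.method == "sticky_ip":
            mapped = self._sticky.get(source_ip)
            if mapped is not None and any(s.ip == mapped for s in candidates):
                return mapped  # same source keeps going to the same server
            # First contact from this source, or its mapped server is down:
            # assign by round robin and remember the mapping.
            chosen = self._next_round_robin(candidates)
            self._sticky[source_ip] = chosen
            return chosen
        raise ValueError(f"unknown load balancing method {self.method!r}")


def demo() -> dict:
    """Runs each method against three constructed backends and returns the picks."""
    def backends() -> List[Server]:
        return [Server("10.0.0.1"), Server("10.0.0.2"), Server("10.0.0.3")]

    rr = Balancer(backends(), "round_robin")
    rr_seq = [rr.pick("198.51.100.7") for _ in range(4)]

    fa = Balancer(backends(), "first_alive")
    fa_before = fa.pick("198.51.100.7")
    fa.servers[0].alive = False          # health check marks the primary down
    fa_failed_over = fa.pick("198.51.100.7")
    fa.servers[0].alive = True           # primary recovers
    fa_recovered = fa.pick("198.51.100.7")

    rnd = Balancer(backends(), "random")
    rnd_pick = rnd.pick("198.51.100.7")

    sticky = Balancer(backends(), "sticky_ip")
    sticky_a1 = sticky.pick("203.0.113.10")
    sticky_b1 = sticky.pick("203.0.113.20")
    sticky_a2 = sticky.pick("203.0.113.10")
    sticky.servers[0].alive = False      # A's mapped server goes down: A is re-mapped
    sticky_a3 = sticky.pick("203.0.113.10")

    dead = Balancer(backends(), "first_alive")
    for s in dead.servers:
        s.alive = False
    all_down = dead.pick("198.51.100.7")

    return {
        "round_robin": rr_seq,
        "first_alive": (fa_before, fa_failed_over, fa_recovered),
        "random": rnd_pick,
        "sticky": (sticky_a1, sticky_b1, sticky_a2, sticky_a3),
        "all_down": all_down,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note that this only models which backend a request is handed to; it says nothing about which WAN link the request arrived on, which is the part of the original question the reply says XG cannot fail over for port forwarding.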