
Different routing for different networks

I thought this would be working straight out of the box, but I think the built-in load balancing is working against me.

What I have:

- two different WAN connections, say WAN1 and WAN2; both set as active with the same weight

- LAN, where say LANAll is all hosts, except one host which (within the same subnet) is LANSpecial
What I want:

- LANAll to use WAN1 primarily and fall back to WAN2 if needed

- LANSpecial to use WAN2 primarily, and fall back to WAN1 if needed

- XG device (for DNS etc) to follow LANAll

- I've created two Firewall rules to do the "discriminatory" routing above
What actually seems to happen:

- The LANAll and LANSpecial traffic is following the two Firewall rules I created

- But the XG traffic (used for DNS or ICMP for example, as the XG is acting as the DNS server for the LAN) is load balancing across WAN1 and WAN2

- Even if I set the weight for WAN1 to 100 and WAN2 to 1, it still load balances, albeit a lot less traffic goes to WAN2 (I guess this is expected)

How can I force the XG traffic not to load balance automatically, and only follow my desired rules? If I set WAN2 as a Standby gateway, will it still be usable by LANSpecial?

  • OK, so partial answer based on my observations: I've now set WAN2 as a Backup gateway, however the rule that states that LANSpecial should use WAN2 as primary then WAN1 as backup still makes it go via WAN2, which is what I wanted.

    Slightly confusing, but at least it *seems* to work...

  • Sergiu,

    What you did is correct. Even if WAN2 is configured as backup, a policy rule can override it.

    This was introduced with v16.

    Thanks

  • Thanks Luk! Looking at it, I guess it makes sense.

    There's one more thing, though it may be a different question: when configuring the link in WAN Link Manager, say you use "If not able to ping on IP address x.x.x.x then shift to another available gateway"; does the XG's automatic ping check source the ping specifically from that interface? If it doesn't, then you can have a situation where the ping is actually going out via another WAN interface, so even though the one that failed is unusable, the ping will always work (of course, provided that the IP you're pinging will respond to both of your public IPs).

  • Sergiu,

    I'm reporting back what the online documentation says about this:

    The failover rule has the form:
    IF Condition 1 AND/OR Condition 2 then Action
    Depending on the outcome of the condition, traffic is shifted to any other available gateway.
    A ping rule is automatically created for every gateway. The device periodically sends the ping request to check the health of the link, and if the link does not respond, traffic is automatically sent through another available link. The selection of the gateway and how much traffic is to be routed through each gateway depends on the number of configured active and backup gateways.

    Thanks