I am considering purchase of a multi-WAN router and trying to understand if the Balance line can do what I need. I have three WAN sources, each with different cost of bandwidth. I want to make sure that the very high cost (satellite) source never sees certain types of traffic (everything but SMTP and POP, basically).
I read through the materials on outbound load balancing and firewalling. I could see that I can force a certain kind of traffic through a specific WAN port with an Enforced outbound rule, or I can block all traffic of a certain kind through all WAN ports. But what I could not determine is whether a Balance router can specifically block traffic from a given LAN IP / port / protocol etc from passing through a given WAN port.
Hi. Yes, this is possible. Let's assume WAN1 is DSL, WAN2 is Satellite, and you have a USB 4G Dongle connected.
Listed in order of cost we have Satellite, 4G, and then DSL. I would also expect there to be bandwidth limits on the 4G WAN and the Satellite WAN.
So, with your requirements in mind we can put together some requirement statements:
For General Internet access DSL and 4G should be used with load balancing.
Satellite should only be used for email (SMTP/POP3).
These translate into the following three outbound policies:
General Internet Access : Source Any -> Destination Any -> Protocol Any -> Weighted Balance (DSL, 4G)
SMTP Over Satellite : Source Any -> Destination Any -> Protocol SMTP -> Priority (SAT -> WAN1 -> 4G)
POP3 Over Satellite : Source Any -> Destination Any -> Protocol POP3 -> Priority (SAT -> WAN1 -> 4G)
In the Outbound Policy main screen we would then set the satellite rules as highest priority so they are matched and acted on first, then all other network access would be matched by the catch all general internet access rule and be load balanced.
I have used the priority method for the email rules above so that if the Satellite was down, your email would still be sent (over WAN1 - unless it was down then 4G would be used).
Depending on the difference in available bandwidth across the DSL and 4G, you would adjust the sliders in the weighted balance rules so that the balance favours the link with most bandwidth.
If the 4G link has a hard bandwidth cap (like 8Gb/month) you can set that in the WAN properties so that it is not used after the bandwidth level has been reached.
Thank you very much for that explanation. What still confuses me is your General Internet Access setting. According to the YouTube video I watched about outbound policies (https://www.youtube.com/watch?v=rKH4AS_bQnE), a weighted balance of "zero" does not mean that no traffic will ever go over that WAN link - it means "the particular WAN will only be used as a backup." That is exactly what I don't want to happen - having the satellite link used for standard traffic when not expected would be a horrifyingly expensive outcome. Can I somehow combine the rules you created with firewall rules that block some kinds of traffic over certain WAN ports?
Ah yes - you are absolutely right. If all other WANs have failed apart from the Satellite WAN then the general internet access policy (using weighted balance) above will end up using the SAT WAN as the only available link.
Let me just confirm what you are after then. In normal day to day use you want load balancing across WAN1 and WAN2 (you haven't mentioned what those are - but it doesn't really matter). Then if both WAN 1 and WAN 2 fail (so they are both down) you want to use WAN3 (the satellite WAN) for email traffic only - absolutely no other LAN client traffic but email should ever be sent over the satellite link when it's live.
Yes, that's right. As a practical matter, the WANs would not be enabled at the same time. For example, if the mobile connection is available, the satellite equipment would be powered down to prevent accidental use and wear and tear. And when the satellite equipment is turned on, no wifi or 4G connection will likely be available. So the rules are really intended to prevent unnecessary traffic over high-cost links when those are available.
Ah I missed this obviously.
Nope no way to do this currently. It would need a modification to the weighted load balancing rule where specific WANs can be disabled completely (rather than set to 0 and so used as backup).
At the moment this isn't possible. However the engineers are working on a new feature (no ETA at the moment) which would probably meet your requirements. They are looking to allow more outbound control, rather than blocking traffic on a specific WAN though.
The target implementation is with Firmware 7.2.0 - no ETA.
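
Added example, not part of the thread and not Peplink's implementation: a small Python model of the three outbound policies discussed above, useful for checking a rule set for the spill-over case before trusting it with a metered link. It assumes first-match rule order and the "weight 0 means backup only" behaviour as described in the thread; the weights 10 and 5 and the HTTP test flow are constructed.

```python
# Simplified model of the outbound policies discussed in this thread.
# Built from the thread's description only; not Peplink firmware logic.

# Rules are evaluated top to bottom; the first protocol match wins.
# "DSL" is WAN1 in the thread. Weights 10/5 are constructed sample values.
POLICIES = [
    {"name": "SMTP Over Satellite", "proto": "SMTP",
     "algo": "priority", "order": ["SAT", "DSL", "4G"]},
    {"name": "POP3 Over Satellite", "proto": "POP3",
     "algo": "priority", "order": ["SAT", "DSL", "4G"]},
    {"name": "General Internet Access", "proto": "ANY",
     "algo": "weighted", "weights": {"DSL": 10, "4G": 5, "SAT": 0}},
]

def eligible_wans(proto, healthy):
    """Return (policy name, WANs that may carry this flow) for the healthy links."""
    for p in POLICIES:
        if p["proto"] not in (proto, "ANY"):
            continue
        if p["algo"] == "priority":
            # Priority: use the first healthy link in the configured order.
            for wan in p["order"]:
                if wan in healthy:
                    return p["name"], [wan]
            return p["name"], []
        weights = p["weights"]
        active = [w for w, wt in weights.items() if wt > 0 and w in healthy]
        if not active:
            # Weight 0 is "backup only": used once every weighted link is down.
            active = [w for w, wt in weights.items() if wt == 0 and w in healthy]
        return p["name"], active
    return None, []

def satellite_leaks(protos, link_states):
    """List (proto, healthy links) cases where non-email traffic can use SAT."""
    leaks = []
    for healthy in link_states:
        for proto in protos:
            _, wans = eligible_wans(proto, healthy)
            if "SAT" in wans and proto not in ("SMTP", "POP3"):
                leaks.append((proto, tuple(sorted(healthy))))
    return leaks

if __name__ == "__main__":
    # Constructed link states: all up, DSL down, only satellite up.
    states = [{"DSL", "4G", "SAT"}, {"4G", "SAT"}, {"SAT"}]
    for leak in satellite_leaks(["SMTP", "POP3", "HTTP"], states):
        print("non-email traffic reaches satellite:", leak)
```

The only leak reported is general traffic when the satellite is the sole healthy link, which is the case the last replies say cannot be blocked with the current rules.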