Custom rules needed for some sites


#1

We are an organization with 5 sites currently connected via managed WAN. We are considering changing our entire infrastructure from managed leased lines and a single T1x3 Internet connection to individual cable/DSL ISPs at each location and Peplink Balance 380s. However, I have recently come across a Knowledge Base article that has me a little concerned. The article “How to Display YouTube Videos Correctly” shows how to create Outbound Policy Custom Rules on a Peplink Balance that will allow local clients to access YouTube. My concern is not that YouTube requires special rules in order to work correctly with a Balance, but rather how many other sites around the world might require special rules. I did not realize until today that it is possible for a site to not work correctly with a Peplink Balance in place unless special rules are created within the Balance.

For those of you with Peplink Balance routers in place, have you found many websites that have required you to create special rules or jump through any hoops in order for things to work correctly? If so, what problems have you seen and what types of sites have required you to create special rules?


#2

Hi Ralph- Not sure where you saw that article because it isn’t on our site. Youtube works just great with the Peplink Balance and really the only thing that might be a concern is when you are on an HTTPS page like online banking and that WAN connection fails. The connection will break and you will need to log back in to the site.

I've only heard of a couple of sites that didn't play well with traffic coming in from different IPs, and those were some forum-type sites, but extremely rare.


#3

I’m guessing he’s referring to this:

http://www.peplink.com/knowledgebase/how-to-display-youtube-videos-correctly/

I would agree that youtube appears to work (for me) without explicit rules, but it would be nice if we could route “low priority” traffic (like youtube, streamtheworld, etc) to lower cost links without maintaining (manually) a list of IPs.

I would LOVE it if peplink could manage sites like these for us, so that instead of specifying an IP/range (or more likely a pile of them which then need to be regularly maintained), I could specify “Destination: Facebook” in a custom rule and have Peplink manage the IP lists for me as part of a firmware/maintenance subscription.


#4

Hi Mitch- Thanks for pointing that out, we will take a look at this old article and update or remove it.

If you are using the current firmware you can already manage sites like this with a custom outbound policy rule based on domain name and send that traffic to a specific WAN link.


#5

Sorry for the delay in getting back to you; I was out of town last week. Mitch was right, that was the KB article I was referring to. I guess there is no real cause for concern though based on your replies. Thanks for the info.


#6

Tim, Ralph,

When you get outside the US, you now have to start dealing with localised CDN routing issues. I have 3 ISP connections, and each ISP has a Google and YouTube CDN, as well as the usual Akamai and all the rest.

The problem for us Peplink users is that the DNS addresses returned will be ISP specific when the address goes to a CDN. The Peplink doesn't know that it must associate DNS answers from ISP A, and route TCP requests to the same ISP A.

So what happens is ISP A with a localised DNS server says youtube is at 1.1.1.1, where it hosts the local CDN. ISP B's DNS says youtube is 2.2.2.2 and so on. ISP C's DNS says youtube is 3.3.3.3. Each of those IPs is located inside the respective ISP's own ranges.

When the browser launches a youtube page to 1.1.1.1 (ISP A), the Peplink has an even chance of routing the TCP request to any of ISP A, B or C. If by chance the request goes out ISP A, then you're OK. But if the Peplink sends the traffic out WAN B or C, then it must go out the public side of ISP B or C, and into the public side of ISP A. But ISP A only accepts connections to its CDN at 1.1.1.1 from the local side for its own customers, so no youtube for you.

The solution is you need to add some custom routing rules to the Peplink. You need to get the IP space table of each ISP, and tell the Peplink to route to that particular ISP’s WAN for each subnet added.

Enjoy


#7

I’ve exactly the same issue here in South America. If you specify youtube.com as domain name it doesn’t recognize the local Google CDN of each ISP.


#8

Hi Tim,
Any suggestion?


#9

You need to add Outbound policy rules, one for each ISP DNS google and youtube range. Use nslookup, and set its server to the WAN 1 ISP's DNS server. Then look up youtube and google, and record the IP ranges. Change the nslookup server to the WAN 2 DNS server and then the WAN 3 DNS server, and get those IP ranges for youtube and google.

Now add Outbound policy rules.

destination google / youtube ip range
source any
set to wan x to match the appropriate IPs.

Do that three or 6 times, and all fixed.
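The procedure in posts #6 and #9, as an added example that is not part of the original thread: it takes the addresses each WAN's ISP resolver returned (as collected with nslookup) plus each ISP's address space, and produces the destination/source/WAN rows to enter by hand as outbound policy rules. The WAN names, prefixes and addresses are constructed sample data using documentation ranges; addresses outside every ISP's space are reported separately because they are not ISP-local CDN nodes and need no pinning.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: each ISP's own address space, keyed by the WAN it is on.
ISP_SPACE = {
    "WAN1": ["192.0.2.0/24"],
    "WAN2": ["198.51.100.0/24"],
    "WAN3": ["203.0.113.0/25"],
}
# Constructed sample: answers recorded from each WAN's ISP DNS server.
ANSWERS = {
    "WAN1": {"youtube.com": ["192.0.2.10"], "google.com": ["192.0.2.40"]},
    "WAN2": {"youtube.com": ["198.51.100.20"], "google.com": ["203.0.113.200"]},
    "WAN3": {"youtube.com": ["203.0.113.5"], "google.com": ["203.0.113.200"]},
}

def owner(addr, isp_space):
    """Return (wan, prefix) for the ISP whose space contains addr, else None."""
    ip = ipaddress.ip_address(addr)
    for wan, prefixes in isp_space.items():
        for p in prefixes:
            net = ipaddress.ip_network(p)
            if ip in net:
                return wan, net
    return None

def build_rules(answers, isp_space):
    """Pin each ISP-local CDN prefix to that ISP's WAN; list addresses left unpinned."""
    pinned = defaultdict(set)   # (prefix, wan) -> hostnames that resolved into it
    unpinned = set()            # answers outside every ISP's own space
    for hosts in answers.values():
        for host, addrs in hosts.items():
            for addr in addrs:
                hit = owner(addr, isp_space)
                if hit is None:
                    unpinned.add(addr)
                else:
                    wan, net = hit
                    pinned[(net, wan)].add(host)
    rules = [{"destination": str(net), "source": "any", "wan": wan,
              "hosts": sorted(hosts)}
             for (net, wan), hosts in sorted(pinned.items())]
    return rules, sorted(unpinned)

if __name__ == "__main__":
    rules, unpinned = build_rules(ANSWERS, ISP_SPACE)
    for r in rules:
        print(f"dest {r['destination']:<18} source {r['source']}  -> {r['wan']}  ({', '.join(r['hosts'])})")
    print("no pin needed:", ", ".join(unpinned))
```

CDN answers change over time, so the lookups and the resulting rule list need to be refreshed periodically.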


#10

Thanks for your help rossh_pl, greatly appreciate it!