Domain based outbound policy, overflow


#1

I’ve got an outbound policy set that looks like:
Source: Network > 192.168.0.0/16
Destination: Domain name > 1e100.net (Google Apps)
Protocol: Any
Algorithm: Overflow
Order: Wan1, Wan2

Wan1 is our big pipe that has a nearly unlimited cap and has 5 times the upload speed of Wan2 (which is more for redundancy).
Like clockwork, I regularly find many connections to 1e100.net have been established over Wan2. This really cuts into users’ speed, especially on Google Drive. I have specified the correct bandwidths under the respective WAN entries on the interfaces section.

Is Overflow the right choice? Did I format the domain name properly? Other thoughts?


#2

Is there a rule on top of it that might be conflicting? Outbound policy rules work like firewall rules do (from top to bottom) so the more specific rules need to be placed on top.


#3

I can’t see anything above that would conflict.

  1. UDP ≥10001 enforced to WAN2
  2. UDP53 lowest latency
  3. All traffic originating from 192.168.1.22 overflow WAN2 then WAN1 (my “problem” traffic originates from 192.168.1.11)
  4. TCP25 enforced onto WAN1
  5. TCP587 enforced onto WAN1
  6. Then all 1e100.net traffic overflow WAN1 then WAN2
  7. More unrelated rules…
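
To show why the ordering in this list matters (and why the wifi host's 1e100.net sessions can land on WAN2 before the 1e100.net rule is ever consulted), here is an added Python sketch of a first-match evaluator over these rules. It is not Peplink code; its algorithm semantics (overflow skips a preferred WAN only when that WAN is flagged saturated, priority and enforced stay on the first WAN that is up, lowest-latency is treated like priority) are simplifying assumptions, as are the rule names.

```python
# Added example: toy first-match evaluator for the outbound-policy list above.
# Not Peplink code; algorithm behaviour is a simplified assumption.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    wans: list            # WANs in preferred order
    algo: str             # "enforced", "priority", "overflow", "lowest_latency"
    proto: str = "any"    # "tcp", "udp" or "any"
    ports: tuple = None   # (low, high) destination port range; None = any
    src: str = None       # source host or CIDR; None = any
    domain: str = None    # destination domain suffix; None = any


# The seven-entry list from the post (names are assumed labels).
RULES = [
    Rule("udp>=10001", ["WAN2"], "enforced", proto="udp", ports=(10001, 65535)),
    Rule("dns", ["WAN1", "WAN2"], "lowest_latency", proto="udp", ports=(53, 53)),
    Rule("wifi", ["WAN2", "WAN1"], "overflow", src="192.168.1.22"),
    Rule("smtp", ["WAN1"], "enforced", proto="tcp", ports=(25, 25)),
    Rule("submission", ["WAN1"], "enforced", proto="tcp", ports=(587, 587)),
    Rule("google", ["WAN1", "WAN2"], "overflow", src="192.168.0.0/16", domain="1e100.net"),
]


def matches(r, src, proto, dport, host):
    """True when every populated field of the rule matches the session."""
    return ((r.proto == "any" or r.proto == proto)
            and (r.ports is None or r.ports[0] <= dport <= r.ports[1])
            and (r.src is None or ip_address(src) in ip_network(r.src, strict=False))
            and (r.domain is None or host == r.domain or host.endswith("." + r.domain)))


def pick_wan(r, wan_up, wan_full):
    """Overflow spills past a saturated WAN; every other algorithm takes the first WAN that is up."""
    for w in r.wans:
        if not wan_up.get(w, False):
            continue
        if r.algo == "overflow" and wan_full.get(w, False):
            continue
        return w
    return None


def route(src, proto, dport, host, wan_up, wan_full=None, rules=RULES):
    """Walk the list top to bottom; the first matching rule decides, later ones are never seen."""
    wan_full = wan_full or {}
    for r in rules:
        if matches(r, src, proto, dport, host):
            return r.name, pick_wan(r, wan_up, wan_full)
    return "default", None
```

Running `route("192.168.1.22", "tcp", 443, "drive.1e100.net", {"WAN1": True, "WAN2": True})` returns `("wifi", "WAN2")`: rule 3 catches the wifi host before rule 6 is reached, whereas the same session from 192.168.1.11 falls through to the 1e100.net rule and lands on WAN1 unless WAN1 is flagged as saturated.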

#4

Hi,

Looks like you have a firewall behind the Peplink Balance. Do correct me if I am wrong.

May I know what the DNS settings are on the client PCs? Are they using internal DNS?


#5

I do!
Peplink LAN IP 192.168.1.11 is a Cisco ASA
Peplink LAN IP 192.168.1.22 is wifi (not pepwave)

Truly internal network uses Cisco ASA as DNS server and DHCP etc.
It assigns itself as primary DNS to LAN devices and 8.8.8.8 as secondary.
Cisco ASA uses ISP DNS as primary and secondary and 8.8.8.8 as tertiary.

Wifi uses Peplink balance for DNS (so people on the wifi can run their VPN software and connect to vpn.mycompany.com and have it routed to 192.168.1.11 while in the office but across the internet when out and about). Also lets me not broadcast the internal network over the air.


#6

Hi,

May I know whether the users that connect to Wifi (192.168.1.22) have the same issue and can’t be routed to the correct WAN (please ensure DNS Caching in LAN is disabled)?


#7

Yes, connections originating from wifi destined for 1e100.net are generally on WAN2… because of outbound rule 3.
Just looked at “Active Sessions” a moment ago and there are 52 total originating from 192.168.1.22; 13 are on WAN1, the remainder are on WAN2.


#8

Perhaps this is a genuine overflow situation and the config is behaving perfectly normal.
Is there an easy way to tell?

‘Priority’ may be a better choice…


#9

I would use Priority instead, this way it will always use WAN1 as long as it is up. WAN2 would only get used in the event WAN1 fails.


#10

Changed to priority, cycled WAN2 off and on to break any connections, no effect.



#11

You should try putting your rule as the first one on the list. You can also open a support ticket here:
http://cs.peplink.com/contact/support/


#12

Moved the 1e100 priority rule to the top of the list. No effect.

Ticket has been opened.


#13

Ron, Tim:

I had a similar situation with Ticket #743101.

On Aug 20 you found out that outbound policy doesn’t work with CNAME records. A special firmware was offered but we didn’t receive it nor test it.

Will this issue be solved in 6.2 GA?

AG


#14

Hi AG,

Let me find this out then revert.


#15

Hi AG,

We target to solve this in v6.2 GA.