Drop-In-Mode


#1

Hey my question is in regards to drop-in-mode.

  1. If I have a Balance 380 with 3 WAN and will dedicate Sophos UTM behind WAN1 of 380 then if WAN1 goes down so does my Sophos, as they are on same public range?
  2. In the event question 1 happens what is the point of drop-in-mode if I can’t utilize any other LAN interfaces on the 380 and utilize DHCP on 380 for another subnet like VoIP phones?
  3. When Drop-In-Mode is enabled and working as designed, what does it do since my firewall can only utilize 1 WAN? Does it literally just load balance traffic specified in the 380 outbound policies?

*I am just trying to wrap my head around in fully because it seems a bit confusing as to how it fully operates or how it should operate based on documentation and videos.

*For example we used to use Edgewater Networks for of VoIP Phone deployments and these devices have a “proxy arp” setting where you can pass-through another public IP to another firewall attached to the edgemarc and tell the proxy arp pass-through command exactly what local interface to pass to on the edgemarc. But you can also still utilize ALL of the other LAN interfaces on the edgemarc for DHCP and they are all configurable in a “port based VLAN” mode.

Thanks


#2

Hello tjvoip45,

  1. If I have a Balance 380 with 3 WAN and will dedicate Sophos UTM behind WAN1 of 380 then if WAN1 goes down so does my Sophos, as they are on same public range?
    A. If you have 2 additional WAN links, the peplink will intercept traffic from the Sohpos and rout it out WAN 2 or 3 based off the outbound policies. When WAN 1 disconnects your Sophos will not disconnect. You are only pointing to WAN 1 as the gateway.

  2. In the event question 1 happens what is the point of drop-in-mode if I can’t utilize any other LAN interfaces on the 380 and utilize DHCP on 380 for another subnet like VoIP phones?
    A. Since your Sophos doesn’t actually go down when WAN 1 goes down, you should utilize this device for all internal clients no matter their subnet. It is perfectly OK to create a new VLAN specific to VoIP from the UTM.

  3. When Drop-In-Mode is enabled and working as designed, what does it do since my firewall can only utilize 1 WAN? Does it literally just load balance traffic specified in the 380 outbound policies?
    A. You can use all 3 WANs for inbound and outbound on your Sophos. For inbound, the peplink can port forward or 1to1 NAT any additional IPs from WAN 2 and 3 to build additional inbond paths if needed. Outbound is dictated by your outbound policies.


#3

Great, thanks for clarifying that and in this particular setup will Qos still be applied in the Balance if say I had SIP and RTP prioritized as HIGH? I wanted this for my VoIP subnet that is behind the Sophos. I just don’t know how Sophos is quite yet in regards to NAT or how it handles SIP traffic as a whole and am a little worried. Also, will the Intrusive Detection and Dos Prevention in the Balance mess with traffic behind my Sophos if this is kept enabled on the Balance. I am assuming it will and to just let the Sophos handle all UTM stuff.

Thanks


#4

This should be fine. Application Prioritization is based on services (port number). Once Balance 380 received SIP or RTP packet, it will give priority to these services regardless of the source IP.

Intrusive Detection and Dos Prevention will check for the inbound traffic only.