Trying to get outbound policy working correctly on my Balance One and need a little help/confirmation on a few suspicions:
I currently have two WANs. WAN1 is a WISP (30/3) that fails for anything from a few seconds to minutes several times a day. WAN2 is a cellular 4G connection that, for reliability, I have band-locked to a band where it generally gets 3/3. Latencies are pretty comparable, but both being wireless connections, they vary depending on the weather, etc.
In my house there are three teachers who can be teaching on Zoom/Meet/Teams/etc. throughout the day. Stability is key, and Speedfusion Cloud (or Fusionhub Solo as well) provides that stability. Now I am trying to manage data usage as well on top of it. I would like all typical video streaming (YouTube, Amazon Prime, ABC, CBS, etc.) to NOT go through the Speedfusion Cloud so I don’t need to pay money for the bandwidth. This would ideally be Priority WAN1 with fallback to WAN2. Obviously stability on these is far less critical. For right now I would like all other traffic to go through the Speedfusion tunnel.
I would like to continue managing as much of the network as possible on UniFi, using the Balance One only to do the load balancing of the connections and Speedfusion, as its capabilities blow away the non-existent UniFi capabilities for this. Once I get everything working I am likely to set up PiHole as well for local DNS/ad-blocking.
A brief description of my physical setup
I currently have both WAN1 (Bridged, Static) and WAN2 (NAT, Dynamic non-public IP, so really double NAT) running into WAN1 and WAN2 on the Peplink Balance. It is currently in Drop-In Mode with the Static IP passed through to the UniFi Router. The UniFi Router is providing Firewall, NAT, etc., and down from that is a UniFi Switch that distributes out over Ethernet, MoCA, etc. throughout the house to wireless APs and wired devices. I am using external DNS (18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52 in that order).
My problem is I can’t get the Balance One Outbound Policies to affect things. I currently have a default rule to send all traffic out Speedfusion. Before that I have outbound policies, either Enforced or Priority, matching the MAC addresses of the various Rokus, Chromecasts, Apple TVs, etc. to send them out WAN1 first and WAN2 as a fallback on the Priority rules, or just WAN1 on the Enforced rules. All the traffic from these devices is still going out Speedfusion though. I also have rules set up on the Balance One for traffic destined to Speedfusion, Protocol: All Known Video Streaming, to go out WAN1 (I have tried both the Priority and Enforced rules) and these don’t seem to work. This is confirmed by checking under Status > Active Sessions > Netflix (or other protocol) and seeing only SF-NY listed as the destination, and by checking the realtime usage of Speedfusion vs. the WANs and seeing that they line up as if SF is used.
Which brings me to my questions:
- I assume the Peplink is not matching MAC addresses because NAT is happening on the UniFi and the layer 2 info is not being transmitted past that? This is a bit weird because, while it has been a long time since I remembered IP routing, I was thinking MAC addresses always remained in the packet and just the IP address was changed for routing purposes. Even beyond this though, I HAVE had MAC address matching work for my iPad (the rule is disabled in the screenshot, but I confirmed it was working at one point), which is still going through UniFi as the WiFi on the Peplink is turned off and I have never bothered to look up the SSID or password, much less type them in.
- If I disable NAT on the UniFi (Not possible on the current Dream Machine Pro, but I have a Security Gateway Pro 4 that I just replaced for a client I can drop in place instead if needed) would this allow the Peplink to then follow the MAC addressing rules? It means I need to get a new controller, which I can do but I am just not anxious to run out and spend money on it immediately (CKG2 and Rackmount is about $300) without hearing that I am on the right track.
- Am I missing something to get the outbound Speedfusion destination policies working correctly?
I think that is it for now, thanks in advance for the help!
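As an added illustration of the first question (this is not code from the original post or from Peplink), here is a small Python model of what a Roku's packet looks like by the time it reaches the Balance One's LAN port after a routed hop through the UniFi router, with and without NAT on that hop. All MAC and IP addresses are constructed, and the rule matchers are stand-ins for a source-MAC and a source-IP outbound policy rule.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Constructed addresses for the simulation; none of these come from the post.
ROKU_MAC, ROKU_IP = "aa:aa:aa:00:00:01", "192.168.1.50"
UNIFI_LAN_MAC, UNIFI_WAN_MAC = "bb:bb:bb:00:00:01", "bb:bb:bb:00:00:02"
UNIFI_WAN_IP = "10.0.0.2"          # UniFi WAN side, the Peplink LAN subnet
PEPLINK_LAN_MAC = "cc:cc:cc:00:00:01"
STREAMING_SERVER_IP = "203.0.113.10"  # documentation range, constructed


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


def routed_hop(pkt: Packet, in_mac: str, out_mac: str, next_hop_mac: str,
               nat_ip: Optional[str] = None) -> Packet:
    """Forward a packet through one router.

    Every routed hop rewrites the Ethernet header: the source MAC becomes
    the router's egress interface and the destination MAC the next hop.
    The IP header is only rewritten when the hop also performs source NAT.
    """
    assert pkt.dst_mac == in_mac, "frame was not addressed to this router"
    new_src_ip = nat_ip if nat_ip else pkt.src_ip
    return replace(pkt, src_mac=out_mac, dst_mac=next_hop_mac, src_ip=new_src_ip)


def mac_rule_matches(pkt: Packet, rule_mac: str) -> bool:
    """Outbound policy rule keyed on the packet's source MAC."""
    return pkt.src_mac.lower() == rule_mac.lower()


def ip_rule_matches(pkt: Packet, rule_ip: str) -> bool:
    """Outbound policy rule keyed on the packet's source IP."""
    return pkt.src_ip == rule_ip


def what_peplink_sees(unifi_does_nat: bool) -> Packet:
    """Roku -> UniFi router -> Peplink LAN port, with or without NAT."""
    frame = Packet(ROKU_MAC, UNIFI_LAN_MAC, ROKU_IP, STREAMING_SERVER_IP)
    return routed_hop(frame, UNIFI_LAN_MAC, UNIFI_WAN_MAC, PEPLINK_LAN_MAC,
                      nat_ip=UNIFI_WAN_IP if unifi_does_nat else None)
```

In this model the source MAC the Peplink sees is the UniFi's egress MAC in both cases, so only a source-IP rule can still identify the Roku, and only when the UniFi is not NATing.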