Speedfusion and Outbound Policies

Site A –> Balance 380 –> LAN (Native 192.168.25.0/24) (VoIP VLAN 10, 10.20.20.0/24 Hosted) (Fiber 30/30, Cable 50/10) *Dedicated SLA Fiber (66 IP Phones, 66 Computers, 3 Servers)
Site B –> Balance 210 –> LAN (Native 192.168.30.0/24) (VoIP VLAN 15, 10.20.30.0/24 Hosted) (Fiber 20/20) *Dedicated SLA Fiber (12 IP Phones, 12 Computers)
Site C –> Balance 210 –> LAN (Native 192.168.35.0/24) (VoIP VLAN 20, 10.20.40.0/24 Hosted) (Fiber 50/50) *FIOS (8 IP Phones, 8 Computers)

Customer just contacted us because they want us to take over their computer network now as well as our current VoIP Network that is there with smaller Balances. I want to utilize the speedfusion technology and connect Site B and Site C to the Site A (HQ). There are 3 servers that utilize different applications and software that every location needs access to. I will have the Balances deal with DHCP for phones.

I have never set up a network like this using speedfusion and I want to utilize the bandwidth bonding and WAN Smoothing for ALL computer and VoIP networks at every location. The VoIP network talks to our hosted data centers but I still want to utilize the speedfusion for added QoS. But the computer networks at all 3 sites need to access all 3 servers.

How would I set up my outbound policies and firewall rules for this? If I sent my VoIP network to the client’s feature server, would I send it directly out the ISP at each location or would I send it out the speedfusion in order to access the WAN Smoothing?

*Customer is in a bind and wants to move fast and has already signed off on hardware. I have about 2 weeks to implement.

Hi

I suggest sending VoIP traffic directly out the ISP at each location. If VoIP quality is bad when going directly out locally, you may send VoIP to Site A by turning on WAN Smoothing.

Basically, the outbound policies and firewall for these 3 sites remain unchanged. All will work as usual, and the 3 servers are accessible by users from these 3 sites after the SpeedFusion tunnel is established.

Thanks for the response.

  1. If I send VoIP traffic through speedfusion from Site B and C to A would my outbound policy at Site A be:
    Source: ANY
    Protocol: UDP
    Destination: VoIP Feature Server
    Algorithm: For example purposes (Priority - Fiber, Cable)
  2. Would WAN Smoothing be turned on on both ends or just one end and if it is just one end then which end would it be turned on?

Hi

Yes.

WAN Smoothing is unidirectional. For example, if upload from B to A is bad, then you may enable WAN Smoothing at B. Please take note that you need to ensure you have sufficient bandwidth if you enable WAN Smoothing.

Perfect and lastly, is there some type of monitoring, notification, or “proof” that the WAN Smoothing is actually working and doing what it is supposed to do? In other words if the customer asks to see proof that this technology is working that I sold them on, how could I show the customer with actual data or in visuals that WAN Smoothing is happening. Even if say the VoIP quality had improved at the site where upload packet loss was occurring. We have these types of customers that need proof and I guess I just don’t want to be in the position where I am just saying “well don’t you notice a difference in the VoIP quality Mr. Jones”.

Hi,

You may check this via Status > SpeedFusion > Click of SpeedFusion profile > PepVPN Test. Then compare the figures I highlighted below.

Hope this helps.

Cool, thanks a lot.

One more question for you. In the event that say Site A (380) is having packet loss and or latency and is affecting VoIP quality. But I already have WAN Smoothing enabled from B to A, how could I utilize WAN smoothing as well for Site A local phones? And what would my Outbound Policies look like? After thinking about this I think it would be good to know how to utilize WAN Smoothing for VoIP Subnets at every location and how you would set up your outbound policies in this event?

I understand sending VoIP from B or C back to A via Speedfusion and then outbound policies at A would be what was stated in the above statements but what about utilizing Speedfusion with WAN Smoothing for all sites including Site A (380)?

Hi,

WAN Smoothing is unidirectional. So you need to enable WAN Smoothing on site A in this case. Again you need to ensure you have sufficient bandwidth if you enable WAN Smoothing.

In fact, WAN Smoothing doesn’t have a direct relationship with Outbound Policy. WAN Smoothing duplicates the packets that are sent through the SpeedFusion tunnel. So you can leave your Outbound Policy as usual.

Ok so you’re saying if I have WAN Smoothing turned on at Site B then my outbound policy doesn’t have to be the speedfusion peer back to Site A?

Hi,

In fact you don’t have to create an Outbound Policy to route Site B traffic to Site A once the SpeedFusion tunnel is up. Both Balance routers will take care of the routes between Site A and B automatically.

FYI, SpeedFusion routes (we call them PepVPN Routes; hidden by default unless you turn on Expert Mode) have the highest priority compared to the Outbound Policies you defined.

PS. Expert Mode can be turned on via Network > Outbound Policy > “?” of Rules > turn on Expert Mode

Hope this helps.

Ok here is where I’m a little stuck. Let me explain exactly what I am trying to accomplish.

  1. I am building a small “data center” with higher end Balance models. To Start, 2 Balance 380’s (good for 20 Speedfusion peers) according to the website. 3 ISP’s: Fiber 150/150, Cable 100/30, SLA Fiber 100/100.

  2. I want to offer my base the ability to have a speedfusion peer back to my “data center” to utilize WAN Smoothing mostly in the event that their local ISP is just sucking and I need a solution until the issue is resolved completely in terms of their local ISP packet loss, latency, jitter, and so on.

*After some of the things you have said I am a bit confused because first you said to run all my VoIP traffic at customer site outbound the Speedfusion peer to the main location (380) to utilize the WAN Smoothing. When I did that for this particular customer in this thread I saw in the active sessions that the interface my VoIP traffic was running through was “VPN” which makes sense.

*Then when you said Speedfusion isn’t actually related to the outbound policy and that I could enable expert mode, which I did, that by default all traffic (My VoIP Traffic) will still be running through speedfusion and be utilizing the WAN Smoothing. When I made my first outbound policy under the Pepvpn in the outbound policy rules back to going out the local ISP and not the VPN for speedfusion, now my active sessions tell me that the interface my VoIP traffic is running through is Cablevision. I am stumped because I thought you said that the Speedfusion will always take priority.

***I just want to be able to make the peer to my customers as an emergency or added service for QoS from my “data center” and make sure that all of their VoIP traffic at their local site is utilizing the WAN Smoothing technology. Please show me how you guys would set up this scenario because I have a boatload of customers I want to offer this to and use as an added service but am afraid until I know exactly how I should set this up. I eventually want to put in 2 1350’s or 2500’s in a few years or possibly less.

Hi,

Let us use the below network design to further discuss your concerns:

Site A –> Balance 380 –> LAN (Native 192.168.25.0/24) (VoIP VLAN 10, 10.20.20.0/24 Hosted) (Fiber 30/30, Cable 50/10) *Dedicated SLA Fiber (66 IP Phones, 66 Computers, 3 Servers)

Site B –> Balance 210 –> LAN (Native 192.168.30.0/24) (VoIP VLAN 15, 10.20.30.0/24 Hosted) (Fiber 20/20) *Dedicated SLA Fiber (12 IP Phones, 12 Computers)

Site C –> Balance 210 –> LAN (Native 192.168.35.0/24) (VoIP VLAN 20, 10.20.40.0/24 Hosted) (Fiber 50/50) *FIOS (8 IP Phones, 8 Computers)

SpeedFusion B <–> A

  1. WAN smoothing is directional
  • If B to A is having packet loss, WAN smoothing needs to be enabled at the Balance 210 at Site B (SpeedFusion Profile)
  • If A to B is having packet loss, WAN smoothing needs to be enabled at the Balance 380 at Site A (SpeedFusion Profile)
  • If both directions (B to A and A to B) are having packet loss, WAN smoothing needs to be enabled at both the Balance 380 at Site A and the Balance 210 at Site B (SpeedFusion Profile)
  • WAN smoothing only applies to SpeedFusion traffic

  2. Outbound Policy (without Expert Mode enabled)

Balance 210 Site B

  • By default, without Expert Mode enabled, the network traffic below goes to SpeedFusion.
    Site B [LAN (Native 192.168.30.0/24) + (VoIP VLAN 15, 10.20.30.0/24 Hosted)] –> Site A [LAN (Native 192.168.25.0/24) + (VoIP VLAN 10, 10.20.20.0/24 Hosted)]

Balance 380 Site A

  • By default, without Expert Mode enabled, the network traffic below goes to SpeedFusion.
    Site A [LAN (Native 192.168.25.0/24) + (VoIP VLAN 10, 10.20.20.0/24 Hosted)] –> Site B [LAN (Native 192.168.30.0/24) + (VoIP VLAN 15, 10.20.30.0/24 Hosted)]

  3. Outbound Policy (with Expert Mode enabled)
  • Customers can enforce more traffic to go through SpeedFusion

Balance 210 Site B
For example:

  • Because email over direct Internet access at Site B is slow, enforce all email traffic (server hosted on the WAN) to SpeedFusion.
  • Email traffic is sent from Site B –> SpeedFusion –> Site A –> WANs

Summary:

  1. The above also explains the traffic flow for C <–> A
  2. WAN smoothing only applies when network traffic passes through SpeedFusion.
  3. WAN smoothing is directional; you need to identify the direction of the packet loss and enable the feature accordingly
  4. WAN smoothing & outbound policy are 2 different items
  5. Expert Mode allows you to create an outbound policy (route) that has higher priority than the default SpeedFusion route

Hope the above explained your concerns.

Thank You

Thank you and that does explain a lot. But back to just the VoIP subnets at lets use Site B. Say B is having packet loss and latency and they are experiencing choppy calls. I want to be able to create a Speedfusion peer back to A to utilize WAN Smoothing. But I only want my VoIP subnet communicating through the Speedfusion tunnel from B to A. I don’t want site B’s Native Computer subnet to communicate through the tunnel. How would I create this? Would this be something in the Internal Firewall Rules that I would need to Deny both A and B Native subnets to not talk to each other?

*At this point in time I really just want to be able to utilize the Speedfusion for WAN Smoothing for VoIP networks.

I don’t mean to be a pain. I have also tried the layer 2 function from Site A Native LAN to Site B VoIP LAN and set up internal Firewall Rules and the only way they are able to communicate via a ping test between sites is if the Layer 2 function is disabled. I want to be able to send just my VoIP subnet traffic at Site B to Site A via Speedfusion Peer and not have that Speedfusion Peer connect at all to any other Speedfusion peer that is connected to Site A. Let me know if this makes sense.




How can I ping 192.167.53.0/24 network if I blocked it internally?


This is the 380 that I don’t want to be able to talk to the 210 native LAN. It is also the 380 I am trying to send all my remote 210 VoIP traffic back to utilizing WAN Smoothing. And would you recommend this for my Outbound Policies?


Here are my Outbound Policies for the 210 where the VoIP 10.11.199.0/24 network is that I want to run through speedfusion peer back to the 380. Is this what you would recommend for Outbound Policies?

Hi, you are right. You need to use Internal Network Firewall Rules to block unwanted network traffic.
Site B Native VLAN to access Site A networks & Site A Native VLAN to access Site B networks

Example:

B210 Site B:
LAN (Native 192.168.30.0/24)
VoIP (VLAN 15, 10.20.30.0/24 Hosted)

B380 Site A
LAN (Native 192.168.25.0/24)
VoIP (VLAN 10, 10.20.20.0/24 Hosted)

You should have the firewall rules as below:

B210 Site B

B380 Site A

Thank You

Hi,

You can’t use the ping tool to test the firewall blocking rules. The ping test uses the PepVPN IP as its source IP, which will not be blocked by the defined Internal firewall rules.

Thank You
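As an added example (not part of the thread and not Peplink's rule format): a first-match model of the deny rules described above for the Site A and Site B subnets, checked against a small test matrix. It also shows why a probe whose source address lies outside the LAN subnets, as with the router's own ping tool, is not caught by those rules. Host addresses, the default-allow action, first-match ordering and `ROUTER_PING_SRC` are assumptions.

```python
import ipaddress

# Constructed rule set modelling the intent stated in the thread (assumption:
# rules are checked top-down, first match wins). Subnets are the thread's own.
RULES = [
    ("deny", "192.168.30.0/24", "192.168.25.0/24"),  # B native -> A native
    ("deny", "192.168.30.0/24", "10.20.20.0/24"),    # B native -> A VoIP
    ("deny", "192.168.25.0/24", "192.168.30.0/24"),  # A native -> B native
    ("deny", "192.168.25.0/24", "10.20.30.0/24"),    # A native -> B VoIP
]
DEFAULT_ACTION = "allow"  # assumption: the default rule is left at allow

# Constructed test matrix; the host addresses are hypothetical.
CASES = [
    ("192.168.30.50", "192.168.25.10", "deny"),   # B PC    -> A server
    ("192.168.30.50", "10.20.20.5", "deny"),      # B PC    -> A phone
    ("192.168.25.10", "192.168.30.50", "deny"),   # A PC    -> B PC
    ("10.20.30.21", "10.20.20.5", "allow"),       # B phone -> A phone
]

# Hypothetical stand-in for the tunnel-side address the router's ping tool
# uses as its source; it belongs to neither site's LAN subnets.
ROUTER_PING_SRC = "198.51.100.10"


def evaluate(src, dst, rules=RULES):
    """Return the action of the first rule matching both source and destination."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return DEFAULT_ACTION


def audit(cases, rules=RULES):
    """Return every case whose evaluated action differs from the expected one."""
    results = [(s, d, want, evaluate(s, d, rules)) for s, d, want in cases]
    return [r for r in results if r[2] != r[3]]


if __name__ == "__main__":
    for failure in audit(CASES):
        print("MISMATCH", failure)
    # A probe sourced from the router itself matches no source subnet, so it
    # falls through to the default action even though LAN hosts are denied.
    print("router-sourced probe:", evaluate(ROUTER_PING_SRC, "192.168.25.10"))
    print("LAN-sourced probe:   ", evaluate("192.168.30.50", "192.168.25.10"))
```

Testing from a host on the blocked subnet, rather than from the router, exercises the same source match the rules are written for.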

Hi,

Outbound policies are not required for the SpeedFusion VPN connection, as default PepVPN routes will be created for the communication. We have to use Internal Network Firewall Rules to block unwanted SpeedFusion traffic more than using the outbound policy.

Thank You

Thanks Guys.

  1. I have made all necessary internal firewall rules as provided above. How can I test to make sure traffic isn’t flowing through VPN that I denied?
  2. Are you saying I don’t need expert mode enabled? I don’t understand how I don’t need outbound policies in order to send Site B VoIP traffic through VPN tunnel and out the Site A end? Especially when I don’t send VoIP traffic through the VPN via an outbound policy then the VoIP traffic goes out the local ISP but when I do send it through the VPN via outbound policy then it shows that the interface the VoIP traffic is moving through is indeed the VPN.
  3. Can you please elaborate deeper into the point of expert mode?
  4. At the end of the day all I want to know how to do is:
    • Have 1 HQ Balance with for example purposes 5 speedfusion peers
    • Have 5 Remote Balance devices (Speedfusion Peers) that communicate back to HQ, but have the ability to block these peers from communicating with each other.
    • Have the VoIP traffic at these remote sites run through the speedfusion peer utilizing the WAN Smoothing and bandwidth bonding with the correct outbound policies at each remote site going back to the HQ Balance.

***Let me know if this makes sense and is feasible.