Options

SDWAN and VLANs

I have several internet lines installed, I have always used multiwan for failover but thought I would use some of our extra external connections for different departments. During test, setting up an SDWan policy to use one of this lines "appears" to work. If I check my external IP its all fine and works as expected...

My problem though it that any devices that are using this other external inface can no longer communicate with any device on other vlans. They are fine on their own vlan and communicate with other devices fine but everything else times out. Checking the firewall traffic log, it shows the connection going out via the external interface instead of simply routing directly.

Any idea what might be wrong with the setup. Surely the firebox shouldn't try and route non routable IPs via an external interface? I mean the clue is in the name it is called SD-WAN not SD-LAN

Comments

  • Options

    Could be that you need 2 different policies - 1 for internal access & 1 for external access.
    SD-WAN should only be used on policies where the traffic is expected to go out an external interface.

  • Options

    I don't have any layer3 switches, so all my vlan routing is managed by the firewall.

    Policy based routing back before it became SD-WAN worked fine.

    So how would I go about creating a policy for example ro route HTTP traffic down a specific SD-WAN interface, apart from if its traffic to a specific vlan ?

  • Options

    If you want to have outgoing HTTPS traffic from specific VLAN use a specific WAN interface, you create a SD-WAN action to select the specific WAN interface, and apply it to an outgoing HTTPS policy for that VLAN.

  • Options
    edited May 20

    If you have needs for HTTPS traffic to also go to internal destinations, then add a HTTPS policy From: that VLAN To: the desired internal destinations, such as other VLANs etc.

  • Options
    edited May 20

    Note: a SD-WAN action should only be applied to an outgoing policy (traffic to an external interface.
    It should not be applied to a policy that includes any internal to internal traffic or incoming from an external interface traffic.

Sign In to comment.