How to Configure SD-WAN to Ensure All Phone System Traffic Uses the Same External Interface?
Hello,
I'm setting up a new WatchGuard Firebox, and the final step is configuring SD-WAN to ensure that all outbound traffic from our on-premises phone system (which has two specific internal IP addresses) always uses the same external WAN interface.
Firebox Setup:
- 2 External WAN Interfaces (each connected to a different ISP router). Multi-WAN working fine.
- 1 Internal/Trusted Interface (the LAN, where the phone system resides).
- I've reviewed the SD-WAN configuration documentation on the WatchGuard help site, but I couldn't find clear guidance on forcing specific internal hosts to always use a designated outbound WAN interface.
Could someone give guidance on how to achieve this?
Thanks in advance!
You can create 1 or more outgoing policies for the phone subnet/IP addrs and apply an appropriate SD-WAN action to those policies.
Thanks Bruce,
Could you elaborate?
For the outgoing firewall policies, let's say the phone system IP addresses are 192.168.0.1 and 192.168.0.2. How would the From: and To: sections of the policy need to be configured?
For the SD-WAN action, would I just add the required external interface and leave it at that? I noticed on the SD-WAN action you have to choose between Failover and Round-robin, with the default being Failover.
We use Round-robin for the Multi-WAN so as to split traffic between each of the two external interfaces based on weights, but I presume the multi-WAN round-robin has no bearing here?
SD-WAN action should be failover, since you want all traffic to go out a specific WAN interface.
Policy example:
From: IP addrs of the phones
To: Any-external or the IP addr(s) of the external phone service
Thanks Bruce,
Adding the SD-WAN action was straightforward (assuming I have done it correctly).
However, when creating the new firewall policy, I am unclear on what options/settings to choose. There are choices for Packet Filter, Proxies and Custom, along with Port and Protocol.
My requirement is to ensure that outbound traffic originating from the internal LAN (trusted interface) is always routed via the same external interface if the internal source device IP address is either 192.168.1.5 or 192.168.1.6.
There are no specific port numbers or protocols. Just if the source IP matches one of the two above then use a specific external interface.
Presumably your current outgoing phone traffic is being allowed by your default Outgoing policy.
So you could add a TCP-UDP packet filter to allow the phone traffic.
If you want to see what type of packets are being allowed by this policy, you can select Logging -> "Send log message" on it which will show allowed packets in Traffic Monitor.
Your external phone provider or phone brand may have documents indicating what protocol/ports are needed to allow VoIP connections through a firewall.
Commonly VoIP traffic needs UDP ports 5060 and 5061 for SIP signaling and a range of UDP ports for Real-time Transport Protocol (RTP) media streaming.
The device hasn't been put onto the live LAN yet whilst we are still configuring it.
We have the incoming port forwards all configured (to the best of our knowledge) via SNATs and Firewall policies.
The final piece which is eluding us is how to configure the box to force all outbound traffic that comes from the phone system hardware (IPs 192.168.1.5 and 192.168.1.6) out via a specific external interface.
With our existing Untangle firewall appliance this is configured as a Route Rule, whereby it simply has a 'Condition' setting and a 'Destination WAN' setting. The condition is if the internal LAN device source address is 192.168.1.5 or 192.168.1.6 then the Destination WAN is EXTERNAL-FIBRE.
I was anticipating just having to set up a simple rule/setting to allow this, but alas it is proving to be more complicated than I thought.
SD-WAN is much more powerful and flexible than your previous method, but is a little more difficult for simple implementations such as yours.
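A small Python model, added here and not WatchGuard code, of how the policy plus SD-WAN action pairing described in this thread picks an external interface: the first policy whose From: list covers the source IP wins, then the action's method (failover or weighted round-robin) chooses among the interfaces that are up. The interface names, the 3:1 weights and the 192.168.1.0/24 catch-all are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class SDWANAction:
    method: str            # "failover" or "round-robin"
    interfaces: list       # (interface name, weight) pairs, in preference order

@dataclass
class Policy:
    name: str
    sources: list          # networks/hosts the From: field matches
    action: SDWANAction

def first_match(policies, src_ip):
    """Return the first policy whose From: list covers src_ip (most specific listed first)."""
    ip = ipaddress.ip_address(src_ip)
    return next((p for p in policies if any(ip in net for net in p.sources)), None)

def pick_interface(action, up, counter):
    """Apply the SD-WAN action; counter keeps the round-robin position per action."""
    live = [(name, w) for name, w in action.interfaces if name in up]
    if not live:
        return None                      # every listed interface is down: nowhere to send it
    if action.method == "failover":
        return live[0][0]                # highest-preference interface that is still up
    # round-robin: expand the weights into a sequence and step through it per connection
    seq = [name for name, w in live for _ in range(w)]
    idx = counter.get(id(action), 0)
    counter[id(action)] = idx + 1
    return seq[idx % len(seq)]

# Constructed policies modelled on the thread: phones pinned to the fibre link, the rest split.
PHONES = Policy("Phone-System-Out",
    [ipaddress.ip_network("192.168.1.5/32"), ipaddress.ip_network("192.168.1.6/32")],
    SDWANAction("failover", [("EXTERNAL-FIBRE", 1), ("EXTERNAL-2", 1)]))
OUTGOING = Policy("Outgoing",
    [ipaddress.ip_network("192.168.1.0/24")],
    SDWANAction("round-robin", [("EXTERNAL-FIBRE", 3), ("EXTERNAL-2", 1)]))
POLICIES = [PHONES, OUTGOING]           # the specific policy must sort above the catch-all

def route(src_ip, up, counter):
    """Return (policy name, chosen interface) for a new outbound connection from src_ip."""
    policy = first_match(POLICIES, src_ip)
    return (policy.name, pick_interface(policy.action, up, counter)) if policy else (None, None)

if __name__ == "__main__":
    state = {}
    for src in ["192.168.1.5", "192.168.1.6", "192.168.1.50", "192.168.1.50"]:
        print(src, route(src, {"EXTERNAL-FIBRE", "EXTERNAL-2"}, state))
```

Listing a second interface in the failover action is optional; with only EXTERNAL-FIBRE listed the phones simply have no route while that link is down.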