Best Method of Denying Traffic from Specific LAN IPs to Secondary(Failover) WAN
Good evening Community,
So here's the situation: we have a site set up to fail over to a service with a monthly cap on data usage on X1.
Concern exists that backup appliances on site could cause the site to hit that cap in short order during failover, rendering it useless as a backup.
Needless to say, the goal is to use the best method to block traffic from those specific devices to the failover WAN port in the event of a failover, if possible.
Now, full disclosure, I have limited experience/knowledge when it comes to SonicWalls, as I've really only been working with them for a couple of years. So please pardon any naivety on my part here.
Am I mistaken in thinking that this can be accomplished by setting up an Address Group containing the addresses of the devices we want to deny traffic from and then creating an Access Rule set to deny traffic from that Address Group to the failover WAN port, or am I missing/forgetting something critical?
Thanks!
Best Answer
preston
Hi BrianVST, you will need to use policy-based routing for that address group out of the primary WAN interface and untick the option to disable the route if the interface is disconnected; then only everything that is not in the group will use the primary connection when a WAN failover happens.
So the route would be (presuming X1 is the primary WAN):
Source: custom address object group
Service: ANY
Destination: ANY
Interface: X1
Gateway: X1 Default Gateway
Metric: 10
Untick the box for "disable route if interface is disconnected".
Also make sure that in WAN Failover and Load Balancing you are using logical probing; otherwise it won't know the main interface is down unless someone unplugs it.
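The route lookup that preston's answer relies on, as an added example that is not part of the original thread and not SonicOS code: a small Python model of a static route table with per-route metrics and the "disable route if interface is disconnected" checkbox. The address group members, the user host, and the default-route metrics (X1 preferred at 20, X2 as a higher-metric backup at 30, both auto-disabled when their link is down) are constructed assumptions; the point it shows is why the box must be unticked on the metric-10 route so the backup appliances stay pinned to X1 and are blackholed rather than failing over to X2.

```python
"""Constructed model of policy-based routing on a WAN failover.

Not SonicOS code: it simulates a route table with metrics and the
"disable route if interface is disconnected" flag, so the effect of
ticking or unticking that box on the backup-appliance route is visible.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    name: str
    sources: tuple           # source networks the route matches; () = any source
    interface: str           # egress interface, e.g. "X1" or "X2"
    metric: int              # lower metric wins when several routes match
    disable_when_down: bool  # the checkbox in the route policy


# Constructed address group for the on-site backup appliances (assumed values).
BACKUP_GROUP = (
    ipaddress.ip_network("192.168.10.50/32"),
    ipaddress.ip_network("192.168.10.51/32"),
)


def route_table(pin_group_to_x1: bool, disable_pinned_route_when_down: bool):
    """Build the route table. Default routes are assumptions: X1 preferred,
    X2 a higher-metric backup; both are auto-disabled when their link is down."""
    routes = [
        Route("default via X1", (), "X1", 20, True),
        Route("default via X2 (failover)", (), "X2", 30, True),
    ]
    if pin_group_to_x1:
        # The metric-10 policy route from the answer above.
        routes.insert(0, Route("backup group -> X1", BACKUP_GROUP, "X1", 10,
                               disable_pinned_route_when_down))
    return routes


def select_egress(routes, src_ip, up_interfaces):
    """Return the interface traffic from src_ip leaves on, or None when the
    winning route points at a down interface (the traffic is blackholed)."""
    ip = ipaddress.ip_address(src_ip)
    candidates = []
    for r in routes:
        if r.sources and not any(ip in net for net in r.sources):
            continue                       # source does not match this route
        if r.disable_when_down and r.interface not in up_interfaces:
            continue                       # route auto-disabled on link loss
        candidates.append(r)
    if not candidates:
        return None
    best = min(candidates, key=lambda r: r.metric)
    return best.interface if best.interface in up_interfaces else None


def failover_outcome(pin_group_to_x1=True, disable_pinned_route_when_down=False):
    """Egress for (backup appliance, ordinary host) with X1 up and with X1 down."""
    routes = route_table(pin_group_to_x1, disable_pinned_route_when_down)
    backup, user = "192.168.10.50", "192.168.10.120"   # constructed hosts
    return {
        "X1 up":   (select_egress(routes, backup, {"X1", "X2"}),
                    select_egress(routes, user,   {"X1", "X2"})),
        "X1 down": (select_egress(routes, backup, {"X2"}),
                    select_egress(routes, user,   {"X2"})),
    }


if __name__ == "__main__":
    print("box unticked:", failover_outcome())   # backup appliances blackholed on failover
    print("box ticked:  ", failover_outcome(disable_pinned_route_when_down=True))
    print("no PBR:      ", failover_outcome(pin_group_to_x1=False))
```

With the box unticked the group's route stays active while X1 is down, wins on metric, and has nowhere to forward, so those hosts never touch the capped X2 link; with the box ticked the route drops out on link loss and the same hosts fail over to X2 like everyone else, which is exactly what the original question wants to avoid.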
Answers
But what exactly do you need?
For me, a firewall rule would be the best option.
Morning Preston, this makes sense to me. Currently we're deciding between something like that or dedicating the failover to just VPN traffic.