

Matt
All noise, no signal.
Premium
join:2003-07-20
Jamestown, NC
kudos:12

Dual-WAN Router - Traffic Control?

For those of you with Dual-WAN routers, what sort of control do you have over your traffic? For example, can you send HTTP across one link but FTP across another without resorting to manual firewall rule creation?


dualwan

@64.238.49.x

Most of the dual WAN port routers I have used (Linksys and Netgear) have a protocol binding feature that lets you force certain protocols or ports over specific WAN links. Works quite well from what I can remember. This was all done through the GUI interface, and was pretty simple to do.


jimbopalmer
Tsar of all the Rushers

join:2008-06-02
Greenwood, MS
kudos:2
Reviews:
·Windjammer Cable

reply to Matt

As you see, VNC is allowed via WAN1


drew
Automatic
Premium
join:2002-07-10
Port Orchard, WA
kudos:6
Reviews:
·wavebroadband

He's referring to a way of making sure, for example, VNC traffic goes out WAN1 rather than WAN2.

More likely VoIP traffic than VNC, but you get the idea.

Interestingly enough, I think he might be purchasing an RV042 here soon
--
Come play Mafia! | My Picture Blog



Matt
All noise, no signal.
Premium
join:2003-07-20
Jamestown, NC
kudos:12

said by drew:

Interestingly enough, I think he might be purchasing an RV042 here soon
hax0r! r u in mi internets?

keeska
Premium
join:2007-04-06
Sedona, AZ

reply to Matt

quote:
For those of you with Dual-WAN routers, what sort of control do you have over your traffic?
Limit specific IP address and/or ports and/or types of traffic (deep packet inspection) to a single link.

Specify what percentage of traffic is sent over each outgoing link based on src and/or destination ip address and/or port

Load balance each link based on static bandwidth.

Load balance each link based on actually measured bandwidth.

Detect upstream blackhole and reroute all traffic to the remaining link.

Use QoS to route traffic to the least used link or to separate traffic keeping high priority traffic in the front of the queue on a given link.

There are a few more features but I have not really used them.


Nightfall
My Goal Is To Deny Yours
Premium,MVM
join:2001-08-03
Grand Rapids, MI
Reviews:
·Site5.com
·Comcast
·Callcentric

reply to Matt
Matt,

I have done this before. In one example, I had HTTPS traffic flowing through one of the two connections. Mainly because load balancing HTTPS traffic is hard to do. Most secure sites remember one IP address for a transaction or when you are filling out a form. Having that data load balance may trip the security and cause an HTTPS error.

So it is possible yes.
--
My domain - Nightfall.net



tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ

reply to Matt
while i don't use a dual-wan router myself, i've configured up quite a few of them in the medium-business/school district space using cisco routers.
nothing is more powerful than an access-list and route-maps!



q.
--
"...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."


Bink

join:2006-05-14
Denver, CO
kudos:4

reply to Matt
I have to concur with tubbynet. Even the consumer-class devices still use some kind of rule-based or ACL-based method to point the traffic to where you want it to go—it just might be hidden behind a “friendly” GUI.



Matt
All noise, no signal.
Premium
join:2003-07-20
Jamestown, NC
kudos:12

Thanks guys. It looks like the RV042 does what I need. For clarification, I don't mind creating say, one rule for all HTTPS traffic. I absolutely wanted to avoid having to create a hackish rule for each website I wanted to visit.



Leathal
Premium
join:2002-02-09
M1S0G4
kudos:2

reply to Nightfall

Re: Dual-WAN Router - Traffic Control?

that's why Matt needs to find a router that does IP binding on the load balancing if he wants to still be able to use NLB. Something which the Linksys doesn't support...

Leathal


Leathal
Premium
join:2002-02-09
M1S0G4
kudos:2

reply to Matt
You may have to look at something more expensive to do IP binding on NLB, such as a Zywall or SonicWALL. I am sure there are other products at the same hardware/software level as those that support IP binding.

Leathal



Nightfall
My Goal Is To Deny Yours
Premium,MVM
join:2001-08-03
Grand Rapids, MI
Reviews:
·Site5.com
·Comcast
·Callcentric

reply to Leathal

said by Leathal:

that's why Matt needs to find a router that does IP binding on the load balancing if he wants to still be able to use NLB. Something which the Linksys doesn't support...

Leathal
Actually, the Linksys RV082 does support that. I have set that up before and it's not hard to set up.
--
My domain - Nightfall.net


Leathal
Premium
join:2002-02-09
M1S0G4
kudos:2

said by Nightfall:

said by Leathal:

that's why Matt needs to find a router that does IP binding on the load balancing if he wants to still be able to use NLB. Something which the Linksys doesn't support...

Leathal
Actually, the Linksys RV082 does support that. I have set that up before and it's not hard to set up.
You shouldn't have to set up anything other than enabling it, which is how it's done in the industry. The firewall itself should be smart enough to know how to use it; otherwise you have a problem.

Leathal


Matt
All noise, no signal.
Premium
join:2003-07-20
Jamestown, NC
kudos:12

said by Leathal:

said by Nightfall:

said by Leathal:

that's why Matt needs to find a router that does IP binding on the load balancing if he wants to still be able to use NLB. Something which the Linksys doesn't support...

Leathal
Actually, the Linksys RV082 does support that. I have set that up before and it's not hard to set up.
You shouldn't have to set up anything other than enabling it, which is how it's done in the industry. The firewall itself should be smart enough to know how to use it; otherwise you have a problem.

Leathal
According to the manual, the RV042 supports this too. It's a simple firewall setting.

As far as "enabling it" since when did Zywall and Sonicwall obtain the ability to read minds? How do they know I want my streaming radio station to go out over WAN2 instead of WAN1? Why hasn't this technology been paraded? I think you're confusing my question with sticky sessions. They are two different things.


Nightfall
My Goal Is To Deny Yours
Premium,MVM
join:2001-08-03
Grand Rapids, MI
Reviews:
·Site5.com
·Comcast
·Callcentric

said by Matt:

According to the manual, the RV042 supports this too. It's a simple firewall setting.

As far as "enabling it" since when did Zywall and Sonicwall obtain the ability to read minds? How do they know I want my streaming radio station to go out over WAN2 instead of WAN1? Why hasn't this technology been paraded? I think you're confusing my question with sticky sessions. They are two different things.
That's correct, Matt.

Setting this up in the Linksys unit is so easy. In fact, you do have to set up a rule like this in ANY ROUTER that you want to have the flow of one specific kind of traffic go through one connection.

If you don't set this up, then the load balancing does as it was designed to do, which is use the connection that is the least utilized. This can be bad in terms of secure connections like HTTPS, which is why all secure connections should go through one of your two connections. Switching it over is a simple drop-down selection in the router if you have a line outage.

All dual WAN routers I have set up have this ability and are just as easy to implement.
--
My domain - Nightfall.net


Leathal
Premium
join:2002-02-09
M1S0G4
kudos:2

1 edit

reply to Matt

said by Matt:

According to the manual, the RV042 supports this too. It's a simple firewall setting.

As far as "enabling it" since when did Zywall and Sonicwall obtain the ability to read minds? How do they know I want my streaming radio station to go out over WAN2 instead of WAN1? Why hasn't this technology been paraded? I think you're confusing my question with sticky sessions. They are two different things.
It's simple: you are confusing the basic principle of how IP binding works.

IP binding takes the destination IP address and binds it to the WAN port it connects through initially until the session is closed.

So if you are requesting an audio stream from di.fm through your Winamp and the firewall talks to DI's servers on WAN2 initially, it will automatically bind the IP to WAN2 until the session is closed. Not having IP binding enabled allows the load balance to randomly decide which WAN port it will request additional information from automatically.

Basically you have to remember, what goes out must come in. In the case of HTTPS connections, servers bind your incoming connection to your IP address (like Nightfall said). If you are not binding the IP address on your firewall, then the load balance "may" decide to use the opposite WAN port on the next request and the session will be terminated by the destination server.

Leathal


Matt
All noise, no signal.
Premium
join:2003-07-20
Jamestown, NC
kudos:12

That is called sticky connections. You may refer to it as IP binding, although I would disagree as that implies something completely different to me.

I was asking if I could tell the router to send all traffic out a specific WAN port. For example, if I ALWAYS wanted my streaming radio connection to go out WAN2 rather than load balance it and randomly assign it to a WAN port. You are misunderstanding what I am asking for.
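
The two mechanisms being argued over in this exchange, as an added example that is not part of any poster's message or of any router's firmware: a toy Python model in which a static protocol-binding rule pins a port to one WAN link, while sticky sessions only keep a destination on whichever link the load balancer happened to pick first. The class, the rule format and the addresses (documentation ranges) are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class DualWanSelector:
    """Toy model (hypothetical, not vendor code) of outbound link selection."""
    bindings: dict = field(default_factory=dict)  # (proto, dst_port) -> WAN, set by the admin
    sticky_enabled: bool = True
    sticky: dict = field(default_factory=dict)    # (src_ip, dst_ip) -> WAN, learned per session
    load: dict = field(default_factory=lambda: {"WAN1": 0, "WAN2": 0})

    def select(self, src_ip, dst_ip, proto, dst_port):
        # 1. Protocol binding: a static rule always wins.
        wan, reason = self.bindings.get((proto, dst_port)), "protocol-binding"
        if wan is None and self.sticky_enabled:
            # 2. Sticky session: reuse the link first used toward this destination.
            wan, reason = self.sticky.get((src_ip, dst_ip)), "sticky"
        if wan is None:
            # 3. Load balancing: least-used link (ties go to WAN1).
            wan, reason = min(self.load, key=self.load.get), "load-balance"
            if self.sticky_enabled:
                self.sticky[(src_ip, dst_ip)] = wan
        self.load[wan] += 1
        return wan, reason

    def close_session(self, src_ip, dst_ip):
        self.sticky.pop((src_ip, dst_ip), None)

def demo():
    # Constructed sample traffic; addresses are from documentation ranges.
    client, bank, radio = "192.168.1.10", "203.0.113.5", "198.51.100.7"
    r = DualWanSelector(bindings={("tcp", 443): "WAN1"})
    results = [
        r.select(client, bank, "tcp", 443),    # pinned by rule
        r.select(client, radio, "tcp", 8000),  # balancer picks, then remembered
        r.select(client, radio, "tcp", 8000),  # same link while session lives
    ]
    r.close_session(client, radio)
    results.append(r.select(client, radio, "tcp", 8000))  # may move after close
    return results

if __name__ == "__main__":
    for wan, reason in demo():
        print(wan, reason)
```

In this model the unbound stream moves from WAN2 to WAN1 once its session is closed, whereas the bound port stays on WAN1 regardless of load.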



Leathal
Premium
join:2002-02-09
M1S0G4
kudos:2

1 edit

said by Matt:

That is called sticky connections. You may refer to it as IP binding, although I would disagree as that implies something completely different to me.

I was asking if I could tell the router to send all traffic out a specific WAN port. For example, if I ALWAYS wanted my streaming radio connection to go out WAN2 rather than load balance it and randomly assign it to a WAN port. You are misunderstanding what I am asking for.
I don't think you can do that without having load balance turned on, because if you disable load balancing the 2nd WAN becomes a backup WAN, which most firewalls don't allow normal or otherwise configured traffic to pass through because it's in standby mode.

And when you have load balance turned on you have to make sure IP binding (as SonicWALL calls it) sticky session is enabled.

Leathal

Saturday, 02-Jun 13:40:03 · © 1999-2012 dslreports.com.