Topic: Suggested deployment between two firewalled sites

blazarov (Member, Posts: 5)
Suggested deployment between two firewalled sites
« on: May 08, 2018, 02:07:18 PM »
Hello,
I am a network engineer and a customer of mine likes WANOS and is looking for a deployment.
The environment is much more complex than all the examples in the documentation, so I am still wondering what would be a good approach and whether it will even work at all.

The objective is to implement WAN optimization between two sites connected by a long fat pipe (300+ Mbps; 20+ ms latency).
Currently the sites run IPSec VPN.

Now my question is on the actual WANOS appliances deployment. The customer requires virtual appliances.

Attaching a sample topology diagram.

Initially I thought I would deploy the two appliances in Tunnel mode, put their WAN directly on the Internet and totally replace the IPSec on the firewalls.
From my quick research it seems WANOS cannot encrypt the traffic, so this is not acceptable - we should still retain the current IPSec and just use the optimization of the WANOS.

Since it will be a virtual appliance, bridge deployment makes little sense to me, because there are too many VLANs on both sides and VLAN configuration will be very tricky and fragile.
So we're left with router/tunnel mode. Obviously we need to route both directions of the traffic through the appliance - how would you suggest doing that?
Changing the servers' default GW is not acceptable (critical environment), so are we looking at some sort of PBR?

ahenning (Team Wanos, Administrator, Full Member, Posts: 622)
Re: Suggested deployment between two firewalled sites
« Reply #1 on: May 08, 2018, 04:27:27 PM »
Just checking, 300Mbps and 20ms? That would be a short fat pipe, unless the 20 should be 200+?

PBR sounds like the way to go, with some IP Track SLA type of config for redundancy.

Wanos has IPsec, but if you have the infrastructure already, go with what is working now and just add Wanos for Optimization.
CCIE RS, CCIE SP, Mnet&sys

Note: Forum posts may be outdated. Please see the latest documentation at wanos.co/docs

blazarov (Member, Posts: 5)
Re: Suggested deployment between two firewalled sites
« Reply #2 on: May 09, 2018, 06:46:20 AM »
Hi,
My calculations put the bandwidth-delay product for this particular link at > 750KB, so it definitely qualifies as an LFN as per RFC1072 :)
Aside from theory, real life shows the typical undesirable LFN effects, such as poor TCP performance, also very dependent on the endpoint OSes, hence the use case for WANOS.

Regarding PBR - what bothers me is the right-hand network. As you can see, all subnets are directly connected to the firewall, which acts as their default GW for the segment. The same firewall terminates the IPSec to the remote site, no hops in between. In this case I don't see any good PBR implementation, am I missing something?
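An added worked example (not from the original thread) of the bandwidth-delay product and the per-session TCP limits behind the LFN discussion above. It assumes the 20 ms figure is the round-trip time, which reproduces the poster's 750 KB BDP, and uses the RFC 7323 window-scale option to show what end-host tuning has to provide.

```python
"""Added example (not from the original thread): bandwidth-delay product and
per-session TCP limits for the 300 Mbps / 20 ms link discussed above.
Assumption: the 20 ms figure is treated as the round-trip time, which
reproduces the poster's 750 KB BDP. 65535 bytes is the largest TCP window
without the RFC 7323 window-scale option; the scale shift is limited to 14."""

MAX_UNSCALED_WINDOW = 65535
MAX_WINDOW_SHIFT = 14


def bandwidth_delay_product(bandwidth_bps: float, rtt_s: float) -> int:
    """Bytes that must be in flight to keep the pipe full (bandwidth x RTT, in bytes)."""
    return round(bandwidth_bps * rtt_s / 8)


def max_throughput_bps(window_bytes: int, rtt_s: float) -> float:
    """Upper bound for one TCP session: at most one window per round trip."""
    return window_bytes * 8 / rtt_s


def window_scale_shift(bdp_bytes: int) -> int:
    """Smallest RFC 7323 shift so that 65535 << shift covers the BDP."""
    shift = 0
    while (MAX_UNSCALED_WINDOW << shift) < bdp_bytes:
        shift += 1
        if shift > MAX_WINDOW_SHIFT:
            raise ValueError("BDP exceeds the largest scalable TCP window")
    return shift


def link_summary(bandwidth_bps: float, rtt_s: float) -> dict:
    """Collect the numbers an engineer would check before tuning end hosts."""
    bdp = bandwidth_delay_product(bandwidth_bps, rtt_s)
    return {
        "bdp_bytes": bdp,
        # Best case for a host that never negotiates window scaling.
        "unscaled_window_mbps": max_throughput_bps(MAX_UNSCALED_WINDOW, rtt_s) / 1e6,
        "window_scale_shift": window_scale_shift(bdp),
        # Parallel unscaled sessions needed to fill the pipe (ceiling division).
        "sessions_to_fill_pipe_unscaled": -(-bdp // MAX_UNSCALED_WINDOW),
    }


if __name__ == "__main__":
    for label, rtt in (("20 ms RTT", 0.020), ("40 ms RTT (20 ms each way)", 0.040)):
        print(label, link_summary(300e6, rtt))
```

With an unscaled 64 KB window a single session tops out around 26 Mbps over 20 ms RTT, which is the per-session ceiling the thread keeps running into.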

ahenning (Team Wanos, Administrator, Full Member, Posts: 622)
Re: Suggested deployment between two firewalled sites
« Reply #3 on: May 09, 2018, 09:48:06 AM »
It depends on the firewall capability. In similar scenarios we use an additional interface on the firewall to which Wanos connects, and the FW PBR is set to redirect traffic from the local subnets (internal interface) to the Wanos interface. Wanos has the firewall as default gateway, so the traffic flow looks as follows:

LAN Subnets -> (Internal)-FW  -> Wanos -> FW-(external) -> VPN

What is the max speed per TCP session that you get over the 20ms?
CCIE RS, CCIE SP, Mnet&sys

blazarov (Member, Posts: 5)
Re: Suggested deployment between two firewalled sites
« Reply #4 on: May 09, 2018, 10:59:05 AM »
Thanks for the suggestion, I imagined a similar approach as well. That would probably work, however I should verify that it will not break the stateful firewall session mapping in terms of ingress/egress interface for each session.
I just hoped I could get away with something with less overall impact, so I can first test it and introduce it in a phased approach.
IPSec directly on the WANOS suits the overall architecture design better, but since it's purely software on a VM I have no idea whether it will perform well enough in terms of throughput.
Max speed per TCP session varies a lot depending mostly on end-host OSes. Usually, the worst case is newer (2016) Windows Server versions, where I believe their intelligent TCP stack features are intervening. With careful TCP tuning on the end-hosts, even on Windows Server 2016 I am able to achieve the desired speed even in a single session, but there are too many hosts on both sides, not all of them under my control, so OS tuning is not a solution.
All the Linuxes usually perform excellently too.

ahenning (Team Wanos, Administrator, Full Member, Posts: 622)
Re: Suggested deployment between two firewalled sites
« Reply #5 on: May 09, 2018, 12:04:02 PM »
One thing to check with this design is whether the FW will allow the subnets from the remote site to be the source IP when Wanos sends the traffic back to the FW once it gets off the tunnel. What happens is the FW sees the remote site subnets' source IP coming from the Wanos/DMZ/additional LAN segment, when the routing table says the traffic should come from the external interface. What we sometimes need to do is disable Reverse Path Check or asymmetric routing checks on the FW interface going to Wanos.

More info available at: http://kb.fortinet.com/kb/documentLink.do?externalID=FD30543
CCIE RS, CCIE SP, Mnet&sys
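An added model (not from the original thread or the Wanos project) of the strict reverse-path check described in the reply above: it shows why de-tunnelled return traffic from the remote site fails the check on the Wanos-facing interface, and that relaxing the check only there leaves it active on the LAN side. The routing table, subnets and interface names are constructed for illustration.

```python
"""Added example (not from the original thread): a model of the strict
reverse-path check that the reply above describes, showing why de-tunnelled
return traffic from the remote site fails it on the Wanos-facing interface
and why the check only needs relaxing on that one interface.
Routing table, subnets and interface names are constructed for illustration."""
import ipaddress

# Constructed routing table of the right-hand firewall: (prefix, egress interface).
ROUTES = [
    (ipaddress.ip_network("10.20.0.0/16"), "internal"),     # local LAN subnets
    (ipaddress.ip_network("10.10.0.0/16"), "external"),     # remote site, reached via the IPsec VPN
    (ipaddress.ip_network("192.168.100.0/24"), "wanos"),    # transit subnet to the Wanos appliance
    (ipaddress.ip_network("0.0.0.0/0"), "external"),        # default route
]


def egress_interface(ip: str) -> str:
    """Longest-prefix match over ROUTES."""
    addr = ipaddress.ip_address(ip)
    best = max((net for net, _ in ROUTES if addr in net), key=lambda n: n.prefixlen)
    return dict(ROUTES)[best]


def rpf_accepts(src_ip: str, ingress: str, relaxed: frozenset = frozenset()) -> bool:
    """Strict RPF: accept only if the route back to src_ip leaves via the ingress
    interface. Interfaces in `relaxed` skip the check (the workaround in the reply)."""
    if ingress in relaxed:
        return True
    return egress_interface(src_ip) == ingress


def evaluate(relaxed: frozenset = frozenset()) -> dict:
    """Three packets the firewall sees in the PBR design discussed in the thread."""
    return {
        # LAN host sending towards the remote site: normal, passes everywhere.
        "lan_to_remote": rpf_accepts("10.20.5.7", "internal", relaxed),
        # Remote host's reply after Wanos de-tunnels it and hands it back: the
        # route to 10.10.0.0/16 points at 'external', not 'wanos'.
        "remote_via_wanos": rpf_accepts("10.10.1.5", "wanos", relaxed),
        # Same remote source arriving on the LAN side: spoofing, should stay blocked.
        "spoofed_on_internal": rpf_accepts("10.10.1.5", "internal", relaxed),
    }


if __name__ == "__main__":
    print("strict everywhere:", evaluate())
    print("relaxed on wanos :", evaluate(frozenset({"wanos"})))
```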

blazarov (Member, Posts: 5)
Re: Suggested deployment between two firewalled sites
« Reply #6 on: May 09, 2018, 12:10:04 PM »
Yep, RPF was exactly what I was worried about. I know how to do it (Palo Alto on the left side, Fortigate on the right side), but for now I really don't want to disable RPF.

Also, stateful firewalls (esp. NGFW) usually track ingress and egress interfaces for each session and set them during initial session establishment. This deployment approach, I believe, will mess up that logic too.

One extra question on licensing:
Customer bought "Plus 10/100" license. What will this license give us in terms of maximum bandwidth and how does it measure it - before or after optimization?

ahenning (Team Wanos, Administrator, Full Member, Posts: 622)
Re: Suggested deployment between two firewalled sites
« Reply #7 on: May 09, 2018, 01:14:07 PM »
Outbound/Transmit optimization, after optimization/compression, excluding pass-through = 10Mbps (Typically the links speed TX rate)
Outbound/Inbound pass-through, QoS, Path-Selection, TCP acceleration = 100Mbps
CCIE RS, CCIE SP, Mnet&sys

blazarov (Member, Posts: 5)
Re: Suggested deployment between two firewalled sites
« Reply #8 on: July 30, 2018, 03:31:33 PM »
Hi Again,
Since disabling the RPF check and enabling asymmetric flows was not an acceptable solution, we have delayed the implementation.
Meanwhile another migration took place, and now the infrastructure on both ends, I believe, allows for better integration with WanOS.

Please look at the attachment.

Currently the connection works as in the diagram, except for the WANOS appliances. On both sides there is a separate VPN router and there is a /24 transport network between the firewall and that VPN router. Currently there is static routing between the VPN router and the firewall in that transport network.
I was thinking of deploying the WANOS in the transport network and forcing the traffic to traverse the appliance using static routes, probably with tracking for bypass in case of failure.
Will this work? Will all optimization features work that way?
Will the two WANOS correctly discover themselves?
Thanks in advance! Will appreciate your responses and suggestions!

ahenning (Team Wanos, Administrator, Full Member, Posts: 622)
Re: Suggested deployment between two firewalled sites
« Reply #9 on: July 30, 2018, 08:30:32 PM »
Hi,

Yes, tunnel mode should work fine in that configuration as long as the redirect config is applied on both sides.
A traceroute from each side to the other should show the path going over Wanos; then all should be good to go.
CCIE RS, CCIE SP, Mnet&sys