Backhauling Traffic via a Socket's WAN Interface IP Address

This article discusses how to configure a site as a backhauling gateway and create network rules to egress traffic to the Internet via the Socket's WAN interface IP address.

Overview

In some scenarios, such as migrating to Cato, you may want to keep using an existing public IP address to access specific Internet applications. For example, the IP address is allowlisted in various SaaS applications, and you are not ready to change it yet. You can configure a gateway site to egress the backhauled traffic directly to the Internet from the Socket WAN interface. In this case, the Socket performs source NAT on the traffic to the WAN interface IP address.

Each backhauling gateway site can be configured for one of the following destinations:

  • Local gateway IP - Sends the backhauled traffic to a LAN device

  • Internet breakout - Egresses the backhauled traffic via the Socket WAN interface

Prerequisites for Internet Traffic Backhauling

  • The backhauling gateway site must be Socket version 16.0 or higher

    • There is no minimum Socket version for the source sites

Diagram of Internet Traffic Backhauling via a Socket WAN IP Address

This is an example of Internet traffic backhauling from sites and SDP users, to egress to the Internet using the WAN interface IP address of the primary or secondary gateway site.

InternetBreakoutDiagram.png

Configuring Internet Backhauling for the Account

This section shows the overview of configuring your account to backhaul Internet traffic to a gateway site.

  1. Define one or more backhauling gateway sites.

  2. Create Internet network rules that backhaul Internet traffic to the gateway sites.

Defining a Site as a Backhauling Gateway for Internet Breakout

Define an existing Socket site as the backhauling gateway site where the Internet traffic is egressed using the IP address for the WAN Socket port. Make sure that this site meets the prerequisites above.

For each gateway site, enable the site as a backhauling gateway. Then set the destination as Internet breakout and select the Socket WAN Port that egresses the Internet traffic.

GW_Internet_breakout.png

To define a site as a backhauling gateway for Internet breakout:

  1. From the navigation menu, select Network > Sites, and select the site.

  2. From the navigation menu, select Site Settings > Backhauling.

  3. Select Use this site as backhauling gateway.

  4. In Select the destination for the traffic, select Internet breakout.

  5. Select the Preferred Socket Port for the Internet traffic.

  6. Click Save.

Configuring Network Rules to Backhaul Traffic via a Socket WAN IP Address

Create an Internet network rule and configure the routing setting to route the traffic to the backhauling gateway. We recommend that you configure more than one backhauling gateway site, so in case the primary gateway site loses connectivity, the Cato PoP backhauls the traffic to the secondary gateway site (and so on if the secondary gateway site is also unreachable).

When you define a domain for the App/Category of a network rule, only the traffic for that specific domain is backhauled. Other related traffic flows for different domains aren't backhauled.

Note

Note: For users and sites located in China, make sure that the network rules for the backhauled traffic don't violate China's Internet regulations.

For more about the settings for network rules, see Configuring Network Rules.

For more information about routing options, you can also watch this video tutorial.

Was this article helpful?

0 out of 0 found this helpful

3 comments

  • Comment author
    Oscar Cuevas

    If I have a 10Gb circuit w/ a pair of x1700 sockets with the 4 port 10Gb module connected at the 10Gb on WAN1 and my license is for 2Gbs, Does the traffic that breaks out locally count against my 2Gb license?

     

  • Comment author
    Yaakov Simon

    Oscar Cuevas I checked with the Product team and this information should answer your question:

    • Traffic over the Cato Cloud is part of the site license, so the traffic from a site to the backhauling gateway site is part of the license. 
    • The traffic that egresses from the backhauling gateway site to the public Internet is not considered as part of Cato’s license, but is still shaped to the upstream bandwidth value for that site. Please contact your Cato representative for questions about the upstream bandwidth for the backhauling gateway site.
  • Comment author
    EITS T3

    I set up the backhauling gateway, but the download is still being blocked...

Add your comment