Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 2 replies
  • Subscribers 2 subscribers
  • Views 4216 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How to selectively route traffic through 2 X WAN

Flancer
I have 2 WAN interfaces, WAN1 and WAN2 and just one internal LAN. I am using an ASG120 (with 512MB RAM) with the 7.101 firmware.

I have done the following:
a) Created masquerading rules for WAN1 and WAN2.

b) Created DNAT rules to forward the necessary ports

c) Created the necessary packet filter rules

d) Create the necessary policy routes

However the DNATted services only work with the WAN line that has been assigned as the default gateway. Services DNAtted over the WAN line that is not the default gateway will not work.
I have however confirmed through packet filtering logs that whenever I try to establish connection to the non default WAN line, the packet filter did allow it to through.
I have also tried the setup shown at 

https://community.sophos.com/products/unified-threat-management/astaroorg/f/54/t/38639

 but I still cannot get it to work.

I have verified that the gateway for WAN2 is correct through a traceroute and as it is a fact that WAN2 works without problems when set as the default gateway (this is when WAN1 wont work).
Please help.


This thread was automatically locked due to age.
Parents
  • 0
    I've tinkered around with it a bit and I noticed a bug in the ASG 120.

    Somehow it had tied the WAN2 gateway to the wrong interface earlier. 
    Through the console login I manually deleted that route.

    Now by setting up the policy routing as per the following: 




    Route Type:                       Gateway Route

    Source Interface:                 Any

    Source Network:                   Your WAN #2 IP

    Service:                          Any

    Destination:                      Any

    Gateway:                          Your WAN #2 Gateway


    I am able to SSL VPN to the unit over the WAN#2 IP and even ping the WAN2 IP.

    However, it seems I am still unable to DNAT over the WAN#2 IP.

    What else am I missing? I have checked the packet filter logs and they do not show any problems. For example I want to DNAT service port 20000 to WAN#2 IP to 192.168.0.44. Through the packet filter logs, it shows that the traffic is successfully passed to 192.168.0.44.

    Again DNAT seems to work only if I DNAT through WAN#1.
  • 0 in reply to Flancer
    Alright I got a bit further by creating the following POLICY ROUTE: 


    Route Type:                       Gateway Route

    Source Interface:                 Any

    Source Network:                   192.168.0.44

    Service:                          Any

    Destination:                      Any

    Gateway:                          Your WAN #2 Gateway


    Through this I was able to DNAT any service to 192.168.0.44 over WAN #2.

    However, this is currently not acceptable as I only need to DNAT a few services over WAN #2 and the rest over WAN #1.

    For example, if I want to DNAT the PPTP service to WAN#2 only and the HTTP service to WAN#1. How should I do it?

    I have tried the following settings for PPTP 



    Route Type:                       Gateway Route

    Source Interface:                 Any

    Source Network:                   192.168.0.44

    Service:                          PPTP

    Destination:                      Any

    Gateway:                          Your WAN #2 Gateway




    Route Type:                       Gateway Route

    Source Interface:                 Any

    Source Network:                   192.168.0.44

    Service:                          GRE

    Destination:                      Any

    Gateway:                          Your WAN #2 Gateway


    but it does not work.
Reply
  • 0 in reply to Flancer
    Alright I got a bit further by creating the following POLICY ROUTE: 


    Route Type:                       Gateway Route

    Source Interface:                 Any

    Source Network:                   192.168.0.44

    Service:                          Any

    Destination:                      Any

    Gateway:                          Your WAN #2 Gateway


    Through this I was able to DNAT any service to 192.168.0.44 over WAN #2.

    However, this is currently not acceptable as I only need to DNAT a few services over WAN #2 and the rest over WAN #1.

    For example, if I want to DNAT the PPTP service to WAN#2 only and the HTTP service to WAN#1. How should I do it?

    I have tried the following settings for PPTP 



    Route Type:                       Gateway Route

    Source Interface:                 Any

    Source Network:                   192.168.0.44

    Service:                          PPTP

    Destination:                      Any

    Gateway:                          Your WAN #2 Gateway




    Route Type:                       Gateway Route

    Source Interface:                 Any

    Source Network:                   192.168.0.44

    Service:                          GRE

    Destination:                      Any

    Gateway:                          Your WAN #2 Gateway


    but it does not work.
Children
No Data