Fun with ping fail over

PeterUK Posts: 2,702  Guru Member
edited April 2023 in Security

So, no problem, just me trying to work out a solution to a problem and the many ways I went about it.

So what did I really need? A way to have a routing rule come online when a ping fails, which you can't do... or at least not easily.

I need this to happen on the VPN300, whereby when my main internet goes down (but ARP stays up, which was causing a problem) I would DNS to my bind on a given view to do DNS out the 4G backup network.

This is how that works:

ge5 192.168.255.49 255.255.255.240 Virtual IP 192.168.255.60
VLAN443 192.168.44.5 255.255.255.240

NAT
incoming ge5
source IP 192.168.255.55
external IP 192.168.255.60
internal IP 192.168.255.62
service DNS

routing
incoming ge5
source 192.168.255.55
service DNS
next hop auto
SNAT IP 192.168.255.60

So the above is needed for PC 192.168.255.55 to DNS over 4G by my bind server, but I only want it enabled when ping fails. So one way was to make a fake route above this rule, being:

incoming ge5
source 192.168.255.55
destination 192.168.255.62
service DNS
next hop 192.168.44.1
SNAT IP 127.0.0.1
Connectivity Check 1.1.1.1

DNS is blocked by this rule until ping fails, so that the route below works... and that all works fine... But I want it to be better (in my mind), so change that fake route to:

incoming ge5
source 192.168.255.55
destination 192.168.255.62
service DNS
next hop ge4 my 4G router
SNAT outgoing-interface
Connectivity Check my main IP

So the idea was to ping my main IP from 4G, which works... but then I wanted to only allow ICMP from what my 4G IP is SNATed from, so I set up DDNS and on the USG FLEX 200 allow ICMP from source DDNS. But it seems my 4G ISP changes the SNAT the ping comes from, so that's no good, but the one thing my 4G ISP can't do is change the SNAT all the time for UDP, so I built a tunnel.

VPN300
ge5 192.168.255.49 255.255.255.240 Virtual IP 192.168.255.60
VLAN443 192.168.44.5 255.255.255.240 gateway 192.168.44.1

USG FLEX 200
VLAN443 192.168.44.7 255.255.255.240 gateway 192.168.44.1

ZyWALL 110
VLAN443 192.168.44.1 255.255.255.240 Virtual IP 192.168.44.4 gateway 192.168.44.2

VPN300
Site-to-site
local policy 192.168.254.24/29
remote policy 192.168.254.32/29

USG FLEX 200
Site-to-site with Dynamic Peer
local policy 192.168.254.32/29
remote policy 192.168.254.24/29

What I was hoping was to do a fake route like:

incoming ge5
source 192.168.255.55
destination 192.168.255.62
service DNS
next hop link_to_flex200_4G
Connectivity Check IP 192.168.254.33

Errr. Greyed out for the ping Connectivity Check.

So I now need a route that pings down the tunnel, and when the ping fails, the right route is used.

Welcome to my madness!

Fake route to:

incoming ge5
source 192.168.255.55
destination 192.168.255.62
service DNS
next hop gateway 192.168.44.4
SNAT outgoing-interface
Connectivity Check 192.168.44.4

Then ZyWALL 110:

NAT
incoming VLAN443
source IP 192.168.44.5
external IP 192.168.44.4
internal IP 192.168.254.33
service any

routing
incoming VLAN443
source 192.168.44.5
destination 192.168.254.33
service ping
next hop gateway 192.168.44.5
SNAT outgoing-interface

Static route
192.168.254.32
255.255.255.248
gateway 192.168.44.5

Back to VPN300:

routing
incoming VLAN443
source 192.168.44.1
destination any
service ping
next hop link_to_flex200_4G

Over the internet back to me on the USG FLEX 200, and it gets replied to on 192.168.254.33, but the reply does not go back down the tunnel but Direct Route on VLAN443 to gateway 192.168.44.1 (ZyWALL 110), which gets the reply, then NATs it back to 192.168.44.5 from 192.168.44.4, and the Connectivity Check is complete. 😉
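The whole trick in the post rests on one behaviour: policy routes are evaluated top-down, and a rule whose Connectivity Check target stops answering is skipped, so traffic falls through to the next rule. The following Python model is an added illustration, not code from the post or from Zyxel; it encodes the first "fake route" (check on 1.1.1.1, placed above the real 4G DNS route) and shows which rule the PC's DNS query lands on in each state of the main link. The rule/packet fields, the `reachable` set standing in for ping results, and the post-NAT destination of 192.168.255.62 are assumptions of the model.

```python
"""Toy model of first-match policy routing with a per-rule connectivity check.

Constructed example mirroring the two VPN300 routes in the post (fake route
with a Connectivity Check above the real 4G DNS route). This is not Zyxel
firmware logic; it only illustrates the fall-through failover behaviour.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class PolicyRoute:
    name: str
    incoming: str            # incoming interface, or "any"
    source: str              # host / CIDR, or "any"
    destination: str         # host / CIDR, or "any"
    service: str             # "DNS", "ping", "any", ...
    next_hop: str
    snat: str = "outgoing-interface"
    connectivity_check: Optional[str] = None   # IP the rule pings; None = no check


@dataclass(frozen=True)
class Packet:
    incoming: str
    src: str
    dst: str                 # destination after any NAT has been applied (assumption)
    service: str


def _addr_match(selector: str, addr: str) -> bool:
    """'any' matches everything; otherwise compare against a host or network."""
    if selector == "any":
        return True
    return ip_address(addr) in ip_network(selector, strict=False)


def matches(rule: PolicyRoute, pkt: Packet) -> bool:
    """Interface, source, destination and service criteria must all match."""
    return (
        rule.incoming in ("any", pkt.incoming)
        and _addr_match(rule.source, pkt.src)
        and _addr_match(rule.destination, pkt.dst)
        and rule.service in ("any", pkt.service)
    )


def select_route(rules, pkt: Packet, reachable) -> Optional[PolicyRoute]:
    """First rule that matches AND whose connectivity check (if any) passes.

    `reachable` is the set of check targets that currently answer ping.
    A rule whose check target is unreachable is skipped, so the packet falls
    through to the next rule: that skip is the whole failover mechanism.
    """
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.connectivity_check and rule.connectivity_check not in reachable:
            continue
        return rule
    return None  # no policy route hit: the normal routing table applies


def build_rules():
    """The two routes from the post, in order: fake route first, real route below."""
    fake = PolicyRoute(
        name="blackhole-while-main-is-up",
        incoming="ge5", source="192.168.255.55", destination="192.168.255.62",
        service="DNS", next_hop="192.168.44.1", snat="127.0.0.1",
        connectivity_check="1.1.1.1",
    )
    real = PolicyRoute(
        name="dns-via-4g-bind",
        incoming="ge5", source="192.168.255.55", destination="any",
        service="DNS", next_hop="auto", snat="192.168.255.60",
    )
    return [fake, real]


def route_for_dns(main_internet_up: bool) -> str:
    """Name of the rule that handles the PC's DNS query for a given link state."""
    pkt = Packet("ge5", "192.168.255.55", "192.168.255.62", "DNS")
    reachable = {"1.1.1.1"} if main_internet_up else set()
    chosen = select_route(build_rules(), pkt, reachable)
    return chosen.name if chosen else "main-routing-table"


if __name__ == "__main__":
    for state in (True, False):
        print(f"main internet up={state}: {route_for_dns(state)}")
```

Running it shows the DNS query pinned to the blackhole rule while 1.1.1.1 answers and dropping to the 4G bind route once it does not; traffic that matches neither rule (another host, or a non-DNS service) gets no policy route at all and is left to the ordinary routing table.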

All Replies

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,059  Zyxel Employee

    Hello @PeterUK

    Thanks for sharing this test scenario. Could you share a picture of the topology with us? Perhaps it is easier to understand your test scenario. Thank you😎.

  • PeterUK
    PeterUK Posts: 2,702  Guru Member
    edited April 2023