Dual WAN routing questions

StefanZ
StefanZ Posts: 190  Master Member
edited May 2023 in Security

Setup:
- FLEX200
- WAN1 – 1GBit / 100MBit VDSL Line. 1 static IP
- WAN2 – another VDSL Line. Less powerful, but has SIP, 5 static IPs, etc.
- LAN infrastructure is Level3 HP switches

WAN2 is the "original" line, as in "this worked for years, but got a bit narrow for the age of Cloud®".

WAN2 comes in via a OneAccess 420 modem/router, preconfigured by the ISP. It used to be connected to a simple switch that then fanned out the IPs to 4 cables. Connecting a device to one of those cables got you the IP (oddly, always the right one, even if the modem or switch restarted).

I configured WAN2 in Network > Interface > Ethernet and added virtual interfaces for all the static IPs. The helpdesk at the ISP confirmed that those IPs now belong to that device. I cannot see that info myself; the OneAccess is a black box and there is no ISP page to see the stats either.

Questions

#1 In general all works well now, but I was wondering how to put those IPs onto certain interfaces or route them to dedicated LAN devices.

For example the SIP server had its own IP, as did the "VPN gateway" – quotes, because it was an ancient FritzBox :-)

#2 I also want those devices to exclusively use the WAN2 interface and IPs for SIP and some other services.

#3 Force certain FQDNs / servers to always be accessed via a certain WAN and not failover or fall under BWM. That would be our cloud connection from the Synology NAS or other external backup tasks that are now meant to always use the faster upload WAN1 and thus not disturb the SIP server on WAN2.

Accepted Solution

  • mMontana
    mMontana Posts: 1,300  Guru Member
    Answer ✓

    For most of the questions, answers are NAT and Static/Policy Routing.
    NAT for incoming connections, Static/Policy Routing for outgoing connections.


    "FDQN" do not get to be routed. IPs get. So IMHO, you should narrow down from FDQN to IPs that need specific routing than consider Static or Policy Routing case to case. IF your service provider (the FDQN owner) don't provide the corrispondency list, I think that manual DNS digging is due diligence.

All Replies


  • StefanZ
    StefanZ Posts: 190  Master Member

    Thanks for clarifying.

    I dug a little deeper and tested policy routes for binding FQDN objects (or whatever criteria you pick) to certain IP addresses on a WAN port.

    My ISP / WAN IP settings
    Yours might differ – call your ISP when in doubt…

    Modem/Router IP xxx.xxx.xxx.13 (this is also my gateway)
    IP #1 xxx.xxx.xxx.14
    ···
    IP #5 xxx.xxx.xxx.18
    Subnet Mask 255.255.255.248

    #1 Add IPs to the WAN interface
    Go to Network > Interface > Ethernet > select your WAN port and click "Create Virtual Interface".
    Fill in Name, IP, Netmask and Gateway (at least that works for me) and maybe change Metric to something higher than the default 0 if you want your main IP to be used per default.

    #2 Create IP objects
    Go to Object > Address/Geo IP and add objects of the type INTERFACE IP for all your virtual WAN interfaces.

    #3 Add Policy Route
    Go to Network > Policy Route and click "Add".
    Configure your criteria for the Route. I chose "Any" for all and set the Destination Address to a FQDN for testing. Just like any other Policy.
    Set Next Hop to "Interface" and pick the WAN interface.
    Then comes the important part: Switch "Source Network Address Translation" from "Outgoing Interface" to one of your newly added IP objects.

    For testing I use this PHP one-liner: echo $_SERVER["REMOTE_ADDR"];
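An added example (not from the thread or from Zyxel) that models the point both posters make: a policy route matches the IPs a FQDN resolved to when the route was written, so any address the name later resolves to falls through to the default route, where failover and BWM apply. DNS answers, route entries and WAN/SNAT names are constructed fixtures using TEST-NET ranges; the audit function reports which resolved addresses are pinned to the intended WAN and which are not.

```python
import ipaddress

# Constructed DNS answers standing in for "manual DNS digging" (TEST-NET ranges).
DNS_FIXTURE = {
    "backup.example-cloud.test": ["203.0.113.10", "203.0.113.11", "198.51.100.7"],
    "sip.example-provider.test": ["192.0.2.50"],
}

# Constructed policy routes: (name, destination network, next-hop WAN, SNAT object).
# The destination network is what the FQDN resolved to when the route was created.
POLICY_ROUTES = [
    ("backup-to-cloud", "203.0.113.0/24", "wan1", "wan1-main-ip"),
    ("sip-trunk", "192.0.2.0/24", "wan2", "wan2-virtual-ip-1"),
]
# Anything unmatched uses the default route: subject to failover and BWM.
DEFAULT_ROUTE = ("default", "wan1", "outgoing-interface")


def match_route(ip):
    """Return (route name, WAN, SNAT object) for one destination address."""
    addr = ipaddress.ip_address(ip)
    for name, net, wan, snat in POLICY_ROUTES:
        if addr in ipaddress.ip_network(net):
            return (name, wan, snat)
    return DEFAULT_ROUTE


def audit_fqdn(fqdn, intended_wan):
    """Split a name's current addresses into explicitly pinned vs. fall-through."""
    result = {"covered": [], "uncovered": []}
    for ip in DNS_FIXTURE.get(fqdn, []):
        name, wan, snat = match_route(ip)
        # Only an explicit policy route counts; the default route is not a pin,
        # even when it currently happens to leave via the intended WAN.
        if name != "default" and wan == intended_wan:
            result["covered"].append((ip, name, snat))
        else:
            result["uncovered"].append((ip, name, wan))
    return result


def missing_host_routes(fqdn, intended_wan):
    """Host networks (/32) that would need a policy route to close the gap."""
    return [f"{ip}/32" for ip, _, _ in audit_fqdn(fqdn, intended_wan)["uncovered"]]


if __name__ == "__main__":
    for fqdn, wan in (("backup.example-cloud.test", "wan1"),
                      ("sip.example-provider.test", "wan2")):
        print(fqdn, audit_fqdn(fqdn, wan), missing_host_routes(fqdn, wan))
```

Re-running such an audit after the provider changes its records is the check the thread's "due diligence" remark implies; a name that resolves to a large or rotating CDN pool cannot be pinned reliably this way.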
