Dual networks - where WAN2 is simply the LAN of the other network - can't talk
Two companies in the same office both have their own networks, and their own (different) ISPs. Neither company is paying for static IPs from the ISPs, so they each get only 1 dynamic IP. Thus, to have a backup Internet connection, I connected WAN2 of each company's firewall to the LAN of the other. These companies also agree to share printers on each other's networks.
ISP fail-over works great…
Side A can access the printers in Side B's network without issue…
However, Side B cannot access anything in Side A's network (the only connection is that WAN2 of the USG is connected to the LAN of the opposite company).
I have made no special rules for this, side A to B just works.
However side B to A does not work in the same way, as I would have expected.
How can I solve this?
All Replies
-
I found a problem with LAN2 on my FLEX200; not sure if that could cause a problem. Maybe try reserved and not LAN2.
Maybe you added a routing rule or missed a Policy Control?
I think there is another way to do this; I'll have a think…
0 -
Here is the other way.
On side A:
Make zone WAN2, move WAN2 to zone WAN2
WAN2 IP 10.255.255.1/24, gateway 10.255.255.2
Routing rule:
incoming LAN of 192.168.22.0/24
destination 10.0.0.0/24
next hop gateway 10.255.255.2
SNAT none
Policy Control:
LAN zone of 192.168.22.0/24 to WAN2
WAN2 to LAN zone of 192.168.22.0/24
On side B:
Make zone WAN2, move WAN2 to zone WAN2
WAN2 IP 10.255.255.2/24, gateway 10.255.255.1
Routing rule:
incoming LAN of 10.0.0.0/24
destination 192.168.22.0/24
next hop gateway 10.255.255.1
SNAT none
Policy Control:
LAN zone of 10.0.0.0/24 to WAN2
WAN2 to LAN zone of 10.0.0.0/24
Connect side A WAN2 and side B WAN2.
0 -
I appreciate the help - in troubleshooting this I determined the switch port that goes over to the other office WAN2 port was tagged the wrong VLAN, meaning effectively that WAN2 on the B side was not connected, hence the real reason for this problem. Everything works correctly now.
0 -
Good that your way works, but you might find that if you go from 192.168.22.22 to 10.0.0.11, what 10.0.0.11 sees is from 10.0.0.2.
0 -
Yes, you are correct, the traffic from the other LAN all appears as from the single IP assigned to the WAN2 interface - in my case I'm OK with that.
0 -
You might be able to do a routing rule to stop that along with a static route, but if you are happy with what you got, go with it.
0
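The two designs discussed in this thread, modelled as an added example (not code from any poster or from Zyxel): it checks that the routed "SNAT none" rules mirror each other on both sides and reports which source address a host on the far LAN sees. The addresses are the ones quoted in the thread; the dict layout, `check_pair` and `seen_source` are assumptions made for illustration.

```python
import ipaddress as ip

# Addresses are the ones quoted in the thread; the dict layout is an assumption.
SIDE_A = {"lan": "192.168.22.0/24", "wan2": "10.255.255.1/24",
          "route_dst": "10.0.0.0/24", "next_hop": "10.255.255.2", "snat": None}
SIDE_B = {"lan": "10.0.0.0/24", "wan2": "10.255.255.2/24",
          "route_dst": "192.168.22.0/24", "next_hop": "10.255.255.1", "snat": None}
# Original cabling: side A's WAN2 sits on side B's LAN as 10.0.0.2 and SNATs to it.
SIDE_A_NAT = dict(SIDE_A, wan2="10.0.0.2/24", snat="10.0.0.2")


def check_pair(a, b):
    """Return problems that would stop routed, un-NATed traffic in either direction."""
    problems = []
    if ip.ip_network(a["lan"]).overlaps(ip.ip_network(b["lan"])):
        problems.append("LAN subnets overlap")
    for name, me, peer in (("A", a, b), ("B", b, a)):
        me_if, peer_if = ip.ip_interface(me["wan2"]), ip.ip_interface(peer["wan2"])
        if me_if.network != peer_if.network:
            problems.append(f"{name}: WAN2 is not in the peer's transit subnet")
        if ip.ip_address(me["next_hop"]) != peer_if.ip:
            problems.append(f"{name}: next hop is not the peer's WAN2 address")
        if ip.ip_network(me["route_dst"]) != ip.ip_network(peer["lan"]):
            problems.append(f"{name}: route does not cover the peer's LAN")
        if me["snat"] is not None:
            problems.append(f"{name}: SNAT hides client addresses from the peer")
    return problems


def seen_source(client, side):
    """Source address a host on the far LAN sees for a packet from `client`."""
    if ip.ip_address(client) not in ip.ip_network(side["lan"]):
        raise ValueError("client is not on this side's LAN")
    # With SNAT none the original address survives; otherwise it is rewritten.
    return client if side["snat"] is None else side["snat"]


if __name__ == "__main__":
    print(check_pair(SIDE_A, SIDE_B))
    print(seen_source("192.168.22.22", SIDE_A),
          seen_source("192.168.22.22", SIDE_A_NAT))
```

With SNAT in place, per-host Policy Control rules and device logs on the far side can only match the single WAN2 address, not individual clients.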