USG Flex 500: WAN failover and virtual server won't work
Hello everybody
I have a USG Flex 500 with 2 WANs and 2 LANs connected, and I'm trying to make a server inside a WAN respond to two NATs (Virtual Server), one on each WAN.
I have to use Virtual Server NAT because I need to redirect different ports on the same external IP to different internal servers.
This is the simplified layout of my network configuration that causes the problem:
USG Flex 500 configuration:
Interfaces:
LAN1: 192.168.1.1/24
LAN2: 192.168.2.1/24
WAN1: 1.1.1.2/29 GW 1.1.1.1 (Connectivity Check enabled)
WAN1.1: 1.1.1.3/29
WAN2: 2.2.2.2/30 GW 2.2.2.1 (Connectivity Check enabled)
Policy route:
1: LAN1 to ANY, Next-hop: WAN1 SNAT: outgoing-interface (1.1.1.2)
2: LAN1 to ANY, Next-hop: WAN2 SNAT: outgoing-interface (2.2.2.2)
3: LAN2 to ANY, Next-hop: WAN2 SNAT: outgoing-interface (2.2.2.2)
4: LAN2 to ANY, Next-hop: WAN1 SNAT: WAN11_ADDRESS (1.1.1.3)
NAT:
1: VirtualServer, Interface: WAN2, src: any; External IP: WAN2_ADDRESS; Internal IP: 192.168.2.5, Port 80
2: VirtualServer, Interface: WAN1, src: any; External IP: WAN11_ADDRESS; Internal IP: 192.168.2.5, Port 80
Security policy:
1: From LAN1 to ANY: permit
2: From LAN2 to ANY: permit
3: From WAN1 to ANY: permit (just for the test...)
4: From WAN2 to ANY: permit (just for the test...)
Now:
if I navigate from the internet to http://2.2.2.2, 192.168.2.5 serves the page successfully;
if I navigate from the internet to http://1.1.1.3, the responses from 192.168.2.5 come out of the wrong WAN because of policy route 3. If I enable logging on the security policies, I see everything permitted, and with tcpdump on 192.168.2.5 I see the incoming request.
I have tried using trunks, but in this case I cannot configure policy route 4 to use an IP different from WAN1_ADDRESS.
How can I make the server respond to both addresses while each WAN acts as failover for the other?
Thank you
All Replies
Is 1.1.1.3 a real WAN IP or your placeholder? If it is not, it can NAT loopback.
1.1.1.x and 2.2.2.x are placeholders for our public IP addresses.
192.168.x.x are private IPs. All NATs have NAT Loopback enabled, but the problem is present when the call comes from the internet.
I think I have seen this problem before; not sure if it was resolved.
One fix might be to give the device with port 80 another LAN IP, to which you NAT each IP, plus a routing rule from src IP and src port 80.
Or fix two might be to not use Virtual Server but a 1:1 NAT rule.
The production environment is not as easy as the example: we have multiple services on a single WAN IP (Mail, Web, XMPP, VoIP…).
This prevents the "1:1 NAT" solution and makes the "two LAN IP" solution quite hard to implement…
1:1 NAT is like Virtual Server, but I think it tracks incoming traffic back out the given WAN it came in on.
Or remove rules 3 and 4 and try:
make a trunk with WAN1 and WAN2
one routing rule:
incoming LAN2
src IP 192.168.2.5
src port 80 (Advanced)
next hop: trunk WAN1 and WAN2
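To make the ordering problem in the original policy-route table concrete, here is an added first-match simulation (not code from the thread or from Zyxel). It models the four routes from the question, the connectivity-check behaviour that skips a route whose next-hop WAN is down, and the source-port rule with a trunk next-hop suggested in the reply above; the interface names and the trunk semantics (first live member wins) are modelling assumptions, and the SNAT address question raised later in the thread is not modelled.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the interfaces in the original post.
LANS = {"LAN1": ip_network("192.168.1.0/24"), "LAN2": ip_network("192.168.2.0/24")}
WAN_UP = {"WAN1": True, "WAN2": True}  # result of each WAN's connectivity check

def lan_of(src_ip):
    """Name of the LAN a source address belongs to, or None."""
    return next((n for n, net in LANS.items() if ip_address(src_ip) in net), None)

# Each route: (incoming LAN, source IP or None=any, source port or None=any,
# next-hop). A next-hop is a single WAN name or a tuple of WANs (a trunk).
ORIGINAL_ROUTES = [
    ("LAN1", None, None, "WAN1"),
    ("LAN1", None, None, "WAN2"),
    ("LAN2", None, None, "WAN2"),   # rule 3: catches every LAN2 packet while WAN2 is up
    ("LAN2", None, None, "WAN1"),   # rule 4: only reached when WAN2 is down
]
# The reply's suggestion (assumed placement): one source-port rule for the
# server with a trunk next-hop, evaluated before the catch-all LAN2 rule.
FIXED_ROUTES = [
    ("LAN2", "192.168.2.5", 80, ("WAN1", "WAN2")),
    ("LAN1", None, None, "WAN1"),
    ("LAN1", None, None, "WAN2"),
    ("LAN2", None, None, "WAN2"),
    ("LAN2", None, None, "WAN1"),
]

def resolve(next_hop):
    """A single WAN is usable only while its check passes; a trunk falls back
    to its first live member (assumed trunk behaviour)."""
    members = next_hop if isinstance(next_hop, tuple) else (next_hop,)
    return next((w for w in members if WAN_UP[w]), None)

def egress_wan(routes, src_ip, src_port):
    """First matching policy route with a live next-hop decides the egress WAN."""
    for lan, ip, port, next_hop in routes:
        if lan != lan_of(src_ip):
            continue
        if ip is not None and ip != src_ip:
            continue
        if port is not None and port != src_port:
            continue
        wan = resolve(next_hop)
        if wan is not None:
            return wan
    return None  # no usable route: the packet is dropped

if __name__ == "__main__":
    # Reply from the web server (source port 80) to a client that reached 1.1.1.3 on WAN1:
    print(egress_wan(ORIGINAL_ROUTES, "192.168.2.5", 80))  # WAN2: asymmetric, client never gets the answer
    print(egress_wan(FIXED_ROUTES, "192.168.2.5", 80))     # WAN1
    WAN_UP["WAN1"] = False
    print(egress_wan(FIXED_ROUTES, "192.168.2.5", 80))     # WAN2 (trunk failover)
```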
The "trunk" solution would work… but only using the WAN1 IP and not the WAN1.1 one.
If I set outgoing SNAT to anything different from "outgoing-interface", when the primary WAN fails the traffic will not fail over to the other.
It would work if the trunk configuration allowed adding "virtual" interfaces, but this doesn't seem to be possible.
This was my first try, before switching to policy routes.
About 1:1 NAT, I've just tried switching "virtual server" to "1:1 NAT" leaving all policy routes as they are, and nothing seems to have changed.
I think I'll apply the 2 IP solution as a first step, then I'll try other solutions…
Thank you
Jack
What if you VLAN the other WAN IPs, then untag to the modem? This would make them their own WAN interface.
I don't have access to the network operator's router. They provide us a /29 without any VLAN or anything more…