need help to find the best setup configuration for a new network

DOK
DOK Posts: 9
edited April 2021 in Security

Due to some changes in our network configuration, I need to set up new routes and I'd like some hints to identify the best way to do it.

this is the actual network map

and this is the new

site A and B are now connected with a fiber channel line via layer 2 switches.

LAN 1 A and LAN 1 B clients have to reach each other and share services.

Site B needs to reach the internet via site A WAN (1 or 2) but has to keep its wan1 line as backup.

What's the best way to set this up?

All Replies

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,298  Zyxel Employee

    Hi @DOK,

In order to use the health check on the policy route on site B, you need to use a VTI to establish the VPN.

    You can follow the FAQ to configure VTI on site A and site B.

    How can I configure IPSec site-to-site VPN by using VTI on the USG ?

    On both sites, remember to enable connectivity check on VTI interface.

    Policy Route on site A

Rule 1

    Source: LAN of site B

    Next-hop: Gateway: system default wan trunk

    SNAT: outgoing-interface

Rule 2

    Incoming: ZyWALL

    Destination: LAN of site B

    Next-hop: vti interface

    SNAT: none


    Rule 3

    Source: any

    Destination: LAN of site B

    Next-hop: vti interface

    SNAT: none

    Policy Route on site B

    Rule 1

    Source: LAN of site B

    Destination: any

    Next-hop: vti interface

Healthy check: enable "Disable policy route automatically while Interface link down".


    Rule 2

    Source: LAN of site B

    Destination: any

    Next-hop: wan1

In policy rule #1, enable "Disable policy route automatically while Interface link down".

    Result

    When vti interface is down (VPN is down), the policy route rule #1 on site B is disabled automatically because vti interface is detected as down.

    The traffic will go through policy route rule 2.


  • DOK
    DOK Posts: 9

Thank you for your explanation, but I think my picture wasn't clear enough.

The default route for site B should be the fibre channel direct connection with site A, and, if that channel is offline, it should turn on wan1 and the VPN.

My idea was:

SITE A:

Activate LAN2 with the same subnet as site B (192.168.151.0/24) and assign, let's say, 192.168.151.253 to USG110 A. Disable DHCP on LAN2.

Allow traffic between LAN1 and LAN2.

Connect LAN2 A with LAN1 B via the direct fibre link switch.

So the two sites are connected.

Then I should find a way to tell SITE B that the default route is USG110A 192.168.151.253.

This way office B would get internet connectivity using whichever WAN connection is online on SITE A.

    BUT

I need to find a way to "turn off" the wan1 and relative VPN on SITE B, and activate them only if 192.168.151.253 is offline.

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,298  Zyxel Employee
    Answer ✓

    Hi @DOK,

    Create policy routes on site B.

    Rule 1

    From: any, To: any, Next-hop: fiberchannel interface of site B

Healthy check: enable "Disable policy route automatically while Interface link down".

    Remember to enable connectivity check on the fiberchannel interface of site B.


    Rule 2

    From: any, To: any, Next-hop: vti interface

Healthy check: enable "Disable policy route automatically while Interface link down".


    Create policy routes on site A.

    Rule 1

    From: any, To: subnet of site B, Next-hop: fiberchannel interface of site A

Healthy check: enable "Disable policy route automatically while Interface link down".

    Remember to enable connectivity check on the fiberchannel interface of site A.


    Rule 2

    From: any, To: subnet of site B, Next-hop: vti interface


    Rule 3

    From: any, To: any, Next-hop: Trunk (default WAN trunk)
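The following is an added illustration, not code from the thread or from Zyxel: a small first-match policy-route model that walks a site-B client packet through the accepted answer's rule sets at both sites, with the "disable while interface link down" health check applied to the rules that have it. Interface names (fiber_B, vti_B, fiber_A, vti_A, wan_trunk_A), the Internet test address 203.0.113.10 and the client address 192.168.151.20 are assumptions; the site-B subnet 192.168.151.0/24 is the one named earlier in the thread.

```python
import ipaddress
from dataclasses import dataclass

# Site-B LAN as stated in the thread; other values below are constructed for the model.
SITE_B_LAN = ipaddress.ip_network("192.168.151.0/24")


@dataclass
class Rule:
    """One policy route entry; the table is evaluated top-down, first match wins."""
    to: str                      # "any" or a CIDR destination
    next_hop: str                # outgoing interface (assumed names)
    disable_on_link_down: bool = False  # "Disable policy route automatically while Interface link down"

    def matches(self, dst: str) -> bool:
        return self.to == "any" or ipaddress.ip_address(dst) in ipaddress.ip_network(self.to)


def select_next_hop(rules, dst, link_up):
    """Return the next-hop interface for dst; link_up maps interface -> connectivity-check state."""
    for rule in rules:
        if rule.disable_on_link_down and not link_up.get(rule.next_hop, False):
            continue  # health check has disabled this rule, fall through to the next one
        if rule.matches(dst):
            return rule.next_hop
    return "main-routing-table"  # no policy route matched; the device's default route decides


# Accepted answer, site B: everything over the fiber link, else over the VTI tunnel.
SITE_B_RULES = [
    Rule("any", "fiber_B", disable_on_link_down=True),
    Rule("any", "vti_B", disable_on_link_down=True),
]
# Accepted answer, site A: site-B subnet via fiber (health-checked), else via VTI; rest to the WAN trunk.
SITE_A_RULES = [
    Rule(str(SITE_B_LAN), "fiber_A", disable_on_link_down=True),
    Rule(str(SITE_B_LAN), "vti_A"),
    Rule("any", "wan_trunk_A"),
]


def site_b_internet_path(fiber_up: bool, vti_up: bool):
    """Hops taken by a site-B client packet to an Internet host (assumed 203.0.113.10)."""
    hop_b = select_next_hop(SITE_B_RULES, "203.0.113.10", {"fiber_B": fiber_up, "vti_B": vti_up})
    if hop_b == "main-routing-table":
        return (hop_b,)  # both site-B rules disabled: packet leaves via site B's own default route
    # Via either link the packet reaches site A, where only rule 3 matches an Internet destination.
    hop_a = select_next_hop(SITE_A_RULES, "203.0.113.10", {"fiber_A": fiber_up})
    return (hop_b, hop_a)


def site_a_return_path(fiber_up: bool) -> str:
    """Next-hop chosen at site A for a reply to a site-B client (assumed 192.168.151.20)."""
    return select_next_hop(SITE_A_RULES, "192.168.151.20", {"fiber_A": fiber_up})
```

Note that site A's rule 2 carries no health check in the accepted answer, so the model sends replies into the VTI whenever the fiber is down, regardless of the tunnel state; adding the same check there would make site A fall back to its main routing table instead.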
