Dual WAN IIS Setup

P4Colin
P4Colin Posts: 9
First Comment

We have a customer with a ZyWall 110 that has 2 ISPs: coax for primary with a block of 5 IPs, and cellular for backup with a single static IP. They host a server on site that uses one of the secondary IPs in the coax range for communication (hosts IIS, mail, etc.). We also need to set this up so that at least the web ports (80/443) are accessible through the backup connection; however, it looks like it will default to sending the traffic out the primary connection with any setup, due to the rules in place to use the secondary IP on the coax connection (we even did some packet captures that show it routing the traffic out the primary WAN with a source address of the secondary WAN).

We have tried to use both 1:1 NAT and a NAT rule above this for 80/443 coming in on the cellular connection, or a virtual server NAT rule for the couple of incoming ports needed along with some routing rules for any outbound traffic to SNAT out the secondary WAN IP. Is there a way to use one of these methods, or some other way to do this, so that any traffic that originated from the cellular connection will be routed back out the cellular connection while still having traffic from the server normally sent out the secondary IP? I understand that in a failover situation the policy route would be disabled, since we have this option checked using the second method mentioned above; however, we sometimes run into situations with an intermittent connection, so we are hoping to have both connections able to be used in a case like this. Appreciate any help or insight.


All Replies

  • Zulgrib
    Zulgrib Posts: 27  Freshman Member
    First Comment Friend Collector Third Anniversary
    edited July 2023

    When a request comes from a specific IP, the USG should reply with the same IP by default.

    To control how your server exits from your network to the internet when the session initiator is your server, it's up to your policy route to manage that. It means internet traffic arriving on the cellular WAN should exit by there too, even if the default route for your server is to use the coax WAN.

    Routes can be dynamic: enable a connectivity probe and create a second rule to allow your server to use the cellular WAN for outgoing sessions when coax is down.

    See example below.

  • PeterUK
    PeterUK Posts: 3,389  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    Maybe you enabled Use IPv4 Policy Route to Overwrite Direct Route?

  • P4Colin
    P4Colin Posts: 9
    First Comment

    I believe the issue is that we have no way to allow it to use the default route since it is not using an ip directly assigned to a WAN interface, and we have to instead use a Policy Route or 1:1 NAT in order to get the IP of the server to show properly. Unless there is another way to do this?

  • PeterUK
    PeterUK Posts: 3,389  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    Draw out the network.

  • P4Colin
    P4Colin Posts: 9
    First Comment

    Simple version of the network - coax connection into WAN1, LTE connection into VLAN 1001, VM for the server is on VLAN 5 off of LAN1.

    2 potential issues occur:

    We want all traffic to be routed out the coax connection normally, and only use the LTE connection as a backup. So in this case we have a Trunk set up for the 2 WAN connections, with WAN1 as active and VLAN 1001 as passive. We did attempt to change these both to active, but this did not resolve the routing issues. So I do not believe this is the cause of the issue; instead it is the policy route that is set up (more info below).

    Due to the application server needing to not use the primary WAN IP, we have a policy route set up to route this traffic out the WAN using a secondary IP (Incoming VLAN 5, next hop WAN1, SNAT a different IP, set to disable if the interface goes down). I believe this policy is what is preventing the return traffic from the cellular connection from returning out the cellular connection. When this policy route is disabled temporarily, we can access the site over the LTE address, confirming this is in fact the issue.

    When we perform packet captures, we are seeing the incoming traffic on the LTE connection, but then it attempts to route out the coax/WAN1 connection using the LTE IP (assuming the traffic captured is before the policy route).

    Incoming from my location to the server:

    Server receiving traffic and sending back to router:

    Router sending traffic out WAN1 instead of sending this out VLAN 1001 due to policy route:

    This all being said, is there a way to use the policy route to SNAT using a secondary IP on the coax connection ONLY if this traffic originated from WAN1, and keep the traffic originating from the LTE connection going out that connection? Or is there another way to route this traffic appropriately so that we can have the traffic that originates from the LTE connection returned back out that interface?

  • PeterUK
    PeterUK Posts: 3,389  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited July 2023

    Do you have "Use IPv4 Policy Route to Overwrite Direct Route" enabled?

    What routing rules do you have? List them.

  • P4Colin
    P4Colin Posts: 9
    First Comment
    edited July 2023

    Yes, "Use IPv4 Policy Route to Overwrite Direct Route" is enabled.

    2 policy routes.

    1st one for internal IPs:

    2nd is for SNAT, which is the one that is causing the issues, but we need this in place since it has to use a different external IP than what is assigned to WAN1:

    I am looking to see if there is a different way to have this server use this IP for outgoing traffic on WAN1, but not have this affect traffic from the LTE connection.

  • PeterUK
    PeterUK Posts: 3,389  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited July 2023

    Disable "Use IPv4 Policy Route to Overwrite Direct Route". It's a powerful option when used right, but in your case it can cause problems.

    In detail: when "Use IPv4 Policy Route to Overwrite Direct Route" is disabled and you NAT to your server from LTE, routing is Direct Route, so the TCP SYN goes to the server and the TCP SYN, ACK follows the Direct Route back to LTE. But with "Use IPv4 Policy Route to Overwrite Direct Route" enabled, the NAT rule is followed for the TCP SYN, but the TCP SYN, ACK then follows Overwrite Direct Route by your rule.

    You don't need the 1st rule; it is likely only needed when you have "Use IPv4 Policy Route to Overwrite Direct Route" enabled.

    You can vote for me Overwrite Direct Route per rule
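To make the Direct Route versus Overwrite Direct Route behaviour described above concrete (and Zulgrib's earlier point about a second, probe-aware rule for failover), here is an added Python model of a stateful router that is not part of this thread and not Zyxel's implementation. It is a deliberate simplification: replies to an existing NAT session normally leave by the interface the session arrived on; with the overwrite toggle on, a matching policy route is consulted first and wins. All addresses are constructed from the RFC 5737 documentation ranges, and the interface names (wan1, vlan1001, vlan5) are assumed to mirror the setup in the thread.

```python
"""Simplified model of stateful routing with a 'policy route overrides direct route'
toggle. Constructed example, not the ZyWALL implementation."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed topology (assumed, mirroring the thread's description)
WAN1_PRIMARY = "203.0.113.10"    # coax WAN1 interface address (assumed)
WAN1_SECONDARY = "203.0.113.12"  # secondary IP in the coax block used by the server (assumed)
LTE_IP = "198.51.100.5"          # cellular static IP on VLAN1001 (assumed)
SERVER = "10.5.0.10"             # IIS host on VLAN5 (assumed)
CLIENT = "192.0.2.7"             # remote browser (assumed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    ingress: str  # interface the packet arrived on


@dataclass
class Session:
    orig_src: str
    orig_dst: str        # public address the client dialled
    translated_dst: str  # internal server after virtual-server NAT
    ingress: str         # interface the first packet arrived on


@dataclass
class PolicyRoute:
    incoming: str
    next_hop: str
    snat: Optional[str]
    disable_if_down: bool = True


@dataclass
class Router:
    overwrite_direct_route: bool
    virtual_servers: dict  # (public_ip, port) -> internal ip
    policy_routes: list
    links_up: dict         # interface -> connectivity probe result
    interface_ip: dict     # interface -> its own address
    sessions: list = field(default_factory=list)

    def inbound(self, pkt: Packet):
        """Packet arriving from a WAN: apply virtual-server NAT and record the session."""
        target = self.virtual_servers.get((pkt.dst, pkt.dport))
        if target is None:
            return None  # no NAT rule: dropped in this model
        self.sessions.append(Session(pkt.src, pkt.dst, target, pkt.ingress))
        return Packet(pkt.src, target, pkt.dport, pkt.ingress)

    def _find_session(self, reply: Packet):
        for s in self.sessions:
            if s.translated_dst == reply.src and s.orig_src == reply.dst:
                return s
        return None

    def _policy_route(self, pkt: Packet):
        # First matching rule whose next hop is up (or which ignores link state) wins
        for pr in self.policy_routes:
            if pr.incoming == pkt.ingress and (self.links_up[pr.next_hop] or not pr.disable_if_down):
                return pr
        return None

    def outbound(self, pkt: Packet):
        """Return (egress interface, source address) for a packet leaving the LAN."""
        sess = self._find_session(pkt)
        if sess is not None:
            src = sess.orig_dst        # undo the DNAT: client sees the address it dialled
            if self.overwrite_direct_route:
                pr = self._policy_route(pkt)
                if pr:
                    # Policy route wins: reply leaves the other WAN still carrying the LTE address,
                    # which is the asymmetric path seen in the thread's packet capture
                    return (pr.next_hop, src)
            return (sess.ingress, src)  # Direct Route: back out the way it came
        # New session initiated by the server: the policy route (and its SNAT) decides
        pr = self._policy_route(pkt)
        if pr:
            return (pr.next_hop, pr.snat or self.interface_ip[pr.next_hop])
        return ("wan1", self.interface_ip["wan1"])  # default route in this model


def build_router(overwrite: bool, wan1_up: bool = True) -> Router:
    return Router(
        overwrite_direct_route=overwrite,
        virtual_servers={(LTE_IP, 443): SERVER, (WAN1_SECONDARY, 443): SERVER},
        policy_routes=[
            PolicyRoute("vlan5", "wan1", WAN1_SECONDARY),  # server exits via coax with secondary IP
            PolicyRoute("vlan5", "vlan1001", None),        # failover: cellular when coax probe fails
        ],
        links_up={"wan1": wan1_up, "vlan1001": True},
        interface_ip={"wan1": WAN1_PRIMARY, "vlan1001": LTE_IP},
    )


def reply_path(overwrite: bool):
    """Client reaches the server over LTE; where does the SYN/ACK leave, and with what source?"""
    r = build_router(overwrite)
    to_server = r.inbound(Packet(CLIENT, LTE_IP, 443, "vlan1001"))
    assert to_server is not None and to_server.dst == SERVER
    syn_ack = Packet(SERVER, CLIENT, 51000, "vlan5")  # 51000 = client's ephemeral port (constructed)
    return r.outbound(syn_ack)


def server_initiated(wan1_up: bool = True):
    """Outbound mail from the server: which WAN and which source address is used?"""
    r = build_router(overwrite=False, wan1_up=wan1_up)
    return r.outbound(Packet(SERVER, "192.0.2.50", 25, "vlan5"))


if __name__ == "__main__":
    print("reply, overwrite on :", reply_path(True))    # ('wan1', '198.51.100.5')
    print("reply, overwrite off:", reply_path(False))   # ('vlan1001', '198.51.100.5')
    print("server out, coax up :", server_initiated())  # ('wan1', '203.0.113.12')
    print("server out, coax dn :", server_initiated(False))  # ('vlan1001', '198.51.100.5')
```

With the overwrite toggle off, replies to sessions that entered on the cellular interface leave on it again, while new sessions the server opens still follow the policy route and get the secondary coax address; when the coax probe fails, the second rule sends server-initiated traffic out the cellular link instead.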

  • P4Colin
    P4Colin Posts: 9
    First Comment

    Attempted to disable this, and it looks like it is in the same situation where all traffic is going back out the WAN connection showing the LTE address, like in the packet capture posted before.

  • PeterUK
    PeterUK Posts: 3,389  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited July 2023

    Is your NAT rule for LTE Virtual Server or 1:1 NAT? And is "Use Static-Dynamic Route to Control 1-1 NAT Route" unchecked or checked?
