How do you weight multiple 1:1 NAT Rules on a Flex 500 for Redundancy Scenarios?

Philodendrin
Philodendrin Posts: 4
edited June 3 in Security

My customer is using a USG Flex 500. We have multiple WAN connections. When one WAN fails, we have the Flex 500 set up to fail over to the secondary WAN 2 connection. The failover works, but routing on any device that has a 1:1 NAT rule set to apply a static public address to a specific device/server fails, even if there's a rule set for WAN 1 and WAN 2.

In other words, we have a 1:1 NAT rule set to hand out a public IP address in WAN 1's block to Server A. We also have a 1:1 NAT rule set to hand out a public IP address to Server A from WAN 2's block of IPs.

When WAN 1 fails over to WAN 2, Server A stops routing (can't be accessed and can't ping out) because the NAT rule for WAN 1 takes precedence over the NAT rule for WAN 2 and the public IP from WAN 2 never gets applied. We have to manually disable the 1:1 NAT rule for WAN 1, or move it to a lower priority, to get the rule for WAN 2 to apply.

So… I'm assuming there's no way to weight the NAT rules and we'll have to configure a policy route for this. But, I'm at a loss as to how we should set these or if there's a better solution.

Basically, we only want the WAN 2 1:1 NAT rule to apply when/if a failover to the passive connection on WAN 2 occurs.

On the public DNS side, we're using dnsmadeeasy.com to ping the servers on their public IP addresses and handle the public routing of the servers to the correct available and up address. That also works fine. We just can't automate the provisioning of the applicable IP to the public facing server when a failover occurs, due to there not being a corresponding way to weight the NAT rules (aka - only apply this rule when the WAN is up and actively in use).

All Replies

  • zyman2008
    zyman2008 Posts: 219  Master Member

    Hi @Philodendrin,

    Policy route takes precedence over 1-1 NAT return route.

    You need a policy route to override the 1-1 NAT return route.

    1. Create a WAN Trunk, with WAN1 as active and WAN2 as passive interface.
    2. Create a policy route, source IP: private IP of your server, destination IP: any, service: any, Next-hop: the WAN trunk, SNAT: none

  • Philodendrin
    Philodendrin Posts: 4
    edited June 10

    So, based on your flow chart, we'd create the Policy Route and leave the 1:1 NAT rules in place? If so, then the same non-weighted behavior would apply and the 1:1 NAT rule for WAN 2 would never apply since it can't be weighted or placed above the 1:1 NAT rule for WAN 1.

    Otherwise, how will the firewall know how to apply the correct public IP address to a device unless you configure SNAT from the Policy Route itself and abandon the 1:1 NAT rules? You have SNAT set as none in the route.

  • PeterUK
    PeterUK Posts: 3,388  Guru Member

    Is your LAN using something like 192.168.0.x, or public IPs?

  • Philodendrin
    Philodendrin Posts: 4
    edited June 10

    LAN is using private addresses like 192.168.x.x and 10.0.x.x.

    WAN is obviously using public IPs, and we currently assign specific public IPs from our ISP block to devices/servers that are contacted from the outside via the 1:1 NAT rules. Server A is on public IP x.x.x.x, Server B is on public IP y.y.y.y. Each will have a unique assignable public IP per WAN, so that when one WAN fails, the address corresponding to the active WAN becomes assigned to the device that needs to remain contactable from the outside.

  • PeterUK
    PeterUK Posts: 3,388  Guru Member
    edited June 10

    So the DNS is the same for both Server A and Server B then?

    So this is how I think you should set this up:

    1st routing rule
      incoming: LAN of Server A
      source address: Server A
      advanced: source port of the service on Server A, like port 80
      service: any
      next-hop: WAN 1
      SNAT: public IP x.x.x.x
      Disable policy route automatically while interface link down
      Enable connectivity check

    Next rule below
      incoming: LAN of Server B
      source address: Server B
      advanced: source port of the service on Server B, like port 80
      service: any
      next-hop: WAN 2
      SNAT: public IP y.y.y.y

    But if the DNS is the same, you need something to update the DNS to fail over?

  • zyman2008
    zyman2008 Posts: 219  Master Member

    In your case, there is only one active interface and one passive interface.

    So the trunk doesn't care about the load-balance algorithm. It runs for failover/fallback.
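The following is an added illustration, not code from Zyxel or from anyone in this thread: a small Python model of the three setups discussed above (the original two 1:1 NAT rules with no policy route, zyman2008's single policy route to an active/passive trunk with SNAT none, and PeterUK's two routes with explicit SNAT, applied here to a single server rather than to Server A and Server B). Everything about rule evaluation in the model is an assumption chosen to match what the replies describe, not the USG Flex 500's real packet path: policy routes are checked top-down before the 1:1 NAT return route, a route to a trunk egresses on the active member if it is up and otherwise on the passive one, "SNAT: none" leaves translation to the 1:1 NAT rule bound to the chosen egress interface, and a route flagged to disable itself while its link is down is skipped in that state. The addresses, the interface names `wan1`/`wan2` and the trunk name `wan_trunk` are constructed sample values.

```python
"""Constructed model of outbound rule evaluation during WAN failover.

Added illustration: NOT Zyxel code and not the real USG Flex 500 packet path.
Assumed for the model: policy routes are checked top-down before the 1:1 NAT
return route; a route to a trunk egresses on the trunk's active member if up,
else on the passive one; 'SNAT: none' leaves address translation to the 1:1
NAT rule bound to the chosen egress interface; a route flagged 'disable while
interface link down' is skipped while its next-hop interface is down.
All addresses and interface names below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SERVER_A = "192.168.10.20"       # private address of Server A (constructed)
WAN1_PUBLIC = "203.0.113.10"     # public IP from WAN 1's block (constructed)
WAN2_PUBLIC = "198.51.100.10"    # public IP from WAN 2's block (constructed)


@dataclass
class OneToOneNat:
    private_ip: str
    public_ip: str
    interface: str               # WAN interface the mapping is bound to


@dataclass
class PolicyRoute:
    source: str
    next_hop: str                # interface name or trunk name
    snat: Optional[str]          # explicit public IP, or None for 'SNAT: none'
    disable_on_link_down: bool = False


@dataclass
class Trunk:
    active: str
    passive: str

    def egress(self, links_up: Dict[str, bool]) -> Optional[str]:
        """Active member while it is up, otherwise the passive member."""
        if links_up.get(self.active):
            return self.active
        if links_up.get(self.passive):
            return self.passive
        return None


def resolve(src: str, links_up: Dict[str, bool],
            routes: List[PolicyRoute], nat_rules: List[OneToOneNat],
            trunks: Dict[str, Trunk]) -> Optional[Tuple[str, str]]:
    """Return (egress_interface, public_ip) for a flow from src, or None when
    the flow is black-holed (no usable rule, or the chosen interface is down)."""
    for pr in routes:                              # policy routes first, top-down
        if pr.source != src:
            continue
        if pr.next_hop in trunks:
            iface = trunks[pr.next_hop].egress(links_up)
        else:
            iface = pr.next_hop
            if pr.disable_on_link_down and not links_up.get(iface):
                continue                           # rule disabled while link is down
        if iface is None or not links_up.get(iface):
            return None
        public = pr.snat or next((n.public_ip for n in nat_rules
                                  if n.private_ip == src and n.interface == iface), None)
        return (iface, public) if public else None
    for n in nat_rules:                            # no route: first matching 1:1 NAT wins
        if n.private_ip == src:
            return (n.interface, n.public_ip) if links_up.get(n.interface) else None
    return None


NAT_RULES = [OneToOneNat(SERVER_A, WAN1_PUBLIC, "wan1"),   # rule 1, higher priority
             OneToOneNat(SERVER_A, WAN2_PUBLIC, "wan2")]   # rule 2, shadowed by rule 1

ALL_UP = {"wan1": True, "wan2": True}
WAN1_DOWN = {"wan1": False, "wan2": True}


def nat_only(links_up: Dict[str, bool]):
    """The original setup: two 1:1 NAT rules and no policy route."""
    return resolve(SERVER_A, links_up, [], NAT_RULES, {})


def trunk_route(links_up: Dict[str, bool]):
    """zyman2008's suggestion: one policy route to an active/passive trunk, SNAT none."""
    routes = [PolicyRoute(SERVER_A, "wan_trunk", snat=None)]
    return resolve(SERVER_A, links_up, routes, NAT_RULES, {"wan_trunk": Trunk("wan1", "wan2")})


def explicit_snat_routes(links_up: Dict[str, bool]):
    """PeterUK's pattern for a single server: two routes with explicit SNAT, the
    WAN 1 route flagged to disable itself while its link is down."""
    routes = [PolicyRoute(SERVER_A, "wan1", snat=WAN1_PUBLIC, disable_on_link_down=True),
              PolicyRoute(SERVER_A, "wan2", snat=WAN2_PUBLIC)]
    return resolve(SERVER_A, links_up, routes, NAT_RULES, {})


if __name__ == "__main__":
    for name, fn in [("1:1 NAT only", nat_only), ("trunk route", trunk_route),
                     ("explicit SNAT routes", explicit_snat_routes)]:
        print(f"{name:22s} all up: {fn(ALL_UP)}   WAN1 down: {fn(WAN1_DOWN)}")
```

Under these assumptions the NAT-only setup reproduces the symptom in the question (the WAN 1 rule still matches first when WAN 1 is down, so the flow is black-holed), while both suggested setups egress on WAN 2 with WAN 2's public address and fall back to WAN 1 once it returns. The check a practitioner would still want to make on a real unit is whether the "disable while link down" flag and the trunk's fallback behave as modelled here; the model encodes the thread's claims, not verified device behaviour.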
