USG Flex 500: WAN failover and virtual server won't work

Jack_LS Posts: 4  Freshman Member

Hello everybody

I have a USG Flex 500 with 2 WANs and 2 LANs connected, and I'm trying to make a server inside a WAN respond to two NATs (Virtual Server), one on each WAN.

I should use Virtual Server NAT because I need to redirect different ports on the same external IP to different internal servers.

This is the simplified layout of my network configuration that causes the problem:

USG Flex 500 configuration:

Interfaces:
LAN1: 192.168.1.1/24
LAN2: 192.168.2.1/24
WAN1: 1.1.1.2/29 GW 1.1.1.1 (Connectivity Check enabled)
WAN1.1: 1.1.1.3/29
WAN2: 2.2.2.2/30 GW 2.2.2.1 (Connectivity Check enabled)

Policy route:
1: LAN1 to ANY, Next-hop: WAN1 SNAT: outgoing-interface (1.1.1.2)
2: LAN1 to ANY, Next-hop: WAN2 SNAT: outgoing-interface (2.2.2.2)
3: LAN2 to ANY, Next-hop: WAN2 SNAT: outgoing-interface (2.2.2.2)
4: LAN2 to ANY, Next-hop: WAN1 SNAT: WAN11_ADDRESS (1.1.1.3)

NAT:
1: VirtualServer, Interface: WAN2, src: any; External IP: WAN2_ADDRESS; Internal IP: 192.168.2.5, Port 80
2: VirtualServer, Interface: WAN1, src: any; External IP: WAN11_ADDRESS; Internal IP: 192.168.2.5, Port 80

Security policy:
1: From LAN1 to ANY: permit
2: From LAN2 to ANY: permit
3: From WAN1 to ANY: permit (just for the test...)
4: From WAN2 to ANY: permit (just for the test...)

Now:
if I navigate from the internet to http://2.2.2.2, 192.168.2.5 serves the page successfully;
if I navigate from the internet to http://1.1.1.3, the responses from 192.168.2.5 come out of the wrong WAN because of policy route 3. If I enable logging on the security policies, I see everything permitted, and with tcpdump on 192.168.2.5 I see the incoming request.

I have tried using trunks, but in this case I cannot configure policy route 4 to use an IP different from WAN1_ADDRESS.

How can I make the server respond to both addresses while each WAN acts as failover for the other?

Thank you

All Replies

  • PeterUK
    PeterUK Posts: 3,536  Guru Member
    edited 1:47AM

    Is 1.1.1.3 a real WAN IP for your placeholder? If it is not, it can NAT loopback.

  • Jack_LS
    Jack_LS Posts: 4  Freshman Member

    1.1.1.x and 2.2.2.x are placeholders for our public IP addresses.
    192.168.x.x are private IPs.

    All NATs have NAT Loopback enabled, but the problem is present when the call comes from the internet.

  • PeterUK
    PeterUK Posts: 3,536  Guru Member

    I think I have seen this problem before; not sure if it was resolved.

    One fix might be to have the device with port 80 have another LAN IP, to which you NAT each IP, and a routing rule from src IP and src port 80.

    Or fix two might be to not use Virtual Server but a 1:1 NAT rule.

  • Jack_LS
    Jack_LS Posts: 4  Freshman Member

    The production environment is not as easy as the example: we have multiple services on a single WAN IP (Mail, Web, XMPP, VoIP...).
    This prevents the "1:1 NAT" solution and makes the "two LAN IP" solution quite hard to implement...

  • PeterUK
    PeterUK Posts: 3,536  Guru Member
    edited 3:35PM

    1:1 NAT is like Virtual Server, but I think it tracks incoming traffic back out the given WAN it came in on.

    Or remove rules 3 and 4 and try:

    make trunk with WAN1 and WAN2

    one routing rule

    incoming LAN2

    src IP 192.168.2.5

    src port 80 Advanced

    next hop trunk WAN1 and WAN2
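The first-match policy-route ordering from the question, and the "second LAN IP plus a rule on src IP and src port 80" idea from the reply above, modelled as an added example that is not from the thread or from Zyxel. The interface names, the 192.168.2.6 address and the "skip a rule whose next hop is down" failover behaviour are assumptions of this simplified model, not documented firmware behaviour.

```python
# Added example (not from the thread): a simplified first-match policy-route
# model. With the four rules from the question, the reply from 192.168.2.5:80
# to a request that arrived on WAN1.1 (1.1.1.3) is pushed out WAN2 by rule 3.
# Giving the server a second LAN IP and placing narrow rules keyed on source
# IP and source port 80 above the catch-all rules keeps each reply on the WAN
# its request came in on. Interface names, 192.168.2.6 and the skip-if-down
# failover behaviour are assumptions of this model, not Zyxel behaviour.
from ipaddress import ip_address, ip_network

# (incoming interface, source network, source port or None for any, next hop)
ORIGINAL_RULES = [
    ("LAN1", "192.168.1.0/24", None, "WAN1"),
    ("LAN1", "192.168.1.0/24", None, "WAN2"),
    ("LAN2", "192.168.2.0/24", None, "WAN2"),  # rule 3 matches every LAN2 reply
    ("LAN2", "192.168.2.0/24", None, "WAN1"),  # rule 4 only used when WAN2 is down
]

# Fix: the server gets a second LAN IP (192.168.2.6, assumed) that the WAN1.1
# virtual server maps to; rules on src IP + src port 80 go above the catch-alls.
FIXED_RULES = [
    ("LAN2", "192.168.2.5/32", 80, "WAN2"),
    ("LAN2", "192.168.2.6/32", 80, "WAN1"),
] + ORIGINAL_RULES


def next_hop(rules, incoming, src_ip, src_port, wan_up):
    """First matching rule whose next hop is up wins; None if nothing matches."""
    ip = ip_address(src_ip)
    for iface, net, port, hop in rules:
        if iface != incoming or ip not in ip_network(net):
            continue
        if port is not None and port != src_port:
            continue
        if wan_up.get(hop, False):
            return hop
    return None


def reply_is_symmetric(rules, arrived_on, server_ip, wan_up):
    """True when the HTTP reply leaves via the WAN the request arrived on."""
    return next_hop(rules, "LAN2", server_ip, 80, wan_up) == arrived_on


if __name__ == "__main__":
    both_up = {"WAN1": True, "WAN2": True}
    wan2_down = {"WAN1": True, "WAN2": False}
    print("original, request via 1.1.1.3:", reply_is_symmetric(ORIGINAL_RULES, "WAN1", "192.168.2.5", both_up))
    print("fixed, request via 1.1.1.3:", reply_is_symmetric(FIXED_RULES, "WAN1", "192.168.2.6", both_up))
    print("fixed, LAN2 browsing with WAN2 down:", next_hop(FIXED_RULES, "LAN2", "192.168.2.20", 51000, wan2_down))
```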