Raudi
New Contributor III

2 WAN interfaces, both active for different protocols and no load balancing

Hello,

I want to replace a LANCOM 1781EF+ with an FG100D and now have a routing problem; I don't find how to configure the FG so that I have the same features.

I have 2 cable business WAN lines, where I get a fixed public IPv4 via DHCP.

I want to use WAN2 outgoing only for VPN connections and VoIP traffic. WAN1 should be used for normal internet access. Both public IP addresses are used for publishing internal services.

How can I configure 2 WAN interfaces and split the traffic?

Outgoing: Internet access including client IPSec VPNs -> WAN1; IPSec VPNs and VoIP -> WAN2

Published services - incoming: TCP 80, 443 -> WAN1; TCP 21, 25, 53, 443 -> WAN2

Is this possible?

I already tried with policy routes, but every time I try a new configuration, something else doesn't work.

At the moment all is working, but outgoing client internet access is using both WAN interfaces.

Regards

Stefan

 

Sudarsan_Babu
Contributor

Dear Stefan,

Can you share the results of the commands below?

get router info routing-table all
get router info routing-table static

Regards,

Sudarsan Babu P
Toshi_Esumi
SuperUser

I assume you have two parallel default routes going toward both the WAN1 GW and the WAN2 GW, set by DHCP. For outgoing, you just need to set the internet policy pointing to WAN1 only (LAN -> WAN1); then no outgoing internet traffic should go toward WAN2. If it goes to WAN2, you must have a policy allowing it.

Those VPNs should have the interface specified in the config, either WAN1 or WAN2, for outgoing. For incoming, you don't have much control, but both have different IPs and the other ends should have the proper peer IP configured, so I wouldn't worry. You wouldn't need any policy routes.

Toshi_Esumi
SuperUser

Of course those VPNs need policies too.

Raudi
New Contributor III

Hi,

here is the output of both commands:

FG-HOME # get router info routing-table all

Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [5/0] via 90.xxx.4.170, wan2
                  [5/0] via 90.xxx.6.130, wan1, [5/0]
S       10.1.1.0/24 [10/0] is directly connected, VPN-WORK
C       90.xxx.4.168/30 is directly connected, wan2
C       90.xxx.6.128/30 is directly connected, wan1
S       192.168.4.0/23 [10/0] is directly connected, VPN-WORK
S       192.168.24.0/24 [10/0] is directly connected, VPN-SITE2
S       192.168.88.0/24 [10/0] via 192.168.99.1, lan
S       192.168.96.0/24 [10/0] is directly connected, VPN-SITE1
S       192.168.97.0/24 [10/0] via 192.168.99.1, lan
C       192.168.99.0/24 is directly connected, lan
S       192.168.168.0/24 [10/0] via 192.168.99.1, lan

FG-HOME # get router info routing-table static

Routing table for VRF=0
S*      0.0.0.0/0 [5/0] via 90.xxx.4.170, wan2
                  [5/0] via 90.xxx.6.130, wan1, [5/0]
S       10.1.1.0/24 [10/0] is directly connected, VPN-WORK
S       192.168.4.0/23 [10/0] is directly connected, VPN-WORK
S       192.168.24.0/24 [10/0] is directly connected, VPN-SITE2
S       192.168.88.0/24 [10/0] via 192.168.99.1, lan
S       192.168.96.0/24 [10/0] is directly connected, VPN-SITE1
S       192.168.97.0/24 [10/0] via 192.168.99.1, lan
S       192.168.168.0/24 [10/0] via 192.168.99.1, lan

There is one default route entry with 2 interfaces, so the traffic is distributed to both interfaces; some clients use wan1 and other clients use wan2.

When I set policy routes for internet to wan1 I get many problems. I must set policy routes for all data that goes through a VPN. I must create a policy route so that the VPN tunnel uses wan2. I must build a very complex set of policy routes. That can't be the only solution...

I created a policy route from lan1 to internet wan1 for destination port 443. After that, client outgoing internet uses wan1, but I can't reach 443 destinations behind a VPN, and the published 443 service isn't accessible from internal. From external I haven't tested.

I also already created static routes for wan1 and wan2; in the advanced options I set different values for priority, but this has no effect. When I modify the distance, only one is working...

Thanks for helping.

Regards

Stefan

Raudi
New Contributor III

O.k., I think I'm a step further.

I get the same IP from my provider every time via DHCP, so the route is set automatically; even when I create a manual default route, the settings inside that manual route have no effect.

So I switched from DHCP to manual with the IP info from DHCP; then the manual route is working and it seems that the priority value has an effect...

Raudi
New Contributor III

And to route VoIP to WAN2 I made policy routes with 5060 UDP and TCP to WAN2, and an additional one with the destination of the remote network through a VPN, so I can use a VPN for VoIP as well.

ede_pfau

If you set the distance for the DHCP-inserted route higher than that of your intended default route, the latter will have precedence. For PPPoE and DHCP (which both - can - insert an ISP-provided default route) these settings are available in the CLI only.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
Raudi
New Contributor III

Yes, with the distance I can't work; when I set the distance for WAN2 higher, even the VPNs will not connect through WAN2...

Which values must I modify via CLI when I have 2 DHCP WAN interfaces and want to give one of them a higher priority?

So I got the same result here, but I switched to manual and created manual default routes with different priorities and the same distance.
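The two mechanisms discussed in this thread (Ede's CLI-only distance/priority settings on a DHCP interface, and Stefan's policy routes for VoIP plus a VPN-destination rule) put together as one FortiOS CLI configuration. This is an added example, not configuration posted by anyone in the thread. It reuses the interface names and gateway addresses from Stefan's routing table; the address object VPN-WORK-net is assumed, and the `set distance` / `set priority` / policy-route field names are those of FortiOS 5.x/6.x and may be named differently in other releases.

```fortios
# Both DHCP default routes stay in the routing table at equal distance (5),
# so a VPN bound to wan2 still has a route out. wan2 gets the higher (= worse)
# priority, so ordinary internet traffic leaves via wan1. These two settings
# are the CLI-only interface options Ede refers to; not visible in the GUI.
config system interface
    edit "wan1"
        set mode dhcp
        set defaultgw enable
        set distance 5
        set priority 5
    next
    edit "wan2"
        set mode dhcp
        set defaultgw enable
        set distance 5
        set priority 10
    next
end

# Equivalent when the WAN addresses are configured statically instead of via
# DHCP (Stefan's workaround): two default routes, same distance, different
# priority. Gateways are the ones shown in the routing-table output above.
config router static
    edit 1
        set gateway 90.xxx.6.130
        set device "wan1"
        set distance 5
        set priority 5
    next
    edit 2
        set gateway 90.xxx.4.170
        set device "wan2"
        set distance 5
        set priority 10
    next
end

# Policy routes are evaluated top-down and before the routing table. The rule
# that keeps traffic for the remote VPN network on the tunnel must therefore
# sit above the port-based VoIP rules; otherwise SIP to a remote site would be
# forced out of wan2 unencrypted. VPN-WORK-net is an assumed address object
# for 192.168.4.0/23 (the VPN-WORK network in Stefan's routing table).
config router policy
    edit 1
        set input-device "lan"
        set srcaddr "all"
        set dstaddr "VPN-WORK-net"
        set output-device "VPN-WORK"
    next
    edit 2
        set input-device "lan"
        set srcaddr "all"
        set dstaddr "all"
        set protocol 17
        set start-port 5060
        set end-port 5060
        set gateway 90.xxx.4.170
        set output-device "wan2"
    next
    edit 3
        set input-device "lan"
        set srcaddr "all"
        set dstaddr "all"
        set protocol 6
        set start-port 5060
        set end-port 5060
        set gateway 90.xxx.4.170
        set output-device "wan2"
    next
end
```

After applying either the interface or the static-route variant, `get router info routing-table all` should still list both next hops under 0.0.0.0/0, which is the check that the distance-based approach fails (the wan2 route disappears, and with it the VPN's path out). IPsec tunnels whose phase1 is bound to wan2 use that interface regardless of the default route, as Toshi notes, so only the VoIP and VPN-destination traffic needs policy routes; the published services keep working because replies leave on the interface the request arrived on.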
