Internal PC how to use Internet line to access virtual IP in the same firewall?

Author: qqh452821000
2021/02/24 00:20:34

Hi everyone,
 
The PC uses ISP2 to access the Internet.
How can the PC use ISP2 to access the VIP?

Here are my debug output:
 
Normal situation:
FW # id=20085 trace_id=60 func=print_pkt_detail line=5622 msg="vd-VDOM1:0 received a packet(proto=6, Public-IP:24789->ISP1:443) from port6. flag , seq 217229777, ack 0, win 64240"
id=20085 trace_id=60 func=init_ip_session_common line=5792 msg="allocate a new session-2109884f"
id=20085 trace_id=60 func=fw_pre_route_handler line=181 msg="VIP-Server:443, outdev-port6"
id=20085 trace_id=60 func=__ip_session_run_tuple line=3412 msg="DNAT ISP1:443->Server:443"
id=20085 trace_id=60 func=vf_ip_route_input_common line=2595 msg="find a route: flag=00000000 gw-Server via Corp VLAN10"
id=20085 trace_id=60 func=fw_forward_handler line=777 msg="Allowed by Policy-36:"
id=20085 trace_id=60 func=np6_hif_nturbo_build_vtag line=996 msg="np6_hif_nturbo_build_vtag: vtag->magic d153beef, vtag->coretag 140, vtag->vid 10
vtag->sip[0] 0, vtag->sip[1] 0, vtag->sip[2] 0, vtag->sip[3] 0
vtag->sport 0, vtag->mtu 1500, vtag->flags 10, vtag->np6_index 961"
 
Abnormal situation:
id=20085 trace_id=75 func=print_pkt_detail line=5622 msg="vd-VDOM1:0 received a packet(proto=6, PC:51088->ISP1:443) from Guest VLAN5. flag , seq 4275213868, ack 0, win 64240"
id=20085 trace_id=75 func=init_ip_session_common line=5792 msg="allocate a new session-210a6b39"
id=20085 trace_id=75 func=fw_pre_route_handler line=181 msg="VIP-Server:443, outdev-unknown"
id=20085 trace_id=75 func=__ip_session_run_tuple line=3412 msg="DNAT ISP1:443->Server:443"
id=20085 trace_id=75 func=vf_ip_route_input_common line=2580 msg="Match policy routing id=1: to ISP2 via ifindex-9"
id=20085 trace_id=75 func=vf_ip_route_input_common line=2595 msg="find a route: flag=04000000 gw-ISP2 via port1"
id=20085 trace_id=75 func=fw_forward_handler line=630 msg="Denied by forward policy check (policy 0)"
 
 
Thank you for any answers..
Regards,
Tim
 
post edited by qqh452821000 - 2021/02/24 00:22:31

Attached Image(s)

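Added example (not from the original post, and not a Fortinet tool): a small Python parser for the two "diagnose debug flow" traces quoted above. It uses the trace lines from the post as constructed sample input, groups them by trace_id, pulls out the ingress interface, DNAT result, policy route, chosen egress and the policy verdict, and summarises where the second trace diverges from the first. The regex shapes assume the message wording shown in the post; other FortiOS builds may word these lines differently.

```python
import re

# Constructed sample input: the two "diagnose debug flow" traces quoted in the post.
# trace_id 60: client on the Internet reaches the VIP through ISP1 (works).
# trace_id 75: internal PC on Guest VLAN5 sends to the same VIP but is policy-routed to ISP2 (fails).
SAMPLE_TRACE = """\
id=20085 trace_id=60 func=print_pkt_detail line=5622 msg="vd-VDOM1:0 received a packet(proto=6, Public-IP:24789->ISP1:443) from port6. flag , seq 217229777, ack 0, win 64240"
id=20085 trace_id=60 func=init_ip_session_common line=5792 msg="allocate a new session-2109884f"
id=20085 trace_id=60 func=fw_pre_route_handler line=181 msg="VIP-Server:443, outdev-port6"
id=20085 trace_id=60 func=__ip_session_run_tuple line=3412 msg="DNAT ISP1:443->Server:443"
id=20085 trace_id=60 func=vf_ip_route_input_common line=2595 msg="find a route: flag=00000000 gw-Server via Corp VLAN10"
id=20085 trace_id=60 func=fw_forward_handler line=777 msg="Allowed by Policy-36:"
id=20085 trace_id=75 func=print_pkt_detail line=5622 msg="vd-VDOM1:0 received a packet(proto=6, PC:51088->ISP1:443) from Guest VLAN5. flag , seq 4275213868, ack 0, win 64240"
id=20085 trace_id=75 func=init_ip_session_common line=5792 msg="allocate a new session-210a6b39"
id=20085 trace_id=75 func=fw_pre_route_handler line=181 msg="VIP-Server:443, outdev-unknown"
id=20085 trace_id=75 func=__ip_session_run_tuple line=3412 msg="DNAT ISP1:443->Server:443"
id=20085 trace_id=75 func=vf_ip_route_input_common line=2580 msg="Match policy routing id=1: to ISP2 via ifindex-9"
id=20085 trace_id=75 func=vf_ip_route_input_common line=2595 msg="find a route: flag=04000000 gw-ISP2 via port1"
id=20085 trace_id=75 func=fw_forward_handler line=630 msg="Denied by forward policy check (policy 0)"
"""

# Message shapes below follow the lines in the post (assumption: other builds may differ).
LINE_RE = re.compile(r'trace_id=(?P<tid>\d+) func=\S+ line=\d+ msg="(?P<msg>.*)"\s*$')
PKT_RE = re.compile(r'received a packet\(proto=\d+, (?P<src>\S+):\d+->(?P<dst>\S+):(?P<dport>\d+)\) from (?P<ingress>.+?)\.')
VIP_RE = re.compile(r'VIP-(?P<vip>[^,]+), outdev-(?P<outdev>\S+)')
DNAT_RE = re.compile(r'DNAT \S+->(?P<xlated>\S+)')
PBR_RE = re.compile(r'Match policy routing id=(?P<pbr_id>\d+): to (?P<pbr_gw>\S+)')
ROUTE_RE = re.compile(r'find a route: flag=[0-9a-f]+ gw-(?P<gw>\S+) via (?P<egress>.+)')
ALLOW_RE = re.compile(r'Allowed by Policy-(?P<policy>\d+)')
DENY_RE = re.compile(r'Denied by forward policy check \(policy (?P<policy>\d+)\)')


def parse_trace(text):
    """Group debug-flow lines by trace_id and keep the decisions that determine the verdict."""
    traces = {}
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue  # continuation lines (e.g. np6 vtag dumps) have no closing quote and are skipped
        t = traces.setdefault(int(m.group("tid")), {"verdict": None, "policy": None, "policy_route": None})
        msg = m.group("msg")
        if (p := PKT_RE.search(msg)):
            t.update(ingress=p.group("ingress"), src=p.group("src"), dst=p.group("dst"), dport=int(p.group("dport")))
        elif (v := VIP_RE.search(msg)):
            t.update(vip=v.group("vip"), vip_outdev=v.group("outdev"))
        elif (d := DNAT_RE.search(msg)):
            t["dnat"] = d.group("xlated")  # destination after DNAT, i.e. what the policy lookup sees
        elif (r := PBR_RE.search(msg)):
            t["policy_route"] = {"id": int(r.group("pbr_id")), "gw": r.group("pbr_gw")}
        elif (r := ROUTE_RE.search(msg)):
            t.update(route_gw=r.group("gw"), egress=r.group("egress"))
        elif (a := ALLOW_RE.search(msg)):
            t.update(verdict="allow", policy=int(a.group("policy")))
        elif (d := DENY_RE.search(msg)):
            t.update(verdict="deny", policy=int(d.group("policy")))
    return traces


def diagnose(t):
    """One-line summary of a parsed trace; for a deny, list the steps that set up the policy miss."""
    path = f"{t['ingress']} -> {t.get('egress', '?')}, dst {t.get('dnat', t['dst'])}"
    if t["verdict"] == "allow":
        return f"ALLOW by policy {t['policy']}: {path}"
    reasons = []
    if t["policy_route"]:
        reasons.append(f"policy route id={t['policy_route']['id']} sent the DNATed packet toward "
                       f"{t['policy_route']['gw']} instead of the server")
    if t.get("vip_outdev") == "unknown":
        reasons.append("VIP pre-route lookup found no matching outdev (outdev-unknown)")
    if t["policy"] == 0:
        reasons.append("policy 0 is the implicit deny: no policy matches this ingress/egress/destination")
    return f"DENY: {path}; " + "; ".join(reasons)


if __name__ == "__main__":
    for tid, t in parse_trace(SAMPLE_TRACE).items():
        print(f"trace_id={tid}: {diagnose(t)}")
```

The point the parser makes visible: in both traces the DNAT to Server:443 happens before the route lookup, but in trace 75 policy route 1 (PC toward ISP2) wins that lookup, so the firewall then searches for a policy from Guest VLAN5 to port1 with destination Server:443. None exists, so the implicit deny (policy 0) applies, which is exactly what the replies below describe.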
#1
sw2090
Re: Internal PC how to use Internet line to access virtual IP in the same firewall? 2021/02/24 00:56:54
Why do you want to go over the Internet if both are at the same firewall?
All you need is a policy that allows traffic from the PC to the server.
As the firewall has an interface in both subnets, the routing is implicitly already there.
You would only need a VIP if you wanted to be able to connect coming from the Internet.
#2
qqh452821000
Re: Internal PC how to use Internet line to access virtual IP in the same firewall? 2021/02/24 01:04:00
Hi sw2090,

The PC cannot access the server directly; it must go through the ISP, because they are two separate networks.

I have already created the VIP, but when I use the PC to access the VIP via ISP2, it fails.
When I use another PC from the Internet, it can access the server through ISP1.
#3
sw2090
Re: Internal PC how to use Internet line to access virtual IP in the same firewall? 2021/02/24 01:12:00
Yes they are, but if your picture is correct they are still connected to the same firewall.
So if both use the firewall as default gateway, they can connect via the firewall and just need a policy.
The firewall does know a route to both subnets.
No need to go through the ISP with a VIP.
#4
qqh452821000
Re: Internal PC how to use Internet line to access virtual IP in the same firewall? 2021/02/24 01:17:26
Yes, I know that just creating a policy from PC to server can solve the problem, but that is not what I want. What I want is that the PC must go through ISP2 to access the VIP.
#5
lobstercreed
Re: Internal PC how to use Internet line to access virtual IP in the same firewall? 2021/02/24 12:34:14
That's simply not going to happen, because the firewall is going to receive the packet destined for the server on the other interface, see that there's no policy allowing that traffic, and drop it.
 
The only way I could imagine around this is for the PC and ISP2 to be in a different VDOM (or at least a different VRF) than the server and ISP1. 
 
But as Sebastian said, I don't know why you'd want to introduce additional hops and latency for this traffic when it's connected to the same firewall and can simply be handled in policy.
#6
emnoc
Re: Internal PC how to use Internet line to access virtual IP in the same firewall? 2021/02/24 12:59:33
Correct, and I do not see how that could even remotely work; you're going to get the same error, a deny due to reverse path lookup. It's a firewall, and that is what a firewall does: check uRPF.
 
Ken Felix
 

PCNSE 
NSE 
StrongSwan  
#7