Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[adelme]

I don't understand well the PBR .....

I have 2 internet access, public IP on WAN1 and other router on WAN2.
Server (rdp and http) is on LAN
I want RPD inbount/outbound ONLY on WAN1
I wand other services (http, ftp …. service group in/out) on WAN2

WAN1 (arp publish, nat, sat, ip rule) is okay, I can RDP'in to my server

Here is resumed the current config :

Interfaces
WAN1 : wan1_ip, wan1_net, wan1_gw - auto route creation disabled (enabled first time to check the WAN1 rdp alone)
WAN2 : idem (of course with wan2 ips !)

IP rules :
WAN1toLAN :
SAT : wan1/allnets - core/wan1ip (rdp protocol)
ALLOW : wan1/allnets - core/wan1ip (rdp protocol)
(note this config works well with only wan1)

LANtoWAN1 :
NAT : lan/lannet – wan1/allnet (rdp only)

WAN2toLAN
SAT : wan2/allnets - core/wan2ip (other protocols)
ALLOW : wan2/allnets - core/wan1ip (other protocol)

LANtoWAN2 :
NAT : lan/lannet – wan2/allnet (other protocols)


But I don't understand how to configure the other route and the PBR (necessary to separate rdp traffic and other traffic) .... and how to set the metrics for the interfaces and routes ??

Thank’s for your help !
Gilles

[danilovav]

First, fix your IP rules
In WAN2toLAN, allow rule, destination network is wan2ip

Next, PBR
You need
1) Routing > Routing tables
Add table alt_wan1
Add into this table route wan1 all-nets (wan1_gw) 100
2) Routing > Routing rules
Add rule
wan1/all-nets any/all-nets, forward main, return alt_wan1
3) Do the sane for wan2

[adelme]

Hi Danilovav !

Yes of course, keyboard error on WAN2toLAN rule ...

But it does'nt works.... I think the problem is in the routing tables :

With only the main following routing table :
route wan1 - wan1net 100
route wan1 - all-nets - wan1gw 90
route wan2 - wan2net 100
route wan2 - all-nets - wan2gw 80

all traffic is okay through wan2 (low metric on wan2)
if I switch the 80/90 metrics between wan1 and wan2 route, all traffic is okay through wan1

So I think the IP rules and interfaces  are okay.

But when I remove the 2 routes (wan1 all-nets wan1gw) and (wan2 all-nets wan2gw) from the main, and I add the 2 alternate routing tables and the 2 routing rules there is no more traffic through wan1 nor wan2

Any idea?

ps : alt_wan1 and alt_wan2 should be "default" or "only" ?

I should have :
inbound AND outbound RDP on WAN1
inbound and outbound HTTP/SMTP... on WAN2
no failover

[danilovav]

You don't need to remove default routes from main! Keep it and add for fisrt (with least metric) monitoring by ICMP
Alternative routing tables should be "only" and will be used only to pass inbound traffic, not outbound

[adelme]

Hi Danilo !
Thank you for the default routes ....

finaly, after many config, here is the good configuration I currently use and wich seems to be ok (again, wan1 is exclusively reseved for rdp) :
- ONLY rdp in and out pass thru wan1
- ONLY http and smtp can go from wan2 to my exchange server on lan
- all other outgoing traffic pass from lan to wan2

Any remark ? (I think the drop rdp rule is unnecessary)

[danilovav]

If you not need to use favorier (use another interface for outbound traffic in case of first down), you can remove route wan2/all-nets from main routing table

From other side, you can keep default route in main (in this case, remove wan1/all-nets) and make alt_wan1 routing table. In this case you will not need wan2_rule_out PBR

[scrubsguy]

won't that effect the routing?

[danilovav]

It's incorrect to have two default routes in main routing table with the same metric

[scrubsguy]

so yes?

[lingnau]

I'm having a similar situation and described the problem in this thread:

http://forums.dlink.com/index.php?topic=37456.0

After reading this thread I've created a route for my WAN2 interface and a Routing rule but that didn't do the trick. Any tips?


Edit: Reading trough old topics i've found the solution to my problem:

http://forums.dlink.com/index.php?topic=15614.0

[adelme]

I was on holidays ....
But I'm back and I can confirm that my config works very well, with the last modification of Alexander. (removing one of the default routes)