Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[Ahmad Awad]

Hi, I have 2 wan connections (wan1 and wan2) I am using Route Load Balancing (Destination Algorithm) to balance my trafic over the 2 ISP (wan1 and wan2) it works fine with one issue , I can only use port forwarding (or vpn) through one wan interface (the one with the lower Metric in the main routing table) but I want to use both of them.

I want to setup the firewall to route the connection through the same wan interface which the data already came from.

thanks in advance

[FurryNutz]

I recommend that you phone contact your regional D-Link support office and ask for help and information regarding this. We find that phone contact has better immediate results over using email.
Let us know how it goes please.

[Ahmad Awad]

the regional D-Link support office after 1 hour of troubleshooting the problem didn't come up with any solution to my problem and i think it's fairly universal as it depend on the firewall configurations and if you need anything from my configuration just tell me
thanks in advance

[Ahmad Awad]

Anything?

[FurryNutz]

What region are you located?

[PacketTracer]

Hi,

I can only use port forwarding (or vpn) through one wan interface (the one with the lower Metric in the main routing table) but I want to use both of them.

You didn't tell why this is the case.

If <forw-port> denotes the port to be forwarded, and <forw-ip> denotes the internal IP address that packets shall be forwarded to, please check if the following rule set does what you want:


# | Action | Src Iface | Src Net  | Dest Iface | Dest Net | Service     | SAT Translate
---------------------------------------------------------------------------------------
1 | SAT    | wan1      | all-nets | core       | wan1_ip  | <forw-port> | <forw-ip>
2 | SAT    | wan2      | all-nets | core       | wan2_ip  | <forw-port> | <forw-ip>
3 | Allow  | wan1      | all-nets | core       | wan1_ip  | <forw-port> |
4 | Allow  | wan2      | all-nets | core       | wan2_ip  | <forw-port> |

[Ahmad Awad]

Here are my configurations

http://www.sehely.com/it/firewall.png
If I make wan 1 Metric lower (as in the circle) I can port forward and vpn through wan1 but not wan 2 and if I made wan2 Metric lower I can vpn and port forward from wan 2 but not wan 1
PS: WANS is a group interface for Wan1 and wan2, I tried and make the rules with the individual interface but with the same results

[PacketTracer]

I suppose if an external client connects to the WAN ip address which is assigned to the interface with the default route with the higher metric value, the response will be sent through the other WAN interface due to its preferred metric. Hence, due to outgoing NAT the external client will see the response coming from another IP address and discard it. I further assume that a connection initiation by an external client via a SAT rule does not create "state", that is a NAT session, which would cause the router to send reply traffic back through the WAN interface which is associated with the NAT session. Hence I draw the conclusion that port forwarding by principle will only work with one WAN interface (the one with the lower metric default route).

EDIT: Saying this brings me to the idea if it is possible not only to do SAT for the destination address of incoming connection requests but also to do dynamic NAT (many to one) for the source address, thus creating the state information needed for routing return traffic back the right way...

[Ahmad Awad]

EDIT: Saying this brings me to the idea if it is possible not only to do SAT for the destination address of incoming connection requests but also to do dynamic NAT (many to one) for the source address, thus creating the state information needed for routing return traffic back the right way...

Ok , In my case how to do that??

[PacketTracer]

Hi, according to chapter 7.2 of your device's manual (which you could read as well...), you can add the following two NAT rules, one per WAN interface:

Action: NAT
Src If: wan1 (wan2)
Src Net: all-nets
Dest If: lan
Dest Net: lannet
Service: Mail-Publishing

Under the NAT tab, make sure that the "Use Interface Address" option is selected (default).

[Ahmad Awad]

Ok, thank you PacketTracer for replying, and I did read the  manual and I did tried NAT without success, and I tried it again and here the result

and I can vpn/port forwarding from wan1 but not wan 2 and here are my log

please help
and thanks in advance

[PacketTracer]

Hi,

maybe my original suggestion ...

Action: NAT
Src If: wan1 (wan2)
Src Net: all-nets
Dest If: lan
Dest Net: lannet
Service: Mail-Publishing

... was not the right way to do source nat. Please try if the following modified NAT rules will work:

Action: NAT
Src If: wan1 (wan2)
Src Net: all-nets
Dest If: core
Dest Net: wan1_ip (wan2_ip)
Service: Mail-Publishing

Please note that I'm not an owner of such a device (and never was it in the past), hence all I can do is think about your problem and try to make suggestions that hopefully might help you to solve it.

PT

[FurryNutz]

If the problem can't be solved here,I recommend that you phone contact your regional D-Link support office and ask for help and information regarding this. We find that phone contact has better immediate results over using email.
Let us know how it goes please.

[Ahmad Awad]

PacketTracer .... thanks for even taking the time to replying to me, but still I tried what you suggested without luck,
I believe my problem lies here

because If I make wan 1 Metric lower (as in the circle) I can port forward and vpn through wan1 but not wan 2 and if I made wan2 Metric lower I can vpn and port forward from wan 2 but not wan 1

[PacketTracer]

Yes, I understood that. And that was why I have suggested to also do source nat so that the route metrics become irrelevant. My theory behind that is that for reply traffic from your Mail-Publishing service back to the Internet the router would choose the outgoing WAN interface not due to the metrics but instead would select the one, the NAT session for the source nat is bound to (and hence the one, the connection initiating request came in).

But as we can see now, either you didn't manage to establish those additional NAT sessions, or you did, but it didn't help, because my theory is wrong. Anyway I'm running out of ideas.