
dual ISP routing issue

Hello,

I currently have two ISP gateways connected to my UTM appliance. Uplink balancing is working. One of the ISPs provides a Cable Modem with wireless built in. I would like to use the Cable Modem's internal ports and/or its wireless to access the internet in my lab, essentially bypassing my UTM since I would not be connecting through the UTM's internal interface. Since my UTM is physically plugged into one of its internal ports, as a router it has learned the IP address of the WAN interface of the cable modem and shows this line in the routing table:

default via xxx.xxx.xxx.xxx (I have obscured the IP address) dev eth1 table 221 proto kernel onlink

When I connect using my computer to one of the Cable Modem's ports I have total access to the internet with the exception of the Additional Addresses on the WAN interface of my UTM for the other ISP.

I'm assuming that when I attempt to access any of the Public IPs on the other ISP interface, since it knows how to route to the source IP it sends it directly to the Cable Modem's internal port that it's connected to instead of back through the internet through the WAN interface. However, I have been unable to confirm that.

I have tried setting up a policy route so that when traffic comes in for one of the specific addresses, it goes back out the same WAN interface, hoping that would stop the routing out the wrong WAN interface. Does this make sense to anybody? Any suggestions as to what may be happening here and how I can fix the issue?

  • Hello WRS,

    this is a classic asymmetric routing setup (a different path for the reply packets to the lab computer). In my opinion the simplest solution is to add an extra route on the Lab Computer (route add "eth4 net" to "eth1 IP") with an appropriate fw-rule.

    bye Josef

    BERGMANN engineering & consulting GmbH, Wien/Austria

  • Josef,

    I don't understand your solution. How will adding a route on the lab computer help? eth4 is the WAN interface for one ISP, and eth1 is the WAN interface for Comcast, both interfaces being on the firewall, not the lab computer. I think I'm missing what you are telling me.

    Thanks

    WRS

  • Hi WRS,

    when your Lab Computer tries to connect to one of the Public IPs on eth4, the packets go according to its default route over the Comcast Cable Router, the Internet and the Fiber Provider Router to eth4 on the Sophos UTM. You then probably do some DNAT on the UTM and finally the reply packets should go back. The UTM has an interface in the network of the source IP, so it will route the reply out to eth1, but there is no entry in the connections table of the firewall, so it will get dropped.

    I would try to avoid such setups, but with a dedicated route on the Lab computer you could route the packets always over the UTM.

    bye Josef

    BERGMANN engineering & consulting GmbH, Wien/Austria

    Thanks for the explanation. I understand that it at first appears to be a configuration to avoid and maybe I have no other choice, but what I'm really trying to do is to NOT go out the UTM with this traffic but rather the Comcast router, thus creating a solid separation between the two. My example highlighted my lab but it's bigger than that.

    In the past I have configured a number of wireless networks bound to separate VLANs. Before Comcast upgraded their device and gave me this new router, I had a guest network tied to a VLAN that trunked down to one port on one switch which was plugged into Comcast. Then when a guest connected to that SSID they received their configuration via DHCP on Comcast and went directly out Comcast, thus completely circumventing our internal network. It worked well. If they needed to connect internally they would have to use our L2TP VPN.

    Now with the new router, a member of that SSID can resolve our Public DNS record that resolves to our VPN but can't connect, or even ping that address, or any other address on our UTM. This is frustrating to those on my team that set up laptops for employees because they like to use that Guest network to test the VPN, which now they can't do. Maybe this is too unconventional and I should just give it up and accept the fact that there is no way to test our VPN from the inside or go out Comcast internal ports for any other reason.

    Thanks for your input!
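The asymmetric path Josef describes, and the effect of the extra route he suggests, can be traced with a small longest-prefix-match model. This is an added example, not code from the thread or from Sophos; all addresses are constructed from the RFC 5737 documentation ranges and the interface names and routing tables are assumptions that stand in for the poster's real setup.

```python
import ipaddress

# Constructed addresses (RFC 5737), assumed layout:
#   192.0.2.0/24     cable modem LAN; lab PC 192.0.2.10, UTM eth1 192.0.2.2
#   198.51.100.0/29  fiber ISP public block on UTM eth4; VPN address .3
LAB_HOST = ipaddress.ip_address("192.0.2.10")
UTM_ETH1 = ipaddress.ip_address("192.0.2.2")
VPN_IP = ipaddress.ip_address("198.51.100.3")

# Lab PC routing table before the fix: everything goes to the cable modem.
LAB_ROUTES_BEFORE = [
    ("0.0.0.0/0", "192.0.2.1", "wlan0"),   # default via cable modem
    ("192.0.2.0/24", None, "wlan0"),       # directly connected
]
# After "ip route add 198.51.100.0/29 via 192.0.2.2" on the lab PC.
LAB_ROUTES_AFTER = LAB_ROUTES_BEFORE + [
    ("198.51.100.0/29", "192.0.2.2", "wlan0"),
]
# UTM main table: reply to the lab PC matches the connected eth1 network.
UTM_ROUTES = [
    ("0.0.0.0/0", "198.51.100.1", "eth4"),  # default via fiber provider
    ("192.0.2.0/24", None, "eth1"),
    ("198.51.100.0/29", None, "eth4"),
]

def lookup(routes, dst):
    """Longest-prefix match. Returns (next_hop or None if on-link, device)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, via, dev in routes:
        net = ipaddress.ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    if best is None:
        raise LookupError(f"no route to {dst}")
    via = ipaddress.ip_address(best[1]) if best[1] else None
    return via, best[2]

def trace(lab_routes):
    """Return (UTM ingress interface for lab->VPN, UTM egress interface for the reply)."""
    next_hop, _ = lookup(lab_routes, VPN_IP)
    # Handed to the UTM directly on eth1, or sent via the cable modem and the
    # Internet so that it arrives on the fiber side (eth4).
    ingress = "eth1" if next_hop == UTM_ETH1 else "eth4"
    _, egress = lookup(UTM_ROUTES, LAB_HOST)
    return ingress, egress

def is_symmetric(lab_routes):
    ingress, egress = trace(lab_routes)
    return ingress == egress
```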