In this post I have reported (and solved) issues with our BGP configuration. There has been one thing, however, that I still haven't been able to solve, so I'll need some help/suggestions again.
Our eBGP configuration is as follows:
Interface definition (eth4 and eth8 are going to be part of the eBGP Configuration):
The addresses here are the IP ranges that need to be transported via eBGP to the outside world.
Additional addresses set on those interfaces are:
The 213.126.x.x additional addresses are for creating the eBGP connection.
We have two neighbors:
Both neighbors are part of the same ASN. Our local ASN is 65000.
As this is a connection between only two ASes, "multiple AS" is set off in the UTM. The eBGP connection itself works successfully:
The BGP1 and BGP2 networks have ranges 80.113.68.177/28 and 80.113.71.225/29 respectively.
As described in my other post, communication from any device behind the UTM is working successfully, thanks to using masquerade and SNAT rules.
However, I am not able to communicate to the outside world from the UTM directly. For instance: If I set a DNS forwarder to 8.8.8.8, UTM is not able to connect to that DNS server and all requests outside our local domain cannot be resolved if UTM is used as a DNS server.
Same issue with proxy.
I can solve the DNS issue by pointing the forwarder in UTM to an internal DNS server and have that server communicate with external DNS (cringe...). However, I cannot do the same for proxy requests.
Checking the proxy logs, I can see that requests for external sites are dropped because of connection timeouts.
I tried a traceroute from CLI and got the following response:
To me, it looks like UTM is trying to use the BGP connection addresses instead of the BGP IP ranges to reach the outside world. TCPDUMP confirms this. That would explain, but how can I change this behaviour?
On the CLI I can use traceroute -S or ping -I to change the originator address and this works perfectly:
But I cannot find a way (either in CLI or GUI) to have UTM use that address as an originating address for traffic that originates from UTM itself.
As this is the final puzzle piece in our configuration I hope that someone can give me a hint to get this working :)
Regards,
Karl-Heinz
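As an added example (not part of the original post and not Sophos UTM tooling), the following Python reproduces the check the poster did with tcpdump, traceroute -S and ping -I: a connect() on a UDP socket runs the kernel's route lookup and source-address selection without transmitting anything, so getsockname() reveals which address locally originated traffic would carry; binding the socket first mimics ping -I. The advertised prefixes are taken from the post; the sample peering address 213.126.1.1 is a constructed stand-in for the "213.126.x.x" addresses the post does not spell out, and the no-route case (an offline host) is handled by returning None.

```python
import ipaddress
import socket

# Ranges the post says are advertised to the outside world via eBGP.
# 80.113.68.177/28 is written with host bits set, so strict=False below.
ADVERTISED_PREFIXES = ("80.113.68.177/28", "80.113.71.225/29")

# Constructed stand-in for one of the "213.126.x.x" peering addresses.
SAMPLE_PEERING_ADDR = "213.126.1.1"


def kernel_source_for(dst, port=53, bind_src=None):
    """Return the source IP the kernel picks for dst, or None if there is no route.

    connect() on a UDP socket only performs route lookup and source
    selection; no packet leaves the host. bind_src fixes the source first,
    the same thing `ping -I <addr>` / `traceroute -S <addr>` do.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        if bind_src is not None:
            s.bind((bind_src, 0))
        s.connect((dst, port))
        return s.getsockname()[0]
    except OSError:
        # Unreachable network (e.g. an offline sandbox) or bind to a
        # non-local address; report "no usable source" instead of raising.
        return None
    finally:
        s.close()


def source_is_advertised(src, prefixes=ADVERTISED_PREFIXES):
    """True if src lies inside one of the prefixes reachable from the Internet."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in prefixes)


def check(dst, bind_src=None):
    """(chosen source, is that source publicly routable per the BGP ranges?)"""
    src = kernel_source_for(dst, bind_src=bind_src)
    if src is None:
        return (None, False)
    return (src, source_is_advertised(src))


if __name__ == "__main__":
    # On the poster's UTM the first line would show a 213.126.x.x source
    # (advertised=False), which is exactly why replies never come back.
    for dst in ("8.8.8.8", "127.0.0.1"):
        src, ok = check(dst)
        print(f"{dst}: source={src} advertised={ok}")
    print("peering address advertised?", source_is_advertised(SAMPLE_PEERING_ADDR))
```

On a plain Linux host the kernel-level knob that changes the default choice is the `src` attribute of the route (`ip route change default via <gw> src <addr>`), and when the route is installed by Quagga/Zebra the equivalent is `set src <addr>` in a route-map applied with `ip protocol bgp route-map <name>`; whether Sophos UTM's management layer would keep such a change in place is an assumption that the post does not settle.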