I just deployed an ERL (EdgeRouter Lite) to a customer site with Multi-WAN failover, and it has been working great. I used the wizard to set it up, checking eth1 as failover-only. After we confirmed internet access was working I added a site-to-site IPsec tunnel to the vendor-hosted data center. Now I can ping from the router to the data center server, and the data center server can ping my router's LAN interface (10.5.202.1). But the server cannot reach the LAN workstations, and the workstations cannot ping the data center server. I suspect the "modify balance" policy-routing ruleset is the cause, but I'm not sure. Configuration follows (public addresses and secrets redacted).
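me@customer# show
/* EdgeOS (EdgeRouter Lite) running config: dual WAN (eth0 = ISP1 primary, eth1 = ISP2
   failover-only), LAN on eth2, one site-to-site IPsec tunnel to a vendor host.
   Reformatted from a single-line forum paste. Two things were changed on purpose:
   the IPsec pre-shared secret and the admin password hash are redacted (both were
   disclosed in the original post and must be rotated), and the WAN_LOCAL rules that
   admit IKE/NAT-T/ESP are restricted to the configured peer instead of any source. */
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        /* Fixed source addresses allowed to manage the router (SSH/HTTPS), see WAN_LOCAL rule 30. */
        address-group MyRemoteSupport {
            address 63.238.xxx.xxx
            address 63.142.xxx.xxx
            description ""
        }
        /* RFC 1918 space. NOTE: this also contains the VPN remote prefix 172.16.0.22/32. */
        network-group PRIVATE_NETS {
            network 192.168.0.0/16
            network 172.16.0.0/12
            network 10.0.0.0/8
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    /* Anti-spoofing aids are off (here and source-validation below). log-martians
       costs nothing and is worth enabling; source-validation can drop legitimate
       return traffic on a dual-WAN box, so test it in loose mode before strict. */
    log-martians disable
    /* Policy routing applied to LAN ingress (eth2 "in"): everything not matched by
       rules 10-30 is handed to load-balance group G by rule 100. */
    modify balance {
        rule 10 {
            action modify
            description "do NOT load balance lan to lan"
            /* Because 172.16.0.22 is inside 172.16.0.0/12, LAN traffic for the vendor
               host is routed via table main rather than the load-balance group. That
               is what IPsec traffic needs, so this rule is not the obvious cause of
               the LAN<->server failure described in the post. */
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            modify {
                table main
            }
        }
        rule 20 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth0
                }
            }
            modify {
                table main
            }
        }
        rule 30 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth1
                }
            }
            modify {
                table main
            }
        }
        rule 100 {
            action modify
            modify {
                lb-group G
            }
        }
    }
    /* Traffic arriving on a WAN interface and forwarded to the LAN. */
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 21 {
            action accept
            description "allow vpn"
            /* Decrypted tunnel traffic from the vendor host to the LAN. The vendor host
               can already reach 10.5.202.1 (WAN_LOCAL rule 41) but not the workstations,
               so a host firewall on the workstations dropping traffic from a non-local
               subnet is a likelier cause than this rule -- check a workstation first.
               With auto-firewall-nat-exclude enabled (vpn section) EdgeOS also inserts
               its own accept rules for this tunnel, so this rule may be redundant. */
            destination {
                address 10.5.202.0/24
            }
            ipsec {
                match-ipsec
            }
            log disable
            protocol all
            source {
                address 172.16.0.22
            }
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
    }
    /* Traffic arriving on a WAN interface and addressed to the router itself. */
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        /* ICMP to the router from any Internet source. Low risk, but it could be
           limited to the IPsec peer and MyRemoteSupport if the site prefers not to
           answer pings from everyone. */
        rule 20 {
            action accept
            description "allow ping"
            log disable
            protocol icmp
            state {
                established disable
                invalid disable
                new enable
                related disable
            }
        }
        /* Management (SSH 22, GUI 443) only from the two support addresses. Good. */
        rule 30 {
            action accept
            description "allow MyRemoteSupport"
            destination {
                port 22,443
            }
            log disable
            protocol tcp
            source {
                group {
                    address-group MyRemoteSupport
                }
            }
            state {
                established disable
                invalid disable
                new enable
                related disable
            }
        }
        rule 40 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 41 {
            action accept
            description "allow vpn hbs"
            destination {
                address 10.5.202.0/24
            }
            ipsec {
                match-ipsec
            }
            log disable
            protocol all
            source {
                address 172.16.0.22
            }
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        /* Rules 42-44 originally accepted IKE, NAT-T and ESP from ANY source, which
           exposes the IKE daemon to the whole Internet for no benefit: the tunnel has
           exactly one peer and this side initiates. Restricted to that peer. */
        rule 42 {
            action accept
            description "allow vpn ike udp 500"
            destination {
                port 500
            }
            log disable
            protocol udp
            source {
                address 66.xxx.xxx.98
            }
        }
        rule 43 {
            action accept
            description "allow vpn nat-t udp 4500"
            destination {
                port 4500
            }
            log disable
            protocol udp
            source {
                address 66.xxx.xxx.98
            }
        }
        rule 44 {
            action accept
            description "allow vpn esp"
            log disable
            protocol esp
            source {
                address 66.xxx.xxx.98
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 216.74.xxx.xxx/28
        description "WAN ISP1"
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 216.106.xxx.xxx/30
        description "WAN ISP2"
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    /* LAN. Only the policy-routing ruleset is attached; no "in" filter is needed
       here because WAN_IN/WAN_LOCAL already gate everything from outside. */
    ethernet eth2 {
        address 10.5.202.1/24
        description LAN
        duplex auto
        firewall {
            in {
                modify balance
            }
        }
        speed auto
    }
    loopback lo {
    }
}
load-balance {
    group G {
        interface eth0 {
        }
        interface eth1 {
            failover-only
        }
    }
}
protocols {
    static {
        /* Two next-hops for the default route; table main is therefore ECMP across
           both ISPs, which is what the modify rules fall back to. */
        route 0.0.0.0/0 {
            next-hop 216.74.212.14 {
                description "ISP1 Wireless"
            }
            next-hop 216.106.66.25 {
                description "ISP2 DSL"
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 10.5.202.0/24 {
                default-router 10.5.202.1
                dns-server 208.67.222.222
                dns-server 208.67.220.220
                lease 86400
                start 10.5.202.38 {
                    stop 10.5.202.243
                }
                static-mapping BRWACD1B84EB519 {
                    ip-address 10.5.202.103
                    mac-address ac:d1:b8:4e:b5:19
                }
            }
        }
    }
    dns {
        forwarding {
            cache-size 150
            /* Resolver listens on the LAN only -- not reachable from the WAN side. */
            listen-on eth2
        }
    }
    gui {
        https-port 443
    }
    nat {
        /* Keeps LAN->vendor-host traffic un-NATed so it matches the IPsec policy.
           Only covers eth0, and auto-firewall-nat-exclude (vpn section) already does
           the same, so this rule is redundant but harmless. */
        rule 5000 {
            description "vpn-nat exclude"
            destination {
                address 172.16.0.22
            }
            exclude
            log disable
            outbound-interface eth0
            protocol all
            source {
                address 10.5.202.0/24
            }
            type masquerade
        }
        rule 5001 {
            description "masquerade for WAN ISP1"
            log disable
            outbound-interface eth0
            protocol all
            type masquerade
        }
        rule 5002 {
            description "masquerade for WAN ISP2"
            log disable
            outbound-interface eth1
            protocol all
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    conntrack {
        expect-table-size 4096
        hash-size 4096
        table-size 32768
        tcp {
            half-open-connections 512
            loose enable
            max-retrans 3
        }
    }
    host-name CPElamonte
    login {
        user me {
            authentication {
                /* REDACTED. The original post showed the beginning of the SHA-512 crypt
                   hash for the admin account; treat it as leaked and change the password. */
                encrypted-password <redacted>
            }
            level admin
        }
    }
    name-server 8.8.8.8
    name-server 208.67.222.222
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipsec enable
        ipv4 {
            forwarding enable
            gre enable
            pppoe enable
            vlan enable
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/Chicago
    traffic-analysis {
        dpi enable
        export enable
    }
}
vpn {
    ipsec {
        /* Auto-generates the firewall accept and NAT-exclude rules for the tunnel. */
        auto-firewall-nat-exclude enable
        /* 3DES / SHA-1 for ESP and 3DES / SHA-1 / DH group 2 (1024-bit MODP) for IKE
           are all deprecated: 3DES has a 64-bit block (Sweet32) and group 2 is below
           current minimums. Prefer aes256 + sha256 + dh-group 14 (or stronger). Left
           unchanged here because the proposal must change in lockstep with the vendor. */
        esp-group FOO0 {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption 3des
                hash sha1
            }
        }
        ike-group FOO0 {
            lifetime 28800
            proposal 1 {
                dh-group 2
                encryption 3des
                hash sha1
            }
        }
        /* IPsec is bound to ISP1 only (and local-address below is eth0's address), so
           the tunnel is down whenever eth1 has taken over. If the vendor link must
           survive failover, a second peer entry from eth1's address is needed on both ends. */
        ipsec-interfaces {
            interface eth0
        }
        site-to-site {
            peer 66.xxx.xxx.98 {
                authentication {
                    mode pre-shared-secret
                    /* REDACTED. The original post disclosed the PSK in cleartext on a
                       public forum; rotate it with the vendor and use a long random value. */
                    pre-shared-secret <redacted>
                }
                connection-type initiate
                description "to VENDOR cloud"
                ike-group FOO0
                local-address 216.xxx.xxx.2
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO0
                    local {
                        prefix 10.5.202.0/24
                    }
                    remote {
                        prefix 172.16.0.22/32
                    }
                }
            }
        }
    }
}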