D-Link Forums
The Graveyard - Products No Longer Supported => D-Link NetDefend Firewalls => Topic started by: ioccy on February 05, 2013, 12:05:57 PM
-
Hello!
I'm trying to make some internet traffic go via IPSec tunnel instead of sending it directly to the internet. Here's a diagram of my networks:
(http://s7.postimage.org/msian77jv/net.png)
I'll omit 192.168. to keep it simple. Router 4.1 is DFL-210, router 2.1 is DFL-800.
There's no connectivity problem between networks 4.0/24 and 2.0/24: all ICMP, TCP and UDP traffic goes OK. Network 4.0/24 uses Provider 1 to access the internet, network 2.0/24 uses Provider 2. The IPSec tunnel is made via the internet.
What I am trying to achieve is to make traffic from net 4.0/24 to some host (e.g. 8.8.8.8) go to Provider 2 instead of Provider 1.
On 4.1 I've made the following:
– Route: interface IPSec, network 8.8.8.8, gateway 192.168.2.1, with a metric lower than the others
– IP Rule: Allow from lan/lannet to IPSec/all-nets, traffic all_tcpudpicmp, below the Allow rules for local IPSec traffic.
On 2.1 I've made the following:
– IP Rule: NAT from IPSec/IPSec-net to wan1/all-nets, traffic all_tcpudpicmp; IPSec-net here is 192.168.4.0/24. The rule is similar to the one used to access the internet from network 2.0/24.
What I got:
If I try to ping 8.8.8.8 from my host in the 4.0/24 network (it is 192.168.4.65), the ping fails. I see my Allow rule works on 4.1, but I see nothing at all at 2.1. If I try to ping 192.168.2.30 (some online host in 2.0/24), everything works OK, like before. Access from 4.0/24 to other internet hosts is not affected; everything works OK, apart from 8.8.8.8.
What am I doing wrong?
Thanks in advance!
-
Found a solution
Set Local Network and Remote Network in the IPSec settings on both DFLs to 0.0.0.0/0 (all-nets). Then routes and IP rules work the way they should. Additionally, a manual route and IP address for the IPSec tunnel on both sides are required.
This way any number of networks can be routed via IPSec.
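An added illustration of why the first setup failed and the all-nets fix worked, as a small Python model of the 4.1 (DFL-210) side and not code from the thread or from D-Link: a packet only enters a policy-based IPsec tunnel if the route points at the IPSec interface and the packet also falls inside the tunnel's Local/Remote Network selectors. The addresses are those from the thread; the routing table, metrics and helper names are constructed assumptions.

```python
"""Model of 4.1 (DFL-210): route lookup followed by an IPsec selector check.
Constructed example; only the addresses come from the forum thread."""
from ipaddress import ip_address, ip_network

# Constructed routing table of 4.1: (interface, destination, metric)
ROUTES_4_1 = [
    ("IPSec", ip_network("192.168.2.0/24"), 90),   # tunnel to 2.0/24
    ("IPSec", ip_network("8.8.8.8/32"), 80),       # manual route from the post
    ("wan",   ip_network("0.0.0.0/0"), 100),       # default route via Provider 1
]

def lookup(routes, dst):
    """Standard route selection: longest prefix wins, lowest metric on ties."""
    dst = ip_address(dst)
    matches = [r for r in routes if dst in r[1]]
    return min(matches, key=lambda r: (-r[1].prefixlen, r[2]))[0]

def tunnel_accepts(local_net, remote_net, src, dst):
    """Policy-based IPsec: the SA carries only traffic inside its selectors."""
    return (ip_address(src) in ip_network(local_net)
            and ip_address(dst) in ip_network(remote_net))

def forward(routes, local_net, remote_net, src, dst):
    """Return what 4.1 does with a packet from src to dst."""
    iface = lookup(routes, dst)
    if iface != "IPSec":
        return f"{iface}: sent in clear"
    if tunnel_accepts(local_net, remote_net, src, dst):
        return "IPSec: encrypted to 192.168.2.1"
    # Routed into the tunnel but outside the selectors: silently dropped,
    # which is why nothing shows up on 2.1 in the original setup.
    return "IPSec: dropped (outside tunnel selectors)"

if __name__ == "__main__":
    host = "192.168.4.65"
    # Original selectors: Local 192.168.4.0/24, Remote 192.168.2.0/24
    print(forward(ROUTES_4_1, "192.168.4.0/24", "192.168.2.0/24", host, "192.168.2.30"))
    print(forward(ROUTES_4_1, "192.168.4.0/24", "192.168.2.0/24", host, "8.8.8.8"))
    # Fix from the thread: both selectors set to all-nets
    print(forward(ROUTES_4_1, "0.0.0.0/0", "0.0.0.0/0", host, "8.8.8.8"))
    print(forward(ROUTES_4_1, "0.0.0.0/0", "0.0.0.0/0", host, "1.1.1.1"))
```

With all-nets selectors the tunnel itself no longer limits what it carries, so the IP rules on both DFLs become the only policy deciding which traffic may cross it.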