D-Link Forums

The Graveyard - Products No Longer Supported => D-Link NetDefend Firewalls => Topic started by: Ahmad Awad on December 08, 2015, 10:50:25 AM

Title: NLB and (vpn or port-forwarding) Product : DFL-860E
Post by: Ahmad Awad on December 08, 2015, 10:50:25 AM
Hi, I have 2 wan connections (wan1 and wan2). I am using Route Load Balancing (Destination Algorithm) to balance my traffic over the 2 ISPs (wan1 and wan2). It works fine with one issue: I can only use port forwarding (or vpn) through one wan interface (the one with the lower Metric in the main routing table), but I want to use both of them.

I want to set up the firewall to route the connection through the same wan interface that the data came in on.

thanks in advance
Title: Re: NLB and (vpn or port-forwarding) Product : DFL-860E
Post by: FurryNutz on December 08, 2015, 11:16:51 AM
I recommend that you phone contact your regional D-Link support office and ask for help and information regarding this. We find that phone contact has better immediate results over using email.
Let us know how it goes please.
Title: Re: NLB and (vpn or port-forwarding) Product : DFL-860E
Post by: Ahmad Awad on December 08, 2015, 03:55:14 PM
The regional D-Link support office, after 1 hour of troubleshooting, didn't come up with any solution to my problem, and I think it's fairly universal as it depends on the firewall configuration. If you need anything from my configuration just tell me.
thanks in advance
Title: Re: NLB and (vpn or port-forwarding) Product : DFL-860E
Post by: Ahmad Awad on December 09, 2015, 11:00:07 AM
Anything? ???
Title: Re: NLB and (vpn or port-forwarding) Product : DFL-860E
Post by: FurryNutz on December 09, 2015, 11:06:01 AM
What region are you located?

Title: Re: NLB and (vpn or port-forwarding) Product : DFL-860E
Post by: PacketTracer on December 09, 2015, 01:03:48 PM
Hi,

Quote
I can only use port forwarding (or vpn) through one wan interface (the one with the lower Metric in the main routing table) but I want to use both of them.

You didn't say why this is the case.

If <forw-port> denotes the port to be forwarded, and <forw-ip> denotes the internal IP address that packets shall be forwarded to, please check if the following rule set does what you want:


# | Action | Src Iface | Src Net  | Dest Iface | Dest Net | Service     | SAT Translate
---------------------------------------------------------------------------------------
1 | SAT    | wan1      | all-nets | core       | wan1_ip  | <forw-port> | <forw-ip>
2 | SAT    | wan2      | all-nets | core       | wan2_ip  | <forw-port> | <forw-ip>
3 | Allow  | wan1      | all-nets | core       | wan1_ip  | <forw-port> |
4 | Allow  | wan2      | all-nets | core       | wan2_ip  | <forw-port> |
Title: Re: NLB and (vpn or port-forwarding) Product : DFL-860E
Post by: Ahmad Awad on December 10, 2015, 06:33:18 AM
Here are my configurations
(http://www.sehely.com/it/firewall.png)
If I make the wan1 Metric lower (as in the circle) I can port forward and vpn through wan1 but not wan2, and if I make the wan2 Metric lower I can vpn and port forward from wan2 but not wan1.
PS: WANS is an interface group for wan1 and wan2. I tried making the rules with the individual interfaces, but with the same results.
Title: Re: NLB and (vpn or port-forwarding) Product : DFL-860E
Post by: PacketTracer on December 11, 2015, 01:21:47 PM
I suppose if an external client connects to the WAN IP address which is assigned to the interface with the default route with the higher metric value, the response will be sent through the other WAN interface due to its preferred metric. Hence, due to outgoing NAT, the external client will see the response coming from another IP address and discard it. I further assume that a connection initiation by an external client via a SAT rule does not create "state", that is a NAT session, which would cause the router to send reply traffic back through the WAN interface which is associated with the NAT session. Hence I draw the conclusion that port forwarding will in principle only work with one WAN interface (the one with the lower metric default route).

EDIT: Saying this brings me to the question whether it is possible not only to do SAT for the destination address of incoming connection requests but also to do dynamic NAT (many to one) for the source address, thus creating the state information needed for routing return traffic back the right way...
Title: Re: NLB and (vpn or port-forwarding) Product : DFL-860E
Post by: Ahmad Awad on December 12, 2015, 11:07:59 AM
Quote
EDIT: Saying this brings me to the question whether it is possible not only to do SAT for the destination address of incoming connection requests but also to do dynamic NAT (many to one) for the source address, thus creating the state information needed for routing return traffic back the right way...
Ok, in my case how do I do that??
Title: Re: NLB and (vpn or port-forwarding) Product : DFL-860E
Post by: PacketTracer on December 14, 2015, 02:50:14 AM
Hi, according to chapter 7.2 of your device's manual (ftp://ftp2.dlink.com/PRODUCTS/DFL-860E/DFL-860E_MANUAL_2.60.02_EN_US.PDF) (which you could read as well...), you can add the following two NAT rules, one per WAN interface:

Action: NAT
Src If: wan1 (wan2)
Src Net: all-nets
Dest If: lan
Dest Net: lannet
Service: Mail-Publishing

Under the NAT tab, make sure that the "Use Interface Address" option is selected (default).
Title: Re: NLB and (vpn or port-forwarding) Product : DFL-860E
Post by: Ahmad Awad on December 19, 2015, 04:55:19 AM
Ok, thank you PacketTracer for replying. I did read the manual and I did try NAT without success, and I tried it again and here is the result

(http://www.sehely.com/it/firewall2.jpg)

and I can vpn/port forward from wan1 but not wan2, and here is my log

(http://www.sehely.com/it/firewall.jpg)

please help
and thanks in advance
Title: Re: NLB and (vpn or port-forwarding) Product : DFL-860E
Post by: PacketTracer on December 19, 2015, 07:57:33 AM
Hi,

maybe my original suggestion ...

Action: NAT
Src If: wan1 (wan2)
Src Net: all-nets
Dest If: lan
Dest Net: lannet
Service: Mail-Publishing

... was not the right way to do source NAT. Please try whether the following modified NAT rules work:

Action: NAT
Src If: wan1 (wan2)
Src Net: all-nets
Dest If: core
Dest Net: wan1_ip (wan2_ip)
Service: Mail-Publishing
Please note that I'm not an owner of such a device (and never was it in the past), hence all I can do is think about your problem and try to make suggestions that hopefully might help you to solve it.

PT
Title: Re: NLB and (vpn or port-forwarding) Product : DFL-860E
Post by: FurryNutz on December 19, 2015, 09:28:29 AM
If the problem can't be solved here, I recommend that you phone contact your regional D-Link support office and ask for help and information regarding this. We find that phone contact has better immediate results over using email.
Let us know how it goes please.
Title: Re: NLB and (vpn or port-forwarding) Product : DFL-860E
Post by: Ahmad Awad on December 19, 2015, 11:13:59 PM
PacketTracer .... thanks for even taking the time to reply to me, but still, I tried what you suggested without luck.
I believe my problem lies here
(http://www.sehely.com/it/firewall3.jpg)
because if I make the wan1 Metric lower (as in the circle) I can port forward and vpn through wan1 but not wan2, and if I make the wan2 Metric lower I can vpn and port forward from wan2 but not wan1
Title: Re: NLB and (vpn or port-forwarding) Product : DFL-860E
Post by: PacketTracer on December 20, 2015, 09:12:46 AM
Yes, I understood that. And that was why I suggested also doing source NAT, so that the route metrics become irrelevant. My theory behind that is that for reply traffic from your Mail-Publishing service back to the Internet, the router would choose the outgoing WAN interface not according to the metrics but would instead select the one the NAT session for the source NAT is bound to (and hence the one the connection-initiating request came in on).

But as we can see now, either you didn't manage to establish those additional NAT sessions, or you did, but it didn't help, because my theory is wrong. Anyway I'm running out of ideas.
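As an added illustration (not code from this thread, from D-Link, or from NetDefendOS), the following Python model encodes the reply-path theory PacketTracer describes in the two posts above: a forwarded connection answers via the lowest-metric default route unless a NAT session pins the flow to the interface it arrived on. The metrics, addresses, mail port and interface names wan1/wan2 are constructed sample values; the thread itself reports that the source-NAT variant did not fix the problem on the real device, so the model shows the hypothesis, not verified firewall behaviour.

```python
from dataclasses import dataclass, field

# Constructed sample public addresses; the real addresses are not on the page.
WAN_IP = {"wan1": "198.51.100.10", "wan2": "203.0.113.20"}


@dataclass
class MultiWanFirewall:
    """Toy model of the reply-path hypothesis (not NetDefendOS logic).

    Assumption encoded: a forwarded connection answers via the lowest-metric
    default route unless a NAT session binds it to its ingress interface.
    """
    metrics: dict                                  # interface -> default-route metric
    sessions: dict = field(default_factory=dict)   # flow key -> bound interface

    def preferred_wan(self) -> str:
        # Main routing table: the default route with the lowest metric wins.
        return min(self.metrics, key=self.metrics.get)

    def accept(self, ingress: str, client: str, forw_ip: str, forw_port: int,
               snat: bool = False) -> tuple:
        """Client hits the public address of `ingress`; SAT forwards to forw_ip."""
        key = (client, forw_ip, forw_port)
        if snat:
            # Dynamic NAT with "Use Interface Address": the flow is pinned to ingress.
            self.sessions[key] = ingress
        return key

    def reply_interface(self, key: tuple) -> str:
        # A bound session wins; otherwise the routing table decides.
        return self.sessions.get(key, self.preferred_wan())

    def reply_accepted(self, key: tuple, ingress: str) -> bool:
        # The external client only accepts a reply sourced from the address it
        # contacted; outgoing NAT on the other WAN rewrites it to a different one.
        return WAN_IP[self.reply_interface(key)] == WAN_IP[ingress]


def port_forward_works(ingress: str, snat: bool) -> bool:
    """Does a forwarded connection arriving on `ingress` get a usable reply?"""
    # Constructed metrics: wan1 is the preferred default route (lower metric).
    fw = MultiWanFirewall(metrics={"wan1": 80, "wan2": 90})
    key = fw.accept(ingress, "192.0.2.50", "10.0.0.25", 25, snat=snat)
    return fw.reply_accepted(key, ingress)
```

Under the model, only the preferred interface works without source NAT; with a bound session either WAN answers from the address the client contacted.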
Title: Re: NLB and (vpn or port-forwarding) Product : DFL-860E
Post by: FurryNutz on February 08, 2016, 07:01:39 AM
Any status on this?  ???