Multiple WAN Interface Setup, different zones

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Multiple WAN Interface Setup, different zones

L0 Member

Hi all

 

I'm struggling to configure a VM-200 with multiple WAN interfaces. I've read a few forum posts on the subject and I understand the suggestions (PBF, 1:1 vs 1:Many NAT, etc) but the situation I'm in is a little different.

 

We are running the VM-200 on a cloud platform, which has provided us two WAN IP addresses. These addresses are contiguous (1.1.1.5 & 1.1.1.6), with the same gateway (1.1.1.1).

 

1.1.1.5 is attached to Ethernet1/1, and 1.1.1.6 to Ethernet1/2. I was planning on dedicating the 1.1.1.6 for an LSVPN Portal/Gateway, so it has been placed in a differnet zone. 1.1.1.5 is in zone "L3-Untrust", 1.1.1.6 in zone "LSVPN-Tunnel"

 

Both are set to a Management Profile that allows ping, but I can only ping one at a time externally. There's a static default route for 0.0.0.0/0, and if I select Ethernet1/1 as the interface, I can ping 1.1.1.5 externally, but not 1.1.1.6. If I change the default route interface to Ethernet1/2, I can ping 1.1.1.6 externally but not 1.1.1.5. I can't remove the interface from the default route, as the subnet of both WAN connections (/24) causes an overlap. So I have to set the interface address to the /32, and specify which interface to use in the static default route

 

So the question is, how can I have a VM-200 respond to ping on two WAN connections at the same time, when they have overlapping subnets and the same gateway and are in different zones? PBF doesn't help as the interfaces are in different zones and NAT isn't a factor as the Management Interface ICMP echo should happen pre-NAT. I've tried fiddling with route metrics, but that doesn't get me anywhere.

 

Do I need different virtual routers for this? If so, how would that affect my ability to have an LSVPN portal/gateway operate on one interface, with internet access on the other interface, and 'route' between them (so users of the LSVPN satellites will get internet access through Ethernet1/1)?

 

I'm aware that ping isn't neccessarily required to get an LSVPN gateway functioning, but the test satellite is saying 'connection failed'. My first debug operation was a ping, which failed, and led me down this path. I may be able to get LSVPN working withouth ping, but I'd prefer to get ping operational on both interfaces at the same time before troubleshooting any further.

 

Any help would be appreciated, thanks

Dennis

1 REPLY 1

L3 Networker

I want to make sure I understand what you're trying to accomplish.

Both E1/1 and E1/2 are internet facing, one interface specifically being allocated (by you) for LSVPN the other for internet access.

You were allocated 2 public IP addresses on the same subnet so both have the same gateway.

 

It does sound like you can use different virtual routers for this, putting one interface in each VR. In the LSVPN VR, you could specifiy a default route and point to the Internet VR. In the internet VR, you would need to define all the destination subnets accessible over LSVPN to route back to the LSVPN VR. If the destinations can be summarized easily, that might not be too much work.

Or you could run a dynamic routing protocol between the VRs to exchange prefixes.

  • 2745 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!