Title: 2 LAN, 2 WAN, basically, two routers in one. Post by: trymes on Thursday 15 September 2011, 02:22:34 am For various reasons, I have two separate LANS, each of which currently has its own WAN connection and its own non-Endian router.
I am now replacing the existing routers with Endian and would prefer to avoid having two routers and simply have one machine serve these functions: 1.) Router for LAN1 2.) Router for LAN2 3.) Route between LAN1 and LAN2 I was thinking that I would put LAN1 on Green, LAN2 on Blue, and use two uplinks, and then adjust the firewall rules to keep LAN1 devices from using LAN2's uplink, etc. Static routes would provide the routing functionality between LANs. Is this reasonably feasible, or am I asking for trouble? Tom Title: Re: 2 LAN, 2 WAN, basically, two routers in one. Post by: mrkroket on Thursday 15 September 2011, 04:25:05 am Without using HTTP proxy, yes.
When using HTTP proxy you lose control con HTTP routing, all HTTP/S traffic goes thru the main interface. About routes between LAN1 and LAN2, I don't think you need static routes, just configure the inter-zone firewall. As long as all machines have Endian as the main gateway, Endian itself knows how to route between their zones. Static routes are meant for reaching external LAN's via 3rd party routers. Title: Re: 2 LAN, 2 WAN, basically, two routers in one. Post by: trymes on Thursday 15 September 2011, 10:22:10 am OK, thanks. I don't generally use the proxy anyway.
Just to confirm, I would have a Green, Blue, and two Red interfaces? The Outbound Firewall would be used to control outbound traffic (even if it was only two rules, one for each LAN)? Then Inter-zone would limit traffic between the LAN segments. Presumedly, the inter-zone firewall could be turned off, and then any traffic would be free to flow between the LANs, if you so wished. Unfortunately, it appears that IPSec for Net-to-Net communication is limited to one interface only, whereas I need multiple tunnels over both WAN links. Oh well... Tom Title: Re: 2 LAN, 2 WAN, basically, two routers in one. Post by: mrkroket on Friday 16 September 2011, 01:20:57 am Yes, you need Green, Blue and two Red's.
To send traffic for an specific WAN, you must use Network->Routing->Policy Routing. Create 2 rules: 1- Source: Green Dest: ANY Route Via: WAN1 (check the failover option) 1- Source: Blue Dest: ANY Route Via: WAN2 (check the failover option) This way you'll send Green via WAN1 and Blue via WAN2. You also have failover, so if WAN2 fails, it auto-switch to WAN1. Then on the outgoing firewall you can filter any traffic you want. About the inter-zone, do not turn off (i think this cut off any traffic). Simple create an allow all rule. About IPSec, I dont use it. I use OpenVPN and you can create routes to reach BLUE and ORANGE from remote sites. Title: Re: 2 LAN, 2 WAN, basically, two routers in one. Post by: trymes on Tuesday 20 September 2011, 12:25:00 am Thanks for the information, mrkroket. I can confirm that enabling the inter-zone firewall and adding a rule that permits any information to send any service to any other interface allows traffice to be properly routed. I am currently using the ORANGE zone for the second LAN, and I cannot figure out what sort of rule I can craft that will simply allow routing between green and blue without resorting to ANY/ANY/ANY, but I have had no luck thus far.
Any ideas? Tom Title: Re: 2 LAN, 2 WAN, basically, two routers in one. Post by: trymes on Thursday 22 September 2011, 04:09:40 am To supply further information, it looks like an IPSec can be used with multiple interfaces. Each tunnel, however, can only use on uplink.
In other words, it is not possible to have one tunnel that uses multiple uplinks, but it is possible to have multiple tunnels, half of which use one uplink, and half of which use another. Luckily, this is exactly what I was looking for. I have not yet tried this, but I will give it a go this evening and report back on how it works. Lastly, I have found that, if you try to route between two subnets, GREEN and BLUE, where BLUE is NOT the main router for its subnet, you MUST specify an inter-zone firewall rule that allows traffic from those specific subnets, or from all subnets. For example: Endian: GREEN=10.0.0.0/16 BLUE=192.168.1.43 Other Router: LAN=192.168.1.0/24 Default GW for clients on this LAN = 192.168.1.1 Static Route for 10.0.0.0/16 with GW of 192.168.1.43 This works fine, just so long as you leave the inter-zone FW on and specify a rule that allows traffic between 192.168.1.0/24 and 10.0.0.0/16. Just allowing traffic from GREEN to BLUE does not work for some reason. Tom |