Topic: 2 LAN, 2 WAN, basically, two routers in one.
trymes (Full Member, Posts: 36)
« on: Thursday 15 September 2011, 02:22:34 am »

For various reasons, I have two separate LANs, each of which currently has its own WAN connection and its own non-Endian router.

I am now replacing the existing routers with Endian and would prefer to avoid having two routers and simply have one machine serve these functions:

1.) Router for LAN1
2.) Router for LAN2
3.) Route between LAN1 and LAN2

I was thinking that I would put LAN1 on Green, LAN2 on Blue, and use two uplinks, and then adjust the firewall rules to keep LAN1 devices from using LAN2's uplink, etc. Static routes would provide the routing functionality between LANs.

Is this reasonably feasible, or am I asking for trouble?

Tom
mrkroket (Hero Member, Posts: 495)
« Reply #1 on: Thursday 15 September 2011, 04:25:05 am »

Without using HTTP proxy, yes.
When using the HTTP proxy you lose control of HTTP routing; all HTTP/S traffic goes through the main interface.

About routes between LAN1 and LAN2, I don't think you need static routes, just configure the inter-zone firewall.
As long as all machines have Endian as the main gateway, Endian itself knows how to route between their zones.
Static routes are meant for reaching external LANs via 3rd party routers.
trymes (Full Member, Posts: 36)
« Reply #2 on: Thursday 15 September 2011, 10:22:10 am »

OK, thanks. I don't generally use the proxy anyway.

Just to confirm, I would have a Green, Blue, and two Red interfaces? The Outbound Firewall would be used to control outbound traffic (even if it was only two rules, one for each LAN)? Then Inter-zone would limit traffic between the LAN segments.

Presumably, the inter-zone firewall could be turned off, and then any traffic would be free to flow between the LANs, if you so wished.

Unfortunately, it appears that IPSec for Net-to-Net communication is limited to one interface only, whereas I need multiple tunnels over both WAN links.

Oh well...

Tom
mrkroket (Hero Member, Posts: 495)
« Reply #3 on: Friday 16 September 2011, 01:20:57 am »

Yes, you need Green, Blue and two Reds.

To send traffic for a specific WAN, you must use Network->Routing->Policy Routing.

Create 2 rules:
1- Source: Green  Dest: ANY   Route Via: WAN1 (check the failover option)
2- Source: Blue     Dest: ANY   Route Via: WAN2 (check the failover option)

This way you'll send Green via WAN1 and Blue via WAN2. You also have failover, so if WAN2 fails, it auto-switches to WAN1.
Then on the outgoing firewall you can filter any traffic you want.

About the inter-zone, do not turn it off (I think this cuts off any traffic). Simply create an allow-all rule.

About IPSec, I don't use it. I use OpenVPN and you can create routes to reach BLUE and ORANGE from remote sites.
trymes (Full Member, Posts: 36)
« Reply #4 on: Tuesday 20 September 2011, 12:25:00 am »

Thanks for the information, mrkroket. I can confirm that enabling the inter-zone firewall and adding a rule that permits any interface to send any service to any other interface allows traffic to be properly routed. I am currently using the ORANGE zone for the second LAN, and I cannot figure out what sort of rule I can craft that will simply allow routing between green and blue without resorting to ANY/ANY/ANY, but I have had no luck thus far.

Any ideas?

Tom
trymes (Full Member, Posts: 36)
« Reply #5 on: Thursday 22 September 2011, 04:09:40 am »

To supply further information, it looks like IPSec can be used with multiple interfaces. Each tunnel, however, can only use one uplink.

In other words, it is not possible to have one tunnel that uses multiple uplinks, but it is possible to have multiple tunnels, half of which use one uplink, and half of which use another. Luckily, this is exactly what I was looking for.

I have not yet tried this, but I will give it a go this evening and report back on how it works.

Lastly, I have found that, if you try to route between two subnets, GREEN and BLUE, where BLUE is NOT the main router for its subnet, you MUST specify an inter-zone firewall rule that allows traffic from those specific subnets, or from all subnets. For example:

Endian:
GREEN=10.0.0.0/16
BLUE=192.168.1.43

Other Router:
LAN=192.168.1.0/24
Default GW for clients on this LAN = 192.168.1.1
Static Route for 10.0.0.0/16 with GW of 192.168.1.43

This works fine, just so long as you leave the inter-zone FW on and specify a rule that allows traffic between 192.168.1.0/24 and 10.0.0.0/16. Just allowing traffic from GREEN to BLUE does not work for some reason.

Tom
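The setup worked out across Reply #3 (per-zone policy routing with failover, inter-zone allow rule) and Reply #5 (subnet-based inter-zone rule, static route on the other router) can be checked on paper with a small model. The following Python is an added example, not Endian code and not posted by anyone in the thread; the zone names, subnets, uplink names and the 192.168.1.43 / 192.168.1.1 addresses are taken from the posts, while the BLUE subnet being a /24, the rule ordering and the first-match, default-deny semantics are assumptions.

```python
"""Constructed model of the two-LAN, two-WAN Endian layout from the thread.
Added example; zone names and addresses follow the posts, the rule
semantics (first match wins, default deny) are assumed."""
from ipaddress import ip_address, ip_network

# Zone subnets. GREEN is given as 10.0.0.0/16; the post only gives Endian's
# BLUE address (192.168.1.43), so the /24 is an assumption.
ZONES = {
    "GREEN": ip_network("10.0.0.0/16"),
    "BLUE": ip_network("192.168.1.0/24"),
}

# Policy routing rules from Reply #3: source zone -> preferred uplink,
# with failover to the other uplink when the preferred one is down.
UPLINKS = ["WAN1", "WAN2"]
POLICY_ROUTES = [
    {"source": "GREEN", "via": "WAN1", "failover": True},
    {"source": "BLUE", "via": "WAN2", "failover": True},
]

# Inter-zone rules written on subnets, as Reply #5 found necessary once
# BLUE-side traffic originates behind another router.
INTERZONE_RULES = [
    {"src": ip_network("192.168.1.0/24"), "dst": ip_network("10.0.0.0/16"), "action": "ALLOW"},
    {"src": ip_network("10.0.0.0/16"), "dst": ip_network("192.168.1.0/24"), "action": "ALLOW"},
]

# Routing table of the LAN behind the other router (Reply #5): default via
# the other router, static route for GREEN via Endian's BLUE address.
OTHER_LAN_ROUTES = [
    (ip_network("0.0.0.0/0"), "192.168.1.1"),
    (ip_network("10.0.0.0/16"), "192.168.1.43"),
]


def zone_of(addr):
    """Return the zone whose subnet contains addr, or None for the Internet."""
    a = ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return None


def choose_uplink(src, uplink_up):
    """Pick the egress uplink for Internet-bound traffic from src.
    uplink_up maps uplink name -> bool (is the link usable?)."""
    zone = zone_of(src)
    for rule in POLICY_ROUTES:
        if rule["source"] != zone:
            continue
        if uplink_up.get(rule["via"], False):
            return rule["via"]
        if rule["failover"]:
            for other in UPLINKS:
                if other != rule["via"] and uplink_up.get(other, False):
                    return other
        return None
    return None  # source not in a routed zone: no policy applies


def interzone_allowed(src, dst):
    """First matching rule wins; no match means deny, as with the
    inter-zone firewall switched on and no rule covering the pair."""
    s, d = ip_address(src), ip_address(dst)
    for rule in INTERZONE_RULES:
        if s in rule["src"] and d in rule["dst"]:
            return rule["action"] == "ALLOW"
    return False


def route_packet(src, dst, uplink_up):
    """Decide what Endian does with a packet: ("LAN", zone), ("WAN", uplink)
    or ("DROP", reason)."""
    dst_zone = zone_of(dst)
    if dst_zone is not None:
        if zone_of(src) == dst_zone:
            return ("LAN", dst_zone)  # same zone, no inter-zone check
        if interzone_allowed(src, dst):
            return ("LAN", dst_zone)
        return ("DROP", "interzone")
    up = choose_uplink(src, uplink_up)
    return ("WAN", up) if up else ("DROP", "no uplink")


def next_hop(dst, table=OTHER_LAN_ROUTES):
    """Longest-prefix match over a (network, gateway) table, i.e. how a
    host on the other LAN picks between its default gateway and the
    static route pointing at Endian."""
    d = ip_address(dst)
    best = None
    for net, gw in table:
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


if __name__ == "__main__":
    links = {"WAN1": True, "WAN2": False}  # constructed: WAN2 is down
    print(route_packet("192.168.1.20", "8.8.8.8", links))   # BLUE fails over to WAN1
    print(route_packet("192.168.1.20", "10.0.2.9", links))  # allowed into GREEN
    print(next_hop("10.0.3.4"))                             # via Endian, 192.168.1.43
```

Running the block prints the failover decision for a BLUE host while WAN2 is down, the inter-zone verdict for BLUE-to-GREEN traffic, and the next hop a host on the other LAN uses for a GREEN address. The useful property to notice is that the inter-zone check is done on addresses, not on the zone the packet arrived on, which is why a rule that names subnets keeps working when the source sits behind a second router.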