Balance drop-in mode and multiple published services on firewall


#1

I have configured my Peplink 2500 in drop-in mode; the drop-in mode ISP is working. However, the secondary WAN ISP isn't working.

My setup is INTERNET - Balance - FIREWALL.

On the firewall we have multiple published services on a block of IP addresses.

My question is:

How do I enable the services published on the secondary ISP's block of IP addresses to be accessible from the internet?

Can this be done without removing the public IP addresses from the firewall itself?

I would also like to know if it is necessary to make changes in published DNS to point my services to the IP address of the Peplink, for the secondary ISP's published services.


#2

Hi,

Please refer here to have an overview of Drop-in mode with multiple WANs.

Please refer to the diagram from the provided link. The PC's IP will be NATed as below if traffic is going out to WAN2:
192.168.1.x > 210.10.10.x > 22.2.2.x

So there is no issue publishing your services over WAN2, and the firewall still maintains its own public IP.

Hope this helps.


#3

Thanks for the response; however, I haven't yet understood how to resolve my issue.

Let me attempt to diagram my situation as follows:

ISP 1 Block : 172.172.172.1 - 5

ISP 2 Block : 44.33.22.1 - 5

Block 1 works fine for me.

Now assume I have the following NATs on the firewall (for ISP 2):

192.168.0.1 - 44.33.22.1
192.168.0.2 - 44.33.22.2
192.168.0.3 - 44.33.22.3
192.168.0.4 - 44.33.22.4
192.168.0.5 - 44.33.22.5:80
192.168.0.6 - 44.33.22.5:9000

Let's say that I gave the WAN2 interface the IP address 44.33.22.6.

My external DNS has the block 44.33.22.1 - 5 registered with different public host names.

How do I map the incoming traffic from the ISP to reach the block 44.33.22.1 - 5 through the Peplink?

Do I use NAT (for ISP2) on the Peplink? If so, what kind of NAT rules?

My deployment is as follows.

ISP ----- PEPLINK ------ FIREWALL

When I put the Peplink inline, ISP 1 is okay, and ISP 2 outgoing traffic is okay when I set the default gateway on the firewall to the Peplink, but incoming traffic from the internet through ISP 2 to the published servers isn't working.


#4

Hi,

Your firewall just needs to do NAT from LAN IP to 172.172.172.x or vice versa. Make sure the firewall gateway points to the ISP router/modem, not the Peplink.

For inbound access from WAN2 (44.33.22.x), you need to do the following steps:

  1. Peplink - Please go to Network > Inbound Access or NAT Mappings.
  • This will NAT 44.33.22.x to 172.172.172.x.
  2. Firewall - Perform static NAT.
  • This will NAT 172.172.172.x to LAN IP.

Hope this clears your doubts.


#5

hi Tk,

Thanks for the insight.

I still have some questions.

  1. Does this mean all outbound NAT on the firewall has to be towards the ISP 1 block, e.g. 172.172.172.x in my case?
    What if I do not have enough public IP addresses on the ISP 1 block, but I have some on my ISP 2 block? How do I use them?

  2. When you said "This will NAT 44.33.22.x to 172.172.172.x.", does this mean I have to put the NAT mapping for
    44.33.22.1, 44.33.22.2, 44.33.22.3, 44.33.22.4
    on the Peplink to the ISP block on the firewall? Or do I just NAT the ISP2 network interface IP address on the Peplink (44.33.22.6) to the ISP1 network interface IP address on the firewall (172.172.172.1)?

  3. What if I have a secondary block on ISP 1 (172.172.173.x)? How do I make it work? It wasn't working in drop-in mode.


#6

Hi,

  1. Yes. Ideally the WAN1 IP block should be equal to or greater than the WAN2 IP block when you wish to do Drop-in.

  2. This depends. If you want to do 1-to-1 NAT, then you may use NAT Mapping on the Peplink to NAT to the firewall IP block. If you want to do port forwarding, then you may NAT the WAN2 interface IP on the Peplink to the firewall interface with a specific port.

  3. This works when you enable Drop-in mode. I assume your connection is as below:
    ISP1 > Router > Peplink (Drop-in) > Firewall.
    The network segment between router and firewall is 172.172.172.0/30 with floating IPs 172.172.173.x, which are given by ISP1.
    In this scenario, you may enable Drop-in with Shared IP (Network > LAN > click ? in Drop-In Mode Settings) with the settings below:

  • Management IP Address: <Configure 1 of the floating IP>
  • Shared IP Address: <Configure Firewall IP>
  • WAN Default Gateway: <Configure router IP>
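To make the two-stage translation in posts #4 and #6 concrete, here is an added model of the inbound and outbound NAT chain. It is example code written for this thread, not Peplink configuration or anything posted by the participants. It assumes the Peplink holds a 1-to-1 NAT Mapping for 44.33.22.1 - 4 and port forwards for 44.33.22.5:80 and :9000 (step 1 of post #4), and that the firewall's static NAT has been repointed from the ISP2 addresses shown in post #3 to the ISP1 block 172.172.172.x (step 2 of post #4); the LAN addresses 192.168.0.x are taken from post #3. The trace also shows the failure mode from post #3: a packet arriving on WAN2 for an address that has no rule on the Peplink never reaches the firewall.

```python
"""Model of the Peplink -> firewall NAT chain discussed in posts #4 and #6.

Inbound:  Internet -> Peplink (44.33.22.x -> 172.172.172.x) -> firewall (172.172.172.x -> 192.168.0.x)
Outbound: the same chain in reverse; only 1:1 rules give a fixed public address.
All addresses and rules below are constructed from the thread for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip address, tcp/udp port)


@dataclass
class NatDevice:
    name: str
    # 1:1 NAT ("NAT Mapping" on the Peplink, static NAT on the firewall). Bidirectional.
    one_to_one: Dict[str, str] = field(default_factory=dict)  # outside ip -> inside ip
    # Port forwarding ("Inbound Access"): inbound only; one outside IP shared by several servers.
    port_forwards: Dict[Endpoint, Endpoint] = field(default_factory=dict)

    def inbound(self, dst: Endpoint) -> Optional[Endpoint]:
        """Translate a packet arriving on the outside interface. None = no rule, so it is dropped
        (or answered by the device itself) and never reaches the next hop."""
        if dst in self.port_forwards:
            return self.port_forwards[dst]
        ip, port = dst
        if ip in self.one_to_one:
            return (self.one_to_one[ip], port)
        return None

    def outbound(self, src: Endpoint) -> Optional[Endpoint]:
        """Reverse direction: a host behind a 1:1 rule leaves with that fixed outside address.
        Hosts without one would get the interface's hide-NAT address instead (modelled as None)."""
        ip, port = src
        for outside, inside in self.one_to_one.items():
            if inside == ip:
                return (outside, port)
        return None


def trace(devices: List[NatDevice], pkt: Endpoint, direction: str) -> Tuple[List[Endpoint], Optional[Endpoint]]:
    """Walk a packet through the devices in order; return every hop and the final endpoint (or None)."""
    hops = [pkt]
    for dev in devices:
        nxt = dev.inbound(pkt) if direction == "in" else dev.outbound(pkt)
        if nxt is None:
            return hops, None
        hops.append(nxt)
        pkt = nxt
    return hops, pkt


# Peplink rules for WAN2, as described in post #4 step 1 (constructed).
PEPLINK = NatDevice(
    "peplink",
    one_to_one={f"44.33.22.{i}": f"172.172.172.{i}" for i in range(1, 5)},
    port_forwards={
        ("44.33.22.5", 80): ("172.172.172.5", 80),
        ("44.33.22.5", 9000): ("172.172.172.5", 9000),
    },
)

# Firewall static NAT, repointed from the 44.33.22.x addresses in post #3 to the ISP1 block (post #4 step 2).
FIREWALL = NatDevice(
    "firewall",
    one_to_one={f"172.172.172.{i}": f"192.168.0.{i}" for i in range(1, 5)},
    port_forwards={
        ("172.172.172.5", 80): ("192.168.0.5", 80),
        ("172.172.172.5", 9000): ("192.168.0.6", 9000),
    },
)

CHAIN_IN = [PEPLINK, FIREWALL]
CHAIN_OUT = [FIREWALL, PEPLINK]


def inbound_target(public: Endpoint) -> Optional[Endpoint]:
    """LAN endpoint that finally receives a packet sent to a WAN2 public address, or None if dropped."""
    return trace(CHAIN_IN, public, "in")[1]


def outbound_source(lan: Endpoint) -> Optional[Endpoint]:
    """Public WAN2 address a LAN host appears from when its traffic leaves via WAN2 (1:1 rules only)."""
    return trace(CHAIN_OUT, lan, "out")[1]


if __name__ == "__main__":
    for dst in [("44.33.22.1", 443), ("44.33.22.5", 80), ("44.33.22.5", 9000),
                ("44.33.22.5", 22), ("44.33.22.7", 80)]:
        hops, final = trace(CHAIN_IN, dst, "in")
        path = " -> ".join(f"{ip}:{port}" for ip, port in hops)
        print(path if final else f"{path}  (no rule on {CHAIN_IN[len(hops) - 1].name}: dropped)")
```

The trace for 44.33.22.7:80 and for 44.33.22.5:22 stops at the Peplink, which is exactly what the original poster saw: the firewall's own NAT rules for the ISP2 block are never consulted because the Peplink has nothing telling it where a WAN2 address should go. Adding the mapping on the Peplink and pointing the firewall's static NAT at the ISP1 block completes the chain without removing any public address from the firewall.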

#7

Thanks for the response.

This is my actual scenario:

WAN1
ISP1 — ROUTER ---- DROP-IN/PEPLINK ------ FIREWALL

ISP1 BLOCK 1 – 172.172.172.0/28
ISP1 BLOCK 2 – 172.172.173.0/28

ISP2 BLOCK 1 – 44.33.23.0/30
ISP2 BLOCK 2 – 44.33.22.0/27 (FLOATING)

What if I don't want to make changes to the current NAT in the firewall?

Can this work for both incoming and outgoing traffic?

  1. Put a route on the Peplink for ISP1 BLOCK 2 to the firewall external IP,
     e.g. destination (ISP1 BLOCK 2) gateway (FIREWALL_IP)

  2. Put a route on the Peplink for ISP2 BLOCK 2 to the firewall external IP

#8

Hi Zaviye,

Would you mind opening a support ticket here? Then our support team could take a closer look at your deployment.

Thanks and regards,
Wei-Ming


#9

Done. Awaiting response.