Can't Separate Network Between Peplink


#1

Hi, I am facing an issue with the Peplink 390. I have 2 ISPs, both connected to the Peplink: the 1st ISP is in drop-in mode and the 2nd one is connected to a WAN port. Recently I was having an issue with the VPN where my users get connected to the firewall; I needed those users' traffic to go out through the 2nd ISP, which it fails to do. To my understanding, any of my servers that have inbound & outbound NAT will leave through the default ISP; the rest will all go through the 1st ISP.

To eliminate the issue, I connected a switch in front of the Peplink: a cable coming from the 2nd ISP router goes to the switch, the Peplink is connected to the switch, and I pulled another cable from the switch and connected it to the firewall.

I hope so far I am clear in what I am trying to explain! The reason I am doing this is to have my users come over the 2nd ISP independently, so that they can utilize the full bandwidth. Now the problem is that the moment I connect the cable from the switch to the Peplink, I am unable to access the firewall coming over the 2nd ISP; once I disconnect the Peplink, it starts to work fine without any issue.

I would appreciate it if anyone could suggest what I should do.


#2

That is a problem with the firewall routing. The firewall receives the connection request over the 2nd ISP connection; however, the firewall itself is sending the reply back over the first interface (which connects to the Peplink in drop-in mode). The Peplink, being configured with a default outbound rule that prioritises the 2nd ISP connection, will NAT the reply's source address to the Peplink's address from the 2nd ISP range and send it out. Of course this will break the connection. However, when you disconnect the Peplink's 2nd ISP connection, the reply will now go over the 1st ISP connection unchanged (because the Peplink is in drop-in mode in this direction), and that is why you see it works.

My suggestion: you have two options.

Option 1: Configure the second firewall interface with an address from the 2nd ISP range (as already done), but make sure this interface is put under a new "Virtual Router", to isolate the traffic between the two firewall interfaces and to be able to define multiple default gateways (one per virtual router).

Option 2: Configure a virtual secondary IP address on the firewall's 1st interface (example: 192.192.192.192/32), use the Peplink to NAT this address to a free IP from the 2nd ISP, and force it to communicate only over the 2nd ISP connection.

Good Luck!
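The reply-path failure described in this answer, as an added model that is not part of the original thread: the addresses are constructed RFC 5737 documentation ranges standing in for the two ISPs, and the "per-interface routing" switch is an assumed stand-in for the virtual-router setup in option 1. It shows why the reply's source address changes when it leaves via the Peplink's 2nd ISP, and why it does not once the ISP2-facing interface has its own default gateway.

```python
"""Constructed model of the asymmetric-routing problem from the thread."""
import ipaddress
from dataclasses import dataclass

# Assumed addresses (documentation ranges, not values from the post).
ISP1_NET = ipaddress.ip_network("198.51.100.0/24")  # drop-in WAN, forwarded unchanged
ISP2_NET = ipaddress.ip_network("203.0.113.0/24")   # 2nd ISP on the Peplink WAN port
FW_IF1 = ipaddress.ip_address("198.51.100.10")      # firewall 1st interface, behind Peplink
FW_IF2 = ipaddress.ip_address("203.0.113.10")       # firewall 2nd interface, via the switch
PEPLINK_WAN2 = ipaddress.ip_address("203.0.113.2")  # Peplink's own address on ISP2
CLIENT = ipaddress.ip_address("192.0.2.50")         # remote VPN user on the internet


@dataclass
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def firewall_egress(pkt: Packet, per_interface_routing: bool) -> str:
    """Choose the firewall's outgoing interface for a reply.

    With a single routing table the only default route points at the Peplink
    on if1. With a routing table per interface (the 'virtual router' of
    option 1), a reply sourced from the if2 address uses if2's own gateway.
    """
    if per_interface_routing and pkt.src == FW_IF2:
        return "if2"
    return "if1"


def peplink_forward(pkt: Packet, preferred_wan: str) -> Packet:
    """Peplink outbound rule: traffic sent out WAN2 is source-NATed to the
    Peplink's WAN2 address; drop-in traffic on WAN1 is forwarded unchanged."""
    if preferred_wan == "WAN2":
        return Packet(PEPLINK_WAN2, pkt.dst)
    return pkt


def reply_seen_by_client(per_interface_routing: bool, preferred_wan: str = "WAN2") -> Packet:
    request = Packet(CLIENT, FW_IF2)           # user reaches the firewall over ISP2
    reply = Packet(request.dst, request.src)   # firewall answers from the address it was hit on
    if firewall_egress(reply, per_interface_routing) == "if2":
        return reply                           # straight out via the ISP2 switch, unchanged
    return peplink_forward(reply, preferred_wan)


def connection_works(per_interface_routing: bool, preferred_wan: str = "WAN2") -> bool:
    """The client's session only accepts a reply from the address it connected to."""
    return reply_seen_by_client(per_interface_routing, preferred_wan).src == FW_IF2
```

`connection_works(False)` reproduces the broken case, `connection_works(False, "WAN1")` the "works when the 2nd ISP cable is unplugged" case, and `connection_works(True)` the option 1 fix.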