Yeah, I was hoping to keep it abstract.
The reason I ask is because I am playing with my multi-router configuration and the secondary router will only populate the active sessions (transit) if the traffic comes across as VPN. I have a direct connection (WAN to WAN) between a Balance One and a Balance 30.
I can live without the client list, but seeing the active sessions going through the router is important to me. It is super weird seeing the throughput numbers on the dashboard indicating traffic going through, but nothing in the active sessions. I don’t fully understand why the VPN is required for these sessions to show up in this table.
My goal is to use both routers on my network. I want one WAN on each for outbound traffic that is accessible to my LANs and VLANs. I have tried all kinds of different layouts and the current one is the most performant. I basically want the Balance 30 to act as a bridge to my second internet connection without requiring double NAT. WAN to LAN doesn’t work as expected with IP Forwarding due to the B30 not allowing an ALL trunk (traffic can go out tagged, but isn’t recognized on the way back). LAN to LAN won’t allow me to use outbound policies. WAN to WAN with a direct connect, IP forwarding, and PepVPN allows me to see the active sessions, but then I can’t properly balance traffic across the links. Aaaargh. Two pieces of hardware sharing the load has to be better than a single device - it just has to.
I am also concerned that since it is not in the active sessions table, the firewall is being bypassed. I had an issue where 169.254 addresses were making it out to the internet. I tried to block it on the source router - didn’t work. I tried to block it at the destination router - didn’t work. I tried to block it at the destination router WAN - didn’t work. I had to force the traffic through the VPN to get the firewalls to block it. I ended up building a VLAN for 169.254 (since the devices spewing this crap can’t do VLAN tagging) and excluded that VLAN from my trunk ports. That seems to work best, as it is dropped before it ever traverses the first router. What am I missing here? Why is a non-encrypted VPN required to get these sessions to show up in active sessions?