DrTCP (Yours truly) Premium, ExMod 1999-04, join: 1999-11-09, Round Rock, TX | reply to Anav
Re: Using USG with an ONT modem

said by Anav:
First picture is current status quo....... the 14 is fibre op, the 20 is cable.
Second picture is with VLAN activated and all associated changes made.
What is very interesting is that when I try to connect thru the VLAN, the router is NOT able to get to my cable WAN1 at all. It doesn't switch to WAN1.

So, you have the proper routes added automatically. You do not need any manual route additions.
Since your wan1 metric is higher than wan2 (and also vlan35), your setup gives precedence to wan2/vlan35 over wan1. I think the connectivity check on vlan35 says vlan35 is up, so there is no reason to use wan1 (except for directly connected subnets).
Can you go back to the USG console and ping both of your gateways? (You have to enter enable mode first, since ping is a privileged-mode command.)
Your cable gateway: ping 20x.x.252.1
Your ONT network gateway: ping 14x.x.188.1
Next, disconnect the wan1 cable and ping the DSLReports IP: ping 209.123.109.175
Plug wan1 back in, make sure it has an IP again, then disconnect the wan2 cable and ping 209.123.109.175
Did you get responses for all of these pings?
Anav (Sarcastic Llama? Naw, Just Acerbic) Premium, join: 2001-07-16, Dartmouth, NS, kudos: 3
I use WAN1 in case WAN2 is down (backup). I also have mail accounts on wan1. Therefore I have a policy route that forwards email requests to WAN1. Same for an RDP function from time to time.
Yes, concur: the router shows vlan35 is up even when I am not getting any internet, and thus it will not switch to wan1.
In the maintenance menu there is a packet flow explore feature set for SNAT and routing status; wonder if those would be of any help?
Anav (Sarcastic Llama? Naw, Just Acerbic) Premium, join: 2001-07-16, Dartmouth, NS, kudos: 3 | reply to Anav
Ping responses. Both up, regular settings, no worries, full internet.
With WAN1 UP, WAN2 down, I can ping both the cable and the Fibre OP successfully. BUT I have no internet on wan2 and the router does not push requests to WAN1. If I deactivate the VLAN then the router kicks me to WAN1.
Now for DSLReports pinging: WAN1 disabled, ping went fine to dslreports. WAN2 disabled, ping went fine BUT NO INTERNET. WAN2 and VLAN disabled, ping WENT fine.
Basically in standard configurations I could ping all and internet would work regardless of which WAN was down.
In our new configuration I could ping DSLReports regardless of the setup: wan1 down or wan2 down, vlan up or down. I could not get internet connectivity to my LAN via fibre op at all. I could not get it via cable-WAN1 unless the VLAN was down. The state of the WAN2 interface seemed to have no bearing.
--
Ain't nuthin but the blues! "Albert Collins". Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"
LlamaWorks Equipment
DrTCP (Yours truly) Premium, ExMod 1999-04, join: 1999-11-09, Round Rock, TX | reply to Anav
said by Anav:
I use WAN1 in case WAN2 is down (backup). I also have mail accounts on wan1. Therefore I have a policy route that forwards email requests to WAN1. Same for an RDP function from time to time.

What does this policy route cover? SMTP, POP3, IMAP? Can you still access (ping) them by IP from LAN when vlan35 is up?

said by Anav:
In the maintenance menu there is a packet flow explore feature set for SNAT and routing status; wonder if those would be of any help?

Could be.
DrTCP (Yours truly) Premium, ExMod 1999-04, join: 1999-11-09, Round Rock, TX | reply to Anav
said by Anav:
Ping responses. Both up, regular settings, no worries, full internet.
With WAN1 UP, WAN2 down, I can ping both the cable and the Fibre OP successfully. BUT I have no internet on wan2 and the router does not push requests to WAN1. If I deactivate the VLAN then the router kicks me to WAN1.

Your vlan has priority over wan1 (and your wan2 has priority over wan1 when the vlan is not there). Normally if wan2 or vlan35 is down, ZyWALL would switch over to wan1, but in this case your ZyWALL considers your vlan35 fully operational.

said by Anav:
Now for DSLReports pinging: WAN1 disabled, ping went fine to dslreports. WAN2 disabled, ping went fine BUT NO INTERNET. WAN2 and VLAN disabled, ping WENT fine.

This is telling me that your vlan35 interface is working just fine when ZyWALL is the originator of the packets. The fact that it is not working from LAN may indicate that SNAT is not used for vlan35. You will probably have to create mapping rules. I suspect the packets from LAN to vlan35 are forwarded with the source IP and port of the LAN hosts, and the responses are not coming back to ZyWALL. A packet capture could help verify this.
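DrTCP's diagnosis (LAN packets leaving vlan35 with their private source address, and no replies coming back) is exactly what a packet capture on the vlan35 interface would show. The following is an added example, not code from the thread or from ZyXEL: it parses constructed tcpdump-style lines in a simplified format, flags outbound packets on the WAN-side interface that still carry an RFC 1918 source, and lists flows that never got an answer. The address 203.0.113.20 is a placeholder for the public address vlan35 would hold; 209.123.109.175 is the DSLReports address pinged earlier in the thread.

```python
import ipaddress
import re
from dataclasses import dataclass

# Added example, not from the thread or from ZyXEL. Simplified capture line format:
#   <time> <iface> <In|Out> IP <src>.<sport> > <dst>.<dport>: <flags>
# Constructed sample: LAN hosts leaving vlan35 untranslated, only SYN retries, no replies.
CAPTURE_NO_SNAT = """\
10:01:02.001 vlan35 Out IP 192.168.1.50.51234 > 209.123.109.175.80: Flags [S]
10:01:03.001 vlan35 Out IP 192.168.1.50.51234 > 209.123.109.175.80: Flags [S]
10:01:05.002 vlan35 Out IP 192.168.1.51.40000 > 209.123.109.175.443: Flags [S]
"""

# Constructed sample after SNAT: source rewritten to the vlan35 address (placeholder
# 203.0.113.20) and the SYN-ACK comes back to that address.
CAPTURE_WITH_SNAT = """\
10:05:02.001 vlan35 Out IP 203.0.113.20.10001 > 209.123.109.175.80: Flags [S]
10:05:02.031 vlan35 In  IP 209.123.109.175.80 > 203.0.113.20.10001: Flags [S.]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<iface>\S+)\s+(?P<dir>In|Out)\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s*(?P<rest>.*)$"
)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    ts: str
    iface: str
    direction: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def parse_capture(text):
    """Turn capture lines into Packet records; reject lines that do not fit the format."""
    packets = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable capture line: {line!r}")
        packets.append(Packet(m["ts"], m["iface"], m["dir"], m["src"], int(m["sport"]),
                              m["dst"], int(m["dport"]), m["rest"]))
    return packets


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def find_untranslated(packets, wan_iface):
    """Outbound packets on the WAN-side interface still carrying a LAN (RFC 1918) source:
    the signature of SNAT not being applied on that interface."""
    return [p for p in packets
            if p.iface == wan_iface and p.direction == "Out" and is_rfc1918(p.src)]


def unanswered_flows(packets, wan_iface):
    """Outbound (src, sport, dst, dport) tuples on the WAN interface with no reverse packet."""
    outbound = {(p.src, p.sport, p.dst, p.dport)
                for p in packets if p.iface == wan_iface and p.direction == "Out"}
    answered = {(p.dst, p.dport, p.src, p.sport)
                for p in packets if p.iface == wan_iface and p.direction == "In"}
    return sorted(outbound - answered)


def diagnose(capture_text, wan_iface):
    """Summarise a capture: how many packets left untranslated and how many flows got no reply."""
    packets = parse_capture(capture_text)
    untranslated = find_untranslated(packets, wan_iface)
    unanswered = unanswered_flows(packets, wan_iface)
    return {"untranslated": len(untranslated), "unanswered": len(unanswered),
            "snat_ok": not untranslated}


if __name__ == "__main__":
    print("without SNAT:", diagnose(CAPTURE_NO_SNAT, "vlan35"))
    print("with SNAT:   ", diagnose(CAPTURE_WITH_SNAT, "vlan35"))
```

Run against a real capture, the first check (private source on the WAN-facing interface) is the decisive one: a public upstream will simply never route a reply to 192.168.x.x, so the unanswered-flow list is a consequence, not a separate fault.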
Anav (Sarcastic Llama? Naw, Just Acerbic) Premium, join: 2001-07-16, Dartmouth, NS, kudos: 3
Okay, so I have to make a manual SNAT rule to connect VLAN 35 and LAN1? Not sure how to do that one.
No, the two policy routes I have are for the two following purposes: (1) to ensure I can send email to the cable company's email servers. Receiving email works, but sending does not without a policy route in place (BELL cannot handle emails going to another company's SMTP server). (2) To direct a specific PC on the LAN, when using RDP, to go out LAN1.
This works fine with the regular setup (bridge mode on Actiontec to USG) so it's not a suspect here. But doing those policy routes without setting SNAT right buggered up my initial attempts. It certainly seems to be the case that the default SNAT the USG provides for WAN interface selection WAS NOT intended for VLAN-type connections. Help with a SNAT rule...... heck, where do you even find those, LOL
Anav (Sarcastic Llama? Naw, Just Acerbic) Premium, join: 2001-07-16, Dartmouth, NS, kudos: 3 | reply to Anav
Perhaps this is policy route time, where I set SNAT to be on either the outgoing-interface or lan1-Subnet?????
DrTCP (Yours truly) Premium, ExMod 1999-04, join: 1999-11-09, Round Rock, TX, 1 edit | reply to Anav
said by Anav:
Okay, so I have to make a manual SNAT rule to connect VLAN 35 and LAN1? Not sure how to do that one.

There is always a first time. Start with the manual and support notes dealing with SNAT. I think you need a policy route such as the following:

Configuration:
  [x] Enable
  Description: vlan35 snat rule
Criteria:
  User: any
  Incoming: any
  Source Address: any
  Destination Address: any
  DSCP Code: any
  Schedule: none
  Service: any
Next-Hop:
  Type: Interface
  Interface: vlan35
  [x] Auto-Disable
Address Translation:
  Source Network Address Translation: outgoing-interface
  Port Triggering: (none defined)
Bandwidth Shaping:
  Maximum Bandwidth: 0 Kbps

First try this at the top of the policy route list and later move it to the bottom if it is working. In the next-hop section, you can also try Type: Trunk and select the trunk you have created. Selecting the trunk might be needed for load balancing between vlan35 and wan1.

Edit: One more thing.
On the Trunk tab under Default WAN Trunk, you have your own custom WAN trunk selected. If you click "Show Advanced Settings" you should also see a new setting "[x] Enable SNAT". I assume this is selected for you, right? If the above policy route works when added, and this is set here, I have the suspicion that it should have applied SNAT to the vlan interface in the trunk as well. It may be considered a bug.
Anav (Sarcastic Llama? Naw, Just Acerbic) Premium, join: 2001-07-16, Dartmouth, NS, kudos: 3 | reply to Anav
Okay, done. The only difference is that I used an incoming interface of LAN1 and NOT any. Also used vlan35 for the next hop interface vice trunk.
The policy route is the first rule and, as I expected, Yahoo, we have liftoff in a working internet to Bell. But, also as expected, we are preventing outbound email traffic to wan1:

An unknown error has occurred.
Subject 'test of email'
Server Error: 421
Server Response: 421 Cannot connect to SMTP server connect error 10060
Server: 'smtp.accesswave.ca'
Windows Live Mail Error ID: 0x800CCC67
Protocol: SMTP
Port: 25
Secure(SSL): No
Anav (Sarcastic Llama? Naw, Just Acerbic) Premium, join: 2001-07-16, Dartmouth, NS, kudos: 3 | reply to Anav
I moved the policy route to the back and now I can access the internet and email sends work.
Just wondering if I should try next hop as trunk or keep it as it is. I have to test next what happens if wan2 goes down..... to see if I can still access the internet.
Anav (Sarcastic Llama? Naw, Just Acerbic) Premium, join: 2001-07-16, Dartmouth, NS, kudos: 3, 1 edit | reply to Anav
Okay, I disabled wan2 by disconnecting the cable. The router detected that the wan and vlan went dead. Unfortunately Wan1 did not kick in for internet, but also email stopped working in terms of send or receive. So for some reason removing wan2 in this configuration is killing wan1 as well.
Do you think the answer is using trunk for next hop vice vlan35?
Okay, changed to trunk: email works and internet works fine thus far...... Now to deselect wan2 again......... Bingo, am typing this from LAN1. Using the trunk allows the router to apply the spillover rule............
(attached image: Action Tech Removed)
By the way, default SNAT is enabled in the trunk setup, much like it is when you select WAN external interface and SNAT are default selected. Putting the trunk as the next hop did the trick to ensure that wan1 was accessible when wan2 went down.
DrTCP (Yours truly) Premium, ExMod 1999-04, join: 1999-11-09, Round Rock, TX, 3 edits
said by Anav:
Okay, changed to trunk: email works and internet works fine thus far...... Now to deselect wan2 again......... Bingo, am typing this from LAN1. Using the trunk allows the router to apply the spillover rule............

Great! Persistence prevailed in the end.
Here is the summary of what was done so far:
1) Create a vlan for tagged wan traffic
2) Add the vlan to the WAN zone
3) Create a new trunk. Make sure all wan interfaces in use and the newly created vlan are included. Make this new trunk the user-defined WAN trunk.
4) Create a policy route for enabling SNAT on the vlan. (This was expected to happen since we selected use default SNAT for the trunk, but it did not work as expected.)
Here is the policy route (placed at the end of the list, after more specific policy routes):

Configuration:
  [x] Enable
  Description: SNAT rule
Criteria:
  User: any
  Incoming: Interface
  Interface: select interface for LAN
  Source Address: any
  Destination Address: any
  DSCP Code: any
  Schedule: none
  Service: any
Next-Hop:
  Type: Trunk
  Trunk: select name of the trunk created in step 3
  [x] Auto-Disable
Address Translation:
  Source Network Address Translation: outgoing-interface
  Port Triggering: (none defined)
Bandwidth Shaping:
  Maximum Bandwidth: 0 Kbps
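Two things decided the outcome in this thread: the position of the catch-all SNAT rule relative to the more specific SMTP rule (Anav's email broke while the SNAT rule sat at the top and worked once it was moved to the end), and using the trunk rather than vlan35 as the rule's next hop so that the spillover to wan1 still applies when wan2 dies. The following is an added Python model of first-match policy routing with a WAN trunk; it is not ZyXEL code and does not reproduce the USG's real matching engine. The interface, trunk, rule and service names are constructed from the thread's description.

```python
from dataclasses import dataclass

# Added model, not ZyXEL code: first-match policy routing plus a trunk with spillover.
# All names below are constructed from the thread's description of the setup.


@dataclass
class Trunk:
    name: str
    members: list            # ordered: first member is primary, later members take spillover
    snat: bool = True        # "Enable SNAT" under the trunk's advanced settings


@dataclass
class PolicyRoute:
    description: str
    incoming: str            # "any" or an incoming interface, e.g. "lan1"
    service: str             # "any" or a service, e.g. "smtp"
    next_hop: str            # an interface name or a trunk name
    snat: str = "outgoing-interface"   # or "none"
    auto_disable: bool = True          # skip the rule while its next hop is down


@dataclass
class Packet:
    incoming: str
    service: str


def matches(rule, pkt):
    """A rule matches when each criterion is 'any' or equals the packet's value."""
    return rule.incoming in ("any", pkt.incoming) and rule.service in ("any", pkt.service)


def first_live_member(trunk, link_up):
    """Spillover: the first trunk member whose link is up carries the traffic."""
    for member in trunk.members:
        if link_up.get(member, False):
            return member
    return None


def resolve_next_hop(name, link_up, trunks):
    """A trunk next hop resolves to its first live member; an interface must itself be up."""
    if name in trunks:
        return first_live_member(trunks[name], link_up)
    return name if link_up.get(name, False) else None


def route(pkt, policies, link_up, trunks, default_trunk):
    """Return (matched rule, egress interface, SNAT applied?) for one packet."""
    for rule in policies:                    # policy routes are evaluated top to bottom
        if not matches(rule, pkt):
            continue
        egress = resolve_next_hop(rule.next_hop, link_up, trunks)
        if egress is None and rule.auto_disable:
            continue                         # Auto-Disable: dead next hop, fall through
        return (rule.description, egress, rule.snat == "outgoing-interface")
    trunk = trunks[default_trunk]            # nothing matched: default WAN trunk
    return ("default trunk", first_live_member(trunk, link_up), trunk.snat)


# Constructed setup mirroring the thread: vlan35 is primary, wan1 is the spillover.
TRUNKS = {"wan_trunk": Trunk("wan_trunk", ["vlan35", "wan1"])}
EMAIL_TO_WAN1 = PolicyRoute("smtp to cable ISP", "lan1", "smtp", "wan1")
SNAT_VIA_VLAN = PolicyRoute("vlan35 snat rule", "any", "any", "vlan35")     # interface next hop
SNAT_VIA_TRUNK = PolicyRoute("SNAT rule", "lan1", "any", "wan_trunk")       # trunk next hop
ALL_UP = {"vlan35": True, "wan1": True}
WAN2_DOWN = {"vlan35": False, "wan1": True}
MAIL = Packet("lan1", "smtp")
WEB = Packet("lan1", "http")


def scenario(order, link_up):
    """Route a mail packet and a web packet through a given rule order and link state."""
    return {p.service: route(p, order, link_up, TRUNKS, "wan_trunk") for p in (MAIL, WEB)}


if __name__ == "__main__":
    print("SNAT rule first, all up:      ", scenario([SNAT_VIA_VLAN, EMAIL_TO_WAN1], ALL_UP))
    print("SNAT rule last, all up:       ", scenario([EMAIL_TO_WAN1, SNAT_VIA_VLAN], ALL_UP))
    print("interface next hop, wan2 down:", scenario([EMAIL_TO_WAN1, SNAT_VIA_VLAN], WAN2_DOWN))
    print("trunk next hop, wan2 down:    ", scenario([EMAIL_TO_WAN1, SNAT_VIA_TRUNK], WAN2_DOWN))
```

With the catch-all rule first, SMTP is captured by it and leaves on vlan35, which is the failure Anav saw; with it last, the SMTP rule wins and the catch-all handles everything else. When vlan35 is down, the rule whose next hop is the trunk simply follows the spillover to wan1 with SNAT still set, whereas the interface-next-hop rule is auto-disabled and the packet falls to the default trunk; the model stops there and does not try to explain why, in Anav's test, that default path did not carry LAN traffic.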
DrTCP (Yours truly) Premium, ExMod 1999-04, join: 1999-11-09, Round Rock, TX, 2 edits | reply to Anav
said by Anav:
Okay, done. The only difference is that I used an incoming interface of LAN1 and NOT any. Also used vlan35 for the next hop interface vice trunk.

I would use "any" if possible because if you later try to access WAN from DMZ or WLAN, it may not work. Could you try with "any" to see if it works? Also need to test LAN->DMZ, DMZ->LAN to see if they are still working.

said by Anav:
The policy route is the first rule and, as I expected, Yahoo, we have liftoff in a working internet to Bell. But, also as expected, we are preventing outbound email traffic to wan1.

I expected this. I wanted to test the policy route without the intervention of other policy routes.
Anav (Sarcastic Llama? Naw, Just Acerbic) Premium, join: 2001-07-16, Dartmouth, NS, kudos: 3
The only comment I would make is that I did not make a new trunk rule. I had one in effect already for spillover from WAN2 to WAN1 when necessary. What I did differently in the trunk is move the interface in the first rule from Wan2 to VLAN35. What was key for the trunk was to point to it in the missing policy route discussed next.
Therefore the primary change that I was missing was a policy route for SNAT; as you surmised, nothing was getting translated.
Can't test now, ppl are home LOL
Thanks much for your help and patience!!!