Netgate Discussion Forum
    2 WANs to different vlans

    Category: Routing and Multi WAN
    13 Posts, 3 Posters, 1.3k Views
    A Former User @sintei

      @sintei, I need more information about firewall rules and firewall logs.

      sintei @A Former User

        @silence

        I'll try to write it all out.
        Under gateways I have:

        WAN_DHCP    Default (IPv4)  WAN       78.82.x.x  78.82.x.x  Interface WAN_DHCP Gateway
        LANGW                       LAN       dynamic    dynamic    Interface lan Gateway
        WEBSITESGW                  WEBSITES  dynamic    dynamic    Interface lan Gateway
        WAN2_DHCP                   WAN2      78.82.x.x  78.82.x.x  Interface WAN2_DHCP Gateway

        Interface assignments:

        WAN       vtnet0 (xx.xx.xx.xx.xx)
        LAN       vtnet1 (xx.xx.xx.xx.xx)
        WAN2      vtnet2 (xx.xx.xx.xx.xx)
        Websites  VLAN xx on vtnet1 - lan (WebsiteVLAN)

        WAN2 rules:

        Protocol      Source                           Port  Destination   Port         Gateway  Queue  Description
        *             RFC 1918 networks                *     *             *            *        *      Block private networks
        *             Reserved / Not assigned by IANA  *     *             *            *        *      Block bogon networks
        IPv4 TCP/UDP  *                                *     WAN2 net      443 (HTTPS)  *        none   Any_incoming_wan2_443
        IPv4 TCP/UDP  *                                *     WAN2 net      80 (HTTP)    *        none   Any_incoming_wan2_80
        IPv4 *        *                                *     WEBSITES net  *            *        none   port80allow

        WEBSITES rules:

        Protocol      Source        Port  Destination  Port  Gateway  Queue  Description
        IPv4 *        *             *     LAN net      *     *        none   Block LAN
        IPv4 TCP/UDP  WEBSITES net  *     *            *     *        none   Default allow VLAN77 to any

        I have one WordPress site. It's reachable on WAN2. But when I close down access from VLAN WEBSITES to LAN, the WordPress site loses access to the gateway and can't perform check-ups. It seems the gateway is located in LAN net. How do I utilize the second gateway and keep it in my subnet/VLAN?

          viragomann @sintei

          @sintei said in 2 WANs to different vlans:

          LANGW LAN dynamic dynamic Interface lan Gateway
          WEBSITESGW WEBSITES dynamic dynamic Interface lan Gateway

          What are these gateways for?
          Cannot think of any reason to have a gateway on LAN in your setup.

            A Former User @viragomann

            @viragomann I don't understand its configuration either, but if what you need is to access a host from the internet through your WAN2, why don't you simply configure a port forward, and in the WAN2 rules allow access?

              A Former User @A Former User

              @silence said in 2 WANs to different vlans:

              and in the WAN2 rules allow access!

              [attached screenshot: image.png]

              With this you don't have to create the rule yourself.

                sintei @A Former User

                @silence said in 2 WANs to different vlans:

                @viragomann I don't understand its configuration either, but if what you need is to access a host from the internet through your WAN2, why don't you simply configure a port forward, and in the WAN2 rules allow access?

                What I'm trying to do is secure it so that someone coming in via WAN2 only has access to my VLAN WEBSITES.
                And that VLAN should be isolated from my LAN and other VLANs.
                The VLAN WEBSITES is on the LAN NIC, so it's somewhat tied?
                Right now I can't block the VLAN WEBSITES from accessing LAN via a rule, as then the website loses connectivity to the internet (for instance to check for updates etc.).
                But I can access it FROM the internet.
                The error in Chrome says "gateway timed out" when trying to update SEO, themes etc. So that's why I'm investigating in this direction.

                @viragomann said in 2 WANs to different vlans:

                @sintei said in 2 WANs to different vlans:

                LANGW LAN dynamic dynamic Interface lan Gateway
                WEBSITESGW WEBSITES dynamic dynamic Interface lan Gateway

                What are these gateways for?
                Cannot think of any reason to have a gateway on LAN in your setup.

                I think I created these to try to resolve the issue. Since you say they are not needed then I will delete them.

                  sintei @A Former User

                  @silence

                  Just to clarify:
                  I can access my website via its domain name in Chrome.
                  It resolves and is also secured with a Let's Encrypt certificate using HAProxy.

                    A Former User @sintei

                    @sintei, OK, now we are understanding each other. Then the question is that your website needs to go online, to be able to update certain things?

                    In this case you should check your NAT rules.

                      sintei @A Former User

                      @silence said in 2 WANs to different vlans:

                      @sintei, OK, now we are understanding each other. Then the question is that your website needs to go online, to be able to update certain things?

                      In this case you should check your NAT rules.

                      Yes, exactly. The website needs to be online.
                      So I checked and created some rules in NAT (tried both 1:1 and outbound) but can't get it to work either way.
                      Surely an outbound rule should suffice?

                        A Former User @sintei

                        @sintei, publish the NAT rules of your firewall,

                        and your firewall logs from the moment it receives the error.

                          viragomann @sintei

                          @sintei said in 2 WANs to different vlans:

                          Right now I can't block the VLAN WEBSITES from accessing LAN via a rule, as then the website loses connectivity to the internet (for instance to check for updates etc.).
                          But I can access it FROM the internet.

                          The only reason for this I can think of is that on the web server you are using a DNS server in the LAN subnet.

                          If that's not the case, enable logging in the block rule and check the firewall log to see which access from the web server to LAN is blocked.

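An added example, written for this page and not taken from the thread or from pfSense itself: a small first-match evaluator in Python that models the WEBSITES and WAN2 rule tabs posted above. The subnets are assumptions, since the thread masks them (LAN net 192.168.1.0/24, VLAN 77 as 10.77.0.0/24, WAN2 net 203.0.113.0/29, web server 10.77.0.10), and the resolv.conf is constructed. It shows why the "Block LAN" rule cuts the web server off from a resolver that sits on the LAN address, that the TCP/UDP-only pass rule leaves ICMP from the VLAN to the implicit default deny, and that the WAN2 rule named port80allow in fact passes any protocol and any port into WEBSITES net.

```python
"""Added example (not from the thread): first-match evaluation of pfSense-style
interface rules, with assumed subnets and a constructed resolv.conf."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed addressing; the thread masks the real prefixes.
LAN_NET = ip_network("192.168.1.0/24")
WEBSITES_NET = ip_network("10.77.0.0/24")   # "VLAN77" in the posted rule description
WAN2_NET = ip_network("203.0.113.0/29")     # assumed public /29 on WAN2
WEB_SERVER = ip_address("10.77.0.10")
ANY = None                                  # pfSense "*" in any column


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    proto: Optional[str]        # "tcp", "udp", "tcp/udp", "icmp" or ANY
    src: object                 # ip_network or ANY
    dst: object                 # ip_network or ANY
    dport: Optional[int]        # destination port or ANY
    description: str

    def matches(self, proto, src, dst, dport) -> bool:
        if self.proto is not ANY and proto not in self.proto.split("/"):
            return False        # "tcp/udp" matches either tcp or udp
        if self.src is not ANY and src not in self.src:
            return False
        if self.dst is not ANY and dst not in self.dst:
            return False
        if self.dport is not ANY and dport != self.dport:
            return False
        return True


def evaluate(rules, proto, src, dst, dport=ANY):
    """pfSense processes a tab's rules top-down; the first match wins and a
    packet matching nothing is dropped by the implicit default deny."""
    src = ip_address(src) if isinstance(src, str) else src
    dst = ip_address(dst) if isinstance(dst, str) else dst
    for rule in rules:
        if rule.matches(proto, src, dst, dport):
            return rule.action, rule.description
    return "block", "default deny"


# WEBSITES tab as posted: block anything to LAN net, then pass TCP/UDP from VLAN77.
WEBSITES_RULES = [
    Rule("block", ANY, ANY, LAN_NET, ANY, "Block LAN"),
    Rule("pass", "tcp/udp", WEBSITES_NET, ANY, ANY, "Default allow VLAN77 to any"),
]

# WAN2 tab as posted (RFC 1918 / bogon blocks omitted). Note the last rule:
# despite its name it passes every protocol and port into WEBSITES net.
WAN2_RULES = [
    Rule("pass", "tcp/udp", ANY, WAN2_NET, 443, "Any_incoming_wan2_443"),
    Rule("pass", "tcp/udp", ANY, WAN2_NET, 80, "Any_incoming_wan2_80"),
    Rule("pass", ANY, ANY, WEBSITES_NET, ANY, "port80allow"),
]


def resolvers_blocked(resolv_conf: str, rules) -> list:
    """Return the nameservers in a resolv.conf that the rule set would block
    for a DNS query (UDP/53) sent by the web server."""
    blocked = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            action, _ = evaluate(rules, "udp", WEB_SERVER, ip_address(parts[1]), 53)
            if action == "block":
                blocked.append(parts[1])
    return blocked


# Constructed resolv.conf: the pfSense LAN address first, a public resolver second.
SAMPLE_RESOLV_CONF = """\
nameserver 192.168.1.1
nameserver 1.1.1.1
"""

if __name__ == "__main__":
    print(evaluate(WEBSITES_RULES, "udp", WEB_SERVER, "192.168.1.1", 53))   # blocked by "Block LAN"
    print(evaluate(WEBSITES_RULES, "udp", WEB_SERVER, "1.1.1.1", 53))       # passes
    print(evaluate(WEBSITES_RULES, "icmp", WEB_SERVER, "1.1.1.1"))          # default deny
    print(resolvers_blocked(SAMPLE_RESOLV_CONF, WEBSITES_RULES))            # ['192.168.1.1']
    print(evaluate(WAN2_RULES, "tcp", "198.51.100.7", WEB_SERVER, 22))      # passes via port80allow
```

Run the resolver audit (and the same check for NTP, package mirrors and any database host) before adding the block rule, and turn on logging for the block rule as suggested above so the firewall log names whatever the audit missed; the "default deny" result is the evaluator's model of what pfSense does when no rule in the tab matches.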
                            sintei @viragomann

                            @viragomann said in 2 WANs to different vlans:

                            @sintei said in 2 WANs to different vlans:

                            Right now I can't block the VLAN WEBSITES from accessing LAN via a rule, as then the website loses connectivity to the internet (for instance to check for updates etc.).
                            But I can access it FROM the internet.

                            The only reason for this I can think of is that on the web server you are using a DNS server in the LAN subnet.

                            If that's not the case, enable logging in the block rule and check the firewall log to see which access from the web server to LAN is blocked.

                            You, my dear sir, are correct!
                            I could find some DNS settings and changed them manually, and it worked!
                            Thanks.

                            Also, big thanks to @Silence for helping me troubleshoot this. Have a good night!

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.