Routing specific port traffic out incoming WAN



  • I have two WAN gateways for two ISPs. We have an incoming port request for SSO on port 636 that gets redirected to our internal server fine. The trouble is if I change the default gateway when we have problems with the new ISP (router 192.168.1.3), while outgoing traffic gets pushed out the old ISP gateway (192.168.1.1) instantly when I change over the default gateway, if there is a request on GW 192.168.1.3:636, it goes back out 192.168.1.1, and hence is not seen by the outside authenticator. The rule is defined as coming from a specific public IP, and until that source picks up our DNS change (it can take up to an hour), we can't get authentication.

    The traffic needs to be NAT'd, so it is seen coming from our new ISP's public IP if it has come through that gateway, as the port traffic is often still there when our ISP fails; it's just that their web filtering keeps bombing out and we lose web traffic.

    So what I need is a rule that says:

    Source IP = 203.x.y.z
    Incoming gateway is 192.168.1.3
    Nat to internal server 10.1.1.1:636
    return path gw is 192.168.1.3 (default GW is 192.168.1.1)

    and another that says:

    Source IP = 203.x.y.z
    Incoming gateway is 192.168.1.1
    Nat to internal server 10.1.1.1:636
    return path gw is 192.168.1.1 (default GW is 192.168.1.1)

    That way, when I change our external A record for our authentication back to our old ISP, it will still work instantly, even though the authenticator is temporarily working off the new IP until its own DNS lookup gets updated.
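The behaviour described above (replies to a connection that arrived via the second gateway leaving through the default gateway instead) is the classic multi-WAN asymmetric-return problem. On a Linux firewall it is usually solved with connection marking plus policy routing rather than with two separate NAT rules: each new inbound connection is stamped with the interface it arrived on, the mark is restored onto the reply packets coming back from the internal server, and an `ip rule` sends marked traffic to a routing table whose default route is the matching gateway. The script below is an added example, not configuration from the original post or from any particular firewall product. It assumes a Linux box with iptables and iproute2, that the old ISP router 192.168.1.1 sits behind interface `eth1` and the new one 192.168.1.3 behind `eth2` (the post does not say how the gateways are attached), and it uses 203.0.113.10 as a placeholder for the authenticator's 203.x.y.z address.

```shell
#!/bin/sh
# Added example: conntrack-mark based policy routing so replies to an inbound
# connection leave via the gateway the connection arrived through, whatever
# the default route currently is. Interface names, table/mark numbers and the
# peer address are assumptions, not values from the original post.
set -e

WAN_OLD_IF="${WAN_OLD_IF:-eth1}"     # assumed interface towards 192.168.1.1
WAN_NEW_IF="${WAN_NEW_IF:-eth2}"     # assumed interface towards 192.168.1.3
GW_OLD="192.168.1.1"                 # old ISP router (current default gateway)
GW_NEW="192.168.1.3"                 # new ISP router
PEER_IP="${PEER_IP:-203.0.113.10}"   # placeholder for the authenticator's 203.x.y.z
INTERNAL="10.1.1.1"                  # internal SSO server from the post
PORT="636"
TABLE_OLD=101; MARK_OLD=0x1          # assumed routing table / fwmark pairs
TABLE_NEW=102; MARK_NEW=0x2

# run: execute a command, or only print it when DRY_RUN is set so the rule
# set can be reviewed (and tested) without touching a live firewall.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# One routing table per gateway, selected by firewall mark. The main table
# keeps whatever default gateway the admin has chosen; it is only consulted
# for unmarked traffic.
setup_policy_routes() {
    run ip route replace default via "$GW_OLD" dev "$WAN_OLD_IF" table "$TABLE_OLD"
    run ip route replace default via "$GW_NEW" dev "$WAN_NEW_IF" table "$TABLE_NEW"
    run ip rule add fwmark "$MARK_OLD" table "$TABLE_OLD"
    run ip rule add fwmark "$MARK_NEW" table "$TABLE_NEW"
    # Strict reverse-path filtering would drop the asymmetric packets; loose
    # mode (2) still rejects sources with no route at all.
    run sysctl -w "net.ipv4.conf.$WAN_OLD_IF.rp_filter=2"
    run sysctl -w "net.ipv4.conf.$WAN_NEW_IF.rp_filter=2"
}

# Stamp every NEW inbound connection with the WAN interface it came in on.
# --restore-mark runs first so packets of established connections (including
# the replies from 10.1.1.1 arriving on the LAN side) carry the connection's
# mark and hit the ip rules above.
setup_connmark() {
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -i "$WAN_OLD_IF" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$MARK_OLD"
    run iptables -t mangle -A PREROUTING -i "$WAN_NEW_IF" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$MARK_NEW"
}

# Forward 636 from the authenticator's address on both WAN interfaces. Reply
# packets get their source rewritten back by conntrack's reverse DNAT, so no
# separate SNAT rule is needed for this flow.
setup_dnat() {
    for ifc in "$WAN_OLD_IF" "$WAN_NEW_IF"; do
        run iptables -t nat -A PREROUTING -i "$ifc" -s "$PEER_IP" -p tcp --dport "$PORT" \
            -j DNAT --to-destination "$INTERNAL:$PORT"
    done
}

apply_all() {
    setup_policy_routes
    setup_connmark
    setup_dnat
}

# Usage: DRY_RUN=1 sh multiwan.sh apply   (print rules)   |   sh multiwan.sh apply
if [ "${1:-}" = "apply" ]; then apply_all; fi
```

Because the mark lives on the connection rather than on a source address, the same rules keep working while the authenticator flips between the two public IPs during DNS propagation: whichever gateway a given TCP session entered through is the one its replies use. `ip route get "$PEER_IP" mark 0x2` is a quick way to confirm that marked traffic resolves to the 192.168.1.3 table before cutting over.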