Netgate Discussion Forum

    Routing specific port traffic out incoming WAN

    Category: NAT
    axessit

      I have two WAN gateways for two ISPs. We have an incoming port request for SSO on port 636 that gets redirected to our internal server fine. The trouble is if I change the default gateway when we have problems with the new ISP (router 192.168.1.3): while outgoing traffic gets pushed out the old ISP gateway (192.168.1.1) instantly when I change over the default gateway, if there is a request on GW 192.168.1.3:636, it goes back out 192.168.1.1, and hence is not seen by the outside authenticator. The rule is defined as coming from a specific public IP, and until that source picks up our DNS change (it can take up to an hour), we can't get authentication.

      The traffic needs to be NAT'd, so it is seen coming from our new ISP's public IP if it has come through that gateway, as the port traffic is often still there when our ISP fails; it's just their web filtering keeps bombing out and we lose web traffic.

      So what I need is a rule that says:

      Source IP = 203.x.y.z
      Incoming gateway is 192.168.1.3
      Nat to internal server 10.1.1.1:636
      return path gw is 192.168.1.3 (default GW is 192.168.1.1)

      and another that says:

      Source IP = 203.x.y.z
      Incoming gateway is 192.168.1.1
      Nat to internal server 10.1.1.1:636
      return path gw is 192.168.1.1 (default GW is 192.168.1.1)

      That way, when I change our external A record for our authentication back to our old ISP, it will still work instantly, even though the authenticator is temporarily working off the new IP until its own DNS lookup gets updated.

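The two rule pairs described in the post, written out in the pf syntax that pfSense generates underneath its GUI. This is an added example, not part of the post: it assumes a single WAN-side interface `em0` facing both ISP routers, that each router forwards port 636 to a distinct address on the firewall (otherwise pf has nothing to tell the two paths apart), and uses placeholder public and forwarding addresses.

```pf
# Added example (not the poster's config). Assumptions: FreeBSD-style pf as used
# by pfSense, one interface em0 on the 192.168.1.0/24 segment shared by both ISP
# routers, and each router delivering port 636 to its own firewall address.
ext_if   = "em0"
old_gw   = "192.168.1.1"       # old ISP router (current default gateway)
new_gw   = "192.168.1.3"       # new ISP router
auth_src = "203.0.113.10"      # placeholder for the authenticator's 203.x.y.z
old_fwd  = "192.168.1.10"      # placeholder: address the old router forwards 636 to
new_fwd  = "192.168.1.11"      # placeholder: address the new router forwards 636 to
ldaps    = "10.1.1.1"          # internal LDAPS/SSO server

# Port forwards. Tagging here records which ISP path the request arrived on,
# because after rdr the filter rules only see the translated destination 10.1.1.1.
rdr on $ext_if proto tcp from $auth_src to $old_fwd port 636 tag VIA_OLD -> $ldaps port 636
rdr on $ext_if proto tcp from $auth_src to $new_fwd port 636 tag VIA_NEW -> $ldaps port 636

# Old ISP path: replies for this state are sent back to 192.168.1.1.
pass in quick on $ext_if reply-to ($ext_if $old_gw) proto tcp \
    from $auth_src to $ldaps port 636 tagged VIA_OLD flags S/SA keep state

# New ISP path: replies go back to 192.168.1.3 even while 192.168.1.1 is the
# default gateway, which is the case the post describes as failing.
pass in quick on $ext_if reply-to ($ext_if $new_gw) proto tcp \
    from $auth_src to $ldaps port 636 tagged VIA_NEW flags S/SA keep state
```

In pfSense the `reply-to` is normally added automatically for rules on an interface that has a gateway assigned, so if the GUI rule lives on an interface with no gateway, or reply-to has been disabled under the advanced firewall settings, replies will follow the default route exactly as described above.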
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.