Pushing local traffic over Wifi

  • Hi there,

    I have a site, that is connected back to my main office via a directed wifi link.
    Normally the link would service all domain traffic such as internal DNS, exchange mail and another bit of software. Then all the internet traffic comes out through a IPSEC tunnel to my main HQ firewall over the DSL line.

    What I was to achieve is to be able to fail it over to push all internet traffic back over the Wifi link and to my head office in the event of a DSL failure. I know it must be possible as all exchange+domain traffic comes back to my HQ.

    Having looked at the settings it has static routes setup for those HQ networks to go through the Wifi interface. But I can't do that with the LAN network for that site as it would then route all traffic for that site to HQ instead of to the local LAN. At least that is what it seemed to do when I tried it.

    Any suggestions on how I would achieve this? Would creating a unique exit point on my HQ firewall and then having the Ipsec tunnels go to there over the Wifi adapter be the solution?

  • Managed to resolve this myself in the end.

    It required me to disable/delete all the Ipsec tunnels. Keep the DSL interface as the WAN interface and the Wifi interface as an additional interface. Then set the default route as the Wifi's Gateway (though I didn't actually have to set a gateway on any of the interfaces for this to work).

    The bit that brought it all together was having a policy based forwarding rule back at my main office that said any traffic to any of those networks on the other end, to re-direct it to the interface with the Wifi's gateway on it, with the next hop being the Wifi interface on the other end.

    Also needed a NAT rule on my main HQ Firewall to say that all traffic going to the outside world from those networks on the other side to be NAT'ed through an adapter with a route out (in this case an external IP configured on an interface on the main HQ firewall).

    Anyway, I hope that helps anyone trying to do this same thing.

Log in to reply