Balancing Rules not respected anymore after 2.0RC2 upgrade?


This topic contains 1 reply, has 0 voices, and was last updated by  zgypa 5 years, 11 months ago.


    zgypa
    Member

    Hi,

    is this a bug, or is it a configuration issue? After I updated to 2.0RC2, keeping the same configuration from 2.0RC1, I was not able to access LAN services from the internet. I had granted access with Net Balancer. Maybe there is a better way to do this than to use Balancing Rules?

    Why does the configuration described below work with 2.0RC1, and not with 2.0RC2?

    Symptoms

    * LAN2LAN and HOST2LAN OpenVPN time out when trying to connect from remote site.
    * Connections time out when I try to access websites and ssh hosted inside the LAN from outside the LAN.
    * Clients inside LAN access outgoing internet without problems through FO.
    * I found 10.1.1.166 server was accessing internet through FO as well, until I disabled HTTP Proxy/HAVP.

    Workaround

    What I discovered by running tcpdump and analyzing packets for incoming OpenVPN connections is that SYN packets are correctly received and replied to by ZS, but they go through the incorrect router. In other words, SYN come in from ADSL, and SYN,ACK go out through FO (see diagram).

    So for now, what I did was disable the FO router in the Net Balancer, therefore forcing ALL traffic through ADSL.

    Update Procedure

    I am running a stick (one-armed) router inside a VM. I permanently use the CD iso image to boot ZS, then I have Profiles stored on /dev/sda. I find this configuration particularly appealing because when it’s time to upgrade all I have to do is point the Virtual Machine to the new CD iso image, and ZS boots and finds the old profiles. No need to back up and restore profiles.

    Network setup

    The ZS stick router in question is on the bottom left of the diagram.

    Here are the rules I have set up with Balancing Rules:

    * all traffic for 10.1.1.80 and .166 needs to go back out through the ADSL connection (because it’s the only one with a public IP address).

    * all traffic to and from OpenVPN ports needs to go through the ADSL connection (because it’s the only one with a public IP address).

    * all other traffic needs to go through FO, since it has more bandwidth.
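
The tcpdump check described in the post (SYN arrives from one gateway, SYN,ACK leaves through the other) can be scripted. The following is an added example, not part of the original post: it assumes a capture taken with `tcpdump -e -n` on the one-armed router's single interface, so the two gateways are told apart by MAC address. All MACs, addresses and the port in the sample are constructed.

```python
import re

# Constructed sample of `tcpdump -e -n` output on the router's single interface.
# Every value is made up for this example:
# ADSL gateway = 02:00:00:00:00:a1, FO gateway = 02:00:00:00:00:f0,
# router itself = 02:00:00:00:00:01.
SAMPLE = """\
10:00:00.000100 02:00:00:00:00:a1 > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 74: 198.51.100.7.40112 > 10.1.1.1.1194: Flags [S], seq 100, win 64240, length 0
10:00:00.000300 02:00:00:00:00:01 > 02:00:00:00:00:f0, ethertype IPv4 (0x0800), length 74: 10.1.1.1.1194 > 198.51.100.7.40112: Flags [S.], seq 900, ack 101, win 65160, length 0
10:00:05.000100 02:00:00:00:00:a1 > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 74: 198.51.100.9.51000 > 10.1.1.1.1194: Flags [S], seq 200, win 64240, length 0
10:00:05.000300 02:00:00:00:00:01 > 02:00:00:00:00:a1, ethertype IPv4 (0x0800), length 74: 10.1.1.1.1194 > 198.51.100.9.51000: Flags [S.], seq 901, ack 201, win 65160, length 0
"""

# Source MAC, destination MAC, IP.port endpoints and TCP flags of one line.
LINE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), ethertype IPv4 .*?: "
    r"(?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]+)\]"
)

def find_asymmetric_handshakes(capture):
    """Return (client, service, in_gw_mac, out_gw_mac) for each SYN whose
    SYN,ACK was sent to a different next hop than the one that delivered it."""
    syn_in = {}    # (client, service) -> MAC of the gateway that delivered the SYN
    findings = []
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # not an IPv4/TCP line we understand
        if m["flags"] == "S":             # inbound SYN: remember who handed it to us
            syn_in[(m["src"], m["dst"])] = m["smac"]
        elif m["flags"] == "S.":          # SYN,ACK: endpoints are swapped
            key = (m["dst"], m["src"])
            gw_in = syn_in.pop(key, None)
            if gw_in is not None and gw_in != m["dmac"]:
                findings.append((key[0], key[1], gw_in, m["dmac"]))
    return findings

if __name__ == "__main__":
    for client, service, gw_in, gw_out in find_asymmetric_handshakes(SAMPLE):
        print(f"{client} -> {service}: SYN in via {gw_in}, SYN,ACK out via {gw_out}")
```
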
