Question on default route

Question

Hi all,

i have a firewall that has internet on port1 and also is used as a VPN user dialup using that same port. All works fine.

I have installed a new router on port 10.

so now I want the users inside the firewall to get their internet from port 10 instead of port 1, so I changed the default 0.0.0.0/0 static route to be port 10 with the IP of the router attached. Now the users are getting their internet from port 10, all is good? Not really...

now all the user vpn dialup are failing. they are not connecting when dialing up to port 1 even though the internet is still attached.

What I am thinking and correct me if im' wrong, but looks like the userdialup is calling into port 1, but since the user is dialing up from an unknown subnet, the firewall uses the default route to respond back to the user, hence is sending the return traffic via the other router (now the new default route) and since it has no clue of this transaction, the packets are dropped on the router and the client fails to connect.

is my statement above correct? If not, please correct me.

If it is correct, then how can I fix this, without having to move the publIC used for dialup vpn to the other router and doing a 1to1 nat via the router? Can i not have best of both worlds? Internet from port 10 and userdialup for public port 1?

Thanks for the help.

Toshi_Esumi · Answer

If you ran "flow debug", you would see errors and dropped packets due to "asymmetric route". The dialup vpn traffic comes in at port1 and tries going out through port10 based on your 0/0 route, which is not allowed by default.

Instead, what you can do is to set two default routes but different "priority" numbers. When you create the default route toward port 10, you didn't specified priority so it got '0'. You can configure another default route but higher priority number, like '10'. The higher the number is, the lower the priority is.

Then when internal users/devices generate traffic (sessions) toward the internet, it follows priority 0 default route. But return packets for the dialup vpn would go back to where the session was initiated from, which is port1 as long as the low priority (10) default route exist. The routing table would look like below. This is from one of our 1500D's vdom, which is doing exactly what you want to do.

xxx-fg1 (vdom-name1) # get router info routing-t all Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default S* 0.0.0.0/0 [10/0] via 69.170.170.146, vlanxxxx-to-MPLS, [0/50] <- priority 0, another FW is in this direction [10/0] via 69.170.165.98, vlan-on-vdomlink-to-INET, [10/50] <- priority 10, VPNs come from this interface <snip>

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded