Port forwarding stops if load balancing dual WAN enabled

ScratchMonkey

Occasional Visitor
ASUS RT-AC66U running stock 3.0.0.4.376_1123.

I have several port forwards configured to allow me to access my internal Linux box via SSH, IMAP, and Submission (port 587). This works fine using the standard WAN setup.

When I enable dual WAN with a second cable modem on LAN port 1, I can no longer reach the internal server from outside, nor can I ping the router on either WAN interface from outside. I can access external sites from the LAN just fine.

I'll be downloading the Merlin sources today to see how dual WAN is implemented and to see if that makes it obvious why port forwarding might stop working. I'm guessing it's some netfilter/iptables misconfiguration. (Which isn't that hard to do, given that this is a complicated setup.) Note that I'm using the stock firmware, not Merlin, so downloading the latter is just so I can familiarize myself with the code. (Where would I download the stock sources? I didn't see that on the ASUS site. It was easier for me to find the Merlin git repo via Google.)
 
Turned out I forgot to enable ping so that explains that issue.

If I unplug the cable modem plugged into the WAN port, I can once again use port forwarding. My suspicion now lies with the connection tracking module that should be remembering which WAN port to send replies to. Perhaps that needs special attention.
 
Aha. I found this nice article on multiple WAN interfaces that shows the needed trick:

http://linux-ip.net/html/adv-multi-internet.html

The internal server should define a second interface (alias) with a different IP. Packets from this IP address are NAT'd to the alternate interface, and the port forward rules need to be aware of which interface a packet came in on so they can be forwarded to the internal server's alternate interface.

Now the question becomes how to arrange that with the ASUS router. I don't see options for that in the default firmware's web configuration, so I suspect I'm going to need to flash the Merlin firmware and add JFFS scripts to accomplish this.

Ideally Advanced_VirtualServer_Content.asp would include a new column to select the WAN port for which a port forwarding rule applies and then add the necessary inbound/outbound NAT rules for the appropriate WAN interface.
 
Where's the logic that implements load balancing decisions? What marks a connection for diversion to the alternate WAN interface? For the present, that needs to be suppressed for any IP:port in the port forwarding list when in load balancing mode.
 
Did you solve this?

Hi

Did this get solved on any version of the firmware? I was going to enable dual-wan on my 66u, but not if it breaks the port forwarding!

Nigel
 
I figured out the problem(s).

1) I'd neglected to enable ICMP in the firewall so ping from the remote system wasn't working.

2) I needed a dual WAN rule to ensure the server always used the same external interface.

There's a trick if you want your server to use both interfaces, but I haven't tried it yet: Give your server two internal interfaces (i.e. an alias or a second NIC). Forwards from each external interface must go to the associated internal interface, and a dual WAN rule for each internal interface will make sure the reply goes out on the associated external interface.
 
Alas, when I plug the second interface in, my World of Warcraft connection drops after a few minutes of play. I want to try the Merlin firmware to see if it fixes this but haven't had a chance to flash it.
 
webserver configuration?

Dual wan config - This is config in the webserver rather than config in the router?

One of my 'webservers' is a webcam over which I have no such control :-(

Would be interested to hear how you get on with merlin.

Nigel
 
If you're willing to serve only through one interface, then you don't need to do anything on your webcam. In the router's web configuration, go to WAN, Dual WAN, then down at the bottom add a rule for your webcam. Set the source IP to that of your webcam, leave destination blank (it will become "All" when you commit it), and set the WAN unit to the external interface that will be your webcam's public address, the one from which you forwarded the port.

If you need to serve from both external WAN interfaces, then you'll need to add an alias interface to your webcam, and it sounds like your webcam can't do that. As dual WAN support becomes more popular, we should lobby for our appliances to acquire the ability to manually set more than one IP address. But this is a rare need, so I wouldn't hold my breath.
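
The pinning described in the posts above (one internal address per WAN, with forwards matched on the interface they arrived on), written out as generic Linux policy-routing commands. This is an added example, not part of the original thread and not ASUS firmware code; the script only prints the commands, and the interface names `wan0`/`wan1`, gateways, table numbers and addresses are constructed.

```shell
#!/bin/sh
# Added example: prints (does not run) generic Linux policy-routing commands.
# Interface names, gateways, table numbers and addresses are all constructed.
# One forward per line: wan_if  wan_gateway  route_table  internal_ip  tcp_port
FORWARDS='wan0 192.0.2.1 100 192.168.1.10 22
wan0 192.0.2.1 100 192.168.1.10 587
wan1 198.51.100.1 200 192.168.1.11 22'

# emit_rules MAPPING: print the commands for MAPPING. Fails with no output if
# one internal IP is forwarded from two WANs, because a source-IP rule can pin
# that IP to only one uplink (the case that needs the alias / second NIC).
emit_rules() {
    printf '%s\n' "$1" | awk '
    NF != 5 { print "malformed line " NR > "/dev/stderr"; err = 2; exit }
    {
        wan = $1; gw = $2; tbl = $3; ip = $4; port = $5
        if ((ip in owner) && owner[ip] != wan) {
            print ip " is forwarded from both " owner[ip] " and " wan > "/dev/stderr"
            err = 1; exit
        }
        if (!(wan in routed)) {
            # Per-WAN routing table whose default route is that WAN gateway.
            routed[wan] = 1
            out = out sprintf("ip route add default via %s dev %s table %s\n", gw, wan, tbl)
        }
        if (!(ip in owner)) {
            # Everything sourced from this internal IP leaves via its WAN.
            owner[ip] = wan
            out = out sprintf("ip rule add from %s lookup %s priority %d\n", ip, tbl, 1000 + tbl)
            out = out sprintf("iptables -t nat -A POSTROUTING -o %s -s %s -j MASQUERADE\n", wan, ip)
        }
        # Inbound forward is matched on the WAN interface it arrived on.
        out = out sprintf("iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n", wan, port, ip, port)
    }
    END { if (err) exit err; printf "%s", out }'
}

emit_rules "$FORWARDS"
```
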
 
