hfnet
asked on
Unable to connect inbound traffic through 2nd WAN of firewall
We have a very odd problem with an SBS 2011 server system.
We have a ZyXel USG-50 firewall connected to two ADSL lines. Line 1 works perfectly, and SMTP, PPTP etc route inbound to the server.
However WAN 2 is configured with identical rules but does not work properly. If we disable WAN 1 interface then we can connect inbound using SMTP, VPN, FTP, whatever we like. As soon as WAN 1 is enabled, the firewall reports ACCESS FORWARD in the logs when we try to VPN on WAN 2, but nothing appears to hit the server. It seems that we have a NAT issue but I am at a loss on this.
Can anyone throw some ideas this way? I have tried everything I can think of!
We have a ZyXel USG-50 firewall connected to two ADSL lines. Line 1 works perfectly, and SMTP, PPTP etc route inbound to the server.
However WAN 2 is configured with identical rules but does not work properly. If we disable WAN 1 interface then we can connect inbound using SMTP, VPN, FTP, whatever we like. As soon as WAN 1 is enabled, the firewall reports ACCESS FORWARD in the logs when we try to VPN on WAN 2, but nothing appears to hit the server. It seems that we have a NAT issue but I am at a loss on this.
Can anyone throw some ideas this way? I have tried everything I can think of!
Rick_O_Shay
It sounds like the firewall is set up in some knid of active/standby mode for the WAN and either not configured for or not able to load balance with the two links.
Some of these Zyxel USG's only use the WAN2 as a failover and when WAN1 is active it takes all of the incoming requests/sessions. I'm not positive on your model. One thing I'm sure of is that Zyxel has probably the best tech support team I've ever dealt with. They are willing to remote into the USG and troubleshoot your problems for you and fix it. Your best bet would be to call them and make sure it is possible and if it is they can help you accomplish it.
Zyxel Support
Good Luck HTH.
Zyxel Support
Good Luck HTH.
ASKER
It's set up in active/active mode and we're using WRR (Weighted Round-Robin), having tried LLF (Least Load First) with no luck. 
ASKER
Well I've been on the phone with ZyXel for over half an hour and they have not been able to offer any advice except to upgrading the firmware...
So why wouldn't you upgrade your firmware? They upgrade their firmware to fix problems with it. Maybe it is a problem...
ASKER
It's not a problem updating the firmware, but I am not onsite at the moment to do it. However, if WAN 2 works when you disable WAN 1, that would say that there is possibly a problem with routing that someone may have seen before. But I am quite happy closing the question off.
I wouldn't close the question until you get it fixed. If the firmware upgrade fixes it then go ahead and close it. We are here to help. I have seen the problem you are talking about and it is usually because the gateway is set to failover mode and basically pushes everything through the primary WAN1. But as you've shown that it isn't then maybe there is a problem with the firmware. That is all. I do still think Zyxel's support is really good.
ASKER
Well I am hopefully going onsite tomorrow morning, so we'll see what happens.
Thanks all for your help so far.
Thanks all for your help so far.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.