anav_ds
2012-01-09, 10:21 PM
I have a dual WAN ZyXEL USG100 router currently handling FibreOP internet via the bridge mode set in the ActionTech router and a standard cable connection. After reading File's fine posts I was inspired to try and remove the ActionTech from the picture. I should caveat that I do not use IPTV or any TV signals (strictly phone and internet).
The second wan connection, the cable connection is to maintain a small backup capability 1.5down, 0.768up plus continuity for email addresses, long association with provider.
Wan1 Cable
Wan2 FibreOP
For the dual WAN part I chose the SpillOver method for the dual WANs: basically use only one connection until it's saturated and only then switch to WAN1. Since that never occurs it really is a case of (if WAN2 goes down) ensuring connectivity is switched to WAN1. This rule was assigned in the Interface menu, sub-selection TRUNKs. There is a default rule automatically generated when you have a dual WAN (least load first sharing) but I created my own Trunk to replace it using a spillover-based setup as follows:
Primary interface WAN 2
Secondary interface WAN 1
For my main Ethernet interface settings I basically had WAN2 act like a standard Ethernet client, i.e. get DHCP automatically. I would plug WAN2 into the ActionTech LAN port and get an IP (no cloning in this setup).
One other setup piece to be aware of was a policy route I had created so as to be able to send emails to the Cable email server. It basically told the router that when any packets on the LAN were destined for the Cable SMTP IP address they should be routed through WAN1.
Steps to Remove Action Tech.
(1) After learning about how VLANs worked in the FibreOP setup, the first step was to set up a VLAN interface in the USG.
I created VLAN35, with the ID number of 35, associated the zone it was going to be associated with, i.e. the WAN zone, and the base port (translation = interface it was running on), in this case WAN2.
(2) Changing the Ethernet interface of WAN2. I statically put in 0.0.0.0 for IP and subnet mask (no longer get DHCP automatically). I also cloned the MAC address of the ActionTech.
(3) Changing the TRUNK interface. The spillover Trunk I created was modified such that it read:
Primary - VLAN35
Secondary - WAN1 (Cable)
I made these changes and ran into non-connectivity issues on the internet and email side. I was stuck for some time. Here is what was happening. I could easily grab an IP with VLAN35 interface active (even if my WAN2 interface was inactive). So the router was communicating with the ONT effectively in that regard. Unfortunately I could get no internet activity, nor get emails. Furthermore when I deactivated WAN2 or the VLAN or both, the router did not switch to WAN1 and thus could not get internet or email in any scenario.
Solution:
The primary cause, after realizing that the router could talk to the ONT no problem but my LAN had no access, was simply that the packets were not getting routed out the WAN properly. A colleague opined that the packets from LAN to VLAN35 are forwarded with the source IP and port of the LAN hosts and the responses are not coming back to the USG router. The LAN packets were not getting NATed, or in the USG we say SNAT was not being applied (they should all appear to Bell as coming from the DHCP client (the router IP) and not the LAN IPs etc. etc.).
(a) The fix was to create a policy route to tell the router all packets originating in the router (be it LAN1, LAN2, DMZ etc.) should be SNATted and forwarded to the next hop (interface) VLAN35.
I put this new SNAT policy rule before the Email policy rule. Voila I now had internet access from all my PCs behind the router, but no email access. I moved the rule second behind the email rule and I now had internet access and email access. This makes sense as the VLAN rule handled all packets whereas I wanted the email ones parsed out first. As an additional example if I wanted to RDP out WAN1 I would place such a rule before the VLAN policy routing rule.
You may ask why I did not need this in the bridge mode setup. In this case the Ethernet interface (an external interface in USG jargon) has SNAT automatically applied as a default rule. There was no VLAN; it was a standard Ethernet scenario.
BUT... when I turned WAN2 off, expecting the router to switch to WAN1, I was disappointed as I could no longer get internet traffic nor email traffic. Both were what appeared to be blocked.
(b) The final adjustment was to change the next hop in the SNAT rule from Interface (sub-selection VLAN35) to TRUNK (sub-selection my spillover one). What this did in effect was to tell the router to SNAT all packets going out the trunk (VLAN35, and if that is not there then do it on WAN1). What I had told it previously was only to apply SNAT to packets going out VLAN35.
That was the icing on the cake and I typed out the good news while on my cable connection with WAN2 down.
I will post some screen shots next to illustrate the web gui menus I was using.
Thanks to File for patience for my 1001 questions.
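The two lessons in the post above are rule ordering (a broad SNAT policy route placed ahead of the narrow email rule swallows the email traffic) and next-hop type (a next hop of interface VLAN35 has nowhere to go when that interface is down, whereas a next hop of the spillover trunk falls back to WAN1). The following is an added example, not the poster's configuration and not ZyXEL code: a small Python model of a first-match policy-route table with a trunk next-hop. It assumes first-match evaluation and "primary member if up, else secondary" trunk behaviour, which is how the post describes the USG; the interface names, the LAN subnet and all IP addresses (documentation ranges) are constructed for the example. The model reproduces the routing and SNAT outcomes for web and SMTP traffic in each configuration; it does not attempt to reproduce every symptom the poster observed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

# Constructed addresses (documentation ranges), standing in for the real ones.
CABLE_SMTP_IP = "192.0.2.25"          # the cable provider's SMTP server
WEB_SERVER_IP = "192.0.2.80"          # some site on the internet
LAN_PREFIX = "192.168.1."             # hosts behind the USG
ROUTER_WAN_IPS = {"vlan35": "198.51.100.7",   # DHCP lease from the ONT on VLAN35
                  "wan1": "203.0.113.9"}      # cable WAN address


@dataclass
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    """One policy-route entry: matcher, next hop (interface or trunk name), SNAT flag."""
    name: str
    match: Callable[[Packet], bool]
    next_hop: str
    snat: bool = True


@dataclass
class Router:
    up: Set[str]                     # interfaces currently up
    trunks: Dict[str, List[str]]     # trunk name -> members, primary first
    rules: List[Rule]                # evaluated top to bottom, first match wins

    def resolve_next_hop(self, nh: str) -> Optional[str]:
        """A trunk resolves to its first member that is up (spillover as described);
        an interface next hop resolves only to itself, and only if it is up."""
        if nh in self.trunks:
            return next((m for m in self.trunks[nh] if m in self.up), None)
        return nh if nh in self.up else None

    def route(self, pkt: Packet) -> dict:
        """Return the matched rule, the egress interface (None = blackholed) and the
        source address the packet leaves with (router WAN IP when SNAT applies)."""
        for rule in self.rules:
            if rule.match(pkt):
                egress = self.resolve_next_hop(rule.next_hop)
                if egress is None:
                    return {"rule": rule.name, "egress": None, "src": pkt.src}
                src = ROUTER_WAN_IPS[egress] if rule.snat else pkt.src
                return {"rule": rule.name, "egress": egress, "src": src}
        return {"rule": None, "egress": None, "src": pkt.src}


# The three rules that appear in the post, as this model expresses them.
EMAIL_RULE = Rule("email-out-wan1", lambda p: p.dst == CABLE_SMTP_IP, "wan1")
SNAT_IFACE = Rule("snat-vlan35", lambda p: p.src.startswith(LAN_PREFIX), "vlan35")
SNAT_TRUNK = Rule("snat-trunk", lambda p: p.src.startswith(LAN_PREFIX), "spillover")

WEB = Packet("192.168.1.20", WEB_SERVER_IP, 443)
MAIL = Packet("192.168.1.20", CABLE_SMTP_IP, 25)


def scenario(rules: List[Rule], up: Set[str]) -> dict:
    """Route a web packet and an SMTP packet through a router with the given
    rule order and set of live interfaces; the trunk is VLAN35 then WAN1."""
    r = Router(up=set(up), trunks={"spillover": ["vlan35", "wan1"]}, rules=rules)
    return {"web": r.route(WEB), "mail": r.route(MAIL)}


if __name__ == "__main__":
    both = {"vlan35", "wan1"}
    print("SNAT rule first, both up:  ", scenario([SNAT_IFACE, EMAIL_RULE], both))
    print("email rule first, both up: ", scenario([EMAIL_RULE, SNAT_IFACE], both))
    print("next hop = VLAN35, WAN2 down:", scenario([EMAIL_RULE, SNAT_IFACE], {"wan1"}))
    print("next hop = trunk, WAN2 down: ", scenario([EMAIL_RULE, SNAT_TRUNK], {"wan1"}))
```

Run as a script it prints the four configurations in the order the post went through them: with the SNAT rule first, the SMTP packet matches the broad LAN rule and leaves via VLAN35; with the email rule first, SMTP goes out WAN1 and web traffic out VLAN35 with the router's VLAN35 address as source; with VLAN35 down and an interface next hop, web traffic matches a rule whose next hop cannot be resolved and is dropped; with the trunk as next hop, the same rule resolves to WAN1 and SNATs to the cable address. The `resolve_next_hop` method is the whole difference between steps (a) and (b).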