RV340 Policy Based Routing for IP address inside a sub LAN

ANISHMOHAN77358
Level 1

My router is RV340 bearing Firmware 1.0.03.22. I have a weird problem with the router.


I have 2 ISPs providing me internet. Both the ISPs have provided their proprietary router.
I have hooked the 2 ISP routers into the 2 WAN ports and set them up as DHCP clients (IP provided by the ISP router). However, all the DNS servers are set to 8.8.8.8 and 8.8.4.4.
In Multi WAN setting, the precedence is set up as WAN1=1 and WAN2=2.
Network Service Detection is switched ON for both the Multi WANs.
I have Antivirus switched ON and Intrusion Prevention System switched ON under Security Menu.

From the LAN Port of RV340, there is another downstream which renders WiFi connection to a host of clients. This downstream router is not in AP mode. I have intentionally set it up as router mode as this network is like a public WiFi and the Firewall and content filtering are set ON to restrict any unwarranted websites. This restricted network renders WiFi connection to a bunch of students.

So, ISP1=WAN1 + ISP2 = WAN2 renders the LAN network as 192.168.32.0 and then the router LAN is 192.168.75.1. The RV340 renders the LAN address to the router as 192.168.32.100 (which is effectively the WAN address for Router 2).

I have a specific requirement. There is a Linux server in the LAN 192.168.75.0 with a specific IP of 192.168.75.10.

All traffic emanating out of 192.168.75.0 is getting routed via WAN1 since WAN1 is set as precedence=1. I want to make an exception here.

How do I make a configuration so that any traffic generated on 192.168.75.10 gets routed via WAN2 only?

I know there is a policy based routing under multi WAN but it would not recognize the network 192.168.75.0 since the LAN is 192.168.32.0.

Is there any way that I can make the traffic generating from 192.168.75.10 inside the 2nd router's LAN be passed through WAN2 ?

I have achieved a part of it so that Amazon Workspace traffic generated by the Linux server is passed through WAN2. For that I have made a policy based routing entry as Any, Any, then the specific port of AWS (after defining it in Service Management) and then Interface WAN2. But I want to do this for ALL traffic from that machine.

10 Replies

balaji.bandi
Hall of Fame

Look at this video; it explains how you can achieve that:

https://www.youtube.com/watch?v=PoRiD7aojn8

BB


nagrajk1969
Spotlight

Hi

>>> I know there is a policy based routing under multi WAN but it would not recognize the network 192.168.75.0 since the LAN is 192.168.32.0.

1. Why won't it recognize the 192.168.75.0 network? Is it not already routing traffic between "192.168.75.x <> internet" via wan1?

2. Are you able to route traffic from hosts 192.168.75.x (other than say for example 192.168.75.10) via wan1?

The RV345 is "routing" traffic to 192.168.75.x network via the router2...so it does recognize the traffic coming from each of the 192.168.75.x hosts (with their src-ipaddr as 192.168.75.x)..

So now what you should do is to change/edit the existing policy-route you have added with "any any aws-port via wan2" as below (also shown correctly in attached screenshot)

src: 192.168.75.10/32

dst: any

service: all traffic 

via: wan2

It should work (it does work, as I have checked this completely in the same routing scenario before mentioning it here).

Thanks for your prompt reply. Helpful as always. Please see my answers below in green text.
@nagrajk1969 wrote:

Hi

>>> I know there is a policy based routing under multi WAN but it would not recognize the network 192.168.75.0 since the LAN is 192.168.32.0.

1. Why won't it recognize the 192.168.75.0 network? Is it not already routing traffic between "192.168.75.x <> internet" via wan1?

Very true. This is routing traffic via WAN1. The thing is, I thought that once the packets of the sub-LAN cross the router, RV340 considers these packets as if they were emanating from its own LAN network as 192.168.32.100. The mapping of the internal sub-LAN IPs on network 192.168.75.0 converging to the external WAN address 192.168.32.100 is held in the NAT table of the 2nd router. And that is why RV340 would not know which sub-LAN IP has generated the packet, as everything will be obfuscated as a packet from its LAN IP 192.168.32.100.

2. Are you able to route traffic from hosts 192.168.75.x (other than say for example 192.168.75.10) via wan1?

Yes, all traffic from network 192.168.75.x, including all the devices connected to the second router, is able to get to the internet from WAN1.

The RV345 is "routing" traffic to 192.168.75.x network via the router2...so it does recognize the traffic coming from each of the 192.168.75.x hosts (with their src-ipaddr as 192.168.75.x)..

So now what you should do is to change/edit the existing policy-route you have added with "any any aws-port via wan2" as below (also shown correctly in attached screenshot)

src: 192.168.75.10/32

dst: any

service: all traffic 

via: wan2

It should work (it does work, as I have checked this completely in the same routing scenario before mentioning it here).

Yes, I have also attempted this method earlier. I redid this configuration now as well. Then I went to the Linux server on 192.168.75.10 and ran traceroute dns.google to see where the traffic routes to. I found that the hops are like below:

192.168.75.10 --> 192.168.75.1 --> 192.168.32.1 --> Gateway of WAN1

Hence, I am unable to force the traffic emanating from 192.168.75.10 to move to the gateway of WAN2.

nagrajk1969
Spotlight

Hi

So, yes, an additional step would be to simply disable NAT on Router2.

- then the src address of each of the 192.168.75.x hosts/servers will not change,

- and NAT will be done anyway on the RV34x WAN interfaces before traffic is routed to the internet.

Note: In my earlier post I had simply assumed that there was no NAT on router2.


@nagrajk1969 wrote:

Hi

So, yes, an additional step would be to simply disable NAT on Router2.

- then the src address of each of the 192.168.75.x hosts/servers will not change,

- and NAT will be done anyway on the RV34x WAN interfaces before traffic is routed to the internet.

Note: In my earlier post I had simply assumed that there was no NAT on router2.


I made a lot of attempts with this method but unfortunately could not make it work.

1. Disabled NAT: Unfortunately the clients in the subnet 192.168.75.0 lost internet connection completely. Failed.

2. Enabled NAT and changed it from Symmetric to Full-cone in the hope that the private IP 192.168.75.10 would map to an IP outside the network, but it did not. I made all attempts to check if the private IP's corresponding outside IP is visible, but no luck.

3. Then I went to telnet mode and gave the following entries in iptables:

iptables -t nat -A INPUT -s 192.168.75.10 -j SNAT --to-source=192.168.32.179
iptables -t nat -A OUTPUT -d 192.168.32.179 -j DNAT --to-destination=192.168.75.10

I hoped that the internal IP 192.168.75.10 would map to the external IP 192.168.32.179 and that I could use this IP to make an entry in policy based routing, but unfortunately this did not work either.

The router which I am using after the Cisco RV340 is an ASUS AX router and it does not seem to provide a feature similar to the Static NAT of the RV340. That was the only hope where I could enforce an external IP for an internal IP and thus use the external IP in the policy based routing table.

nagrajk1969
Spotlight

So there are 2 points to note here:

1. Disabling NAT on the ASUS router (and making it simply work as a router between the 192.168.32.x network and the 192.168.75.x network) is NOT possible, or is not working as expected.

2. Where did you apply the below iptables rules?

iptables -t nat -A INPUT -s 192.168.75.10 -j SNAT --to-source=192.168.32.179
iptables -t nat -A OUTPUT -d 192.168.32.179 -j DNAT --to-destination=192.168.75.10

- on the ASUS router? I think so...

- if yes, is adding custom user-defined iptables rules allowed/supported on the ASUS router?

- if yes, just applying iptables rules for 1:1 SNAT/Static-NAT/DNAT will not work. The static-NAT IP 192.168.32.179 has to be configured as an alias interface on the WAN interface of the ASUS router; only then will return traffic to 192.168.32.179 be processed (and DNATed) on the ASUS properly.

- and also, the rules below make more sense (applied in the POSTROUTING/PREROUTING chains rather than the INPUT/OUTPUT chains)

* assuming that the WAN interface on router2 is eth0

the alias address:

root# ifconfig eth0:1 192.168.32.179 netmask 255.255.255.0 up

Note: This alias interface will now enable router2 to reply to ARP requests for the IP address 192.168.32.179 with the MAC address of its eth0/WAN interface, and thus the return traffic from the internet/RV340 to 192.168.32.179 will be sent to router2 accordingly.

iptables -t nat -I POSTROUTING 1 -s 192.168.75.10/32 -o eth0 -j SNAT --to-source 192.168.32.179
iptables -t nat -I PREROUTING 1 -i eth0 -d 192.168.32.179/32 -j DNAT --to 192.168.75.10

---------------------------------------------------
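As an added illustration (not part of this thread or any Cisco/ASUS code), here is a small model of the packet path discussed above: the downstream router decides what source address the RV340 sees (ordinary NAT, NAT disabled, or a 1:1 static NAT to an alias address), and the RV340 then matches its policy-based routing table on that address and falls back to WAN1. The addresses are the ones from the thread; the class and function names are assumptions for the example.

```python
# Added example, not from the thread: a minimal model of why PBR on the
# RV340 cannot match 192.168.75.10 while router2 (the ASUS) NATs it, and
# which source address each workaround makes visible to the RV340.
import ipaddress


class Router2:
    """Downstream router between 192.168.75.0/24 and the RV340 LAN.

    nat=True        : every inside host is masqueraded behind wan_ip
    nat=False       : source address preserved (RV340 then needs a static
                      route back to 192.168.75.0/24 via router2)
    static_nat={..} : 1:1 SNAT of selected hosts to an alias address on the
                      WAN side (the POSTROUTING SNAT + alias-interface idea)
    """

    def __init__(self, wan_ip, nat=True, static_nat=None):
        self.wan_ip = wan_ip
        self.nat = nat
        self.static_nat = static_nat or {}

    def forward(self, src):
        """Return the source address a packet from `src` carries upstream."""
        if src in self.static_nat:        # 1:1 rule is inserted first, so it wins
            return self.static_nat[src]
        if self.nat:                      # ordinary NAT hides the real host
            return self.wan_ip
        return src                        # routed only: address unchanged


class RV340:
    """Policy-based routing: list of (source prefix, WAN); first match wins,
    everything else follows the Multi-WAN precedence (WAN1 here)."""

    def __init__(self, pbr):
        self.pbr = [(ipaddress.ip_network(net), wan) for net, wan in pbr]

    def choose_wan(self, src):
        addr = ipaddress.ip_address(src)
        for net, wan in self.pbr:
            if addr in net:
                return wan
        return "WAN1"


def egress_wan(router2, rv340, server="192.168.75.10"):
    """(source the RV340 sees, WAN the server's traffic leaves on)."""
    seen_src = router2.forward(server)
    return seen_src, rv340.choose_wan(seen_src)
```

The first case reproduces the traceroute the original poster saw (the RV340 only ever sees 192.168.32.100, so the WAN2 rule never matches); the other cases show the source address that each workaround exposes for the PBR rule to match.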

ANISHMOHAN77358
Level 1


Dear Sir

The routing entries did not work. Even the ifconfig command, when entered on the Asus router, broke the WAN access.

I telnetted into the Asus router and made all the changes. This is becoming a real challenge for me.

nagrajk1969
Spotlight

Hi

1. So it means the ASUS router does not support any custom changes/new configs applied via CLI/telnet, so just leave it and revert it back to its original default config.

2. Now, looking at your network deployment, I suggest that you apply the configuration changes as given in the attached setup schematic. Basically you have to do the config steps below:

IMPORTANT NOTE:

- The key configuration that MUST be done is to configure the ASUS router WAN with the vlan2 IP address 192.168.33.2/24 (and default-gw: 192.168.33.1).

- DO NOT CONFIGURE IT IN VLAN1 AND ADD THE STATIC ROUTE, AS IS NORMALLY EXPECTED. THERE ARE SOME KNOWN ISSUES WITH ROUTING ON RV345. So my strongly recommended suggestion is to please configure the ASUS router in the vlan2 network and add the static route on the RV345 as mentioned in the steps below.

step-1: On RV345

a) in addition to the existing vlan1, configure another vlan2 with IP address 192.168.33.1/24.

b) Ensure that "Inter-VLAN routing" is enabled for both the vlan1 and vlan2 interfaces (it should be by default, but check it and confirm anyway).

c) add a static route (in Routing/Static-Routes) as below:

192.168.75.0/24 via 192.168.33.2  <dev/interface> vlan2

- apply and permanently save

Step-2: On Asus-router

a) configure the WAN interface with IP address 192.168.33.2/24 (default-gw: 192.168.33.1)

b) configure the LAN interface IP address as 192.168.75.1/24

c) keep the default config of NAT being enabled on the WAN interface

d) connect your WiFi hosts to this ASUS router as you have been doing all along

e) check that the LAN hosts/WiFi hosts connected to this ASUS router have IP addresses in the 192.168.75.x subnet and that the default-gw is 192.168.75.1

Step-3: Important Step: Move the server (which was configured with 192.168.75.10 earlier in your existing topology) and connect it to a LAN port of the RV345, AND configure it with an IP address in the vlan1 subnet as 192.168.32.99/24 and def-gw 192.168.32.1

Step-4: Now configure your policy-route for src-ip 192.168.32.99 to internet via wan2

- apply and do a permanent save

I think it should now be working as expected.

Thank you very much for this direction.

A noob and silly question. I went to create a VLAN but found that the Add icon on VLAN is disabled! Why so? Is my RV340 in an Evaluation mode? Why would Add VLAN be disabled in my case?

Nevertheless, I think I achieved your method by another way.

1. Took the Linux server out of the LAN port of the Asus and connected it to a LAN port of the RV340.

2. Assigned a static IP to the Asus router and another static IP to the Linux server.

3. Then went to policy based routing and configured the WAN as per the IP address, thus making the Linux server pass through WAN2.

nagrajk1969
Spotlight

>>> found that the Add icon on VLAN is disabled! Why so? Is my RV340 in an Evaluation mode?
>>> Why would Add VLAN be disabled in my case?

1. In case your present image version is not the latest, I suggest that you immediately download the latest image (if you don't have it with you now) from the link below:

https://software.cisco.com/download/home/286287791/type/282465789/release/1.0.03.22

a) And then do an image upgrade from the GUI (Administration/File-Management/...), ALSO SELECTING THE OPTION "Reset to factory default including certificates.." checkbox, and click upgrade.

b) And after the upgrade and reboot (done automatically during the upgrade process), access the router from a LAN PC (using the now factory-default IP address of 192.168.1.1) and re-configure everything from scratch.

- I don't think there is too much to "re-configure", so it's not so complicated either.

- I am thinking that with the reset to factory default, any of the glitches will go away and you can add VLANs, etc.

- fix the issue and don't be happy with some temporary alternative approach

2. In case the firmware is already v1.0.03.22, then go to the Admin/Reboot section of the GUI and do a reboot, ALSO SELECTING "Reset to factory-default including certificates", and re-configure. Hopefully there will be no glitches.