Dual WAN Separate NAT Paths Not Working

2023-02-05 16:18:17
Model: General Product   ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.1.1

I have set up dual WAN, fed from two different Modems. WAN1 is the fastest connection, and is marked as primary WAN. WAN2 is deemed backup. The internet load balancing and link backup is working as expected and is great.

 

Now comes the issue.

 

app1 DNS is the IP of WAN1. It has a NAT on a few different ports that translate to some servers internally.

app2 DNS is the IP of WAN2. It has a NAT on a few different ports that translate to some servers internally.

 

Only one of these will work at a time. If app1 is working, externally, then app2 is not, and vice versa. I'm not positive what makes them swap, but it's incredibly annoying. If I make all apps go to one of the WAN IPs, and NAT from that, all works fine.

 

I've tried disabling Application Optimized Routing, didn't fix it. I've tried without Link Backup, no go. I've tried with Link Backup - no go.

 

I've tried creating policy routing to make the one server always go out the WAN IP that it's NATed from, and the other to the other WAN, still no go.

 

There MUST be something obvious I'm missing. Can I not have different WANs NATing to different local addresses?

 

I appreciate any help anyone can offer. As to the "well, why are you doing this?": my primary has the strongest speeds. I'm having all my gaming servers/apps like TeamSpeak run through this. I want all my generic external web hosting and camera software to go through the weaker link. I have priorities - haha.

 

I'm using the default attack prevention settings.

#1
Re: Dual WAN Separate NAT Paths Not Working
2023-02-07 02:03:40

To add into this, it's possible that it's due to the load balancing, albeit I can't imagine it's an "intended" consequence.

 

I intentionally took down WAN1. All of a sudden, the port forwarding for WAN2 started to work externally now. I plugged back in WAN1. The NATing continued working on WAN2 and was not working on WAN1. I disconnected WAN2, and voila, like clockwork, NAT translations were now working on WAN1. Plugged back in WAN2, WAN1 NAT still worked, WAN2 NAT would not work.

 

I'm at a loss as to why the router would be unable to say: if WAN1:32999 -> 192.168.x.1, and if WAN2:80 -> 192.168.x.2. Almost any other router with multiple WANs allows this to work. Is there a setting somewhere I'm missing? Is there a way to straight up disable load balancing and let another WAN just sit idle except for port forwards, to try and see if that'll work? I only see ways to change the load balancing weight, but not to straight disable it.

 

Appreciate the help again, it's mildly annoying to myself that I cannot figure this out. Does anyone have a similar setup that's working? Might be able to just compare and see what's up.

#2
Re: Dual WAN Separate NAT Paths Not Working
2023-02-07 06:20:16

  @flick8234 

Disable Link Backup;

Make sure you choose both WAN1 and WAN2 on port forwarding settings page.

#3
Re: Dual WAN Separate NAT Paths Not Working
2023-02-07 14:14:38

  @Somnus 

 

Thanks for the reply! I have tried with link backup both on and off as I mentioned in the first post, but to no avail.

 

As for choosing "both" WAN1 and WAN2 on the port forward ports, are you recommending that for every port, I specify both WANs? That seems like a bad idea from an attack perspective. Someone can make a DNS request go to either IP at that point and still get through to the internal server and utilize either internet capacity.

 

I have it set up now where 80, 443, 32400 go through WAN2 and a few different ports go through WAN1. If I place both WANs on all ports, it opens the gates for someone to flood out both my links rather than just one.

 

Unless I'm misunderstanding you, if so please let me know! My goal would be to have this working without opening up to a vulnerability. Appreciate the comment!

#4
Re: Dual WAN Separate NAT Paths Not Working
2023-02-08 06:38:31 - last edited 2023-02-08 06:39:01

  @flick8234 

 

Oh, it's my misunderstanding. I thought your WAN1 and WAN2 were doing port forwarding to the same servers.

 

I haven't tested it on my router, but your settings seem to be correct. Maybe a bug of the firmware? @Hank21 

#5
Re: Dual WAN Separate NAT Paths Not Working
2023-02-08 08:57:34

Dear  @flick8234 

To better assist you, I've created a support ticket via your registered email address, and escalated it to our support engineer to look into the issue. 

The ticket ID is TKID230213556, please check your email box and ensure the support email is well received. Thanks!

Best Regards!
#6
Re: Dual WAN Separate NAT Paths Not Working
2023-02-08 16:33:33

  @Somnus No worries! Just wanted to better explain. Appreciate the assistance either way!

 

@Hank21 

 

Thanks! I'll check and respond with the requested info. Really looking forward to having a resolution - it's quite literally my ONLY problem with the Omada ecosystem (just put in about $800 in router/switches/APs like a crazy guy). Everything else is awesome! But the split WAN NAT is super important to me.

#7
Re: Dual WAN Separate NAT Paths Not Working
2023-03-16 14:18:45 - last edited 2023-03-16 14:19:07

  @flick8234 

 

Tried this for days with my ER605 + activated Omada SDN.

 

There is no solution for:

e.g.

Interface WAN (10.10.10.1) -> HTTP -> 192.168.0.10 (Webserver1)

Interface WAN1 (10.10.20.1) -> HTTP -> 192.168.0.11 (Webserver2)

 

Tried all different load balancing settings with and without Omada SDN. Tried policy routes and so on...

 

Port forwarding always works only for the "active" WAN link. That means even if you do load balancing or failover, only the active link will match the rule!

 

You cannot split the NAT Settings on two WAN interfaces.

 

I found out:

When the example solution is activated, the packets will be forwarded correctly to the "standby" WAN NAT rule (Virtual Server...).... But if the WAN route is on standby it will not correctly return the packet over the incoming WAN interface... It will return the packet on the "active" WAN interface.

 

This thing only handles load balancing and failover, with port forwarding only on the active interface! That's a shame! I wanted to have my high bandwidth webserver on WAN and my low bandwidth mailserver on WAN1...

 

I hope they will make a fix for this.

#8
Re: Dual WAN Separate NAT Paths Not Working
2023-03-16 14:29:29

  @chicken689 

 

I'm glad I'm not the only one. I worked with support, sent them configs, backups, and everything. They claimed they replicated the setup on their side exactly and it works completely fine. Here I was thinking my router was a lemon or something.

 

I imagine they are not replicating what you and I have done as I've factory reset everything trying again with the same failed results.

 

Your scenario mimics mine exactly and you experience the same problem I do. Hopefully they see I'm not the only one with the issue and realize it seems like a bug. I imagined that "Application Optimized Routing" would have done what we are trying to do based on the description, but on or off it still fails. It's supposed to record the wan port it goes through so it sends it back out that port. Sadly this doesn't work for port forwards it seems.

#9
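
The return-path failure described in the two posts above (the reply to a forwarded connection leaves on the "active" WAN instead of the WAN it arrived on) can be confirmed from captures taken on both uplinks. This is an added example, not part of the thread and not TP-Link code; the `tcpdump -n` lines, the documentation-range addresses and the `return_paths` helper are all constructed for illustration.

```python
import re

# Constructed sample: `tcpdump -n` text as it might look on each WAN uplink.
# Addresses are documentation ranges (assumptions), not values from the thread.
CAPTURES = {
    "WAN1": """\
12:00:01.000 IP 198.51.100.7.50001 > 203.0.113.10.32999: Flags [S], seq 1, length 0
12:00:01.002 IP 203.0.113.10.32999 > 198.51.100.7.50001: Flags [S.], seq 9, ack 2, length 0
12:00:02.003 IP 203.0.113.20.80 > 198.51.100.7.50002: Flags [S.], seq 5, ack 8, length 0
""",
    "WAN2": """\
12:00:02.000 IP 198.51.100.7.50002 > 203.0.113.20.80: Flags [S], seq 7, length 0
12:00:03.000 IP 198.51.100.9.50003 > 203.0.113.20.443: Flags [S], seq 3, length 0
""",
}

# src.port > dst.port, keeping only SYN ("S") and SYN-ACK ("S.") packets.
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[(S\.?)\]")

def return_paths(captures):
    """For each inbound SYN: (ingress WAN, WAN the SYN-ACK left on, verdict)."""
    syn_seen, synack_seen = {}, {}
    for wan, text in captures.items():
        for line in text.splitlines():
            m = LINE.search(line)
            if not m:
                continue
            src, sport, dst, dport, flags = m.groups()
            if flags == "S":   # client -> forwarded port
                syn_seen[(src, sport, dport)] = wan
            else:              # "S." is tcpdump's SYN-ACK: server -> client
                # Keyed by client endpoint and service port only, so the match
                # does not depend on which WAN address the reply carries.
                synack_seen.setdefault((dst, dport, sport), wan)
    report = {}
    for flow, ingress in syn_seen.items():
        egress = synack_seen.get(flow)
        verdict = ("no-reply" if egress is None else
                   "symmetric" if egress == ingress else "asymmetric")
        report[flow] = (ingress, egress, verdict)
    return report

if __name__ == "__main__":
    for (client, cport, svc), (ingress, egress, verdict) in return_paths(CAPTURES).items():
        print(f"{client}:{cport} -> port {svc}: in {ingress}, reply {egress}: {verdict}")
```

An `asymmetric` verdict for the forwards on one WAN, with `symmetric` on the other, is the pattern the posters describe.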
Re: Dual WAN Separate NAT Paths Not Working
2023-03-16 15:20:49 - last edited 2023-03-16 15:22:44

I had one support call with TP-Link. I did not even need the words "maybe this is not possible"; I knew it when I was told to draw a network diagram and what exactly I wanted to do. The technical support man said: Send it to us and we will have to forward it to our Chinese HQ (main business), they will check it... I never drew it, and I'm happy that I found you with the same problems as me. I can't understand why they won't enable the features for multi-WAN "virtual servers" + failover.

 

Maybe we just need to buy their new product line when it comes out for 500 Bucks not 60 Bucks. Business strategy. With unhappy customers, with "special" (not so special!) needs.

#10
Re: Dual WAN Separate NAT Paths Not Working
2023-03-17 04:48:26

 @flick8234 

 

I have the same problem

#11