Thursday, October 1, 2015

networking - different inbound outbound network path for web services

Can we have inbound and outbound traffic for services such as OpenVPN routed along different paths within our local network but using the same modem?

I ask for our internet failover strategy.

For example say we normally have

  • Modem A <- DMZ forwarded to -> Firewall 1 CentOS box <- TCP port 25 -> Mail Systems
  • Modem B <- DMZ forwarded to -> Firewall 2 CentOS box <- UDP port 1194 -> OpenVPN Server for routed LAN to LAN connections

Both LAN sides of the firewalls are on the same LAN and subnet. The default gateways are:

  • Mail Systems have the LAN IP of Firewall 1 as their default gateway.
  • OpenVPN server has the LAN IP of Firewall 2 as its default gateway.

Then both modems A & B lose their internet connection and we want to use Modem C. Can we just

  • change the default gateways on Firewalls 1 and 2 to be Modem C's IP address
  • and setup Modem C to forward DMZ to Firewall 1
  • and tell Firewall 1 to forward UDP port 1194 (OpenVPN) traffic to the OpenVPN server
  • and update our MX record to point to the WAN IP of Modem C (yes I know it takes a while for DNS entries to propagate through the internet)

This will result in OpenVPN traffic coming in Modem C's WAN IP, being forwarded by DMZ rule to Firewall 1, which forwards the traffic on to the OpenVPN server, which then goes to respond via Firewall 2, which should send the traffic on through Modem C.

Will that work? If OpenVPN is too security paranoid what about other services?

This is a bit of a simplification of our network so the statement "just use port forwarding on Modem C to the right firewalls" is more work than it sounds.

Answer

It turns out that you can have the default route on a server go via a different path back out the same internet connection it came in without doing anything special.
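
Whether the asymmetric path in the question works comes down to what the OpenVPN client sees when the reply leaves through Firewall 2 and Modem C instead of retracing the inbound path. Added here as a model, not code from the original post or answer: a small Python simulation of the two source-NAT hops on the return path, showing the source address and port the client receives. All addresses are constructed, and the port-preservation behaviour (a Linux MASQUERADE keeps the original source port unless another flow already holds it) is an assumption of the model.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class NatHop:
    """One source-NAT device on the return path (Firewall 2, then Modem C).
    Assumed MASQUERADE behaviour: source address becomes the hop's outside
    address; the source port is kept unless another flow already holds it,
    in which case a fresh high port is allocated."""
    def __init__(self, outside_ip, used_ports=()):
        self.outside_ip = outside_ip
        self.used_ports = set(used_ports)
        self.next_free = 40000

    def snat(self, pkt):
        port = pkt.sport
        if port in self.used_ports:
            port, self.next_free = self.next_free, self.next_free + 1
        self.used_ports.add(port)
        return replace(pkt, src=self.outside_ip, sport=port)

def reply_as_seen_by_client(server_reply, hops):
    """Apply each return-path NAT in order; return the datagram the client gets."""
    for hop in hops:
        server_reply = hop.snat(server_reply)
    return server_reply

def client_accepts(sent, received):
    """An OpenVPN client without --float (and any stateful firewall in front of
    it) only matches a reply whose 4-tuple exactly mirrors the request."""
    return ((received.src, received.sport, received.dst, received.dport)
            == (sent.dst, sent.dport, sent.src, sent.sport))

# Constructed addresses for the scenario in the question.
CLIENT, MODEM_C_WAN, OPENVPN_SERVER = "203.0.113.10", "198.51.100.5", "10.0.0.20"
FW2_OUTSIDE = "192.168.100.3"   # Firewall 2's interface on Modem C's LAN side

def asymmetric_path_works(modem_busy_ports=()):
    # Inbound: client -> Modem C (DMZ) -> Firewall 1 (DNAT) -> OpenVPN server.
    sent = Packet(CLIENT, 51000, MODEM_C_WAN, 1194)
    # Outbound: server replies via its default gateway, Firewall 2, then Modem C.
    reply = Packet(OPENVPN_SERVER, 1194, CLIENT, 51000)
    hops = [NatHop(FW2_OUTSIDE), NatHop(MODEM_C_WAN, modem_busy_ports)]
    return client_accepts(sent, reply_as_seen_by_client(reply, hops))
```

With both hops preserving source port 1194 the client sees the reply from the same address and port it sent to, so the connection matches; if either hop has to allocate a new port (pass `{1194}` as `modem_busy_ports`), the reply is dropped by the client.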
