  1. #1
    Newbie
    Join Date
    Mar 2019
    Posts
    3

    Tunnel rules not working - even though not the "voting"

    Hi guys,

    Now, after a few ping-pongs with support, I make a last try here in the forum.
    So I have two "lines": one is a VDSL with German Telekom, the other is an LTE (4G cell phone stuff) line for failover. I'm in the countryside; at this point I simply have no other choice but to do it this way. The construction crew called me today because we get another line, but it will take a while until it's done. And when it is done I will still keep the LTE (4G), because the lines are going to the same main distributor. If the (next) car crashes into it, we are safe here. But this LTE line has a few disadvantages: because we are in the countryside, the radio mast is far away, and it is a question of weather conditions how well or badly it works (it sends on 800 MHz). So our headquarters knows which weather we have simply by listening to the quality of our VoIP.
    So we are here in the office; our terminal servers, VoIP server and so on are in the headquarters, and we simply connect to it through an SSL-VPN (OpenVPN) tunnel. No, we have two tunnels to it. Certificate, username and password to authenticate. So Untangle connects to it very smoothly. No problem until here.
    But now it drives me crazy:
    I want Untangle to go FIRST through tunnel 200, which I send over the interface VDSL (the stable line in the earth).
    I want Untangle to ONLY FAILOVER through the second tunnel 201, which I send through the interface LTE.
    Now, what does Untangle do? It sends all the stuff through LTE. No matter what rules I set, no matter which tunnel is the first, no matter which tunnel is the first one that is enabled... No matter what I do - the moment the (unstable) LTE tunnel is open, it sends everything through it. The (stable) VDSL tunnel gets nothing but a little keep-it-open talking.
    So I found this thread (sorry, I'm new and can't link the post, but simply search for tunnel and priority) here in the forum, I did the same, but hey, Untangle doesn't care about it. It sees the LTE tunnel and ignores every rule I set; it sends everything over the tunnel that has the LTE interface. It only depends on which tunnel has the LTE interface. Not what rules are given - the interface is the main player here.
    So support first wanted to tell me that I'm wrong. They told me the report says it all goes straight through the VDSL tunnel. Now I found out that the report (out of the box) is - let's say "not very well designed", because it always reports only the first tunnel available. It never reports any other but the first tunnel. So this argument was off the table from that moment, and I never heard anything about it anymore.
    Now the engineer came around with the following statement:
    The tunnel VPN rules basically "vote" on which WAN should be used which there is a choice.
    In this case there is no choice because there's actually a route for that subnet:
    in config > network > routes:

    = IPv4 Table main =
    10.62.83.0/24 via 10.62.84.1 dev tun201

    This means all 10.62.83.* traffic will go to 10.62.84.1

    I don't see this route in your static routes, so presumably it's being pushed from the OpenVPN server that you are connecting to.

    I would check the other side and see what those settings are.
    Okay, now rules are "a vote". Okay, now I set a static route. Of course it changes nothing, but ok. That I have two tunnels and they go to the same firewall and therefore to the same hop - yes! Of course! It is the same headquarters and it should fail over. Not use the failover line the whole day.
    So, what rules have I set?
    As I learned in the above-mentioned thread, I made two rules:

    Rule 1:
    IF Destination Address = 10.62.83.0/24 (Headquarters network)
    AND Source Interface = Any Non-WAN
    AND (IP address range of allowed devices here)
    THEN GOTO Destination Tunnel: VDSL

    Rule 2:
    IF Destination Address = 10.62.83.0/24 (Headquarters network)
    AND Source Interface = Any Non-WAN
    AND (IP address range of allowed devices here)
    THEN GOTO Destination Tunnel: LTE

    As simple as that. And in an earlier ticket, support signed this off as "works as designed".
    So I think Untangle should follow its rules, but it doesn't. Engineering says rules are a "vote". So I still say: Untangle should follow its "vote" - what else are they good for if they don't work?!

    So today I had the tunnels this way: 200 is VDSL, 201 is LTE. You know where Untangle sent all the stuff through, right? So I simply swapped the interfaces and left everything else as it is: the rules, the names, etc. So now 200 is LTE and 201 is VDSL. Guess where Untangle immediately sends all the stuff through...? Of course: 200. It doesn't matter what rules are set, it doesn't matter which names are given, it doesn't matter... Rules are simply worthless.
    Do I sound frustrated? Yes, I am. I really am. Because I've been talking to support for weeks and nothing happens. Our headquarters still knows our weather conditions because Untangle only uses the line that reacts to weather conditions.
    So in the end I feel really very comfortable with Untangle and I really love it, but at this point (and it is really only this point) it drives me crazy.
    Maybe you have any ideas out there that I can try, or questions that I can answer (or that I forgot to answer in this long cookbook that I wrote here... sorry...).
    I'm really thankful for any idea....

    Many thanks for your support and that you read that whole story out there guys!

    Achim

  2. #2
    Untangle Junkie dmorris
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,692


    Tunnel VPN rules and WAN Balancer rules only affect sessions going out WAN interfaces and have no effect on "local" traffic.
    If you think about it you'll realize it has to be this way, otherwise your network would be offline right now. Basically they say "prefer this WAN except if it's not an option." It's not an option if there is a local route for the session.

    If you want to use routes, that's fine too.
    Last edited by dmorris; 03-12-2019 at 08:30 AM.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Newbie
    Join Date
    Mar 2019
    Posts
    3


    Quote Originally Posted by dmorris
    Tunnel VPN rules and WAN Balancer rules only affect sessions going out WAN interfaces and have no effect on "local" traffic.
    If you think about it you'll realize it has to be this way, otherwise your network would be offline right now. Basically they say "prefer this WAN except if it's not an option." It's not an option if there is a local route for the session.

    If you want to use routes, that's fine too.
    I don't get it - really not.
    If the rules don't work - what are they good for?
    And if there is no preferring and no balancing and no effect on nothing and no this and no that - why is the LTE always preferred (aha!)? Why does Untangle shoot all sessions through LTE and not a few here and a few there? It clearly prefers LTE under all circumstances. So if you wanna prioritize a tunnel - here's your howto: buy yourself an LTE and you're all set.
    Last edited by achseu; 03-12-2019 at 11:50 AM.

  4. #4
    Untangle Junkie dmorris
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,692


    Quote Originally Posted by achseu
    I don't get it - really not.
    If the rules don't work - what are they good for?
    And if there is no preferring and no balancing and no effect on nothing and no this and no that - why is the LTE always preferred (aha!)? Why does Untangle shoot all sessions through LTE and not a few here and a few there? It clearly prefers LTE under all circumstances. So if you wanna prioritize a tunnel - here's your howto: buy yourself an LTE and you're all set.
    I don't follow.
    Of course all that traffic goes out that interface; it's local to that interface. There is no prefer because there is no choice. 10.62.83.0/24 is definitionally on tun201.
    If that's not what you want, then don't add a route for that interface.

    As you posted earlier:
    = IPv4 Table main =
    10.62.83.0/24 via 10.62.84.1 dev tun201


  5. #5
    Newbie
    Join Date
    Mar 2019
    Posts
    3


    Don't follow either.
    Engineer posted only the half picture. Here is the full picture:

    = IPv4 Table uplink.200 =
    default via 10.62.84.1 dev tun200

    = IPv4 Table uplink.201 =
    default via 10.62.84.1 dev tun201

    So there is a choice between both, but Untangle chooses only 201. Nobody @untangle knows why, because nobody seems to understand how the tunnels work and how traffic is routed to them.
    Last edited by achseu; 03-16-2019 at 01:19 PM.
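Added example, not from the thread or from Untangle: a small Python model of the policy-routing lookup, loaded with the three tables achseu posted, showing why the /24 pushed into the main table decides the egress tunnel before any rule "vote" is consulted, and that removing it (as dmorris suggests) lets the preferred uplink win. Assumed: the main table is looked up before the chosen uplink table, and the tables hold only the routes quoted in the thread; everything else is constructed.

```python
import ipaddress

# Route tables as quoted in the thread: table -> {CIDR: (gateway, device)}.
# Constructed model; real tables carry more entries than shown here.
TABLES = {
    "main":       {"10.62.83.0/24": ("10.62.84.1", "tun201")},
    "uplink.200": {"0.0.0.0/0":     ("10.62.84.1", "tun200")},
    "uplink.201": {"0.0.0.0/0":     ("10.62.84.1", "tun201")},
}


def lookup_table(table, dst):
    """Longest-prefix match within one table; None if no route covers dst."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for cidr, nexthop in table.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, nexthop
    return best_hop


def route(dst, preferred_uplink, tables=TABLES):
    """Return (table_used, egress_device) for a packet to dst.

    Assumption (not stated in the thread): the main table is consulted before
    the per-uplink table the Tunnel VPN rule voted for, which is how dmorris
    describes a local route taking the choice away.
    """
    for name in ("main", f"uplink.{preferred_uplink}"):
        hit = lookup_table(tables[name], dst)
        if hit is not None:
            return name, hit[1]
    return None, None


def without_main_route(tables=TABLES):
    """The fix dmorris suggests: the pushed /24 is no longer in main."""
    fixed = {name: dict(routes) for name, routes in tables.items()}
    fixed["main"].pop("10.62.83.0/24", None)
    return fixed


if __name__ == "__main__":
    # Headquarters traffic ignores the vote while the /24 sits in main ...
    print(route("10.62.83.10", 200))                        # ('main', 'tun201')
    # ... but honours it once that route is gone.
    print(route("10.62.83.10", 200, without_main_route()))  # ('uplink.200', 'tun200')
```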
