Tunnel SSH and database ports via WAN2 in a dual WAN router

gatewayinternetlocal-area-networkunifiwide-area-network

ISP-A : 4mbps (1:1) fiber leased line static IP address and ISP-B : 20mbps (1:8) fiber connection with dynamic IP address.

Little context to the situation, currently we have only one ISP (ISP-A) and as the bandwidth is not sufficient for everyone (around 25people browsing & accessing AWS/Azure) so our plan is to add another ISP to our local network so that everyone can browse/mail without complaining about bandwidth issues. ISP-B costs less than ISP-A for 20mbps as it's not a 1:1 connection and they don't have any SLA with us. Our office is divided into Devs and Non Dev users.

Dev Users

  • Majority on LAN & 3 on WiFi
  • Connect to AWS/Azure (needs to be connected as a fixed IP for
    incoming firewall policies for Instances).
  • Need to browse the internet (doesn't matter if IP is fixed at this point). Most of them do SO/Git/Bitbucket/YT etc.

Non Dev Users

  • Majority on WiFi & 3 on LAN
  • Browse the internet, use mail/hangouts/skype/teamviewer and don't need any static IP for whatever they use.

Once we get the 2nd ISP-B, I would like to channel all browsing traffic to ISP-B (20mbps) & all the devs connect to AWS/Azure via ISP-A (4mbps) for SSH. So my plan was to set ISP-A as WAN1 and ISP-B as WAN2, Eg:

WAN1 172.16.0.1
WAN2 172.16.1.1

What needs to be done is, everyone uses the internet via ISP-B. Devs use SSH (Port 22), Database connections (Port 5432) and some other ports which require static IP via ISP-A.

Equipment in use

  1. CISCO SG300-58 managed switch
  2. TP-Link single WAN Router
  3. 3x Ubiquiti Unifi APs

Proposed Equipment for Purchase

  1. Ubiquiti USG-Pro4 (to do Dual WAN)
  2. 2x more Ubiquiti Unifi APs

Total Devs : 10
Total Non Devs : 25

Instead of changing their default gateway, how can I make them use the internet (Browse) via WAN2 without setting up a Proxy Server?

Best Answer

So I got this done using a USG-Pro-4.

A custom rule needs to be implemented for this via SSH as the UI for it is not complete at this stage to manage these rules.

The idea is to Send port 22,5432 out via WAN2 and keep Internet traffic on WAN1.

Equipment

  1. Cisco-SG300-52 - Doing DHCP - 172.16.0.1
  2. Unifi USG-Pro-4 - Dual WAN Router on - 172.16.0.5/16
    1. WAN1 : Fiber mux on 192.168.1.2
    2. WAN2 : - Fiber to LAN media converter on 192.168.2.1
  3. Unifi AP - 3x Nos, get addresses via DHCP, unifi controller is used to manage groups/SSID etc.

Overview of implementation

  • LAN1 : 172.16.0.0/16
  • WAN1 : 192.168.1.2/29 Gateway : 192.168.1.1
  • WAN2 : 192.168.2.2/29 Gateway : 192.168.2.1

All traffic going from LAN1 out on port 22 and 5432 is sent out via WAN2 using the following rule on the USG-Pro-4, this allows browing to happen via the 20mbps line and all Database related work and SSH to happen via WAN2 (Static IP).

Example Configuration for the USG-Pro-4

configure
set protocols static table 1 route 0.0.0.0/0 next-hop 192.168.2.1
set firewall modify LOAD_BALANCE rule 2950 action modify
set firewall modify LOAD_BALANCE rule 2950 modify table 1
set firewall modify LOAD_BALANCE rule 2950 source address 172.16.0.0/16
set firewall modify LOAD_BALANCE rule 2950 destination port 22
set firewall modify LOAD_BALANCE rule 2950 protocol tcp
commit
save

You can use this Link to access the entire thread for configuration. A big tank you to UBNT-jaffe.

Related Topic