Key4ce - 2012-12-16


We have been at this for quite a few days now but seem to be unable to figure it out.
We have 2 FW Builder 5.0 based firewalls.

It uses corosync to manage 2 IP pools (1 for each firewall), which fail over to the other when one is down (saves wasting IPs on 2x active/passive setups).

Now from any external network you can reach everything we've got perfectly fine.
From internal FW1 -> using external IPs -> FW2 -> works perfectly with the rule:

Original Source <10.0.1.0/24>
Original Destination <External IP here>
Original SRV <Service here (like http) >
Translated SRC <Firewall 1 Gateway IP>
Translated DST <Internal Server IP>
Translated SRV <Original>
Interface IN <auto>
Interface OUT <Auto>
Action <Translate>

This works perfectly, but ONLY for one of the 2 firewall servers (the one whose gateway is filled in at Translated SRC).
Meaning only half of my VMs can contact each other. (I've got 2 gateway IPs, 1 for each IP pool in corosync.)
Internally, everything can connect using local IPs; this issue only occurs when it's using an external IP.
If I add a second rule with the other gateway IP -> it fails.
If I leave Translated SRC empty, it fails too.
I have tried many different combinations with the translation rules but it seems I just can't get it right.

Any advice or knowledge will be greatly appreciated!

Marco Tiggelaar