Hi, all...
I have a rather unique situation I'm working on configuring:
ASG Linux 8.3
Internal IF 1: on Internal (trusted) LAN: 192.168.aaa.0/24
Internal IF 2: on Internal (guest) LAN: 192.168.bbb.0/24
External IF 1: fiber (25/25)
External IF 2: cable (15/5)
Web proxy: transparent; trusted LAN allowed *only*
Profile proxy: standard; guest LAN allowed only; access to trusted LAN blocked
Remote client (user) needs VPN access to single host on guest LAN. Guest LAN should be considered "untrusted," and firewall & NAT rules block access to trusted LAN from guest (though traffic from trusted LAN *to* guest is allowed).
IPSec VPN (client-to-site) is configured to allow login for this user and access to the guest LAN only. Remote access to the host works as expected.
User needs access to the internet from the host machine over both external IFs. Off the top of my head, I figured that the existing transparent proxy for IF 1 would work, coupled with a profile for standard proxy on port 8080, to route traffic out IF 2. However, using various multipath & uplink rules, coupled with masquerading & NAT, I can get the reverse to work (guest LAN port 80 -> IF 2 / guest LAN port 8080 -> IF 1), but not exactly what I want.
Is there no way to tell the web proxy to route traffic for a particular address/network out a specific IF? SNAT was a thought, but there is no way to specify *which* sources (before the proxy) should be SNAT'd. I'm stumped.
Any thoughts or ideas appreciated.
Thanks!
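Added example, not part of the original post and not Astaro's code or a documented ASG 8.3 procedure: it shows the underlying mechanism on a stock Linux gateway running Squid for the exact problem described above, namely that once the proxy has terminated the client connection the original source address is gone, so SNAT or multipath rules applied to the proxy's outbound flows cannot tell guest-LAN traffic from trusted-LAN traffic. The fix is to make the decision inside the proxy (Squid's `tcp_outgoing_address` with a source ACL binds the outbound socket to a per-client-network local address) and then policy-route by that bound source address with `ip rule ... lookup <table>`. All addresses, interface names and table numbers are hypothetical stand-ins for the post's 192.168.aaa/bbb networks and "External IF 1 / IF 2"; the script only prints the `ip` commands unless DRY_RUN=0, and needs root to actually apply them.

```shell
#!/bin/sh
# Added example (not from the post or from Astaro): route a proxy's outbound
# traffic for ONE client network out ONE chosen uplink. Every value below is an
# assumed stand-in for the post's placeholders.
TRUSTED_LAN=192.168.10.0/24   # post's 192.168.aaa.0/24 (assumed)
GUEST_LAN=192.168.20.0/24     # post's 192.168.bbb.0/24 (assumed)
FIBER_DEV=eth2;  FIBER_ADDR=203.0.113.10;  FIBER_GW=203.0.113.1    # External IF 1 (assumed)
CABLE_DEV=eth3;  CABLE_ADDR=198.51.100.10; CABLE_GW=198.51.100.1   # External IF 2 (assumed)
DRY_RUN=${DRY_RUN:-1}         # 1 = print ip(8) commands, 0 = execute them (root needed)

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Dotted quad -> integer so a CIDR membership test can use a plain bit mask.
ip_to_int() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# in_cidr IP NET/PREFIX -> exit status 0 when IP lies inside NET/PREFIX
in_cidr() {
    _ip=$(ip_to_int "$1")
    _net=$(ip_to_int "${2%/*}")
    _pfx=${2#*/}
    _mask=$(( ((1 << _pfx) - 1) << (32 - _pfx) ))
    [ $(( _ip & _mask )) -eq $(( _net & _mask )) ]
}

# The per-client decision the proxy itself must make: which local address to
# bind its outbound socket to. That bound source address is what the policy
# rules further down key on. SNAT after the proxy cannot do this because by
# then every flow carries the proxy's own address, not the client's.
proxy_bind_addr() {
    if in_cidr "$1" "$GUEST_LAN"; then echo "$CABLE_ADDR"
    elif in_cidr "$1" "$TRUSTED_LAN"; then echo "$FIBER_ADDR"
    else echo "$FIBER_ADDR"       # anything else: the default uplink
    fi
}

# Squid expresses exactly that mapping: a src ACL plus tcp_outgoing_address.
# The last, ACL-less line is the fallback for clients matching no ACL.
squid_outgoing_snippet() {
    cat <<EOF
acl guest_lan src $GUEST_LAN
tcp_outgoing_address $CABLE_ADDR guest_lan
tcp_outgoing_address $FIBER_ADDR
EOF
}

# Policy routing: one routing table per uplink, and rules that pick the table
# by SOURCE address. A socket bound to $CABLE_ADDR is therefore routed via the
# cable gateway no matter what the main table's default route says.
policy_routing() {
    run ip route replace default via "$FIBER_GW" dev "$FIBER_DEV" table 101
    run ip route replace default via "$CABLE_GW" dev "$CABLE_DEV" table 102
    run ip rule add from "$FIBER_ADDR" lookup 101 priority 1001
    run ip rule add from "$CABLE_ADDR" lookup 102 priority 1002
    # Optional: non-proxied traffic from the guest LAN (for example the host the
    # VPN user reaches) can be steered the same way by its real source network.
    run ip rule add from "$GUEST_LAN" lookup 102 priority 1003
}

if [ "${1:-}" = apply ]; then
    squid_outgoing_snippet
    policy_routing
fi
```

Usage: `sh policyroute.sh apply` prints the Squid fragment and the `ip` commands; `DRY_RUN=0 sh policyroute.sh apply` executes them. Two caveats a practitioner should keep in mind: the bound-source trick only works when the proxy is the process opening the upstream connection (it does nothing for traffic that bypasses the proxy, which is why the optional source-network rule is there), and whether ASG 8.3's WebAdmin exposes an equivalent of `tcp_outgoing_address` is not something the post establishes, so on the appliance this is the mechanism to look for rather than a supported recipe.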