Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Routing to multiple gateways

  • 1.  Routing to multiple gateways

    Posted Jan 10, 2018 10:43 AM

    Maybe not the best subject, as gateway may be a bit confusing..

     

    Due to data quota limits from the ISP we've got to use multiple modems/routers, and I thought I had achieved that by setting up IP Routing like this:
    routing_100118.jpg

    This is just a simple test, and I want to add more modems when this actually works the way I want it to do.

     

    If a client is connected to VLAN20, it will be assigned a correct IP address according to the VLAN, the gateway will be 192.168.2.5, but it seems like if I take down the modem, the clients are still able to reach the internet.

    If I take down the modem, the client will stop/wait for some seconds, and then proceed as if nothing has happened.

     

    A redundancy would of course be nice (I've got an impression that it acts like that right now), but primarily I need the routes to work. I see that the data usage doesn't correspond with the setup, so something has got to be wrong..

     

    Is anyone here able to see what I've done wrong?



  • 2.  RE: Routing to multiple gateways

    EMPLOYEE
    Posted Jan 10, 2018 10:55 AM

    If you want clients to have a different uplink for their internet traffic, you should use PBR or Policy Based Routing.  This requires a special route ACL and an ip next-hop-list to redirect client traffic in the client's role.  Please see the thread here:  http://community.arubanetworks.com/t5/Wireless-Access/Setting-AP-PBR-on-controller/m-p/314467#M76169

     

    The limitation on setting up routes like you did above is that it does not take the source of the traffic as an argument as to how to route traffic.  PBR does.



  • 3.  RE: Routing to multiple gateways

    Posted Jan 10, 2018 06:35 PM

    Thank you very much Colin.

     

    I've followed your example as far as possible, and in most cases it works, but when we test it we see that sometimes we get the wrong external IP, e.g. going out through the wrong uplink.

    On the roles where the ACLs aren't connected, the external IP is correct; on roles with ACLs added the external IP is correct in most of the cases, but sometimes it switches over to the main uplink.

     

    Have you got any idea why this happens?  We see that the external IP changes during an active session without doing anything else than refreshing the webpage that shows our external IP..



  • 4.  RE: Routing to multiple gateways

    EMPLOYEE
    Posted Jan 10, 2018 08:10 PM
    Do you have more than one IP address in the next hop list? Try only one for now.


  • 5.  RE: Routing to multiple gateways

    Posted Jan 11, 2018 04:15 AM

    No, only one IP in the list.  Also removed all the routing found in the example from my initial post here.

     

    If it matters, both uplinks have an IP address from the same VLAN (192.168.1.1 and 192.168.1.2).

     

     

    Nexthop-List Entries
    --------------------
    Nexthop-list Name  Nexthop-list Id  Preemptive Failover  Active IP    Nexthop IPs(Priority)
    -----------------  ---------------  -------------------  ---------    ---------------------
    gateway1           0x4401           Enabled              192.168.1.2   192.168.1.2(128)

    ip access-list session userrules
    userrules
    ---------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         any     any          any                   permit                           Low                                                           4

    ip access-list route routingrules
    routingrules
    ------------
    Priority  Source  Destination  Service  Application  Action   NextHopList  IpsecMap  Tunnel  TunnelGroup  IPv4/6
    --------  ------  -----------  -------  -----------  ------   -----------  --------  ------  -----------  ------
    1         any     any          any                   forward                                              4
    2         any     192.168.1.1  any                   route    gateway1                                    4



  • 6.  RE: Routing to multiple gateways

    EMPLOYEE
    Posted Jan 11, 2018 06:37 AM

     

    ip access-list route routingrules
    routingrules
    ------------
    Priority  Source  Destination  Service  Application  Action   NextHopList  IpsecMap  Tunnel  TunnelGroup  IPv4/6
    --------  ------  -----------  -------  -----------  ------   -----------  --------  ------  -----------  ------
    1         any     any          any                   forward                                              4
    2         any     192.168.1.1  any                   route    gateway1                                    4


    If you want all of the traffic in that user role to go to gateway 1, the only (EDIT: two) rules you need above should be:

    any any svc-dhcp forward

    any any any route gateway 1
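
Added example (not part of the thread and not Aruba code): a small Python model of the route ACL posted above, assuming rules are evaluated in priority order with the first match winning. It shows that rule 2 of the posted list can never match behind `any any any forward`, and how the two suggested rules treat DHCP and web traffic; the function names and sample flows are constructed for illustration.

```python
import ipaddress

# Rules as (priority, source, destination, service, action, nexthop_list).
# POSTED is transcribed from the "routingrules" table in the thread;
# SUGGESTED is the two-rule version proposed in the reply above.
POSTED = [
    (1, "any", "any", "any", "forward", None),
    (2, "any", "192.168.1.1", "any", "route", "gateway1"),
]
SUGGESTED = [
    (1, "any", "any", "svc-dhcp", "forward", None),
    (2, "any", "any", "any", "route", "gateway1"),
]

def addr_match(spec, ip):
    """'any' matches everything; otherwise treat spec as a host or CIDR."""
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def decide(rules, flow):
    """Return (priority, action, nexthop_list) of the first matching rule.

    Assumption: first match in priority order wins; None means no match.
    """
    src, dst, svc = flow
    for prio, r_src, r_dst, r_svc, action, nhl in sorted(rules, key=lambda r: r[0]):
        if addr_match(r_src, src) and addr_match(r_dst, dst) and r_svc in ("any", svc):
            return prio, action, nhl
    return None

def shadowed(rules):
    """Priorities of rules that can never match because an earlier rule
    already covers every flow they describe (field is 'any' or identical)."""
    def covers(a, b):
        return all(x == "any" or x == y for x, y in zip(a[1:4], b[1:4]))
    ordered = sorted(rules, key=lambda r: r[0])
    return [b[0] for i, b in enumerate(ordered)
            if any(covers(a, b) for a in ordered[:i])]

if __name__ == "__main__":
    # Constructed flows: (client IP, destination IP, service name).
    web = ("192.168.2.50", "203.0.113.10", "svc-http")
    dhcp = ("192.168.2.50", "192.168.2.5", "svc-dhcp")
    for name, rules in (("posted", POSTED), ("suggested", SUGGESTED)):
        print(name, "web ->", decide(rules, web), "dhcp ->", decide(rules, dhcp),
              "shadowed:", shadowed(rules))
```
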



  • 7.  RE: Routing to multiple gateways

    Posted Jan 11, 2018 01:24 PM

    I've given that a try for several hours, but it still switched over to the other gateway sometimes.

     

    I realized that both gateways were in the default gateway list, with the same cost.

    Guess it's not the right way to do it at all, but when I set the first gateway at a higher cost, it worked just fine, and has done so ever since.

     

    Is this a bad way of doing it? One thing is that it's working right now, but most likely there will be added even another uplink in a while, where similar rules must be implemented.



  • 8.  RE: Routing to multiple gateways

    EMPLOYEE
    Posted Jan 11, 2018 02:53 PM

    Oh..!  You should only have a single default gateway for the controller, and allow the routing rules attached to a user role to control the user traffic.



  • 9.  RE: Routing to multiple gateways

    Posted Jan 19, 2018 08:12 AM

    I agree with you Colin, but somehow it won't work at all if the second gateway is removed from the controller.

    We are talking about the same place to define gateways?
    gateways.jpg

    If I remove the 192.168.1.2 gateway from the list, the clients are going through the main gateway immediately.

    PS: 3400 controller running 6.4.4.6



  • 10.  RE: Routing to multiple gateways

    EMPLOYEE
    Posted Jan 19, 2018 10:13 AM

    The controller should only need one default gateway for traffic to/from the controller.  The ip next hop list controls traffic to/from users.

     

     

    You should open a TAC case so that they can examine your setup.