
Issue to manage already configured "unlisted interfaces" via Policy manager

Question asked by markus.weiss.1 on Feb 9, 2017
Latest reply on Apr 22, 2017 by Stephen_Hughes

Hi Community,

we have the following issue using or configuring further "unlisted interfaces" on a cluster (GW1/GW2):

we would like to enable or configure the already configured unlisted ports via the Policy Manager (Manage Listen Ports).
I will try to explain the setup in detail to provide you an exact overview of what we have configured.


Current state, i.e. what we have configured:
- we have a cluster configuration with 2 Gateways which is running under Hyper-V as a virtual appliance
- on each GW we have configured the "physical interface" eth0 to reach the Gateways via the network (it is only allowed to use one interface "eth0" within the virtualization)
- on GW1 (primary) we have additionally configured unlisted interfaces:
    eth0:1 to use a "service1" with a dedicated IP (.111)
    eth0:2 to use a "service2" with a dedicated IP (.113)
- on GW2 (secondary) we have also configured unlisted interfaces:
    eth0:1 to use a "service1" with a dedicated IP (.111)
    eth0:2 to use a "service2" with a dedicated IP (.113)
- the communication to the Policy Manager for service1/service2 passes through the firewall via port 443
- port 8443 is the "manage access port" for the Policy Manager on interface eth0 (which is the physical interface -> cluster/two IPs)


Under Manage Listen Ports we have configured the following, but it doesn't work:
- service1 is configured to use interface eth0:1 (with two IPs -> cluster) on port 8445. The communication passes through the firewall via port 443 to the virtual interface and is routed internally to port 8445 (which is configured under Manage Listen Ports -> Manage Firewall Rules, redirect from 443 to 8445)
- service2 is configured to use interface eth0:2 (with two IPs -> cluster) on port 8444. The communication passes through the firewall via port 443 to the virtual interface and is routed internally to port 8444 (which is configured under Manage Listen Ports -> Manage Firewall Rules, redirect from 443 to 8444)


The result, i.e. the issue, is that all requests are routed via the physical interface eth0, as you can see in the iptables extract:
[ ~]# iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 771 packets, 52156 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  eth0   any     anywhere             anywhere            tcp dpt:opsession-prxy redir ports 3306
    0     0 REDIRECT   tcp  --  any    any     anywhere             anywhere            tcp dpt:http redir ports 8080
    0     0 REDIRECT   tcp  --  any    any     anywhere             anywhere            tcp dpt:https redir ports 8443
    0     0 REDIRECT   tcp  --  eth0   any     anywhere             anywhere            tcp dpt:https redir ports 8445
    0     0 REDIRECT   tcp  --  eth0   any     anywhere             anywhere            tcp dpt:https redir ports 8444


Why do we not see the interfaces eth0:1 and eth0:2? Do we have such a massive misconfiguration?

Does anybody have an idea how to handle the issue, or what the exact configuration is?


Best regards

markus
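An added check for listings like the one quoted above (example written for this thread, not code from the original post or from the gateway product): on Linux, eth0:1 and eth0:2 are address labels on the single device eth0, not devices of their own, so an iptables "in eth0" match sees traffic for all of those addresses, and a rule meant for one alias has to select by destination address (-d <alias IP>) instead. The script parses the PREROUTING output, flags interface-scoped REDIRECT rules that carry no destination address, and flags rules that an earlier, broader rule on the same port shadows (REDIRECT is terminating, so the first match wins). The LISTING text is the chain from the question, embedded as constructed sample input.

```python
import re

# Constructed sample input: the PREROUTING chain quoted in the question.
LISTING = """\
Chain PREROUTING (policy ACCEPT 771 packets, 52156 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  eth0   any     anywhere             anywhere            tcp dpt:opsession-prxy redir ports 3306
    0     0 REDIRECT   tcp  --  any    any     anywhere             anywhere            tcp dpt:http redir ports 8080
    0     0 REDIRECT   tcp  --  any    any     anywhere             anywhere            tcp dpt:https redir ports 8443
    0     0 REDIRECT   tcp  --  eth0   any     anywhere             anywhere            tcp dpt:https redir ports 8445
    0     0 REDIRECT   tcp  --  eth0   any     anywhere             anywhere            tcp dpt:https redir ports 8444
"""

# Columns of `iptables -t nat -L -v`: pkts bytes target prot opt in out source destination [match]
RULE_RE = re.compile(
    r"^\s*\S+\s+\S+\s+REDIRECT\s+(?P<proto>\S+)\s+\S+\s+(?P<in>\S+)\s+\S+\s+"
    r"\S+\s+(?P<dst>\S+)\s+\S+\s+dpt:(?P<dport>\S+)\s+redir ports\s+(?P<to>\d+)"
)
ANY_DST = {"anywhere", "0.0.0.0/0"}  # plain -L prints the former, -L -n the latter


def parse_redirects(listing):
    """Return the REDIRECT rules of the listing as dicts, in chain order."""
    return [m.groupdict() for m in map(RULE_RE.match, listing.splitlines()) if m]


def audit(listing):
    """Return (redirect_port, problem) findings, in chain order."""
    findings = []
    rules = parse_redirects(listing)
    for i, r in enumerate(rules):
        # eth0:1 / eth0:2 are address labels on the device eth0, so "in eth0" with
        # destination "anywhere" matches every address on the NIC; a rule meant for
        # one alias needs a destination address (-d <alias IP>) to single it out.
        if r["in"] != "any" and r["dst"] in ANY_DST:
            findings.append((r["to"], f"no destination address: matches every IP on {r['in']}"))
        # REDIRECT is a terminating target and the first matching rule wins, so an
        # earlier rule on the same port with an equal-or-broader match takes the packet.
        for earlier in rules[:i]:
            if (earlier["proto"], earlier["dport"]) == (r["proto"], r["dport"]) \
               and earlier["dst"] in ANY_DST | {r["dst"]} \
               and earlier["in"] in ("any", r["in"]):
                findings.append((r["to"], f"never reached: shadowed by redirect to {earlier['to']}"))
                break
    return findings


if __name__ == "__main__":
    for port, problem in audit(LISTING):
        print(f"redirect to {port}: {problem}")
```

Run against the quoted chain it reports that the 8445 and 8444 redirects match all of eth0 and are both shadowed by the generic https -> 8443 rule ahead of them.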
