Outbound routing question

Hi all - thanks in advance for any help given. I’ve got a strange outbound routing question. I’ve got 2 routers, with a series of devices connected behind them, one in New Zealand, one in Australia. Our NZ device is not given a Public WAN address by our ISP, while our Australian device is given 2 (on purpose). We have a finance app that needs to talk to and from the Internet via the second Public IP we are given on our Australian connection. I already have an outbound NAT rule in place so that the finance workstation in Australia NATs out all Internet traffic from the right IP address, but how do I do the same from a new finance workstation in NZ?

I’ve attached a quick diagram of the network layout for easy reference.

Australia Router #1
WAN IP 1 – 130.102.4.19
WAN IP 2 - 130.102.4.20
LAN IP – 192.168.20.1/24

New Zealand Router #2
WAN IP – 10.10.10.10
LAN IP – 192.168.10.1/24

PC #2 in Australia = 192.168.20.45 and outbound NATs to the 130.102.4.20 WAN IP 2.
PC #2 in NZ = 192.168.10.55 and needs to cross the VPN tunnel and outbound through the same Public IP now.

How do I configure the NZ router to forward all traffic across to Australia, and then have the Australian router NAT the traffic back over the VPN successfully?

Thanks for any help and guidance

Jay

Hello @jbasford, welcome to the forum!

If I understand it correctly: you already have a site-to-site VPN between net 192.168.10 (NZ) and 192.168.20 (AU) up and running. Now you want to relay ALL traffic from NZ through the AU router?

If so, perhaps something similar to this is applicable: “Site-To-Site VPN tunnel while accessing internet from one router”

EDIT:
Assuming you are using IPsec, you may skip the “road warrior” part at the end of the post as I assume that NZ is already configured as an IPsec initiator due to lack of public IP.

Larsa - thanks for the quick reply and apologies it has taken me a while to get back to you.

I don’t need to route the whole network from one side of the VPN to the other, I just need to route a specific PC on the NZ side to be outbound across the link and to appear to the Internet as coming from Australia.

If the tunnel is an interface you could mark the routes for source address 192.168.10.55 and select the AUS gateway as default gateway for that mark. If the tunnel is policy based you could just include that source address in the policy and set the default gateway correctly on the PC.
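
The route-based variant of the last suggestion, as an added example that is not part of any reply in the thread: it assumes both routers are Linux boxes using iproute2 and iptables, and the interface names `tun-au` and `wan0`, the table id `100` and the rule priorities are hypothetical; the addresses are the ones from the question. It scopes the policy route and the source NAT to the single finance PC so no other NZ host can leave via the Australian public IP.

```shell
#!/bin/sh
# Added example. Assumptions: Linux routers, route-based tunnel,
# hypothetical interface names tun-au (NZ side) and wan0 (AU side).
NZ_PC=192.168.10.55        # finance workstation in NZ (from the post)
NZ_LAN=192.168.10.0/24     # NZ LAN (from the post)
AU_WAN2=130.102.4.20       # second public IP in Australia (from the post)
TABLE=100                  # hypothetical routing table id

# Dry run by default: print each command. Set APPLY=1 to execute as root.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# NZ router: send only the finance PC's Internet-bound traffic into the tunnel.
nz_router() {
    # Traffic from the PC to its own LAN keeps using the main table.
    run ip rule add from "$NZ_PC" to "$NZ_LAN" lookup main priority 90
    # Everything else from the PC is looked up in the dedicated table...
    run ip rule add from "$NZ_PC" lookup "$TABLE" priority 100
    # ...whose only route is a default route through the tunnel to Australia.
    run ip route add default dev tun-au table "$TABLE"
}

# AU router: source-NAT that one host to the second public IP on the way out.
# Replies are un-NATed by conntrack and follow the existing route to the NZ LAN.
au_router() {
    run iptables -t nat -I POSTROUTING -s "$NZ_PC" -o wan0 \
        -j SNAT --to-source "$AU_WAN2"
}

# Usage: script.sh nz | script.sh au   (no argument: define functions only)
case "${1:-}" in
    nz) nz_router ;;
    au) au_router ;;
esac
```

For a policy-based IPsec tunnel the routing table is not consulted, so the equivalent change is a traffic selector covering 192.168.10.55 to any destination on both peers, with the same SNAT rule on the Australian side.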