watchguard xtm 525 - how to force ports to leave on the same IP they arrived?


Jun 21, 2008
Using a WatchGuard firewall/router to load balance two ISPs. In the Policy Manager I have certain ports set to allowed that come from a static IP on one of the ISPs, and they get forwarded to the internal IP of a server. The problem is that the server, if I do a whatsmyip, shows the IP of the other ISP. So what I assume is happening is that the request is coming in and getting forwarded properly, but because it's sending out under a different IP they are being dropped.

Does anyone have any idea how to fix this? I know it's very specific, but I am stuck.

lol ... of course they are getting dropped ... as they should be.

You want someone to connect to IP x.x.x.x and accept replies from y.y.y.y?


Seriously, what you're doing is for outbound connections only. To do inbound load balancing across ISPs you will need the cooperation of the ISPs. I'm guessing that the static IP is assigned to the firewall interface and you're using PAT to get it inside. Is that correct? If so, see my first sentence. It won't work. If you truly have a static public IP on the server then you may be able to send the replies across the other ISP, if you don't hide-NAT the reply, but not likely, as it will be detected as a spoofed address and dropped.

In short, unless you move the server out of the IT ghetto, it needs to communicate through the interface that owns the IP you're using for PAT.
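A small model of the failure the reply describes, added here as an illustration and not taken from the thread or from WatchGuard: a client opens a connection to the static IP on ISP A, the port-forward sends it to the internal server, and the reply either follows the default route out ISP B (dropped by the client, since the source IP no longer matches the connection it opened) or is pinned to the WAN it arrived on. All addresses, ports and class names are constructed for the example.

```python
from collections import namedtuple

# Constructed RFC 5737 addresses; not a real deployment.
WAN_A = "192.0.2.10"      # static IP the port-forward is published on (ISP A)
WAN_B = "198.51.100.10"   # IP the default outbound route uses (ISP B)
SERVER = "10.0.0.5"       # internal server behind the port-forward
CLIENT = "203.0.113.77"   # remote client connecting to WAN_A:443

Packet = namedtuple("Packet", "src sport dst dport")

class MultiWanRouter:
    """Port-forwards WAN_A:443 to SERVER and chooses the egress WAN for replies."""
    def __init__(self, sticky_return):
        self.sticky_return = sticky_return
        self.flows = {}  # (client_ip, client_port) -> WAN IP the flow arrived on

    def inbound(self, pkt):
        # DNAT: remember the ingress WAN, rewrite the destination to the server.
        self.flows[(pkt.src, pkt.sport)] = pkt.dst
        return Packet(pkt.src, pkt.sport, SERVER, pkt.dport)

    def outbound(self, pkt):
        # Reply from the server: pick the egress WAN and SNAT to its address.
        # Without sticky return the reply follows the default route out WAN_B.
        ingress = self.flows.get((pkt.dst, pkt.dport))
        egress = ingress if (self.sticky_return and ingress) else WAN_B
        return Packet(egress, pkt.sport, pkt.dst, pkt.dport)

class ClientStack:
    """The client's TCP stack accepts only segments matching the 4-tuple it opened."""
    def __init__(self):
        self.open = set()

    def connect(self, dst, dport, sport):
        self.open.add((CLIENT, sport, dst, dport))
        return Packet(CLIENT, sport, dst, dport)

    def accepts(self, pkt):
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.open

def simulate(sticky_return):
    """Return (source IP of the reply as seen by the client, whether it is accepted)."""
    router, client = MultiWanRouter(sticky_return), ClientStack()
    syn = client.connect(WAN_A, 443, 51000)
    at_server = router.inbound(syn)
    syn_ack = Packet(at_server.dst, at_server.dport, at_server.src, at_server.sport)
    reply = router.outbound(syn_ack)
    return reply.src, client.accepts(reply)
```

With `sticky_return=False` the reply leaves as 198.51.100.10 and the client discards it; with `sticky_return=True` it leaves as 192.0.2.10, the address the client actually connected to.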