Single WAN always active with multiple WAN ifaces?

I’ve installed a nethserver with multiple WANs just for easy routing between GREEN ifaces to other different RED ifaces.

The problem I’m facing is that when i do changes to the firewall or any other nethserver for that matter it sometimes changes my active WAN iface so that I can’t reach it from where I am right then and there. I then need to go and connect physically to that network just to reach it and activate the right WAN again.

Is there some way to just use single WAN instead and not risking nethserver changing my WAN?

I have tried change all but the WAN i want to DMZ or BLUE ifaces, but I can’t figure out how where to route the traffic with static routes to get it working… Am I missing something?

I have one GREEN iface and seven RED ifaces at the moment.

NethServer Version: NethServer release 7.9.2009 (final)

Welcome @lonnestig ,

AsFarAsIKnow the intended use of multiple RED interfaces is either load-balancing or fail-over.

So maybe someone can help you better if you explain what you are trying to achieve with seven RED interfaces…


Thank you Mark!

The thing is that I don’t want seven red interfaces.
The only reason they are red today is because of the routing
from green to red is done automatically in nethserver and I need to reach everything on six of these seven red interfaces, thats the only reason.

Today we have different production VLANs that needs to be reachable from one single network just so that we
don’t need to give all the client computers all these VLANs just to reach all they need to reach in our network.

Example of how it is today:


RED: 1. 77.250.xx.xx (Incoming internet)
2. (production VLAN 10)
3. (production VLAN 20)
4. (production VLAN 30)
5. (production VLAN 40)

Here I want everyone that connects to VLAN 2 to also have access to VLANs 10,20,30,40.

This is just how I want it, but I dont VLAN 10,20,30,40 to be RED interfaces.
I would like them to be BLUE or ORANGE instead, but then I can’t seem to route
the traffic so that the GREEN interfaces gets access to those BLUE or ORANGE networks.

That is what I need help with.

Thank you in advance!

Regards Hampus

One more question, where does the (default) router of your networks fit in this picture
(or in other words do you plan to use Nethserver as router or an other dedicated router ?)

Nethserver is planned to be used as the dedicated router and firewall.
Removing an old Zyxel hardware firewall.

Creating a static route is a bit hidden in NS (in System > Network )

click on the three dots on the right then Create route


(EDIT: Note one cannot route orange (DMZ) to green (LAN) )

That doesn’t work for me.
I have tried it multiple times…

DMZ: (Can’t have GW on DMZ)

then the route on the green interface should be


Or am I in the wrong?

Sorry to have confused you :hushed: (See edit above)

You are right one can not route GREEN <> ORANGE (DMZ), ORANGE can only route to RED.
GREEN > BLUE is possible , however by default BLUE can route to RED. (So this would not fit your needs)
And AFAIK you can make a FW-rule to block all BLUE networks to RED however not configure this per BLUE network.
To make this rule you need to install the “Basic Firewall” from the Software center then go to > Applications and click the blue “settings” button of the Firewall

(tip: while you are in applications you may want to hit the 3 dots and make a shortcut, the Firewall module should show up in the left menu)

1 Like

Not being an network expert this configuration hit’s my knowlage and it even may hit NS’s possibilities…

This being said hope others will chip in and the following could be wrong :hushed:

  • Put VLAN 10,20,30,40 on a BLUE Network,
  • make static routes from GREEN (VLAN 2) to the BLUE networks
  • If the BLUE networks should not to have Internet access make a FW-rule to drop all requests (any) from BLUE to RED and vice-versa.

AFAIK one needs to create a static route between GREEN networks too, meaning without this route two (or more) GREEN networks are isolated too.
So, if you want (as an example VLAN 10) to have I-net access give it a GREEN role; NOTE this network has access to the services of the Netserver.

I have changed some of them to BLUE networks now and made static routes from GREEN to BLUE but it still doesn’t work…
I don’t know what I’m doing wrong. In my world this should work too.

Ok, @lonnestigwhat would you want to achieve?
What are production vlans for you? Have you a project about the network that any vlan should reached and being reached from?

I thing I want to achieve is that I want a client computer to connect to VLAN 2 and then automatically have access to VLAN 10,20,30,40 through that connection without having to connect with a VPN or a physical ethernet cable to reach those networks.

So I want to have routes from GREEN to those BLUE interfaces.
It works if they are RED but then I get problem that sometimes nethserver change which RED interface that should be active, so I can’t have them being RED interfaces.

To be quite frank is does work here.

Did enable DHCP on BLUE to get an IP

Both can ping and (DNS works)
I am able to ping and ssh in (on Blue) from (on Green) , not vice-versa
I am able to ping and ssh in debvm01 form Green , so dns works too

Stunned it does not work for you :thinking:

@pike Two of my production VLANs is IPMI and Switch management for example.

@mark_nl I have it setup exactly like that but I can’t get it to work?! This is really wierd…

And the Client on BLUE receives an IP from the Nethserver or has the BLUE network an second router/dhcp-server?

The BLUE has not router. It’s static on all clients. I can reach them from nethserver terminal when I ping for example, but when I ping from eth1 which is the GREEN interface I timeout.
ping -i eth1

Longshot: can you try to enable the DHCP server on the blue network?

Maybe this triggers the nethserver to be the router of the network

Not making it up it work here: :thinking:

EDIT: Do the static clients show up if the scan (System > DHCP > Scan network) the network ?

Summoning @giacomo for a bit more insights…
Creating a Blue network segment, even without DHCP enabled, should trigger routing and standard firewall creation… Am I wrong?

@mark_nl When I scan the BLUE network I see all my connected devices on that BLUE network so I shouldn’t need to enable DHCP.

And those clients with a fixed-IP on all networks have the correct gateway configured?

AFAIK (in your setup)
GREEN clients need to use gateway
BLUE clients need to use gateway

here on the green client:

# ip route
default via dev eth2 dev eth2 proto kernel scope link src 

on the blue client:

# ip route
default via dev ens18 dev ens18 proto kernel scope link src