Case: Fan feedback: The router login page can be opened, but an error message appears after entering the account/password
2025.03.28
The case shared in this issue concerns a corporate network problem.
Background Introduction
A fan reported that their company has one headquarters and three branches: A, B, and C. The headquarters has a public IP address, and the branches have private addresses. One day, after adding multiple broadband lines, branch A found that the PCs on its intranet could not access the headquarters router through its public IP address. The symptom: the login page opens, but after the account and password are entered, a "Request timeout" error is reported and the browser immediately returns to the login page.
Existing analysis
Comparative test: IT staff ran a comparative test and found that access was normal from a mobile network and from PCs in branch B and branch C. The topology is as follows:
Problem diagnosis
(1) First of all, this symptom looks exactly like being "squeezed out". From it we judge that the headquarters router can be used by only one session/user at a time; any additional session squeezes out the existing one;
(2) On this premise, and since the problem appeared only after "adding multiple broadbands", it is not difficult to guess that when the PC in branch A accesses the headquarters router, multiple sessions go out through different WAN ports and each establishes its own connection with the headquarters router, so the sessions squeeze each other out. Therefore, check the relevant configuration first:
Routing table
Policy routing
From the above, the routing table is normal, but the policy routing configuration for the default network sends traffic out arbitrarily through pppoe1 or pppoe2. It is therefore possible that the PC's sessions reach the headquarters router separately over each line.
(3) A packet capture on the branch A PC while it accesses the headquarters router's web page clearly shows the PC initiating multiple TCP SYN connections, with incrementing source ports, to the destination IP:
(4) A simultaneous packet capture on the WAN port of the headquarters router shows that there are indeed 2 access request flows from different public IPs:
(5) The public IPs of PPPoE1 and PPPoE2 on branch A's two broadband lines match the source IPs seen at the headquarters:
Analysis results
After multiple broadband lines were added to branch A, the PC opens multiple TCP sessions (with increasing source ports) to the same destination when it accesses the web page of the headquarters router;
These TCP flows go out through different WAN ports and each establishes its own connection with the headquarters router;
Since the source IPs are inconsistent and the headquarters router supports only one session at a time, the sessions squeeze each other out and the management page cannot be accessed normally.
Solution
After testing, the problem appears to be related to the policy routing entry that selects both pppoe1 and pppoe2:
After deleting/disabling this entry, the TCP flows to a single destination IP go out through the same WAN port, and the headquarters router's management page can be logged in to normally.
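The diagnosis and the fix can be modelled in a few lines. This is an added example, not code from the original case or from either router: it assumes the branch router picks a WAN round-robin per new TCP connection and that the headquarters router ties its single admin session to the source IP it sees. All addresses are constructed, and the class and function names are hypothetical.

```python
from collections import defaultdict
from itertools import count

# Constructed values (documentation address ranges), not taken from the case.
WANS = {"pppoe1": "203.0.113.10", "pppoe2": "198.51.100.20"}
PC, HQ = "192.168.10.25", "192.0.2.1"

class BranchRouter:
    """Assumed model: round-robin WAN choice per new TCP connection, or,
    with pin_by_destination, one WAN per (source IP, destination IP)."""
    def __init__(self, pin_by_destination):
        self.pin = pin_by_destination
        self._next = count()
        self._pinned = {}

    def egress(self, src_ip, dst_ip):
        names = sorted(WANS)
        if not self.pin:
            return names[next(self._next) % len(names)]
        key = (src_ip, dst_ip)
        if key not in self._pinned:
            self._pinned[key] = names[next(self._next) % len(names)]
        return self._pinned[key]

def browse(router, src_ports):
    """The PC opens one TCP connection per source port to the HQ web page."""
    flows = []
    for sport in src_ports:
        wan = router.egress(PC, HQ)
        flows.append({"src": PC, "sport": sport, "dst": HQ,
                      "wan": wan, "nat_ip": WANS[wan]})
    return flows

def split_destinations(flows):
    """Branch-side check: (src, dst) pairs that left through more than one WAN."""
    seen = defaultdict(set)
    for f in flows:
        seen[(f["src"], f["dst"])].add(f["wan"])
    return {pair: sorted(w) for pair, w in seen.items() if len(w) > 1}

def hq_evictions(flows):
    """Assumed HQ behaviour: a single admin session tied to the source IP it
    sees; a request from another source IP squeezes out the current one."""
    owner, evictions = None, 0
    for f in flows:
        if owner is not None and f["nat_ip"] != owner:
            evictions += 1
        owner = f["nat_ip"]
    return evictions
```

Running `browse` with four consecutive source ports through `BranchRouter(False)` gives a split destination and repeated evictions at the headquarters; through `BranchRouter(True)` every flow carries the same public source IP and nothing is evicted.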