topic Re: Policy-based routing interrupts non-rule hosts in Firewall and Security Management

Policy-based routing interrupts non-rule hosts

Exonix — Fri, 11 Feb 2022 13:28:54 GMT

Hello everyone,

we have got a very strange case. Management Server and Security Gateway (cluster) are R81.10

there is a Rule: a "host group" to "public_internet" - accept, rule number 12. Very common rule.

policy-based routing: if rule number is 12 - use Table 2, which routes all traffic via an interface

It works, but! There are two hosts, and as long as this PBR is enabled, they cannot communicate with each other. I see that the traffic came to one firewall interface (source server is connected to this interface), but didn't leave the other (target server is connected to the second interface). The hosts are not members of the group in the Rule 12! As soon as I delete the PRB - everything works again. What is wrong and how to fix it?

The Table PRBZ is used by another PRB with other Rules - but it doesn't affect the hosts:

Thank you in advance.

Re: Policy-based routing interrupts non-rule hosts

Timothy_Hall — Fri, 11 Feb 2022 16:56:50 GMT

Next step will be to have the PBR rule active and then run fw ctl zdebug + drop and have the two hosts try to talk to each other that aren't working. The drop reason given should provide a clue.

If you don't see anything related to those two hosts in the zdebug output at all it is a routing issue, try running tcpdump/cppcap and figure out where the traffic is going that is not coming out on the expected interface, it is I imagine improperly leaving on your PBR rule's interface. Try disabling SecureXL for the two problematic hosts only with the steps in the SK below, if that still doesn't have any effect it is probably time for a TAC case.

sk104468: How to disable SecureXL for specific IP addresses

Re: Policy-based routing interrupts non-rule hosts

Exonix — Tue, 15 Feb 2022 12:09:40 GMT

We have adjusted rule 12. Now we only allow certain ports - it works.

Thank you.