topic Re: Policy Based Routing for only internet traffic in Firewall and Security Management

Policy Based Routing for only internet traffic

Mithu — Mon, 15 Jun 2020 07:15:02 GMT

Team,

Is it possible to configure for internet traffic or IP range in destination, One of my Customer wants to route for particular VLAN traffic should use third internet link but customer environment have 30 routing entry for their enterprise network so in this case, I need to configure 30 PBR entry for the internal networks?

Re: Policy Based Routing for only internet traffic

PhoneBoy — Wed, 17 Jun 2020 17:28:23 GMT

From R80.30, you can create PBR rules where the default route is the destination.
Meaning, you only need one PBR route for that VLAN to be routed out a different Internet connection.

In earlier releases, you can achieve something similar by creating a series of more specific PBR routes.

Re: Policy Based Routing for only internet traffic

Mithu — Fri, 03 Jul 2020 13:40:45 GMT

@PhoneBoy Agreed that solution provides for internet traffic through another ISP, when I put similar PBR for particular VLAN all the traffic including internal subnet also forwarded to ISP link, herewith I have attached simplified network overview.

Scenarios:

1. ISP 1 - Primary INT

2.ISP 2 - Specific user internet access (managers)

3.ISP 3 - Specific server segment internet access

Near Future expansion

4. ISP-4 SIP link for softPBX server

5.ISP-5 secondary internet going to participate ISP redundancy

I believe PBR table would be enormous also very hard to manage, Please suggest best practice to maintain less configuration to fulfill the requirement (please consider MPLS network will be used by users/servers to access some service from corporate network)

Re: Policy Based Routing for only internet traffic

PhoneBoy — Sat, 04 Jul 2020 07:34:29 GMT

What precise release are you running?
If it's less than R80.30, I highly recommend upgrading for reasons beyond just this issue.
If you don't want to upgrade, you'd basically have to create a number of routes that exclude your internal address space.
It's difficult to tell from the very generic network diagram you provided what the scope of this challenge would be.
If the environment changes regularly, then even once you've configured it, maintaining it will be an ongoing challenge.
In which case, you'll save yourself a lot of work by upgrading.

Re: Policy Based Routing for only internet traffic

Mithu — Sat, 04 Jul 2020 07:40:34 GMT

@PhoneBoy I have upgraded to R80.30 OS, So what is the best way to configure PBR. The best practice??

Re: Policy Based Routing for only internet traffic

PhoneBoy — Sat, 04 Jul 2020 08:04:41 GMT

The way routing works in general is more specific routes will be preferred over routes that are more general (like the default route).
So if you have routes for those other networks on your gateway, then you should just need a single PBR route with source that VLAN, destination default route.
It's possible that you might also need to create more specific PBR routes for those other networks as well as I'm not entirely clear on how "regular" routes and "PBR" routes interact in this case.

Re: Policy Based Routing for only internet traffic

Mithu — Sat, 04 Jul 2020 08:57:18 GMT

I understood, but the default route includes all the addresses(any), it would be much easier if there is an option in PBR for internet routes (Public IP addresses only). Please consider this in future releases.

Re: Policy Based Routing for only internet traffic

timothyjwitt — Tue, 04 Oct 2022 16:07:07 GMT

Hi Mithu - Would like to know what you did to resolve the internet only issue, we are facing the same challenges.
Thanks,
Tim

Re: Policy Based Routing for only internet traffic

RS_Daniel — Tue, 04 Oct 2022 17:08:05 GMT

Hello,

You have to create another PBR table which includes all your local network and static routes and apply that table before the 'internet only' pbr rule. It is very well explained in this post

Solved: Route specific subnet out second ISP interface - Check Point CheckMates

Regards