topic Directing specific ports traffic to second ISP interface in Firewall and Security Management

Directing specific ports traffic to second ISP interface

Rui_Meleiro — Wed, 26 Jul 2017 17:08:24 GMT

On a 5100 R80.10, need to direct all outbound traffic on port TCP/80 to a second ISP interface.

Already checked:

- ISP redundancy (no port control, even on load-balancing)

- Policy Based Routing (cannot define the general destination 0.0.0.0/0.0.0.0 on any rule)

Did any one found any solution or workaround to this?

Re: Directing specific ports traffic to second ISP interface

PhoneBoy — Wed, 26 Jul 2017 23:36:13 GMT

Instead of trying to do a 0.0.0.0, you might try breaking the Policy-Based Routes into a series of smaller routes, such as:

0.0.0.0/1
128.0.0.0/2
192.0.0.0/3

That should cover anything routable via IPv4 on the Internet (and some stuff that isn't).

Re: Directing specific ports traffic to second ISP interface

Rui_Meleiro — Thu, 27 Jul 2017 00:07:47 GMT

So, subnetting the Internet is the answer.

Please don't get me wrong, I appreciate your suggestion as a great workaround - wish I had thought of it before.

But, having used Checkpoint in the late 90's and now again since June 2017, I'm continuously amazed by these "limitations" that keep appearing that have been already addressed by other manufacturers I have worked with in the past (Cisco, Fortinet...). Why Checkopint won't use something that was devised specifically for these situations ("quad-zero route" or "gateway of last resort") continuously amazes me.

Thanks again Dameon.

Re: Directing specific ports traffic to second ISP interface

PhoneBoy — Thu, 27 Jul 2017 00:37:20 GMT

Subnetting the Internet was just me being creative.

I did ask R&D and the official answer is to create a rule that specifies both the inbound interface and TCP port 80.

Just specifying the TCP port isn't sufficient.

When you do that, you can use a default route as the destination.

Re: Directing specific ports traffic to second ISP interface

Rui_Meleiro — Thu, 27 Jul 2017 01:03:27 GMT

Creative indeed. I had in fact tried several combinations on PBR including specifying the inbound interface and port, and PBR works pretty well on specific subnets. My question was on the quad-zero route and how to specify it as the interface disallows it.

Time to get a good IP calculator and work my way around 10.0.0.0/8, 192.168.0.0/16...

Re: Directing specific ports traffic to second ISP interface

PhoneBoy — Thu, 27 Jul 2017 05:02:15 GMT

I think I was able to do it without subneting.

As a test, I routed port 8080 out a different interface.

I confirmed a TCP connection to port 8080 to some random Internet host was indeed routing out the specified interface.

It looks like this in the Gaia WebUI:

The "test" route was created like this:

(Note, I clicked the "default" here, but the IP here is most definitely not my default route)

The policy rule looks like this:

Hope that helps.

Re: Directing specific ports traffic to second ISP interface

Rui_Meleiro — Thu, 27 Jul 2017 17:36:58 GMT

Now, that's an elegant solution. Somehow I understood "default route" as "default gateway" and not by face value. I can confirm it does work, although the requests are being NAT'ed, which I think they shouldn't. But the main issue of service routing is accomplished, thank you.

And, of course, my previous rant on Checkpoint is meaningless now