topic Re: can i bypass PBR for internal networks in General Topics

can i bypass PBR for internal networks

Amir_Arama — Thu, 02 Dec 2021 08:54:03 GMT

Hi there,

i'm pretty sure it's not possible, but i'll ask anyway

here is the scenario.

we have an sdwan in dmz behind the FW.

the fw have ospf vs the sdwan so it gets updated dynamically on the availability of remote networks, and also have bgp against other fw's with bgp as a backup path.

now i want to create a pbr rule that if users goes to default route (intetnet surf) then the next hop will be the sdwan, so internet traffic will be controlled by the sdwan only.

the thing is if i do that, than routes to internal networks will not go to dynamic routes from that source lan, they will stuck at pbr where they are the mached.

is there anyway to tell the pbr that if the dst is internal network than bypass to kernel routes, and if it isn't then take the default route from pbr.

or any other way.

thanks

Re: can i bypass PBR for internal networks

Wolfgang — Thu, 02 Dec 2021 09:44:17 GMT

PBR rules are checked before all other routing services (static or dynamic routes). Only if your PBR filter does not match the packets are forwarded to the other routing daemons for processing.

Re: can i bypass PBR for internal networks

Amir_Arama — Thu, 02 Dec 2021 11:22:45 GMT

i know this how it works formally. this is why i asked if there is a way to make a bypass somehow in my scenario. i guess there isn't.

thx

Re: can i bypass PBR for internal networks

Wolfgang — Thu, 02 Dec 2021 13:11:53 GMT

As an idea....

Try to define your PBR rules not only with filters for source use ports too if possible.

Another way ... create PBR rules for your internal networks as destination and use more then one gateway as next hops. Then you can define priorities for this PBR routes and you can use "monitored IPs" to check the availability of links for these routes. With this you get something something like a "dynamic" routing for the PBR rules.