Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Nickel

Directing specific ports traffic to second ISP interface

Jump to solution

On a 5100 R80.10, need to direct all outbound traffic on port TCP/80 to a second ISP interface.

Already checked:

- ISP redundancy (no port control, even on load-balancing)

- Policy Based Routing (cannot define the general destination 0.0.0.0/0.0.0.0 on any rule)

Did any one found any solution or workaround to this?

0 Kudos
1 Solution

Accepted Solutions
Highlighted
Admin
Admin

Subnetting the Internet was just me being creative. Smiley Happy

I did ask R&D and the official answer is to create a rule that specifies both the inbound interface and TCP port 80.

Just specifying the TCP port isn't sufficient.

When you do that, you can use a default route as the destination.

View solution in original post

0 Kudos
6 Replies
Highlighted
Admin
Admin

Instead of trying to do a 0.0.0.0, you might try breaking the Policy-Based Routes into a series of smaller routes, such as:

  • 0.0.0.0/1
  • 128.0.0.0/2
  • 192.0.0.0/3

That should cover anything routable via IPv4 on the Internet (and some stuff that isn't).

0 Kudos
Highlighted
Nickel

So, subnetting the Internet is the answer.

Please don't get me wrong, I appreciate your suggestion as a great workaround - wish I had thought of it before.

But, having used Checkpoint in the late 90's and now again since June 2017, I'm continuously amazed by these "limitations" that keep appearing that have been already addressed by other manufacturers I have worked with in the past (Cisco, Fortinet...). Why Checkopint won't use something that was devised specifically for these situations ("quad-zero route" or "gateway of last resort") continuously amazes me.

Thanks again Dameon.

0 Kudos
Highlighted
Admin
Admin

Subnetting the Internet was just me being creative. Smiley Happy

I did ask R&D and the official answer is to create a rule that specifies both the inbound interface and TCP port 80.

Just specifying the TCP port isn't sufficient.

When you do that, you can use a default route as the destination.

View solution in original post

0 Kudos
Highlighted
Nickel

Creative indeed. I had in fact tried several combinations on PBR including specifying the inbound interface and port, and PBR works pretty well on specific subnets. My question was on the quad-zero route and how to specify it as the interface disallows it. 

Time to get a good  IP calculator and work my way around 10.0.0.0/8, 192.168.0.0/16...

0 Kudos
Highlighted
Admin
Admin

I think I was able to do it without subneting.

As a test, I routed port 8080 out a different interface.

I confirmed a TCP connection to port 8080 to some random Internet host was indeed routing out the specified interface.

It looks like this in the Gaia WebUI:

The "test" route was created like this:

(Note, I clicked the "default" here, but the IP here is most definitely not my default route)

The policy rule looks like this:

Hope that helps.

Highlighted
Nickel

Now, that's an elegant solution. Somehow I understood "default route" as "default gateway" and not by face value. I can confirm it does work, although the requests are being NAT'ed, which I think they shouldn't. But the main issue of service routing is accomplished, thank you.

And, of course, my previous rant on Checkpoint is meaningless now