Amir_Arama
Collaborator

Can I bypass PBR for internal networks?

Hi there,

I'm pretty sure it's not possible, but I'll ask anyway.

Here is the scenario.

We have an SD-WAN in the DMZ behind the FW.

The FW has OSPF with the SD-WAN, so it gets updated dynamically on the availability of remote networks, and it also has BGP against other FWs, with BGP as a backup path.

Now I want to create a PBR rule so that if users go to the default route (internet surfing), the next hop will be the SD-WAN, so internet traffic will be controlled by the SD-WAN only.

The thing is, if I do that, then routes to internal networks will not go to the dynamic routes from that source LAN; they will get stuck at PBR, where they are matched.

Is there any way to tell the PBR that if the dst is an internal network, then bypass to the kernel routes, and if it isn't, then take the default route from PBR?

Or any other way?

Thanks

0 Kudos
3 Replies
Wolfgang
Leader

PBR rules are checked before all other routing services (static or dynamic routes). Only if your PBR filter does not match are the packets forwarded to the other routing daemons for processing.

0 Kudos
Amir_Arama
Collaborator

I know this is how it works formally. This is why I asked if there is a way to make a bypass somehow in my scenario. I guess there isn't.

thx

0 Kudos
Wolfgang
Leader

As an idea....

Try to define your PBR rules not only with filters for the source; use ports too, if possible.

Another way... create PBR rules for your internal networks as destination and use more than one gateway as next hops. Then you can define priorities for these PBR routes, and you can use "monitored IPs" to check the availability of links for these routes. With this you get something like "dynamic" routing for the PBR rules.

0 Kudos
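The lookup order from the first reply (PBR rules first, kernel routes only for packets no rule matches) and the two workarounds from the last reply, as an added example that is not part of the thread and not Check Point code. The model below is a simplified one: a PBR rule matches on source, destination and port, its action table is looked up by longest prefix, a next hop with a monitored IP is skipped while that IP is down, and a matched rule with no usable route is assumed to fall through to the RIB (an assumption of the model, not documented Gaia behaviour). Topology, addresses, priorities and table names are constructed for the example.

```python
"""Toy model of the thread's lookup order: PBR rules first, then the
kernel routing table (RIB) that OSPF/BGP populate.

Added example, not code from the thread or from Check Point. It shows why a
source-only PBR rule pins internal traffic to the SD-WAN even when the RIB
holds a BGP backup route, and models the reply's two workarounds: matching
ports, and destination rules with prioritized, monitored next hops.
All addresses, networks, priorities and table names are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class NextHop:
    gateway: str
    priority: int                       # lower value = preferred
    monitored_ip: Optional[str] = None  # usable only while this IP answers (model of a "monitored IP")


@dataclass
class PbrRule:
    priority: int                       # rules are tried lowest value first
    table: dict                         # prefix -> [NextHop, ...]
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, src, dst, dport):
        return ((self.src is None or ip_address(src) in ip_network(self.src))
                and (self.dst is None or ip_address(dst) in ip_network(self.dst))
                and (self.dport is None or self.dport == dport))


def longest_prefix(table, dst):
    """Hops of the most specific prefix covering dst, or None."""
    best = None
    for prefix, hops in table.items():
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hops)
    return None if best is None else best[1]


def pick_next_hop(hops, reachable):
    """Best-priority hop whose monitored IP is up (or that is unmonitored)."""
    for hop in sorted(hops, key=lambda h: h.priority):
        if hop.monitored_ip is None or hop.monitored_ip in reachable:
            return hop.gateway
    return None


def route(src, dst, dport, pbr_rules, rib, reachable):
    """Forwarding decision as (stage, gateway): PBR wins if any rule matches."""
    for rule in sorted(pbr_rules, key=lambda r: r.priority):
        if rule.matches(src, dst, dport):
            hops = longest_prefix(rule.table, dst)
            gw = pick_next_hop(hops, reachable) if hops else None
            if gw is not None:
                return ("pbr", gw)
            break  # model assumption: a matched rule with no usable route falls to the RIB
    hops = longest_prefix(rib, dst)
    gw = pick_next_hop(hops, reachable) if hops else None
    return ("rib", gw) if gw else ("drop", None)


# Constructed topology: LAN users, SD-WAN in the DMZ, another FW as BGP backup.
SDWAN, BACKUP_FW, ISP = "192.0.2.10", "192.0.2.20", "198.51.100.1"
LAN = "10.10.0.0/16"
REMOTE_NETS = ["10.20.0.0/16", "10.30.0.0/16"]


def rib_for(sdwan_up):
    """RIB as the daemons leave it: OSPF via the SD-WAN, BGP via the other FW when OSPF is gone."""
    via = SDWAN if sdwan_up else BACKUP_FW
    rib = {net: [NextHop(via, 1)] for net in REMOTE_NETS}
    rib["0.0.0.0/0"] = [NextHop(ISP, 1)]
    return rib


INTERNET_TABLE = {"0.0.0.0/0": [NextHop(SDWAN, 1)]}

# The original post's rule: source only, so internal destinations are caught too.
SOURCE_ONLY = [PbrRule(priority=10, src=LAN, table=INTERNET_TABLE)]

# Reply, option 1: match ports as well, so only web traffic is forced to the SD-WAN.
WITH_PORTS = [PbrRule(priority=10, src=LAN, dport=p, table=INTERNET_TABLE) for p in (80, 443)]

# Reply, option 2: destination rules for internal networks ahead of the default rule,
# each with two prioritized next hops whose availability is tracked by a monitored IP.
INTERNAL_TABLE = {net: [NextHop(SDWAN, 1, monitored_ip=SDWAN),
                        NextHop(BACKUP_FW, 2, monitored_ip=BACKUP_FW)] for net in REMOTE_NETS}
WITH_DEST_RULES = [PbrRule(priority=5, src=LAN, dst=net, table=INTERNAL_TABLE)
                   for net in REMOTE_NETS] + SOURCE_ONLY


def demo(rules, sdwan_up):
    """Decisions for three flows from a LAN host, with the SD-WAN up or down."""
    reachable = {BACKUP_FW} | ({SDWAN} if sdwan_up else set())
    rib = rib_for(sdwan_up)
    return {
        "web": route("10.10.1.5", "203.0.113.7", 443, rules, rib, reachable),
        "internal_ssh": route("10.10.1.5", "10.20.5.5", 22, rules, rib, reachable),
        "internal_web": route("10.10.1.5", "10.20.5.5", 443, rules, rib, reachable),
    }


if __name__ == "__main__":
    for name, rules in (("source only", SOURCE_ONLY), ("with ports", WITH_PORTS),
                        ("with dest rules", WITH_DEST_RULES)):
        print(name, "/ SD-WAN down:", demo(rules, False))
```

Running it with the SD-WAN down shows the three outcomes: the source-only rule keeps sending 10.20.5.5 to the dead SD-WAN although the RIB already holds the BGP backup route; the port-matched rules let SSH to the internal network fall through to the RIB but still catch HTTPS to an internal server, which is the "if possible" caveat in the reply; the destination rules with monitored next hops move internal traffic to the backup FW while internet traffic stays on the SD-WAN. On a real gateway the equivalent objects are built with the `set pbr table ...` and `set pbr rule ...` clish commands; take the exact syntax for priorities, port matching and monitored IPs from the Gaia Administration Guide for the version in use rather than from this model.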