PBR Limitations question

Hi everyone.

I have a question regarding the use of PBR and its limitations.

According to sk100500, the documented limitations regarding the use of PBR include Domain Based VPN.

I currently have a client that has two ISPs and two LAN network segments (LAN1 and LAN2); the customer wants to segment their traffic, so LAN1 uses only ISP1 and LAN2 uses only ISP2. However, LAN1 using ISP1 has multiple s2s VPNs (Domain based) configured.

The question is: if I only use PBR to route LAN2 traffic through ISP2, will the VPNs established on LAN1 through ISP1 be affected, or will PBR only affect the traffic to which it is applied? (In this case, we are attempting to apply PBR only to LAN2-->ISP2.)

Extending the context of the question: do the PBR limitations only apply to traffic to which PBR rules are applied, or do they affect all traffic passing through the firewall?

Many thanks in advance.

Best regards.


Hi again

By the way, another question: what exactly does the "locally-generated" traffic limitation refer to?

Thank you again
Admin

The problem is that VPN Routing and regular routing somewhat conflict with one another as they operate at a similar area in the packet flow and the behavior may not be as expected.
Possibly it still works, but it's an unsupported configuration.

Locally generated traffic refers to traffic that comes from the gateway itself.
Champion

When you make sure that for the VPN remote peers the routing is properly set to ISP1, this should work just fine.
The point is that routing for the encrypted traffic will follow the route for the remote peer and cannot be rerouted by PBR.
Regards, Maarten
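The routing behaviour described in the replies above, as an added toy model (my own Python, not Check Point code): clear-text transit traffic is subject to a source-based PBR rule, while domain-based VPN traffic is wrapped in an outer packet that the gateway itself generates and that follows the ordinary route to the remote peer. The addresses, the single-peer topology and the two-stage lookup are assumptions made for the example.

```python
import ipaddress

# Constructed topology (assumption for this example, not taken from the thread).
LAN1 = ipaddress.ip_network("10.1.0.0/24")             # has domain-based VPNs via ISP1
LAN2 = ipaddress.ip_network("10.2.0.0/24")             # to be pinned to ISP2 with PBR
GW_EXTERNAL = ipaddress.ip_address("203.0.113.10")     # gateway address on ISP1
VPN_PEER = ipaddress.ip_address("198.51.100.5")        # remote VPN peer, reached via ISP1
PEER_DOMAIN = ipaddress.ip_network("192.168.50.0/24")  # remote encryption domain

# Ordinary routing table: (prefix, egress). The default route points at ISP1.
ROUTING_TABLE = [
    (ipaddress.ip_network("0.0.0.0/0"), "ISP1"),
    (LAN1, "LAN1"),
    (LAN2, "LAN2"),
]

def regular_route(dst):
    """Longest-prefix match over the ordinary routing table."""
    matches = [(net, egress) for net, egress in ROUTING_TABLE if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def pbr_egress(src, pbr_rules):
    """First matching source-based PBR rule wins; None means no rule applies."""
    for net, egress in pbr_rules:
        if src in ipaddress.ip_network(net):
            return egress
    return None

def decide(src, dst, pbr_rules):
    """Model the gateway's egress choice for one packet from src to dst."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst in PEER_DOMAIN:
        # Domain-based VPN: the clear packet is encapsulated in an outer packet the
        # gateway generates itself (locally generated traffic). That outer packet
        # is routed toward the peer by the ordinary table; PBR does not reroute it.
        return {"encrypted": True, "outer_src": str(GW_EXTERNAL),
                "outer_dst": str(VPN_PEER), "pbr_rule": None,
                "egress": regular_route(VPN_PEER)}
    # Clear-text transit traffic: a matching PBR rule overrides the routing table.
    rule = pbr_egress(src, pbr_rules)
    return {"encrypted": False, "outer_src": str(src), "outer_dst": str(dst),
            "pbr_rule": rule, "egress": rule or regular_route(dst)}

if __name__ == "__main__":
    rules = [("10.2.0.0/24", "ISP2")]  # the configuration proposed in the question
    for s, d in [("10.2.0.5", "192.0.2.1"), ("10.1.0.5", "192.0.2.1"),
                 ("10.1.0.5", "192.168.50.7")]:
        print(s, "->", d, decide(s, d, rules))
```

Running it shows LAN2 traffic leaving via ISP2, LAN1 internet traffic via the default route, and LAN1 traffic to the encryption domain leaving as a gateway-sourced packet toward the peer on ISP1; the model also shows why a PBR rule on LAN1 would not move that encrypted traffic, which is the conflict the Admin reply warns about.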