Policy Based Routing for only internet traffic
Team,
Is it possible to configure PBR for internet traffic, or for an IP range as the destination? One of my customers wants traffic from a particular VLAN to use a third internet link, but the customer environment has 30 routing entries for their enterprise network. So in this case, do I need to configure 30 PBR entries for the internal networks?
Meaning, you only need one PBR route for that VLAN to be routed out a different Internet connection.
In earlier releases, you can achieve something similar by creating a series of more specific PBR routes.
@PhoneBoy Agreed, that solution provides internet traffic through another ISP, but when I put a similar PBR rule in place for a particular VLAN, all the traffic, including the internal subnets, is also forwarded to the ISP link. Herewith I have attached a simplified network overview.
Scenarios:
1. ISP 1 - Primary internet
2. ISP 2 - Specific user internet access (managers)
3. ISP 3 - Specific server segment internet access
Near future expansion:
4. ISP 4 - SIP link for softPBX server
5. ISP 5 - Secondary internet, going to participate in ISP redundancy
I believe the PBR table would be enormous and also very hard to manage. Please suggest a best practice that keeps the configuration small while fulfilling the requirement (please consider that an MPLS network will be used by users/servers to access some services from the corporate network).
If it's less than R80.30, I highly recommend upgrading for reasons beyond just this issue.
If you don't want to upgrade, you'd basically have to create a number of routes that exclude your internal address space.
It's difficult to tell from the very generic network diagram you provided what the scope of this challenge would be.
If the environment changes regularly, then even once you've configured it, maintaining it will be an ongoing challenge.
In which case, you'll save yourself a lot of work by upgrading.
Hi @PhoneBoy, I have upgraded to R80.30. So what is the best way to configure PBR? The best practice?
Accepted Solution
So if you have routes for those other networks on your gateway, then you should just need a single PBR route with source that VLAN, destination default route.
It's possible that you might also need to create more specific PBR routes for those other networks as well, as I'm not entirely clear on how "regular" routes and "PBR" routes interact in this case.
I understood, but the default route includes all addresses (any). It would be much easier if there were an option in PBR for internet routes (public IP addresses only). Please consider this in future releases.
Hi Mithu, I would like to know what you did to resolve the internet-only issue; we are facing the same challenges.
Thanks,
Tim
Hello,
You have to create another PBR table which includes all your local networks and static routes, and apply that table before the 'internet only' PBR rule. It is very well explained in this post:
Solved: Route specific subnet out second ISP interface - Check Point CheckMates
Regards
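The layout described in this last post, and in the accepted answer above (a single PBR rule per source VLAN with a default route, with more specific internal routes evaluated first), written out as Gaia clish commands. This is an added example, not code from the thread or from Check Point. It is a small bash script that prints the clish commands, so the enterprise prefixes can be generated from one list instead of being typed per VLAN; the prefixes, next-hop addresses, source VLANs, table names and rule priorities are all assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or Check Point): print the Gaia clish
# commands for an "internal table first, internet-only table second" PBR setup.
# Every address, table name and priority below is an assumption.
set -eu

# Constructed sample of the enterprise prefixes that today live in the main
# routing table (on a real gateway, collect them from `show route static`).
# All of them are reached via the inside core/MPLS next hop.
INTERNAL_PREFIXES="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 100.64.0.0/10"
INTERNAL_NEXTHOP="10.0.0.1"   # assumed core router / MPLS CE on the inside

# One shared table holding every internal prefix. Because every VLAN rule
# points at the same table, a 31st enterprise route is one new line here,
# not one new line per VLAN.
gen_internal_table() {
  local table=$1 nexthop=$2 prefix
  for prefix in $INTERNAL_PREFIXES; do
    printf 'set pbr table %s static-route %s nexthop gateway address %s on\n' \
      "$table" "$prefix" "$nexthop"
  done
}

# A table that contains nothing but a default route towards one ISP.
gen_isp_table() {
  local table=$1 isp_nexthop=$2
  printf 'set pbr table %s static-route default nexthop gateway address %s on\n' \
    "$table" "$isp_nexthop"
}

# The two rules for one source segment. Gaia evaluates the lowest priority
# number first, so the internal table gets the lower number: a destination
# found there stays on the enterprise network, anything else falls through
# to the next rule and leaves via the chosen ISP's default route.
gen_rules() {
  local src=$1 base_prio=$2 internal_table=$3 isp_table=$4
  printf 'set pbr rule priority %d match from %s\n' "$base_prio" "$src"
  printf 'set pbr rule priority %d action table %s\n' "$base_prio" "$internal_table"
  printf 'set pbr rule priority %d match from %s\n' "$((base_prio + 1))" "$src"
  printf 'set pbr rule priority %d action table %s\n' "$((base_prio + 1))" "$isp_table"
}

# Full configuration for two of the segments in the thread's scenario list
# (managers VLAN -> ISP 2, server segment -> ISP 3); addresses are assumed.
gen_config() {
  gen_internal_table Internal "$INTERNAL_NEXTHOP"
  gen_isp_table ISP2_Internet 198.51.100.1
  gen_isp_table ISP3_Internet 203.0.113.1
  gen_rules 10.10.20.0/24 100 Internal ISP2_Internet
  gen_rules 10.10.30.0/24 200 Internal ISP3_Internet
}

gen_config
```

On the gateway, run the script in expert mode and feed the output to clish, for example `./gen_pbr.sh > pbr.clish && clish -f pbr.clish && clish -c "save config"`, then check the result with `show pbr summary`, `show pbr rules` and `show pbr tables`. For subnets that are directly connected to the gateway rather than behind a next hop, the route form `nexthop gateway logical <interface>` replaces the address form. Before handing the link over, test from a host in the VLAN with a traceroute to an internal destination and to a public one, since the design relies on a destination that is absent from the Internal table falling through to the internet-only rule.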
