policy route back to inside interface

Forum|Forum|15 years ago
February 9, 2011
6 replies
4688 views

Hi.. I' ve this situation with a FG_200B: two policy routes that say: 1: from my_net (internal) to remote_net port 80 force traffic to internal interface with gateway x.x.x.x (that belongs to my_net) 2: from my_net (internal) to any port 80 force traffic to wanX with gateway y.y.y.y then.. the second one works. the first one doesn' t... I am able to ping the remote_net but not get to port 80. is it possible do a rule like the 1st one that force traffic to the same interface from where the traffic comes from? thanks Oliver

emnoc

New Member

Interesting scenario that you have. Can you just do this with a static route on the FGT and use ICMP redirection to steer the clients to the other gw on my_net for that remote network ? Or better yet, place static route entries on the clients that need to use the 2nd gateway. I don' t think PBR will allow you to redirect in the fashion that you want imho.

oliverlagAuthor

New Member

Hi Emnoc, thanks for your reply.. I cannot do it via a static route since policy routing is before static routes in ' order of operations' .. and then I' ve a default policy routes that force the whole http traffic to anther hop. Btw if I set up a static route on the pc it works... just tried. in cisco router the policy route back to the same interface as the source shold work.. I don' t understand why it doesn' t with FG. Oliver

ejhardin

New Member

That should work if I' m understanding correctly. As long as you specify the destination address for the remote network and make it the first policy route.

oliverlagAuthor

New Member

it doesn' t :( I will try to debug a bit later..

emnoc

New Member

I cannot do it via a static route since policy routing is before static routes in ' order of operations' .. and then I' ve a default policy routes that force the whole http traffic to anther hop. Btw if I set up a static route on the pc it works... just tried. in cisco router the policy route back to the same interface as the source shold work.. I don' t understand why it doesn' t with FG. Oliver

Correct PBR comes before static, but how about removing the PBR entry and replacing it with a static entry for a test.

oliverlagAuthor

New Member

ook, I did a debug and I found the problem.. traffic was coming from internet, being natted with a VIP, redirected with a PBR to a cisco router (that had a vpn) and delivered to the host (on the other side of the vpn) After that, the host was not able to send traffic back since the source was an internet address and thereforse the traffic was not going back through the vpn but to the 0.0.0.0 of the host. I just enabled the nat on the vip address and everything works now. thanks for the support guys. Oliver

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded