tedauction
New Contributor III

Reverse routing possible ?

Hello, is there any way to set up routes based on the reverse of the RFC1918 private addresses, i.e. any route that does NOT match:

192.168.0.0 - 192.168.255.255
172.16.0.0 - 172.31.255.255
10.0.0.0 - 10.255.255.255
lobstercreed
Valued Contributor

I imagine there are ways to achieve your goals.  Can you give more details?  Blackhole routes and policy routes come to mind depending on the problem you're trying to fix. 

 

For example I use blackhole routes to ensure that I don't send any RFC1918 traffic to the internet.  If I have a more specific route on a LAN link then it will take that first, otherwise it is dropped.

tedauction

Hello, I want a way to route all non-private destination addresses to a particular port without using a 0.0.0.0 default route.

Are there any options?

lobstercreed

I'll have to avoid getting into a philosophical debate on why you don't want to use a default route for its basic purpose...  

 

Policy routing might be able to achieve what you want.  You'll still wind up using a default route of sorts but it will be at the bottom of your policy routes to send traffic to the particular port. 

 

Above it you would include 3 rules that say if the destination is 10.0.0.0/8, stop policy routing; the 2nd rule would do the same for 192.168.0.0/16 and the 3rd for 172.16.0.0/12.

Only if the traffic passed all 3 rules excluding RFC1918 traffic would it match on the destination 0.0.0.0/0 to go out the specified port.

 

I've actually done something similar to handle failover to a tiny backup Internet circuit.  I want most of my users to stay stuck on my main circuit even if it's down so they don't squash the little guy.

tedauction

I don't want to use a default route, because we have some LAN subnets that are not advertised via BGP; therefore, I still need that default route to point to our WAN circuit.

Yes, nice idea about creating those policy routes. That is what I was after. Thank you, Sir.

ede_pfau
Esteemed Contributor III

In contrast to 'router static', you can negate addresses in policy routes:

config router policy
   edit <id>
      set dstaddr <RFC1918addressgroup>
      set dst-negate enable
      ...
   next
end

Haven't had to use it myself but maybe worth trying.

And, a policy route which only matches on destination address is identical in function to a regular route.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
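The two approaches described in this thread, written out as a worked FortiOS CLI example. This is an added example, not configuration posted by any of the participants: the interface names port1 (LAN) and wan2 (the circuit that should carry all non-private traffic), the next hop 203.0.113.1 (a documentation address standing in for the real gateway), and the address object names are all assumptions; the "#" lines are annotations. Variant A is ede_pfau's single negated policy route; Variant B is lobstercreed's three "stop policy routing" entries followed by a catch-all. Apply one variant, not both. In both cases the existing static default route is left untouched, so the LAN subnets that are not advertised via BGP still follow it to the WAN circuit.

```fortios
# Address objects for the three RFC1918 ranges and a group that holds them.
config firewall address
    edit "rfc1918-10"
        set subnet 10.0.0.0 255.0.0.0
    next
    edit "rfc1918-172"
        set subnet 172.16.0.0 255.240.0.0
    next
    edit "rfc1918-192"
        set subnet 192.168.0.0 255.255.0.0
    next
end

config firewall addrgrp
    edit "rfc1918"
        set member "rfc1918-10" "rfc1918-172" "rfc1918-192"
    next
end

# Variant A: one policy route that matches every destination EXCEPT the group
# (dst-negate), sending that traffic out wan2 via the assumed next hop.
config router policy
    edit 1
        set input-device "port1"
        set dstaddr "rfc1918"
        set dst-negate enable
        set gateway 203.0.113.1
        set output-device "wan2"
    next
end

# Variant B: policy routes are evaluated top to bottom. The first three entries
# stop policy routing for private destinations (action deny), so that traffic
# falls through to the normal routing table. Entry 4 catches everything else.
config router policy
    edit 1
        set input-device "port1"
        set dst "10.0.0.0/255.0.0.0"
        set action deny
    next
    edit 2
        set input-device "port1"
        set dst "172.16.0.0/255.240.0.0"
        set action deny
    next
    edit 3
        set input-device "port1"
        set dst "192.168.0.0/255.255.0.0"
        set action deny
    next
    edit 4
        set input-device "port1"
        set dst "0.0.0.0/0.0.0.0"
        set gateway 203.0.113.1
        set output-device "wan2"
    next
end
```

After applying either variant, confirm the installed policy routes and their order with `diagnose firewall proute list`, and check that a private destination still resolves through the static table (`get router info routing-table details <ip>`) while a public destination is steered to wan2. Note that the policy route is scoped by input-device, so traffic arriving on other LAN interfaces needs its own entries or a different input-device setting.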