
Policy Routing - Does it work or is broken

Hello

I want to route certain websites to a different gateway.

(My WAN gateway is PPPoE and then I have added another gateway, which is via my IPSEC tunnel)

I have tried

a) Policy routing - does not work

b) Firewall policy - does not work

c) Tried changing routing in the console (system route_precedence set vpn static policyroute) - does not work.

All 3 together - does not work.

(PS - in the screenshots I have defined whatsapp as a) FQDN, b) FQDN group. Even tried whatsmyip as IP. Still it does not route correctly.)

So, what am I doing wrong?

Attaching the screenshots.

Thank you

  • Hi,

    what you haven't shown is your firewall rules order. The firewall rule for this website would need to be at the top of any allowed list.

    You should not need to use policy routing, just a simple firewall rule.

    So what do the entries show when you try to connect?

    Ian

  • This policy is on TOP.

    Even above the LAN to LAN policy (Which I had to make when I created a bridge of my extra ports - another oddity of XG)

    Every method above is just ignored by XG. Any packet which is NOT on my LAN (192.168.39.0) or my VPNs (192.168.20.0, 192.168.82.0) is simply sent to the wan port.

    There is no effect of having an extra gateway - it's simply ignored.

    Maybe what I am trying to achieve is not possible in XG as "virtual firewall" functionality is missing. But then logic dictates this should work (technically this is like marking the packets and sending all marked packets to VPN).

    Thank you

  • Hi,

    please post a copy of your firewall rule.

    Ian

  • It's there above (3rd one).

    I am attaching now additional screens - how I defined whatsapp (multiple ways - using APP and using URL). I have also added another screenshot of the firewall rule where I tried to use the application rule.

    There is NO way to know which rule is being hit (debug) - there should be.

    Thanks

  • Hi,

    Sorry, I must be going blind, I was sure I looked at all your entries and did not see the firewall rule.

    In the log viewer the messages will report on the rule being used.

    You need to enable MASQ on your firewall rule.

    Ian

  • Hello

    MASQ is defined in the gateway policy - so it does not matter (though I have tried that too - and de-clicked gateway specific).

    Nope - doesn't show up in the log.

    Another thing - I am a clientless user.

  • Hi,

    Clientless users have no effect; all my devices are clientless users. It is the only way to ensure you get the device going out the correct port when not using a server or firewall approval.

    Do you have log enabled on the firewall rule, I can't see that box?

    I have two internet ports on my XG and spread the users over them with different rules.

    I have a VoIP rule for the phones that directs them to the correct ISP link. My wife's connection uses the faster ISP connection to stop facebook etc. timing out (currently my links are very slow).

    Ian

  • Hello

    Logging is on.

    I have searched by filter (filter rule=9 in my case) and I don't see any hits. This filter is simply ignored (or is not being hit).

    I DO NOT have 2 WANs. What I have is one WAN (PPPoE) and then I have set up IPSEC site to site, called it the gateway (IP of other site as gateway).

    Thank you

  • Without filtering can you see the traffic leaving on the WAN?

    Filter by IP address of your PC/MAC and see what shows?

    Ian

  • As mentioned earlier, it bypasses the rule and goes on to the next rule.

    It is as if this firewall policy did not exist.

    As an experiment, I tried to divert all traffic to the VPN channel - and it went into a black hole (the routing policy wanted to send to the WAN port, but the firewall policy said send to the VPN route - result - packet is dropped).

    Looks like it's not possible - Policy routing - the documentation is incomplete (as well as this feature).

    I can see lots of people asking for Virtual firewall implementation - which can solve this issue.

    Thank you