This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

machine routing problem

Hi,

We have recently bought an ASL 5.0 license and updated the firewall. We are facing a small problem with it, below is our scenario and the problem:

Scenario: We have ASL5 as gateway with 3 network cards; (eth0) LAN, (eth1)Broadband Internet, and (eth2)FiberOptic Leased Line. We use the broadband connection as internet gateway and the other fiber optic line is mainly used for the IPSec VPN between our office and US office. (Even they have an ASL as firewall).
We have masquaraded all the internal IP's for the broadband connection which is the default gateway on the ASL5 machine. This all works fine.

Problem: Sometimes we need to route one of the internal machines to use the fiber optic as gateway. Right now what we do is change the default gateway on the astaro to fiber optic. But then the VPN traffic is affected. Just need to know how do I route just once machine on the Fiber optic link and rest all on the Broadband connection.

Please let me know if you need any more info.

Thanks!
Parvez. [:S]

This thread was automatically locked due to age.

Parents

0 KKnecht over 21 years ago

Solution one:
Go to \Definitions\Networks and add the Destination Server there.
Then go to \Network\Rounting and add a manual route that says:
Traffic to the Destination Server has to be routed via the fibre optic gateway.
This setting will affect all computers in your network

Solution two:
If it is only one local system which should use this gateway add it locally to the system
for example in Windows use ROUTE ADD

Karsten
Cancel
Vote Up 0 Vote Down

Cancel
0 Parvez over 21 years ago in reply to KKnecht

I guess, I've confused you guys.. what I need is: From one of the internal machines the firber optic should be a default gateway... and for rest of the internal network the DSL line should be the gateway.

Like in the solution above: Destination would be 0.0.0.0 network.

Thanks,
Parvez.
Cancel
Vote Up 0 Vote Down

Cancel
0 Abi_01 over 21 years ago in reply to Parvez

Pravez,

Its simple. Just set a route (routeing table) on your ASL box for the subnet in the private network. For example lets say the IP of the computer which has to connect to the fibre optic line is 192.168.10.8 use a netmask like 255.255.255.252 thereby creating a subnet of 04 ips. Put these adresses on your ASLs routing table. All traffic from these hosts will then be automtically routed correctly as long as the APROPRIATE RULES (YEP the RULES) are configured on ASL.

Hope I helped.

Cheers.
Cancel
Vote Up 0 Vote Down

Cancel
0 Gert Hansen over 21 years ago in reply to Abi_01

Hi there all,

let me try to clearify the problem.

in order to better understand the problem, we need to understand what the default gateway is?

Once a packet reaches the routing stack, we need to decide what to do with it.
the firewall takes a look at the destination of the packet and tries to find the matching routing entry.
if none of the existing routing entries match, the firewall forwards the packet to the default gateway,
so it can decide where to forward the packet to.

All systems normally route packets based on their destination.

What you are asking for is routing packets based on their source address.
This is also called Source Policy Routing.

ASL V5 is currently not possible to configure that using the GUI.

There are workarounds if you know the destination where the clients communicate to and if you add routing entry that all clients that communicate with that destination gets routed through the second line.

I hope that helps.

regards
Gert
Cancel
Vote Up 0 Vote Down

Cancel
0 Parvez over 21 years ago in reply to Gert Hansen

Hi Gert,

Thanks for this mail. Yes, I do need the Source Policy Routing. If not thru gui, is there any hack for this?? [;)]

coz I'd prefer the keep the destination 0.0.0.0 (i.e anywhere) for this particular machine.

Please let me know.

Thanks!
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Parvez over 21 years ago in reply to Gert Hansen

Hi Gert,

Thanks for this mail. Yes, I do need the Source Policy Routing. If not thru gui, is there any hack for this?? [;)]

coz I'd prefer the keep the destination 0.0.0.0 (i.e anywhere) for this particular machine.

Please let me know.

Thanks!
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Andre_01 over 21 years ago in reply to Parvez

[:S]
do you got an anser regarding " Source Policy Routing" ?!?
Cancel
Vote Up 0 Vote Down

Cancel
0 Parvez over 21 years ago in reply to Andre_01

nope.. nothing yet found.. if I get any.. will update this post

has no one done this yet? nothing different that we are trying to do... [:S]
Cancel
Vote Up 0 Vote Down

Cancel
0 medic over 21 years ago in reply to Parvez

Yes, source routing is one of the realy needed functions of
ASTARO.
They have HA option but no second internet line can be used very usefully (only with static routes) :-(

Medic
Cancel
Vote Up 0 Vote Down

Cancel
0 firebear_01 over 20 years ago in reply to Parvez

Hi,
if your second line is a fiber-optic line. is there a router in front of your asl wich terminates your fiber-line ?
If yes you can make a SNAT rule wich says any packet wich comes from the one station that you want to "source route" goes to the external router.

firebear
Cancel
Vote Up 0 Vote Down

Cancel