
What is the order of Static Routes?

This is a threefold question:

1. What is the order that the Static Route list is presented in? Specifically, what is the mechanism that places the first static route above the second, and so forth?
2. What is the order that the Static Route list is executed in? Specifically, is there an order that the list is analyzed against when faced with a routing question?
3. Like the "Live Log: Packet Filter" shows which rule was used to dispose of a packet, is there a way to see which static route was used to send a particular packet toward a particular interface?



Thanks.
  • This really is simpler than you're imagining...

    There are no "route logs" to check to see which routing "rule" was chosen to handle a specific packet.

    It's helpful to think of everything in the Astaro in terms of selectors.  In any particular ruleset, the rules are processed in order as they appear.  When an item is selected for a particular rule, no more rules of that type are processed.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • This really is simpler than you're imagining...

    There are no "route logs" to check to see which routing "rule" was chosen to handle a specific packet.

    It's helpful to think of everything in the Astaro in terms of selectors.  In any particular ruleset, the rules are processed in order as they appear.  When an item is selected for a particular rule, no more rules of that type are processed.

    Cheers - Bob


    What you've said makes sense. However, your answer implies that I will get different results when the rules (static routes) are in different orders, right? I am comfortable with that concept in the "Packet Filters" listing, and on other rules-based lists.

    The problem is that there is no way, in "Static Routes", to declare where you want a particular route rule to appear in relation to any/all other rules in the Static Routes listing. Therefore, it is impossible to direct the firewall to use particular static routes in a particular order.

    I suspect I know the answer here, but request confirmation: I believe that if I want/need to manage routes in and out of the firewall, then I should be using "Policy Routes" instead of "Static Routes". (Somewhere else in this forum I discovered that Policy Routes are considered before Static Routes, which now makes sense, since I can conduct all the hand-crafting of rules before the static routes might ever see the packet.) 

    Is it true that, if I want to control how one route is selected before another, I should be using "Policy Routes" instead of "Static Routes"?

    Even though this seems to be a moot point, it still doesn't answer my very first question:

    In what order are the various routes, on the "Static Routes" screen, placed there? What is the algorithm in use that explains why I see the static route in the first position on that list (as opposed to seeing that route at the bottom, or in the middle, for instance)?

    Thanks for your help.
    John
  • Good catch, John.  I just did a bit of studying, and it looks like ordering static routes isn't the standard approach unless one is doing OSPF; take a look at 7.4 STATIC ROUTING.

    Was this just a learning/philosophical question, or is there an actual issue driving it?

    Cheers - Bob
  • Good catch, John.  I just did a bit of studying, and it looks like ordering static routes isn't the standard approach unless one is doing OSPF; take a look at 7.4 STATIC ROUTING.


    I did read that page and, although it opened up the possibility that route order can be influenced by "metrics", it brought me/us no closer to understanding what Astaro is doing in relation to route order and how we might be able to influence it.

    Was this just a learning/philosophical question, or is there an actual issue driving it?


    In so far as I need to get this firewall working properly, I need to crawl under every rock that could be hiding some rule or filter or something else that would cause the firewall to behave incorrectly, or undesirably. 

    The static routing order was the rock that I began to crawl under at this point.

    I am unable to distinguish between an academic question and an actual issue at this point, since I don't know why this firewall is misbehaving. So, like the principle of RTFM, I have committed myself to learning the ins and outs of this firewall, how it works, and how it doesn't work, since it is the firewall I have inherited and the one I have to fix.

    Believe it or not, the fog is slowly, but steadily, lifting, and much of it is thanks to your repeated and patient replies to folks like me. Of course, there are a couple of other forum members who also exhibit the kindness associated with a thoughtful and helpful reply. 

    Thanks, Bob!

    John
  • I don't understand why you would need ordering of static routes as you don't normally define more than 1 static route for a given destination. If you explain what you are trying to achieve along with the confirmation that you are not using policy based routing with static routing, then I'll try to help you as best I can.
  • Policy routes come first and are processed from top to bottom. The first match ends it. Static routes are not rules. For example, when you have two static routes that fit, say destination 192.168.10.0/24 to gateway 192.168.5.1 and 192.168.10.10/32 to gateway 192.168.1.2, and you want to send to 192.168.10.10, then gateway 192.168.1.2 is used; when you want to send to 192.168.10.1, then gateway 192.168.5.1 is used. The route entry that fits most accurately is always used. But what interests me instead is what is processed first, routing rules or multipath rules, and that from the point of view of both session and return packets.

    Regards.
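The lookup order described in this post, policy routes first (top to bottom, first match wins) and then the static and connected routes by longest-prefix match, can be modelled in a few lines. This is an added example, not Sophos/Astaro code; the route tables are constructed sample data built around the two routes quoted above, and the policy-route matcher (source plus destination) is an assumption made for the illustration.

```python
"""Model of route selection as described in the thread: policy routes are
walked in order and the first match wins; otherwise the static/connected
table is searched for the most specific prefix.  Example code, not the
UTM's implementation; all entries below are constructed sample data."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class StaticRoute:
    destination: IPv4Network
    gateway: Optional[IPv4Address]  # None = directly connected (interface route)
    interface: str


@dataclass(frozen=True)
class PolicyRoute:
    # Hypothetical matcher: a policy route here is selected on source and
    # destination; the real product may offer more selectors.
    source: IPv4Network
    destination: IPv4Network
    gateway: IPv4Address
    interface: str


# Constructed sample tables.  The two 192.168.10.x entries are the ones
# quoted in the post; the rest are filler so the lookup has a default and
# a directly connected network to fall back on.
STATIC_ROUTES: List[StaticRoute] = [
    StaticRoute(ip_network("0.0.0.0/0"), ip_address("203.0.113.1"), "eth1"),
    StaticRoute(ip_network("192.168.10.0/24"), ip_address("192.168.5.1"), "eth0"),
    StaticRoute(ip_network("192.168.10.10/32"), ip_address("192.168.1.2"), "eth2"),
    StaticRoute(ip_network("192.168.5.0/24"), None, "eth0"),
]

POLICY_ROUTES: List[PolicyRoute] = [
    # Hypothetical rule: one source subnet is steered to its own gateway.
    PolicyRoute(ip_network("10.0.0.0/24"), ip_network("192.168.10.0/24"),
                ip_address("192.168.5.254"), "eth0"),
]


def select_policy_route(policy_routes: List[PolicyRoute],
                        src: IPv4Address, dst: IPv4Address) -> Optional[PolicyRoute]:
    """Ordered list: the first rule whose selectors match ends processing."""
    for rule in policy_routes:
        if src in rule.source and dst in rule.destination:
            return rule
    return None


def select_static_route(static_routes: List[StaticRoute],
                        dst: IPv4Address) -> Optional[StaticRoute]:
    """Longest-prefix match: the entry that fits most precisely wins, so the
    order in which the entries are listed does not matter.  The only case
    where list order would decide is two candidates with the same prefix
    length, which is where a metric (not modelled here) would normally
    break the tie."""
    candidates = [r for r in static_routes if dst in r.destination]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.destination.prefixlen)


def route_lookup(policy_routes: List[PolicyRoute], static_routes: List[StaticRoute],
                 src: str, dst: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (table, next_hop, interface) for a packet from src to dst.
    next_hop is None for a directly connected destination."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    rule = select_policy_route(policy_routes, src_ip, dst_ip)
    if rule is not None:
        return ("policy", str(rule.gateway), rule.interface)
    route = select_static_route(static_routes, dst_ip)
    if route is None:
        return ("none", None, None)
    next_hop = str(route.gateway) if route.gateway is not None else None
    return ("static", next_hop, route.interface)


if __name__ == "__main__":
    for src, dst in [("10.0.0.5", "192.168.10.10"),   # policy route wins
                     ("10.0.1.5", "192.168.10.10"),   # /32 beats /24
                     ("10.0.1.5", "192.168.10.1"),    # /24 beats default
                     ("10.0.1.5", "192.168.5.7"),     # directly connected
                     ("10.0.1.5", "8.8.8.8")]:        # default route
        print(src, "->", dst, route_lookup(POLICY_ROUTES, STATIC_ROUTES, src, dst))
```

Reversing STATIC_ROUTES gives the same answers, which is the point of the post: a static route is selected by how well its prefix fits, not by its position on the screen. Whether a given UTM build follows this model exactly, or lets automatically generated routes win as Bob suspects, is not settled by this thread; on a Linux-based router with shell access, `ip route get <destination>` prints the route the kernel would actually choose, which is the closest thing to the "route log" the original question asked for.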

  • Hi, Ivar, and welcome to the UTM Community!

    "Always used route entry that fits more accurate" - I know that's right in Cisco, but are you certain that that's the case with the UTM?  I think I've seen that violated, for example, with automatic routes taking precedence over manually-created ones.

    Cheers - Bob

  • It's standard. What are "automatic routes"? By default there should be only direct routes to directly connected subnets and default gateways. Of course direct routes take precedence, as they fit more precisely... sorry, not precisely, but they don't have a gateway, just a link to an interface.

    Regards.

  • I know you would be right with a pure router, but WebAdmin is a GUI that manipulates databases of objects and settings. A single change there can cause the Configuration Daemon to rewrite hundreds of lines of the code used to run the UTM.  For example, without electing to bind an IPsec Connection to a particular Interface, you cannot manually create a route that takes precedence over the routes automatically created by the Configuration Daemon.

    Now, if you've had someone from Sophos tell you that a route for a /30 subnet will always take precedence over one for a /24 subnet, I'll need to rethink my understanding.

    Cheers - Bob

  • This sounds interesting. I'm new to UTM VPN. I have worked with OpenVPN server, CheckPoint and Kerio VPNs. They just put in routes for the other side of the tunnel, with the gateway being the VPN subnet, the tunnel's other-side endpoint. They are just ordinary routing table entries and the firewall doesn't break any routing logic. If UTM applies some unusual logic, then that's interesting. But can I set a VPN interface as a multipath choice at all, and make a multipath static rule to this VPN tunnel?

    Regards.