What is the order of Static Routes?

This is a threefold question:

1. What is the order that the Static Route list is presented in? Specifically, what is the mechanism that places the first static route above the second, and so forth?

2. What is the order that the Static Route list is executed in? Specifically, is there an order that the list is analyzed against when faced with a routing question?

3. Like the "Live Log: Packet Filter" shows which rule was used to dispose of a packet, is there a way to see which static route was used to send a particular packet toward a particular interface?



Thanks.


  • I don't understand why you would need ordering of static routes, as you don't normally define more than one static route for a given destination. If you explain what you are trying to achieve, along with the confirmation that you are not using policy-based routing with static routing, then I'll try to help you as best I can.
  • Policy routes come first and are processed from top to bottom. First match ends it. Static routes are not rules; for example, when you have two static routes that fit, say destination 192.168.10.0/24 to gateway 192.168.5.1 and 192.168.10.10/32 to gateway 192.168.1.2, and you want to transfer to 192.168.10.10, then gateway 192.168.1.2 is used; when you want to transfer to 192.168.10.1, then gateway 192.168.5.1 is used. The route entry that fits more accurately is always used. But what interests me instead is what is processed first, routing rules or multipath rules, both from the point of view of the session and of the return packets.

    Regards.
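Ivar's longest-prefix-match explanation above, worked through as an added example (not code from this thread or from Sophos). It models only plain destination-based route selection: the policy routes, multipath rules and automatically generated IPsec routes discussed elsewhere in the thread are not represented, and the connected route, default route and interface names are assumptions.

```python
import ipaddress

# Constructed route table. The first two entries are the routes from the post
# above; the connected route and default route are added assumptions.
# gateway None means a directly connected route: no next hop, just the interface.
ROUTES = [
    {"dst": "192.168.10.0/24", "gateway": "192.168.5.1", "dev": "eth1"},
    {"dst": "192.168.10.10/32", "gateway": "192.168.1.2", "dev": "eth0"},
    {"dst": "192.168.5.0/24", "gateway": None, "dev": "eth1"},
    {"dst": "0.0.0.0/0", "gateway": "203.0.113.1", "dev": "eth0"},
]


def lookup(routes, destination):
    """Return the route selected for `destination` by longest-prefix match.

    Every route whose prefix contains the address is a candidate and the one
    with the longest prefix wins. The position of a route in the list never
    influences the result, which is why the list has no meaningful "order".
    """
    addr = ipaddress.ip_address(destination)
    best, best_len = None, -1
    for route in routes:
        net = ipaddress.ip_network(route["dst"], strict=False)
        if addr in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def next_hop(routes, destination):
    """Describe where a packet to `destination` is sent: 'gateway via dev'
    for a gateway route, 'direct via dev' for a connected route."""
    route = lookup(routes, destination)
    if route is None:
        return "unreachable"
    if route["gateway"] is None:
        return f"direct via {route['dev']}"
    return f"{route['gateway']} via {route['dev']}"


if __name__ == "__main__":
    # Same answers whether the table is read top-down or bottom-up.
    for table in (ROUTES, list(reversed(ROUTES))):
        for dst in ("192.168.10.10", "192.168.10.1", "192.168.5.7", "198.51.100.9"):
            print(f"{dst:>15} -> {next_hop(table, dst)}")
```

On any Linux host, `ip route get <address>` reports the route the kernel selects for one destination, which is the closest thing to a per-packet "which route was used" view at the routing-table level.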

  • Hi, Ivar, and welcome to the UTM Community!

    "The route entry that fits more accurately is always used" - I know that's right in Cisco, but are you certain that that's the case with the UTM?  I think I've seen that violated, for example, with automatic routes taking precedence over manually-created ones.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • It's standard. What are "automatic routes"? By default there must be only direct routes to directly connected subnets and default gateways. Of course direct routes take precedence, as they fit more precisely... sorry, not precisely, but they don't have a gateway, just a link to the interface.

    Regards.

  • I know you would be right with a pure router, but WebAdmin is a GUI that manipulates databases of objects and settings. A single change there can cause the Configuration Daemon to rewrite hundreds of lines of the code used to run the UTM.  For example, without electing to bind an IPsec Connection to a particular Interface, you cannot manually create a route that takes precedence over the routes automatically created by the Configuration Daemon.

    Now, if you've had someone from Sophos tell you that a route for a /30 subnet will always take precedence over one for a /24 subnet, I'll need to rethink my understanding.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • This sounds interesting. I'm new to UTM VPN. I have worked with OpenVPN server, CheckPoint and Kerio VPNs. They just put in routes for the other side of the tunnel, with the gateway being the tunnel endpoint on the other side in the VPN subnet. They are just ordinary routing table entries and the firewall doesn't break any routing logic. If UTM uses some unusual logic, then that's interesting. But can I at all set a VPN interface as a multipath choice and make a multipath static rule to this VPN tunnel?

    Regards.

  • With RED tunnels, it's straightforward.  With IPsec site-to-site tunnels, you have to select 'Bind tunnel to local interface' with a duplicate tunnel for each additional WAN connection and you then can use Multipathing.  I like the description in this UTM Wiki entry: Sophos UTM multiple S2S IPsec VPN mit Failover – Tutorial (DE).  Although it's in German, the pictures are all of WebAdmin in English and the pictures are complete documentation on their own.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA