Traffic routing order?

Hi,

1) Which takes precedence, or in what order are these types of rules processed: routes to networks directly connected to the UTM (routing table), static routes (routing table), policy routes, multipath rules?
Example: when I have a static route to some internal subnet, can I then use a multipath rule to route this traffic to some other gateway and interface?

2) Are policy routes stateless or stateful? Do they control sessions or also return packets?

3) Does the UTM remember from what interface a session came, so it can route return packets back to the right interface? Or must I make a static route for return packets?

Thanks.

  • Hello Ivar,

    I think routing is always based on "best match" in the routing table. It works on the IP layer and there is no session control.

    Multipath routing only works with interfaces with the default gateway behind them (not via the routing table). With multipath routing the UTM takes care that return packets are sent through the interface the original packets came in on.

    Maybe it helps.

    CS

    Sophos Certified Architect (UTM + XG)

  • CS said:
    I think routing is always based on "best match" in the routing table. It works on the IP layer and there is no session control. Multipath routing only works with interfaces with the default gateway behind them (not via the routing table). With multipath routing the UTM takes care that return packets are sent through the interface the original packets came in on.

    So, policy routing is also stateless, the same as the routing table.

    And, I understand multipath holds a state table, regardless of what the routing table says, and return packets go to the right interface. This is good. But how about session initialization? Example: the routing table says some specific session must go to interface A, but in a multipath rule I set that it must go to B. Which takes precedence? Do multipath rules get processed at all when there is a direct route in the routing table? Maybe I must make all interfaces gateway set-up interfaces in the active load balancing table, use only interface rules in multipath rules and delete all routing table entries. Then I can route traffic exactly as I want.

    Regards.

  • If you want to route to the internet I would prefer multipath routing.

    To internal networks/hosts I would suggest policy routing.

    (If you add the default gateway to all interfaces, the "internet" object would be bound to all interfaces.)

    What about OSPF to do equal-cost load balancing?

    Good luck!

    CS

    Sophos Certified Architect (UTM + XG)

  • CS said:
    If you want to route to the internet I would prefer multipath routing. To internal networks/hosts I would suggest policy routing.

    (If you add the default gateway to all interfaces, the "internet" object would be bound to all interfaces.) What about OSPF to do equal-cost load balancing?

    No, load balancing doesn't interest me; what interests me is stateful routing. With multipath there is the possibility to bind a rule to one interface, and even when this interface goes down, it doesn't switch interface. What is the "internet object"? I can't use policy routing, because it's stateless; I need return packets to go exactly to the interface they came from. I have 8 interfaces. A is the management subnet, B connects to the internet, C connects to the other ISP, D connects to the subnet where the openVPN server and pureVPN server are, E connects to the subnet from where the VPN servers connect to local subnets (out of tunnel), F connects to the local router-firewall WAN port (for outbound traffic), G connects to the local router-firewall LAN port, H connects to the local subnet (only for inbound sessions). Now all outgoing traffic must go through H-G-F-B. PureVPN traffic for the mail server must first go to the pureVPN server through B-D. Then out-of-tunnel traffic must go through D-H, and this out-of-tunnel traffic also comes from the internet (the source IP is unknown). As I said, I have one additional router-firewall, but it's only for outgoing sessions. Incoming sessions must bypass it and go to the local subnet through the other path, although the local subnet is the same and the gateway for local computers is the UTM H interface.

    As you see, I can't use stateless routing, because when I write a policy route for the pureVPN server to the local mail server ("from any to mailserver, then route through H interface"), then when the mail server's outgoing traffic goes through the other path (outgoing mails must bypass the pureVPN server and go directly to the internet through another UTM interface), the return packets see the same policy rule, and as the source is still any and the destination is still the mail server, it routes the return packets to the wrong interface H instead of interface F. But when I delete the policy route and make F a gateway interface, then the return packets find the right path from the state table and go to interface F, from where the session was coming.

    For pureVPN server to mail server I write a multipath rule to direct traffic to interface H. Therefore I asked what the processing order is: are policy routes or other static routing rules processed before multipath, or vice versa?

    Regards.
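A small constructed model of the failure mode described in the thread (a stateless "from any to mailserver" policy route versus session-aware routing), added here as an illustration; it is not Sophos UTM's code, and the addresses and interface letters are assumptions taken from the thread:

```python
from dataclasses import dataclass

# Constructed model of stateless vs. session-aware forwarding; this is an
# illustration, not Sophos UTM's actual forwarding code. Addresses are assumed.
MAILSERVER = "10.0.8.25"          # assumed: mail server on the local subnet behind H
VPN_SERVER = "10.0.4.10"          # assumed: pureVPN server on the subnet behind D
INTERNET_HOST = "203.0.113.10"    # assumed: remote mail host (documentation range)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_iface: str                 # UTM interface the packet arrived on

# The policy route from the thread: "from any to mailserver, route through H".
POLICY_ROUTES = [("any", MAILSERVER, "H")]

def stateless_route(pkt: Packet) -> str:
    """Policy routes first, then a simplified routing table; no session memory."""
    for src, dst, out in POLICY_ROUTES:
        if src in ("any", pkt.src) and dst == pkt.dst:
            return out
    if pkt.dst.startswith("10.0.8."):   # local subnet directly connected on H
        return "H"
    return "B"                          # everything else: default gateway on B

class StatefulRouter:
    """Remembers each flow's ingress interface so replies leave the same way."""
    def __init__(self):
        self.flows = {}   # (src, dst) -> interface the first packet came in on

    def route(self, pkt: Packet) -> str:
        reverse = (pkt.dst, pkt.src)
        if reverse in self.flows:            # reply packet of a known session
            return self.flows[reverse]
        self.flows.setdefault((pkt.src, pkt.dst), pkt.in_iface)
        return stateless_route(pkt)

def outgoing_mail_reply() -> tuple:
    """Mail server sends via F; the remote host's reply arrives on B. Where does it go?"""
    router = StatefulRouter()
    router.route(Packet(MAILSERVER, INTERNET_HOST, "F"))   # session recorded as entering on F
    reply = Packet(INTERNET_HOST, MAILSERVER, "B")
    return stateless_route(reply), router.route(reply)    # -> ("H", "F")

def vpn_to_mailserver() -> tuple:
    """New session from the VPN server to the mail server, arriving on D."""
    pkt = Packet(VPN_SERVER, MAILSERVER, "D")
    return stateless_route(pkt), StatefulRouter().route(pkt)   # -> ("H", "H")
```

The stateless lookup sends the reply to H because the policy rule still matches it, while the session-aware router returns it to F, where the session entered; for a fresh VPN-to-mail-server session both agree on H.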