
In what order are UTM 9.5 policy routes and multipath routes processed?

Hi, in what order are UTM 9.5 policy routes and multipath routes processed? Which of them is processed first? And are they stateless or stateful? Are they per session? And how do I make a firewall internal network object? I found out that for the firewall's own outgoing connections (the firewall itself, for example DNS requests) it processes all multipath rules, not only the first match. When some WAN interface is down and "skip" is not set in the rule, then the whole outgoing connection drops, although the first matching rule was for an up interface.

  • Hi, I found out after long testing in a virtual environment that both policy routes and multipath rules are stateless. Testing was with 3 interfaces: WAN (with gateway), EXT (with gateway) and LAN (without gateway). NAT was not used. A static route was set only for LAN (computer not directly connected to the subnet, with a virtual router in between). The important point of the testing was a session from EXT (computer not directly connected to the subnet, with a virtual router in between) to LAN. Return packets from LAN did not go back to EXT. Load balancing was not used. A policy route or multipath rule was set from LAN to WAN, as I want to use only WAN for outgoing traffic. But EXT was not able to connect to LAN. A policy route from EXT to LAN did not help either. The connection succeeded only when I wrote an additional policy route from LAN to EXT. But this means the policy route was stateless. The same with multipath rules. So this means UTM is not for routing, although it has good IPS and monitoring. But Sophos XG, instead, has stateful policy routing. All return traffic comes back to the right interface when the sender was from the WAN zone. But XG has messy monitoring.

    Regards.

  • Hi Ivar,

    I have to admit that I'm confused.  I'm not sure what you mean by stateful routing.  What did you see that makes you conclude that UTM is not for routing?

    If I have two separate ISPs and connect each to a different interface, I will have activated Uplink Balancing when both interfaces have a default gateway assigned.  Let's say that my public IPs are 44.55.66.77 on one interface and 33.33.33.33 on the other.  When my Multipath rules send a packet from 33.33.33.33 to 66.66.66.66, the response from 66.66.66.66 will always be sent to 33.33.33.33 and will never come to 44.55.66.77 - that's fundamental internet protocol.

    As for whether Multipath rules are considered before Static Routes, I believe they are - see #2 in Rulz.  In fact, after you set up something in WebAdmin and hit [Apply], the Configuration Daemon checks the databases of settings and objects and alters the code that controls the UTM.  Multipath rules, VPN profiles, Static Routes, etc. all result in iptables routing commands, firewall rules, etc.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • You don't know what stateful is? Stateful means that rules don't apply to return packets (because internet traffic consists of both ingress and egress), because a state table exists for that. Do you know what a state table is? A state table is the firewall's internal database for holding session information. But in UTM both policy routing and multipath rules also apply to return packets, and this means those rules are stateless. Read my post once more; I never talked about ISPs or about load balancing (I don't need balancing, I need strict routing).  Also you are wrong about the flow order. The order is:  DNAT -> routing (first to match: local subnets --> policy routing --> static routing --> default route) --> multipath rules --> SNAT.  The firewalls that I personally tested and can say have stateful policy routing are:  Sophos XG, pfSense, Palo Alto PAN-OS.  The firewalls tested that have stateless policy routing:  Sophos UTM, Check Point, MikroTik, home users' wifi routers like Asus.  Firewalls that don't have policy routing at all: Kerio Control.

    Regards.

  • I'm not trying to be contrary, Ivar, I'm just trying to understand.  I'm familiar with the connection tracker (conntrack) and the fact that it makes the UTM a "stateful" firewall.  In 14 years with WebAdmin and 10 years of active participation in this Community, I've never seen anything that would lead me to believe that the UTM wasn't working in the way described in #2 in Rulz.

    What did you see that made you conclude that response packets are also routed by Static Routes and Multipath rules instead of information in the connection tracking table?  May we see pictures of the configurations that gave you these results?

    Cheers - Bob

  • First, "stateful firewall" doesn't necessarily mean that all functions in it are stateful. For example, a static route is always stateless. And you got me wrong. Not "static routes", but "policy routes". Yes, I tested it and return packets are also routed by policy routes and multipath rules. They are fully stateless. Just try it yourself and then you'll see.

    Regards.

  • I just don't see how Multipath rules come into play, Ivar, nor how a Policy Route could re-route a response packet.  That's why I was asking to see the configuration - I can't imagine how to force incorrect routing.  Maybe an example of a request-response packet pair where the response was incorrectly routed would clarify this.

    For example, I would expect that 172.16.1.12->(51234:80)->67.68.69.70 might be sent out 33.33.33.33 by a Multipath rule and be masqueraded as 33.33.33.33->(51234:80)->67.68.69.70.  Then, the response received would be 67.68.69.70->(80:51234)->33.33.33.33 which would be changed by conntrack to 67.68.69.70->(80:1234)->172.16.1.12.

    Cheers - Bob

  • OK, then let me ask a different question, what Policy Route that you made came before what Multipath rule?  If I can demonstrate that to myself, I can improve #2 in Rulz.

    Cheers - Bob

  • Anything you like. There is no specific bug or condition. Just test your firewall. Do you know how to test firewall routing? Make 3 interfaces. When you need some help with subnet translation, use virtual DD-WRT routers. They are very good for testing. And of course, I like testing in an ESXi environment. Then make a rule from A->C. Then a connection from B->A. And you see the return goes A->C instead of A->B and the connection is lost. The same with multipath. Put a rule from LAN->WAN1. Then make a connection from WAN2->LAN and you see the return goes to the wrong WAN: to WAN1 instead of WAN2.

    Regards.