New Member
Posts: 8
Registered: a week ago

Policy-Based routing question/help request


Hello all,

I am trying to use policy-based routing in the EdgeRouter to route a specific VLAN (12) destined for the WAN through an external deep packet inspection appliance (DPIA). From there the traffic should flow back to the EdgeRouter and continue to the WAN port. And conversely, when VLAN12 traffic arrives back from the WAN, send it through the DPIA back to the EdgeRouter and on to the VLAN.

I have attached a rough network diagram to show the flow for VLAN12.

Here are the commands I have attempted that I thought should work, but clearly are not. Luckily, when I apply the configs, only the test VLAN (12) is impacted. All other traffic is unaffected.

Any assistance would be greatly appreciated.


set system gateway-address <WAN Gateway>


set protocols static table 11 route 0.0.0.0/0 next-hop 10.0.11.1
set protocols static table 12 route 0.0.0.0/0 next-hop <WAN gateway>
set protocols static table 13 route 10.0.12.0/24 next-hop 10.0.11.2

set protocols static table 14 route 10.0.12.0/24 next-hop 10.0.12.1


set interfaces ethernet eth4 address 10.0.11.1/30
set interfaces ethernet eth5 address 10.0.11.2/30

set interfaces ethernet eth3 vif 12 address 10.0.12.1/24
set interfaces ethernet eth3 vif 12 description 'Wifi Flex for Trip'


set interfaces ethernet eth3 vif 12 firewall in modify TRIP_SOURCE
set interfaces ethernet eth5 firewall in modify TRIP_SOURCE_EGRESS
set interfaces ethernet eth0 firewall in modify TRIP_RETURN_INGRESS
set interfaces ethernet eth4 firewall in modify TRIP_RETURN


set firewall modify TRIP_RETURN rule 10 action modify
set firewall modify TRIP_RETURN rule 10 description 'Traffic from TRIP to Router Connection'
set firewall modify TRIP_RETURN rule 10 destination address 10.0.12.0/24
set firewall modify TRIP_RETURN rule 10 modify table 14
set firewall modify TRIP_RETURN_INGRESS rule 10 action modify
set firewall modify TRIP_RETURN_INGRESS rule 10 description 'Traffic from Trip to Switch Connection'
set firewall modify TRIP_RETURN_INGRESS rule 10 destination address 10.0.12.0/24
set firewall modify TRIP_RETURN_INGRESS rule 10 modify table 13
set firewall modify TRIP_SOURCE rule 10 action modify
set firewall modify TRIP_SOURCE rule 10 description 'Traffic from Switch to TRIP Connection'
set firewall modify TRIP_SOURCE rule 10 modify table 11
set firewall modify TRIP_SOURCE rule 10 source address 10.0.12.0/24
set firewall modify TRIP_SOURCE_EGRESS rule 10 action modify
set firewall modify TRIP_SOURCE_EGRESS rule 10 description 'Traffic from TRIP to Router Connection'
set firewall modify TRIP_SOURCE_EGRESS rule 10 modify table 12
set firewall modify TRIP_SOURCE_EGRESS rule 10 source address 10.0.12.0/24

[Attachment: RoutingThroughExternal.PNG]
Veteran Member
Posts: 5,782
Registered: 01-04-2017
Kudos: 830
Solutions: 294

Re: Policy-Based routing question/help request

It seems like you're trying to solve a layer 2 problem with a layer 3 solution, but I could be wrong. More info would be helpful. Have you done any packet captures to find out where it's failing? Make/model of DPIA?
Veteran Member
Posts: 7,609
Registered: 03-24-2016
Kudos: 1979
Solutions: 871

Re: Policy-Based routing question/help request

Play around with tcpdump on the interfaces to see where the packet ends up.


Is SNAT involved? AFAIK mangle comes before NAT, so you might not be able to match on internal destination IPs on WAN interface 0.


Does TRIP somehow modify packets? I wonder if you end up with a single or two entries in conntrack.

Some deep packet inspection work creates separate TCP connections for inside and outside.

SuperUser
Posts: 8,178
Registered: 01-05-2012
Kudos: 2169
Solutions: 1074

Re: Policy-Based routing question/help request

I don't see the firewall modify ruleset applied on eth3 vif 12, but can the DPI appliance do NAT/masquerade on port 1 (its WAN port)?

New Member
Posts: 8
Registered: a week ago

Re: Policy-Based routing question/help request

smyers119, you are correct. Normally, my DPIA would sit between a switch and the router in bridge mode and all would be good. However, I recently saw a campus with a port-dense Layer 3 switch that was the Internet gateway. So, I am trying to do a proof of concept that any traffic on a given VLAN can be alternately routed through the DPIA.

The packet capture shows the packets leaving the EdgeRouter, going into the DPIA (in bypass mode for now), out of the DPIA and towards the EdgeRouter. At that point, the connection is killed. I tested the configs above applied to both directions, only the VLAN outbound traffic, and then the VLAN inbound traffic. All do not appear to be working at all. The packets appear to be dying somewhere between the EdgeRouter ports eth5 and eth0.
New Member
Posts: 8
Registered: a week ago

Re: Policy-Based routing question/help request

Static NAT is not involved for VLAN12. Simple Dynamic NATing is going on.

TRIP currently is in bypass mode, so no "inspection" is being done. But if this works, then it will simply be doing a bit bucket drop of "suspect" packets, or packets that match some blacklist criteria.
New Member
Posts: 8
Registered: a week ago

Re: Policy-Based routing question/help request


redfive,

Apologies, I forgot to include the interface configs; I will update the initial post, but here they are as well. Additionally, the DPIA needs to be transparent for the most part; it does not do any NATing. As long as a packet does not match a signature, or something in the header is not on a blacklist, then it should be passed along like any other switched packet.

set interfaces ethernet eth3 vif 12 firewall in modify TRIP_SOURCE
set interfaces ethernet eth5 firewall in modify TRIP_SOURCE_EGRESS
set interfaces ethernet eth0 firewall in modify TRIP_RETURN_INGRESS
set interfaces ethernet eth4 firewall in modify TRIP_RETURN

Veteran Member
Posts: 5,782
Registered: 01-04-2017
Kudos: 830
Solutions: 294

Re: Policy-Based routing question/help request

That makes sense where it's dropping. You have two routed ports on the router in the same layer 2 subnet. I would think you would need either A: 2 routers or B: a router with VRF to accomplish that.
New Member
Posts: 8
Registered: a week ago

Re: Policy-Based routing question/help request

smyers119, thanks. I was afraid using bridge mode (which is our standard setup) on the appliance would cause issues. I will try and use separate subnets on ports 4 & 5 and enable routing on the appliance. It's not our ideal least-impact solution (if it works), but this is a special-case "proof of concept" at this point.
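The two points the thread lands on (smyers119's "two routed ports in the same layer 2 subnet" and the plan to move eth4 and eth5 into separate subnets) are the kind of thing a small config lint catches before anything is committed. The checker below is an added example, not EdgeOS, Ubiquiti or the poster's code: it parses the `set` lines from the first post (trimmed to the statements it needs, with the RFC 5737 address 192.0.2.1 standing in for the `<WAN gateway>` placeholder) and flags interfaces whose connected subnets overlap, static routes whose next-hop is one of the router's own addresses rather than a neighbour, rulesets applied to an interface but never defined, and `modify table N` marks with no routes in table N. The "corrected" config is a constructed variant of the last post's plan; the appliance-side addresses 10.0.11.2 and 10.0.11.6 and the dropping of table 14 are assumptions of the example, not something the thread states.

```python
"""Added example (not EdgeOS or Ubiquiti code): lint the thread's EdgeOS
"set" lines for the problems the replies raise."""
import ipaddress
import re

# Constructed input: the first post's config, trimmed to the statements the
# checks need. 192.0.2.1 (RFC 5737 TEST-NET-1) stands in for "<WAN gateway>".
ORIGINAL_CONFIG = """
set protocols static table 11 route 0.0.0.0/0 next-hop 10.0.11.1
set protocols static table 12 route 0.0.0.0/0 next-hop 192.0.2.1
set protocols static table 13 route 10.0.12.0/24 next-hop 10.0.11.2
set protocols static table 14 route 10.0.12.0/24 next-hop 10.0.12.1
set interfaces ethernet eth4 address 10.0.11.1/30
set interfaces ethernet eth5 address 10.0.11.2/30
set interfaces ethernet eth3 vif 12 address 10.0.12.1/24
set interfaces ethernet eth3 vif 12 firewall in modify TRIP_SOURCE
set interfaces ethernet eth5 firewall in modify TRIP_SOURCE_EGRESS
set interfaces ethernet eth0 firewall in modify TRIP_RETURN_INGRESS
set interfaces ethernet eth4 firewall in modify TRIP_RETURN
set firewall modify TRIP_RETURN rule 10 modify table 14
set firewall modify TRIP_RETURN_INGRESS rule 10 modify table 13
set firewall modify TRIP_SOURCE rule 10 modify table 11
set firewall modify TRIP_SOURCE_EGRESS rule 10 modify table 12
"""

# Constructed variant of the last post's plan: eth4 and eth5 in separate /30s,
# appliance routing between them. Appliance addresses 10.0.11.2 / 10.0.11.6 are
# assumed; return traffic to the connected VLAN needs no table, so 14 is dropped.
CORRECTED_CONFIG = """
set protocols static table 11 route 0.0.0.0/0 next-hop 10.0.11.2
set protocols static table 12 route 0.0.0.0/0 next-hop 192.0.2.1
set protocols static table 13 route 10.0.12.0/24 next-hop 10.0.11.6
set interfaces ethernet eth4 address 10.0.11.1/30
set interfaces ethernet eth5 address 10.0.11.5/30
set interfaces ethernet eth3 vif 12 address 10.0.12.1/24
set interfaces ethernet eth3 vif 12 firewall in modify TRIP_SOURCE
set interfaces ethernet eth5 firewall in modify TRIP_SOURCE_EGRESS
set interfaces ethernet eth0 firewall in modify TRIP_RETURN_INGRESS
set firewall modify TRIP_RETURN_INGRESS rule 10 modify table 13
set firewall modify TRIP_SOURCE rule 10 modify table 11
set firewall modify TRIP_SOURCE_EGRESS rule 10 modify table 12
"""

ADDR_RE = re.compile(r"^set interfaces ethernet (\S+)(?: vif (\d+))? address (\S+)$")
APPLY_RE = re.compile(r"^set interfaces ethernet (\S+)(?: vif (\d+))? firewall in modify (\S+)$")
RULE_RE = re.compile(r"^set firewall modify (\S+) rule \d+ modify table (\d+)$")
ROUTE_RE = re.compile(r"^set protocols static table (\d+) route (\S+) next-hop (\S+)$")


def parse(config):
    """Pull interface addresses, applied rulesets, table marks and static
    routes out of the "set" lines; every other statement is ignored."""
    ifaces, applied, rulesets, routes = {}, {}, {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := ADDR_RE.match(line):
            name = m[1] + (f".{m[2]}" if m[2] else "")   # "eth3 vif 12" -> eth3.12
            ifaces[name] = ipaddress.ip_interface(m[3])
        elif m := APPLY_RE.match(line):
            applied[m[1] + (f".{m[2]}" if m[2] else "")] = m[3]
        elif m := RULE_RE.match(line):
            rulesets[m[1]] = int(m[2])
        elif m := ROUTE_RE.match(line):
            routes.setdefault(int(m[1]), []).append(
                (ipaddress.ip_network(m[2]), ipaddress.ip_address(m[3])))
    return ifaces, applied, rulesets, routes


def lint(config):
    """Return (kind, message) findings; an empty list means every check passed."""
    ifaces, applied, rulesets, routes = parse(config)
    findings = []
    # 1. Two routed ports whose connected subnets overlap (smyers119's diagnosis).
    names = sorted(ifaces)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ifaces[a].network.overlaps(ifaces[b].network):
                findings.append(("overlap", f"{a} ({ifaces[a]}) and {b} ({ifaces[b]}) share a subnet"))
    # 2. A next-hop that is one of the router's own addresses is not a neighbour.
    own = {iface.ip for iface in ifaces.values()}
    for table, entries in sorted(routes.items()):
        for dst, nh in entries:
            if nh in own:
                findings.append(("self-next-hop", f"table {table} route {dst}: next-hop {nh} is a local address"))
    # 3. Applied rulesets must exist, and marked tables must hold a static route.
    for iface, rs in sorted(applied.items()):
        if rs not in rulesets:
            findings.append(("undefined-ruleset", f"{iface} applies {rs}, which has no rules"))
    for rs, table in sorted(rulesets.items()):
        if table not in routes:
            findings.append(("dangling-table", f"{rs} marks traffic into table {table}, which has no routes"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(f"{label}: {len(lint(cfg))} finding(s)")
        for kind, msg in lint(cfg):
            print(f"  [{kind}] {msg}")
```

Run against the original config, `lint()` reports the eth4/eth5 overlap in 10.0.11.0/30 and three routes (tables 11, 13 and 14) whose next-hop is an address the router itself owns; the constructed corrected variant produces no findings. The checker only looks at what is in the `set` lines, so it says nothing about the conntrack and mangle-before-NAT questions redfive raised; those still need the tcpdump pass on each interface.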