PBR and default route

Answered Question
Mar 6th, 2008

I have an 1811 router which has 2 internet connections (FE0 and FE1) and Vlan1. What I need to achieve is:

1. all the internet browser traffic going through FE1

2. ipsec site-to-site tunnel established through FE0

3. mail sending in and out through FE1

4. other services (web, citrix,etc) from outside through FE0

According to this design, I think PBR is needed to apply to VLAN1 inside. The precedence is

10 ipsec traffic (permit 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255) interface FE0

20 servers providing outside service (permit host 10.0.0.3,10.0.0.5) interface FE0

default route interface FE1

Is my understanding of PBR right? When the packet reaches VLAN1 from inside, it checks PBR first. If it meets the requirement then it passes the packet on, otherwise it uses the default route.

For the servers providing services, the original traffic is generated outside. When it replies, it hits VLAN1; does it need a route to tell it which way to go back, like I defined in PBR 20?

In this way, all the traffic from the servers is through FE0, not only the replying traffic.

Since NAT overload is set on FE1, if I want to browse the internet from the servers, it won't work, unless another route-map for the servers is defined for the dynamic NAT on FE0.

Is it possible not to use PBR, but an ACL to deny traffic through a FastEthernet interface, so that it will try the other interface if it is rejected? Sure, it will use static route 0.0.0.0 0.0.0.0 to both interfaces.

Can anybody tell me what is the simple and logical way to do so?

Many thanks,

Joseph W. Doherty Thu, 03/06/2008 - 06:51

Normally from what you're describing, a point-to-point tunnel is used to extend the internal network. Internal traffic forwarding is accomplished similar to how it would be conducted if the remotely connected devices were locally connected; often as a different L3 segment. I.e. if you can provide that, traffic to/from the Internet would not normally require special redirection to/from the tunnel connected devices. Outbound to the Internet would likely use a default route. Inbound from the Internet would likely use a NATted address that is redirected to the appropriate internal host address.

yayasolenet Thu, 03/06/2008 - 17:44

Thank you for the quick reply. But I did not quite get what you mean.

1. The IPsec tunnel is not locally connected; it is through the internet using encryption. My understanding is the interesting traffic will start the phase 1 negotiation, then phase 2, and establish the tunnel. If there is no PBR, how can the interesting traffic reach the WAN interface to start the negotiation?

2. Sure, inbound traffic will reach the NATed address, but for the reply traffic, how can it go back to the internet through the same interface it came in on? Does it need a route to tell it?

Thanks.

Correct Answer
Joseph W. Doherty Thu, 03/06/2008 - 18:48

1. Normally, site-to-site VPN tunnels appear to your internal IP traffic as a normal link that ties together one "internal" router with another "internal" router. The tunnel configuration has the actual Internet IP addresses for the tunnel's end points, but these addresses, if known, are seen as external Internet addresses by the rest of your network.

The far side of the tunnel's internal LAN addresses need to be known. This can be done with static routes or, sometimes, using dynamic routing across the tunnel.

PBR is, more or less, special-conditions static routing, usually used when there are multiple paths to a destination and you want to specify path preference for different types of traffic.

In your case, probably, you have traffic to/from the Internet, and/or to/from the remote tunnel end's LAN. Different logical destinations even though the tunnel, itself, runs across the Internet.

2. Usually, internal hosts will see Internet hosts with an Internet address. Your internal routing, normally, will forward any unknown internal host addresses to the Internet. In your case, likely as the traffic passes out to the Internet, the internal source address is NAT'ed to a public Internet address. The Internet host replies back to the NAT'ed address. The NAT translates the reply destination address back to the original requester's source address. Your internal routing delivers it. The two special elements are sending unknown addresses out to the Internet, and translating internal private addresses to/from public Internet addresses. Everything else usually is standard routing.

yayasolenet Sun, 03/09/2008 - 17:42

Last Friday, I had the chance to work on the router with the internet connections.

My original design did not work. But I tried another way and it worked!

PBR is needed for my case.

10 IPsec traffic forward to FE0

20 Servers host forward to FE0

30 any other traffic is forwarded to FE1

Without a default gateway, the internet browsing and mail server worked fine. But the rest didn't work.

I added the default gateway to FE0. Then everything worked.

There is something I need to point out.

1. Without a default route, the IPsec won't come up, as the tunnel is established using public IPs and the PBR is applied to the VLAN.

2. If you have 2 default gateways, IPsec still won't work. IPsec does not work with load balancing. Actually I don't know how load balancing works. When I tried to ping the remote IP, one packet gets through and the next one gets lost.

3. For a NATed service, the incoming traffic first reaches the router for the internal server. It is translated into the internal address and reaches the internal server. When the internal server replies, it sees the global address as a public IP. When it reaches the VLAN port, there are still 2 ways for it to choose. So PBR needs to tell it which interface to choose.

Hope it helps.
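The working layout the last post describes (sequence 10 and 20 to FE0, sequence 30 to FE1, a single default route via FE0), written out as an IOS configuration. This is an added example, not the poster's configuration or anything from the thread. Assumptions: the 1811's WAN ports are FastEthernet0 (FE0, ISP next hop 203.0.113.1) and FastEthernet1 (FE1, ISP next hop 198.51.100.1); the inside LAN is 10.0.0.0/24 on Vlan1 with the router at 10.0.0.1; the remote VPN LAN is 192.168.0.0/24; the ACL and route-map names are chosen here; the crypto map for the tunnel and the NAT overload on FE1 are assumed to be configured already and are not shown.

```cisco
! Added example, not the poster's configuration. Interface names, next-hop
! addresses, ACL names and the route-map name are assumptions.
!
! Interesting traffic for the site-to-site tunnel (poster's sequence 10).
ip access-list extended PBR-IPSEC
 permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
!
! Servers published via FE0; their replies must leave the same way the
! requests came in (poster's sequence 20).
ip access-list extended PBR-SERVERS
 permit ip host 10.0.0.3 any
 permit ip host 10.0.0.5 any
!
route-map PBR-VLAN1 permit 10
 match ip address PBR-IPSEC
 set ip next-hop 203.0.113.1
!
route-map PBR-VLAN1 permit 20
 match ip address PBR-SERVERS
 set ip next-hop 203.0.113.1
!
! Everything else from the LAN (browsing, mail) goes out FE1, where the
! NAT overload lives (poster's sequence 30). No match clause, so any packet
! not caught by 10 or 20 lands here.
route-map PBR-VLAN1 permit 30
 set ip next-hop 198.51.100.1
!
interface Vlan1
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip policy route-map PBR-VLAN1
!
! One default route, via FE0. "ip policy route-map" on Vlan1 only touches
! packets that arrive on Vlan1; the IKE and ESP packets the router itself
! sends to the VPN peer are forwarded from the routing table, which is why
! the tunnel did not come up without this route.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
```

Two points worth checking when applying something like this. First, `set ip next-hop` is used rather than `set interface`, because on an Ethernet segment the latter relies on the next hop answering proxy ARP; the next-hop form also has a well-defined fallback: if the interface toward that next hop is down, the packet is handled by the normal routing table, so a failed FE1 link quietly sends browsing traffic out FE0 where the overload NAT is not applied. Second, the policy applies only to transit traffic entering Vlan1; traffic sourced by the router itself (IKE negotiation, its own pings) would need `ip local policy route-map` if it should ever be policy-routed, which is exactly why a single default route via FE0 was the missing piece, and why two equal-cost default routes let the peer's packets be split across both links. `show route-map PBR-VLAN1` shows per-sequence match counters, and `debug ip policy` on a lab router shows each policy decision as it is made.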
