Bridge member as incoming interface in policy routing?

USG 40/ USG40W/ USG60/ USG60W/ USG110/ USG210/ USG310
USG 20/ USG 20W/ USG 50/ USG 100/ USG 200/ USG 300/ USG 1000/ USG 2000

Moderator: AliceShih

Bridge member as incoming interface in policy routing?

Postby Ivar on Sun Apr 30, 2017 2:21 am

Can I select a bridge member as the incoming interface in policy routing? I just want to route some bridge traffic to another interface and gateway. Also, for the local-subnet computers the default gateway is not the bridge interface, but the gateway on the other side of the bridge.
I currently use pfSense and it routes this kind of traffic without problems. I plan to replace pfSense with Zyxel, but I need to know whether I can do this.
Ivar
Newbie
 
Posts: 22
Cash: 28
Joined: Sun Apr 23, 2017 2:29 am

Re: Bridge member as incoming interface in policy routing?

Postby PeterUK on Sun May 07, 2017 5:00 pm

Traffic to the bridge interface you likely can do routing for, but from testing here, traffic going through the bridge you cannot do routing on as of yet.
PeterUK
Junior
 
Posts: 57
Cash: 59
Joined: Tue Mar 04, 2014 7:41 pm

Re: Bridge member as incoming interface in policy routing?

Postby Ivar on Mon May 08, 2017 1:27 am

PeterUK wrote: Traffic to the bridge interface you likely can do routing for, but from testing here, traffic going through the bridge you cannot do routing on as of yet.


I don't understand. What "testing"? For example, pfSense and also Sophos XG allow routing traffic out of the bridge even when the bridge is not the gateway for the internal computers. In pfSense only the return packets don't go back (I must do MAC-address NAT with Mikrotik first) when the route was from some other interface to the bridge (and vice versa). But Sophos XG allows routing in both directions on the bridge, and the computers don't need the bridge interface set as their gateway.
Ivar
Newbie
 
Posts: 22
Cash: 28
Joined: Sun Apr 23, 2017 2:29 am

Re: Bridge member as incoming interface in policy routing?

Postby PeterUK on Mon May 08, 2017 1:35 am

You're just not able to route traffic that is going through the bridge, but traffic going to the bridge interface you likely can route.
PeterUK
Junior
 
Posts: 57
Cash: 59
Joined: Tue Mar 04, 2014 7:41 pm

Re: Bridge member as incoming interface in policy routing?

Postby Ivar on Mon May 08, 2017 2:08 am

PeterUK wrote: You're just not able to route traffic that is going through the bridge, but traffic going to the bridge interface you likely can route.


Are you sure? Have you tested it? Really bad news. So I still can't buy Zyxel, although I really like its GUI.
Ivar
Newbie
 
Posts: 22
Cash: 28
Joined: Sun Apr 23, 2017 2:29 am

Re: Bridge member as incoming interface in policy routing?

Postby PeterUK on Mon May 08, 2017 2:44 pm

Like I said, I did testing for it, but it seems routing rules can only be applied if the traffic goes to an interface MAC. I too would like to be able to do this, and it should be possible with the use of SNAT and a next-hop gateway.

Something like this is what you want, yes?
S MAC ISP IP > D ISP MAC 8.8.8.8 through bridge
routing
S MAC ZyXEL interface IP ZyXEL > D gateway MAC 8.8.8.8
PeterUK
Junior
 
Posts: 57
Cash: 59
Joined: Tue Mar 04, 2014 7:41 pm

Re: Bridge member as incoming interface in policy routing?

Postby Ivar on Mon May 08, 2017 3:39 pm

PeterUK wrote: Like I said, I did testing for it, but it seems routing rules can only be applied if the traffic goes to an interface MAC. I too would like to be able to do this, and it should be possible with the use of SNAT and a next-hop gateway.

Something like this is what you want, yes?
S MAC ISP IP > D ISP MAC 8.8.8.8 through bridge
routing
S MAC ZyXEL interface IP ZyXEL > D gateway MAC 8.8.8.8


Did you test all aspects:

1. Routing out of the bridge (I understand you tested it and it didn't work). This is not a big problem. You can use a Mikrotik firewall bridge between the Zyxel and the local network. Mikrotik allows DNAT for MAC addresses. Just change the ISP gateway to the Zyxel bridge interface MAC. I used pfSense and it is able by itself to route out of the bridge without Mikrotik tricks.

2. How about return packets? For example, pfSense is able to route out of the bridge when the session originated coming TO a bridge member, but it is unable to return packets when the origin was from some other interface TO the bridge interface and the return packets must go to the bridge member and then to that other interface. For this I use exactly this Mikrotik trick. I suspect that when you tested point 1, the return packets probably also couldn't find the path by themselves when the internal computers' default gateway was not set to the bridge interface.

But that's not a big problem; Mikrotik can help here. The real big problem is whether return packets can find the right return path at all when there is some policy route. For example, I want to route LAN traffic to WAN1 and write a policy route. Now a session comes from WAN2 to LAN. The return packets from LAN see the policy route, which routes the return traffic to WAN1, and that is the wrong path. This makes the firewall unusable. So I still can't buy it before I know for sure. It depends on whether the firewall holds the interface mark in the state table for return packets, and whether it also applies policy routing to return traffic. Maybe the workaround should then be to use DNAT for WAN2 sessions, because DNAT is usually fully stateful and doesn't accept any route for return packets. But this I also don't know for sure in the Zyxel case.
Ivar
Newbie
 
Posts: 22
Cash: 28
Joined: Sun Apr 23, 2017 2:29 am
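The two behaviours argued about above (PeterUK's point that a firewall only routes frames addressed to its own interface MAC, so anything merely transiting the bridge is switched and never sees a policy route, and Ivar's point that a reply packet must leave by the interface its session arrived on rather than by a policy route) can be made concrete with a small model. The following is an added example, not code from Zyxel, pfSense, Sophos or Mikrotik; interface names, addresses and MACs are constructed, and the firewall logic is a simplified stand-in for a real product's forwarding path.

```python
"""Toy model of a firewall deciding where a packet goes.

Added example (not vendor code). It models two behaviours discussed in
the thread:
  1. A frame entering a bridge member is switched at layer 2 unless its
     destination MAC is the firewall's own MAC, so policy routes never
     see it (rewriting the destination MAC, the "Mikrotik trick", fixes
     that).
  2. Replies of a session that arrived on WAN2 must leave via WAN2 even
     if a policy route sends LAN-sourced traffic to WAN1. That requires
     a state table remembering the ingress interface of the first packet.
All names, addresses and MACs below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

FW_MAC = "02:00:00:00:00:01"          # constructed: firewall bridge MAC

# constructed interfaces; "br0" bridges the physical ports lan1 and lan2
IFACE_NETS = {
    "br0": ip_network("192.168.1.0/24"),
    "wan1": ip_network("203.0.113.0/24"),
    "wan2": ip_network("198.51.100.0/24"),
}
BRIDGE_MEMBERS = {"lan1": "br0", "lan2": "br0"}
DEFAULT_GW_IFACE = "wan1"

# policy routes: (ingress iface, source net, destination net, egress iface)
POLICY_ROUTES = [
    ("br0", ip_network("192.168.1.0/24"), ip_network("0.0.0.0/0"), "wan1"),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    iif: str        # physical ingress interface
    dst_mac: str    # destination MAC from the Ethernet header


def route_lookup(dst):
    """Plain destination-based routing table lookup."""
    for iface, net in IFACE_NETS.items():
        if ip_address(dst) in net:
            return iface
    return DEFAULT_GW_IFACE


def policy_egress(pkt, logical_iif):
    """Policy routes first (matched on the logical ingress interface)."""
    for iif, src_net, dst_net, egress in POLICY_ROUTES:
        if (logical_iif == iif and ip_address(pkt.src) in src_net
                and ip_address(pkt.dst) in dst_net):
            return egress
    return route_lookup(pkt.dst)


class Firewall:
    def __init__(self, stateful):
        self.stateful = stateful
        self.conntrack = {}   # 5-tuple -> logical ingress iface of first packet

    def forward(self, pkt):
        logical_iif = BRIDGE_MEMBERS.get(pkt.iif, pkt.iif)
        # Frames on a bridge member not addressed to the firewall's MAC are
        # switched to the other member and never reach the routing code.
        if pkt.iif in BRIDGE_MEMBERS and pkt.dst_mac != FW_MAC:
            return "bridged"
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rkey = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if self.stateful and rkey in self.conntrack:
            # Reply of a known session: reverse the original path, ignore
            # policy routes.
            return self.conntrack[rkey]
        egress = policy_egress(pkt, logical_iif)
        if self.stateful:
            self.conntrack.setdefault(key, logical_iif)
        return egress


def bridge_transit(mac_rewritten):
    """LAN host with its gateway beyond the bridge sends a DNS query out."""
    fw = Firewall(stateful=True)
    isp_gw_mac = "02:00:00:00:00:99"   # constructed: upstream gateway MAC
    dst_mac = FW_MAC if mac_rewritten else isp_gw_mac
    return fw.forward(Packet("192.168.1.10", "8.8.8.8", 50000, 53, "lan1", dst_mac))


def wan2_session(stateful):
    """Session from a WAN2 host to a LAN server: (request, reply) egress."""
    fw = Firewall(stateful)
    req = Packet("198.51.100.10", "192.168.1.20", 40000, 443, "wan2", FW_MAC)
    rep = Packet("192.168.1.20", "198.51.100.10", 443, 40000, "lan1", FW_MAC)
    return fw.forward(req), fw.forward(rep)


if __name__ == "__main__":
    print("transit, gateway MAC kept   :", bridge_transit(False))
    print("transit, MAC rewritten to FW:", bridge_transit(True))
    print("WAN2 session, stateless     :", wan2_session(False))
    print("WAN2 session, stateful      :", wan2_session(True))
```

Run as written, the transit packet that still carries the upstream gateway's MAC is reported as bridged and never routed, while the same packet with the destination MAC rewritten to the firewall's MAC hits the policy route and leaves via wan1. For the WAN2 session the stateless variant sends the reply to wan1 (the failure Ivar describes); the stateful variant returns it to wan2 because the connection entry stored the ingress interface. When evaluating a product for this setup, the question to settle is which of these two variants its forwarding path implements for reply traffic, and whether the bridge check in the model matches how it treats frames not addressed to its own MAC.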

Re: Bridge member as incoming interface in policy routing?

Postby PeterUK on Mon May 08, 2017 5:44 pm

You have to ask for it to be added, because what you're trying to do, I think, can't be done from what I'm reading.
PeterUK
Junior
 
Posts: 57
Cash: 59
Joined: Tue Mar 04, 2014 7:41 pm

Re: Bridge member as incoming interface in policy routing?

Postby Ivar on Mon May 08, 2017 7:14 pm

PeterUK wrote: You have to ask for it to be added, because what you're trying to do, I think, can't be done from what I'm reading.


What can't be done?
Ivar
Newbie
 
Posts: 22
Cash: 28
Joined: Sun Apr 23, 2017 2:29 am

Re: Bridge member as incoming interface in policy routing?

Postby PeterUK on Tue May 09, 2017 4:05 am

Ivar wrote:
PeterUK wrote: You have to ask for it to be added, because what you're trying to do, I think, can't be done from what I'm reading.

What can't be done?

Traffic going through the bridge. You could get the low-end model and test it, then ask to make it possible.
PeterUK
Junior
 
Posts: 57
Cash: 59
Joined: Tue Mar 04, 2014 7:41 pm

© Copyright 1995-2009, ZyXEL Communications Corp. All rights reserved.