3 Replies Latest reply on Dec 13, 2015 7:59 AM by jandrewartha

    Multi-link without NAT?

    jandrewartha

      Is it possible to use a Multi-link to route traffic without NATting it? I have several purposes that need policy routing but that preserve the source address.

      Also, how do Multi-Link and dynamic routing (BGP) interact?

        • 1. Re: Multi-link without NAT?
          lnurmi

          No, but it's possible to use netlinks to route traffic without NATing it. A netlink basically does policy-based routing by itself: the network defined in the netlink properties is the source IP selector. If the source IP in the packet is from the defined network, then that netlink route is used. The Multi-link element in NAT rules just adds the NATing, netlink probing, failover etc.

          >Also, how do Multi-Link and dynamic routing (BGP) interact?

          What you configure in SMC are always considered static routes. They have a lower administrative distance (1) than any route learned through a routing protocol, so they are always preferred if the same route is learned through several means.

          BR,

          Lauri

          • 2. Re: Re: Multi-link without NAT?
            jandrewartha

            lnurmi wrote:

            > No, but it's possible to use netlinks to route traffic without NATing it. A netlink just basically does policy-based routing by itself, the network defined in the netlink properties is the source IP selector. If source IP in packet is from the defined network, then that netlink route is used. Multi-link element in NAT rules just adds the NATing, netlink probing and failover etc.

            Ahh, now I understand what the network in the netlink is about. The documentation is a bit unclear on that.

            >> Also, how do Multi-Link and dynamic routing (BGP) interact?
            >
            > What you configure in SMC are always considered static routes. They have lower administrative distance (1) than any route learned through a routing protocol, so they are always preferred if same route is learned through several means.

            Right, so for internet BGP I wouldn't have a default route, rather I'd let the one from BGP take effect.

            Which is good, except the next step is how to policy route only certain ports to our content filter. With Multi-link I can apply a QoS class to traffic in the firewall and then only put that QoS class on a certain netlink in that Multi-link, but then it's NATting again. I do have the document on how to achieve this which involves NAT policies and setting the content filter as the default route, but that's not going to fly with BGP.

            The super bonus level is our guest wireless network, which tags unauthenticated user traffic with a certain DSCP value, which I need to redirect to the captive portal. Again, if I could policy route on QoS at a netlink without the NAT of a Multi-link that would be perfect.

            • 3. Re: Multi-link without NAT?
              jandrewartha

              jandrewartha wrote:

              > lnurmi wrote:
              >
              >> What you configure in SMC are always considered static routes. They have lower administrative distance (1) than any route learned through a routing protocol, so they are always preferred if same route is learned through several means.
              >
              > Right, so for internet BGP I wouldn't have a default route, rather I'd let the one from BGP take effect.
              >
              > Which is good, except the next step is how to policy route only certain ports to our content filter. With Multi-link I can apply a QoS class to traffic in the firewall and then only put that QoS class on a certain netlink in that Multi-link, but then it's NATting again. I do have the document on how to achieve this which involves NAT policies and setting the content filter as the default route, but that's not going to fly with BGP.

              Thinking about this again, since the explicit route I create for the content filter will only be for internal IPs, BGP routes should only be used for the public IPs, which come from the other side of the content filter, or NATting. Now to understand NAT rules ...
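The two selection rules discussed in this thread (lnurmi's reply: a netlink's network is a source-address selector and needs no NAT; SMC-configured routes are static with administrative distance 1 and beat anything learned via BGP; and jandrewartha's final plan: a static route to the content filter that covers only internal destinations, with the BGP default carrying the public ones) can be modelled as a small route-selection function. This is an added illustration written for this page, not SMC or Forcepoint/Stonesoft code, and it makes three assumptions not stated in the thread: netlinks are checked in list order with first match winning, destination lookup is longest-prefix-first with administrative distance as the tie-breaker, and the distance assigned to BGP-learned routes (BGP_DISTANCE) is a placeholder value. All addresses are constructed sample values from documentation ranges.

```python
"""Toy model of netlink (source-based) policy routing and static-vs-BGP
route preference as described in the thread.  Not SMC code; an added
illustration with the assumptions noted in the comments below."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Netlink:
    """A netlink: the network set in its properties selects by SOURCE address."""
    name: str
    source_net: ipaddress.IPv4Network
    gateway: str


@dataclass(frozen=True)
class Route:
    """A destination route with its origin and administrative distance."""
    prefix: ipaddress.IPv4Network
    gateway: str
    origin: str      # "static" (configured in SMC) or "bgp" (learned)
    distance: int


STATIC_DISTANCE = 1   # stated in the thread: SMC-configured routes are static, distance 1
BGP_DISTANCE = 20     # ASSUMED placeholder; the thread gives no value for BGP-learned routes


def static(prefix: str, gateway: str) -> Route:
    return Route(ipaddress.ip_network(prefix), gateway, "static", STATIC_DISTANCE)


def bgp(prefix: str, gateway: str) -> Route:
    return Route(ipaddress.ip_network(prefix), gateway, "bgp", BGP_DISTANCE)


def select_netlink(src: str, netlinks: List[Netlink]) -> Optional[Netlink]:
    """Policy step: first netlink whose source network contains the packet's
    source address wins (first-match ordering is an assumption of this model)."""
    addr = ipaddress.ip_address(src)
    for nl in netlinks:
        if addr in nl.source_net:
            return nl
    return None


def select_route(dst: str, routes: List[Route]) -> Optional[Route]:
    """Destination step: longest prefix wins; among equal prefixes the lowest
    administrative distance wins, so a static /0 beats a BGP-learned /0."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.distance))


def next_hop(src: str, dst: str, netlinks: List[Netlink],
             routes: List[Route]) -> Tuple[str, str]:
    """Return (gateway, reason).  Source-selected netlinks are consulted before
    the destination route table; no NAT is involved in either step."""
    nl = select_netlink(src, netlinks)
    if nl is not None:
        return nl.gateway, f"netlink {nl.name}: source in {nl.source_net}, no NAT"
    route = select_route(dst, routes)
    if route is None:
        return "", "no route"
    return route.gateway, f"{route.origin} route {route.prefix} (distance {route.distance})"


# Constructed sample configuration (documentation address ranges).
NETLINKS = [Netlink("isp2", ipaddress.ip_network("192.168.50.0/24"), "198.51.100.1")]

CONTENT_FILTER = static("10.10.0.0/16", "192.0.2.10")   # internal destinations via the filter
STATIC_DEFAULT = static("0.0.0.0/0", "198.51.100.1")    # a static default configured in SMC
BGP_DEFAULT = bgp("0.0.0.0/0", "203.0.113.1")            # default learned over BGP

WITH_STATIC_DEFAULT = [CONTENT_FILTER, STATIC_DEFAULT, BGP_DEFAULT]
BGP_DEFAULT_ONLY = [CONTENT_FILTER, BGP_DEFAULT]          # jandrewartha's plan: no static default


if __name__ == "__main__":
    cases = [
        ("10.20.1.1", "203.0.113.77", WITH_STATIC_DEFAULT),  # static /0 beats BGP /0
        ("10.20.1.1", "203.0.113.77", BGP_DEFAULT_ONLY),     # BGP default used for public IPs
        ("10.20.1.1", "10.10.4.4", BGP_DEFAULT_ONLY),        # internal dst -> content filter
        ("192.168.50.7", "203.0.113.77", BGP_DEFAULT_ONLY),  # source-selected netlink, no NAT
    ]
    for src, dst, table in cases:
        gw, why = next_hop(src, dst, NETLINKS, table)
        print(f"{src} -> {dst}: via {gw} [{why}]")
```

The third case is the point of the last post: because the content-filter route covers only an internal prefix, it is chosen by prefix length, not by overriding the BGP default, so the BGP-learned default still carries everything public. The first case shows why a static default configured in SMC would defeat that plan.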