Split Route Tunnels

  • Hey all, have a quick question I’m hoping someone can give me some help with. I have Googled until my eyes turned blue, scoured my ScreenOS Cookbook to no avail. I have the following:

    Firewall A -- e0/0 provider 1 (T1)
               -- e0/1 provider 2 (DSL)
               -- bgr0
    Firewall B -- e0/0 provider 1 (MetroE)
               -- bgr0

    I had been asked to send ALL 192.168.0.x tunnel traffic MINUS 1 host via e0/1 and ONE 192.168.0.x host via e0/0

    ASCII should look like:

    Firewall A --> --> via e0/1 --> Firewall B
    Firewall A --> --> via e0/0 --> Firewall B

    Unsure how to accomplish this. Firewall A’s e0/1’s default route is active and nothing I send to e0/0 gets through. The moment I gave e0/1 the better preference, is the moment all stopped. I went back and created two VPNs from Firewall A to Firewall B and vice versa, but I cannot get Firewall A’s e0/0 connected to Firewall B. Any thoughts, pointers, etc?

• Another possibility is source-based or policy-based routing. In the latter case you can route the packet according to the src-ip, dst-ip, dst-port, src-port, ….

  • That all is one step forward. What is the general purpose for that? Is it that 0.200 needs to be tunnelled with a faster connection than all the others?
I think there are many ways to do that. I would use another virtual router first, because then I can add routes separately and I don’t have to think about metrics or something. I would also put the 0.200 into that other virtual router if possible and do the necessary routing and policies if that machine must be reachable in the 0.0/24 network.

    Maybe it also works when you do two different policy based tunnels and then just set in the policy that 0.200 goes to 2.0/24 network through one tunnel and all the others through another (the latter policy being below the first).

    There are certainly more ways to do that, depending on how much things can be changed in the current environment.
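The source-based routing suggestion above rests on lookup order: a virtual router that supports source routes consults them before the ordinary destination table, so a single /32 source entry can pull one host onto e0/0 while the preferred default route keeps sending everyone else out e0/1. The following Python model is an added example, not anything from this thread and not ScreenOS configuration; the route entries, interface names and the "source table first, then longest-prefix destination match with lowest preference" ordering are constructed assumptions chosen to mirror the two-interface setup described in the first post.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed destination-based table: (prefix, egress interface, preference).
# Both defaults exist; e0/1 (DSL) has the better (lower) preference, as the
# original poster described, so destination lookup alone can never pick e0/0.
DST_ROUTES: List[Tuple[ipaddress.IPv4Network, str, int]] = [
    (ipaddress.ip_network("0.0.0.0/0"), "ethernet0/1", 20),
    (ipaddress.ip_network("0.0.0.0/0"), "ethernet0/0", 40),
    (ipaddress.ip_network("192.168.0.0/24"), "bgroup0", 10),  # local LAN
]

# Constructed source-based table: (source prefix, egress interface).
# One host is pinned to the T1 link; every other source falls through.
SRC_ROUTES: List[Tuple[ipaddress.IPv4Network, str]] = [
    (ipaddress.ip_network("192.168.0.200/32"), "ethernet0/0"),
]


def lookup_dst(dst: str) -> Optional[str]:
    """Longest-prefix match; equal prefix lengths tie-break on lowest preference."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[int, int, str]] = None  # (-prefixlen, preference, iface)
    for prefix, iface, pref in DST_ROUTES:
        if addr in prefix:
            cand = (-prefix.prefixlen, pref, iface)
            if best is None or cand < best:
                best = cand
    return best[2] if best else None


def lookup_src(src: str) -> Optional[str]:
    """Longest-prefix match on the source address; no preference field here."""
    addr = ipaddress.ip_address(src)
    best: Optional[Tuple[int, str]] = None
    for prefix, iface in SRC_ROUTES:
        if addr in prefix:
            cand = (-prefix.prefixlen, iface)
            if best is None or cand < best:
                best = cand
    return best[1] if best else None


def select_egress(src: str, dst: str, source_routing: bool = True) -> Optional[str]:
    """Model of the lookup order: source table first (if enabled), then destination table.

    With source_routing=False this degenerates to plain destination routing,
    which is the situation the first post is stuck in.
    """
    if source_routing:
        iface = lookup_src(src)
        if iface is not None:
            return iface
    return lookup_dst(dst)


def main() -> None:
    # Constructed sample flows towards the remote 192.168.2.0/24 site.
    flows = [("192.168.0.200", "192.168.2.10"), ("192.168.0.50", "192.168.2.10")]
    for enabled in (False, True):
        print(f"source-based routing {'on ' if enabled else 'off'}:")
        for src, dst in flows:
            print(f"  {src} -> {dst}: {select_egress(src, dst, enabled)}")


if __name__ == "__main__":
    main()
```

Run it and the two passes show the difference: with only destination routes both hosts leave via ethernet0/1 because the better preference always wins; with the source table consulted first, 192.168.0.200 leaves via ethernet0/0 and everyone else still follows the default. The same check is worth doing against a real box before changing route preferences, since a preference change alone (as the first post found) moves all traffic rather than one host.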