Issues regarding policy routes
However, I am not able to ping any clients connected to these 3 Vlans.
I hope it is clear
Thanks in advance.
Comments
-
What USG are you using?
So LAN1 on the untagged interface is not used by the looks of it (give it some other address so it does not conflict with VLAN 11, so its gateway can be 10.0.0.1), and your WAN IP is in 10.0.3.0/24?
You might not be doing the tags/untag correctly, and policy routes to a gateway that's not in use looks wrong.
I'm having a hard time working out what you have done; maybe a drawing would help me get an idea of the WAN and LAN, with VLANs in which zone.
I take it PCs on, like, VLAN 12 don't have internet, or do they?
On the 10.0.3.0/24 network, what IP and gateway is it getting, and on what interface?
0 -
It is a USG 310, v4.38.
Here is the diagram:
The goal is to direct traffic from VLANs 11, 12 & 13 to 10.0.3.0/24 using Policy Routes because we cannot use static routes (there are other LANs' traffic routed to another ISP router).
10.0.30/24 hosts should be able to access LAN 10.0.0.0/24, 10.0.1.0/24, 10.0.3.0/24
Here are the Policy Routes: (ISP = 10.0.0.1)
index: 2
active: yes
auto-disable: no
description: VLAN13
user: any
schedule: none
interface: vlan13
tunnel: none
sslvpn: none
source: SUBNET_VLAN13
destination: any
DSCP code: any
service: any
srcport: any
nexthop type: Gateway
nexthop: ISP
nexthop state: Not support
auto destination: no
SNAT: none
DSCP marking: preserve
connectivity-check: no
index: 3
active: yes
auto-disable: no
description: VLAN12
user: any
schedule: none
interface: VLAN12
tunnel: none
sslvpn: none
source: SUBNET_VLAN12
destination: any
DSCP code: any
service: any
srcport: any
nexthop type: Gateway
nexthop: ISP
nexthop state: Not support
auto destination: no
SNAT: none
DSCP marking: preserve
connectivity-check: no
One remark: The option Use IPv4 Policy Route to Override Direct Route is disabled. This might be the problem since I want to direct VLAN 12 & 13 to 10.0.0.1 and they should not use the directly connected routes.
Thanks.
0 -
I think the problem is you trying to get more subnets by VLAN 11. If you remove VLAN 11, the tagged network, so that you have the USG 10.0.0.2 to 10.0.0.1 router with Use IPv4 Policy Route to Override Direct Route, it might all work?
Sorry I can't be more help I think someone else can help you more with your setup.
0 -
Well, thanks very much for your help. The VLAN 11 is in fact used as a "transit network" if you know what I mean.
I've run a simulation using GNS3 and it is working correctly, but with a Cisco L3 switch instead of the USG 310.
My assumption is perhaps that I am not configuring these policy routes correctly. And I am not really familiar with Zyxel products, to be honest.
Do you know the impacts of this feature "Use IPv4 Policy Route to Override Direct Route" in a production environment?
0 -
I used the feature "Use IPv4 Policy Route to Override Direct Route" here in this setup.
https://community.zyxel.com/en/discussion/9773/local-static-routes-not-working#latest
Instead of sending traffic out the interface it knows directly it instead sends it to the set gateway next hop.
0
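As an added illustration of the lookup order the last reply describes (not code from the thread or from Zyxel), here is a simplified model of one USG: connected routes win unless "Use IPv4 Policy Route to Override Direct Route" is on, then the matching policy route, then the default route. The 10.0.0.0/24 transit network, the 10.0.0.1 ISP gateway and the two policy rules (index 2 and 3) are taken from the posts above; the VLAN 12/13 subnets and the default-route interface name are assumed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Simplified model, not the USG's real forwarding code. Addresses marked
# "assumed" are placeholders; the thread does not give the VLAN 12/13 subnets.
CONNECTED = {
    "vlan11": ipaddress.ip_network("10.0.0.0/24"),  # transit net, USG is 10.0.0.2
    "vlan12": ipaddress.ip_network("10.0.1.0/24"),  # assumed
    "vlan13": ipaddress.ip_network("10.0.2.0/24"),  # assumed
}
DEFAULT_GW = "wan1"  # assumed name for whatever the normal default route uses


@dataclass
class PolicyRoute:
    source: ipaddress.IPv4Network
    nexthop: str  # "destination: any" is implied, as in the thread's rules


POLICY = [
    PolicyRoute(CONNECTED["vlan13"], "10.0.0.1"),  # index 2, description VLAN13
    PolicyRoute(CONNECTED["vlan12"], "10.0.0.1"),  # index 3, description VLAN12
]


def next_hop(src_ip: str, dst_ip: str, override_direct: bool):
    """Return (route kind, where the packet goes) for one flow through the USG."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    direct_if = next((i for i, net in CONNECTED.items() if dst in net), None)
    rule = next((r for r in POLICY if src in r.source), None)
    # Without the override, a destination inside a connected subnet never
    # reaches the policy-route table: the connected route wins.
    if direct_if and not (override_direct and rule):
        return ("direct", direct_if)
    if rule:
        return ("policy", rule.nexthop)
    return ("default", DEFAULT_GW)


if __name__ == "__main__":
    # VLAN 12 host talking to a VLAN 11 host, then to a host behind the ISP router
    for flag in (False, True):
        print("override =", flag,
              next_hop("10.0.1.10", "10.0.0.50", flag),
              next_hop("10.0.1.10", "10.0.3.5", flag))
```

With the override off, only destinations outside the connected subnets (such as 10.0.3.0/24) are steered to 10.0.0.1; with it on, every packet from VLAN 12/13 that transits the USG goes to 10.0.0.1, including traffic for the other local VLANs, which is the production-impact question raised above.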