Nebula Policy Route malfunction with VPN Orchestrator

GiuseppeR

Hello everyone,

I went to this section:

to route a pair of specific LAN devices via wan2 internet connection.

I have 2x wans on that site but I need that both of those LAN devices go on the internet ONLY via wan2. No backup via wan1.

The problem is that I have also a VPN (VPN that is working via wan2 only too) on that ORG:

So when those rules are enabled I am NOT able to use internal VPN to reach those devices. Neither ping or smb connection.

In my opinion VPN is an internal LANs connection, so routing policies via wan2 should NOT affect LAN traffic.

How can I solve that?

Zyxel_Melen

Hi @GiuseppeR ,

The issue occurs because your current Policy Routes use "Any" as the destination and the policy route has higher priority than site-to-site VPN in routing flow. Since the VPN subnets are technically "Any" destination, the firewall prioritizes the Policy Route and pushes that traffic out through WAN2 instead of routing it through the VPN tunnel.

Please allow me to take some time to find the solution for you.

Zyxel_Melen

Hi @GiuseppeR

I checked the priority of routing flow can't be modified. It seems like you have some reason for using policy route rather than setup the WAN Load Balancing? May you share the reason and your scenario's detail? With these information, we can help to figure the solution.

GiuseppeR

Hi @Zyxel_Melen

I need to use wan2 for redundant backup and VoIP purposes.

VoIP PBX is set to be aligned to a specific IP that is working only via wan2, a part from this wan1 is made on a radio ISP connection so it has more latency and instability with bad weather.

Redundant backup has to go via wan2 because it has to avoid any conflict with traffic usage via wan1. In this scenario I’m sure that wan1 is used for the rest of the ORG traffic, avoiding the backup to use that bandwith too. Using only wan2 could lead to a little bit longer backup, but a smoother working time for the rest of the ORG