Comments
-
If the next-hop of rule #3 (of my comments) is 10.70.70.2, you get 4 steps of a roundtrip. If the next-hop of rule #3 (of my comments) is 10.70.70.20, you get 3 steps of a roundtrip. So a next-hop set to 10.70.70.20 is one hop less in cost (network latency) than 10.70.70.2.
-
"Allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the ZyWALL." This is a wrong statement. The security policy still checks and blocks traffic that is not allowed, if there is a policy that does not allow WAN to LAN.
-
Could you explain more about the requirement and use case of rule #1 wan1 to …
-
If the destination is directly connected to 10.70.70.20, why do you need to route to 10.70.70.2 for another hop cost?
-
Hi @baba, here are the configuration comments for the case. Enable "Allow Asymmetrical Route" on the Security Policy > Policy Control page to pass the stateful firewall checking. Usually, if the network setup needs to use a Policy Route to overwrite the direct route, there is a triangle route issue that needs to be taken care of. In this case, on both…
-
Wait for a few days. I am doing the POC in my lab.
-
Hi @baba, I want to confirm with you first. The requirement is: once the WiFi link breaks, switch the route to the IPSec VTI link to the peer, even though the peer address 10.70.70.X is in a directly connected subnet. Second, the source IP address will not be translated (SNAT)?
-
The direct route 10.70.70.0/X will take first priority, so the policy route will not hit. You need to turn on the advanced option "Policy Route overwrite Direct Route". It's powerful but comes with risk (misconfiguration). Be careful to review all the policy routes to prevent a rule from taking over all direct routes. Especially the…