Rule based routing



  • Hello

    I want to do rule based routing (i.e. coming from network Sales->to->Operations go through Fortigate, Sysop->to->Operations go through CiscoASA). How can this be done?
    (see attached picture for simplified network layout)

    We have bridged two networks here and our pfSense box is now the primary firewall. Our production servers are at another location, and as it happens we now have two routes to the same network.

    We have a VPN to the data center, and the firewall on the other end allows pretty much everything. We can access all our different networks on that side from here. We now also have a dedicated line (probably some ATM or something) from our ISP to one of the networks up there. This dedicated line has nice low latency but can only access one of the networks up there.

    Only our sales people need to access Citrix on Operations via the dedicated line. The rest (the sysops etc.) can make do with the CiscoASA VPN.

    Again, how can this be done?
    None of the interfaces to Operations are a WAN interface.

    Thanks in advance.

    / Fredrik



  • Just use the firewall rules on the interfaces facing sysops and sales. Change the gateway from default to whichever interface the traffic should go out on. If the interface isn't available on the gateway drop down, the gateway needs to be set on that interface.
    Using this method, you can use policy based routing based on destination IPs, source IPs, source ports, dest ports, etc.



  • Fortigate: 10.10.1.50
    CiscoASA: 10.10.2.50
    Sales: 10.10.3.0/24
    Sysop: 10.10.4.0/24
    Internet: 16.17.18.19
    Operations: 192.168.10.0/24

    1. Do you mean that on the interface facing Fortigate I should set the Fortigate as gateway, on the interface facing CiscoASA set the Cisco as gw, on a rule on Sales stating Destination: Operations Network, gw=10.10.1.50, and on Sysop stating Destination: Operations Network, gw=10.10.2.50?

    2. Is WAN gw always default gw for all networks until you specify something else with a rule?



  • Yep, and you can also use failover groups if you want the traffic to go over the other link if one fails.
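The rule set sketched in the answers above (per-interface pass rules with a gateway override, first match wins, a failover group as the gateway, and the WAN default gateway for everything a rule does not override), modelled as an added example; this is a simplified simulation of how pfSense evaluates such rules, not pfSense's own code. The addresses are the ones listed in the thread; the interface names SALES and SYSOP and the rule order are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

DEFAULT_GW = "16.17.18.19"   # WAN default gateway from the thread (used when a rule sets no gateway)

@dataclass
class Gateway:
    name: str
    address: str
    online: bool = True      # what pfSense's gateway monitoring would report

@dataclass
class Rule:
    """One pass rule on a LAN-side interface. gateway=None keeps default routing,
    a Gateway policy-routes, and a list of Gateways acts as a failover group."""
    interface: str
    source: str
    destination: str
    gateway: Union[None, Gateway, List[Gateway]] = None

def pick_gateway(gw: Union[None, Gateway, List[Gateway]]) -> str:
    """Resolve the rule's gateway: first online member of a failover group, else default."""
    if gw is None:
        return DEFAULT_GW
    for member in (gw if isinstance(gw, list) else [gw]):
        if member.online:
            return member.address
    return DEFAULT_GW        # every member down: traffic falls back to the default route

def route(rules: List[Rule], interface: str, src: str, dst: str) -> Optional[str]:
    """First matching pass rule on the ingress interface decides the next hop.
    No match means the implicit default deny: the packet is dropped (None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (r.interface == interface
                and s in ipaddress.ip_network(r.source)
                and d in ipaddress.ip_network(r.destination)):
            return pick_gateway(r.gateway)
    return None

# Constructed rule set following the thread: Sales -> Operations via the Fortigate (with the
# CiscoASA as failover), Sysop -> Operations via the CiscoASA, everything else via the WAN default.
FORTIGATE = Gateway("Fortigate", "10.10.1.50")
CISCOASA = Gateway("CiscoASA", "10.10.2.50")
RULES = [
    Rule("SALES", "10.10.3.0/24", "192.168.10.0/24", [FORTIGATE, CISCOASA]),
    Rule("SALES", "10.10.3.0/24", "0.0.0.0/0"),
    Rule("SYSOP", "10.10.4.0/24", "192.168.10.0/24", CISCOASA),
    Rule("SYSOP", "10.10.4.0/24", "0.0.0.0/0"),
]
```

Because the rules match on the source network as well as the ingress interface, a packet arriving on SALES with a Sysop source address matches nothing and is dropped, which is the check that keeps one department from borrowing the other's path.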

