Open JacBra opened 3 months ago
AdSchellevis
commented
3 months ago gateway groups are intended for policy based routing only, the same type of information (weight/round-robin) and priority wouldn't apply to the routing table. These type of infrastructures usually require BGP or OSPF to handle multiple possible routing paths.
JacBra
commented
3 months ago I see, what about the alternative solution I formulated?
AdSchellevis
commented
3 months ago Some sort of mechanism to have a gateway monitor on them sounds nice, but is an awful lot of work which is likely not worth the effort (investment).
Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
Is your feature request related to a problem? Please describe.
For the purpose of prioritizing traffic over multiple IPsec tunnel (VTI) I am missing a solution to be able to statically route traffic over multiple tunnels". Currenty, only one static route towards a prefix can be defined.
Describe the solution you like
When Adding/Modifying a static route (System > Routes > Configuration), I would like to be able to set the input filed 'gateway' to a Gateway Group.
An alternative solution would be: When Adding/Modifying a static route (System > Routes > Configuration), I would like to be able to add several routes for the same prefix, each with a different gateway. When the gateway is down, the route is disabled. When te gateway is up again, the route is enabled.
Describe alternatives you considered
As a workaround, I created a gateway group consisting of my IPsec gateways. Then, I used policy based routing in the firewall rules to achieve my goal. However, this is not so efficient, not flexible enough, and error-prone.
I also tried to use OSPF to dynamically route the traffic, but that did not work out in our use case: the firewall brand we use at the other side has serveral OSPF issues that led to hickups when doing configuration changes.
As a last resort, I ended up by routing a /24 subnet to the gateway of IPsecTunnel_1 and routing two /25 subnets to the gateway op IPsecTunnel_2. That works, but is very inflexible.
Additional context