Issue
Routing issue
Network Diagram Here
Version 7.7.2
My use case is:
1) When the NGFW device is present (10.0.6.1), all traffic should be sent via this path with no NAT.
2) When the NGFW is not present, ens37 is the default route and the traffic should be NAT'd, hence making it an "external" interface.
The default state is #2 and my scripting senses when the NGFW comes on-line.
I am using the guidelines here: https://documentation.clearos.com/content:en_us:kb_bestpractices_managing_static_routes
Of note, ens35, a LAN interface, has this "0.0.0.0/0 via 10.0.6.1" in /etc/sysconfig/network-scripts/route-ens35 & there is no route-ens37 present as it seems to make itself the default gw as is.
When I "/sbin/ifdown ens37", within 30-45 seconds it comes back and installs itself as the default route.
What I was expecting is that ens37 would remain down and I would then reload ens35 with "/sbin/ifup ens35" and it would install its default route.
I also tried manually removing/adding the default routes with the route command (del default & add default gw 10.0.6.1) but ens37 always takes over.
Is there a way to force ens37 to stay down? Any suggestions on a better approach?
Thanks!
Responses (3)
Accepted Answer
If you don't want ens35 to be NAT'd, so not External, isn't this where you use OSPF to look after the routing? Not that I know anything about OSPF.
ClearOS will continually try to bring up External interfaces. You may need to disable syswatch when you detect NGFW becoming available and re-enable it when it is not available.
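One way to script the suggestion in the answer above, as an added example that is not from the thread or from ClearOS: syswatch is stopped before ens37 is taken down, and the path only changes after several consecutive probes of 10.0.6.1 agree, so one lost ping does not flip the route. It assumes syswatch is controlled as a systemd unit named `syswatch`; the function names, threshold and probe interval are illustrative, and commands are only printed unless `DRY_RUN=0`.

```shell
#!/bin/sh
# Added example, not from the thread. Values below are taken from the post.
NGFW_IP="10.0.6.1"; WAN_IF="ens37"; LAN_IF="ens35"
THRESHOLD=3                 # consecutive identical probes needed to switch
DRY_RUN="${DRY_RUN:-1}"     # 1 = print the commands instead of running them

run() { if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi; }

# Assumption: syswatch is controlled as a systemd unit named "syswatch".
to_ngfw() {
    run systemctl stop syswatch     # stop it re-raising the External interface
    run /sbin/ifdown "$WAN_IF"
    run /sbin/ifup "$LAN_IF"        # re-applies route-ens35 (default via NGFW)
}
to_wan() {
    run /sbin/ifup "$WAN_IF"        # External interface returns as default route
    run systemctl start syswatch
}

# next_mode <current: wan|ngfw> <probe results, oldest first; 1 = NGFW replied>
# Prints the mode to be in; changes only after THRESHOLD equal results in a row.
next_mode() {
    current=$1; shift
    streak=0; last=""
    for r in "$@"; do
        if [ "$r" = "$last" ]; then streak=$((streak + 1)); else last=$r; streak=1; fi
    done
    if [ "$streak" -lt "$THRESHOLD" ]; then echo "$current"
    elif [ "$last" = "1" ]; then echo ngfw
    else echo wan
    fi
}

# Probe loop: keeps only the last THRESHOLD results and switches on a change.
watch_ngfw() {
    mode=wan; hist=""
    while :; do
        if ping -c 1 -W 1 "$NGFW_IP" >/dev/null 2>&1; then hist="$hist 1"; else hist="$hist 0"; fi
        set -- $hist; while [ $# -gt "$THRESHOLD" ]; do shift; done; hist="$*"
        new=$(next_mode "$mode" $hist)
        if [ "$new" != "$mode" ]; then "to_$new"; mode=$new; fi
        sleep 5
    done
}

if [ "${1:-}" = "watch" ]; then watch_ngfw; fi
```

Run it with the argument `watch` to start the probe loop; with the default `DRY_RUN=1` it only prints the commands it would issue on each transition.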