I'm trying to send all clients over a VPN by default, but I want to “bypass” the VPN for a list of clients.
set firewall group address-group VPN_v4_BYPASS address '10.0.3.9'
set protocols static table 100 route 0.0.0.0/0 next-hop 10.0.0.1
set policy route VPN_v4_BYPASS rule 100 source group address-group VPN_v4_BYPASS
set policy route VPN_v4_BYPASS rule 100 set table 100
is what I did, but I can't use !VPN_v4_BYPASS to negate the match. So this would send all listed clients over the VPN. I need the negation, though.
What's the cleanest way to achieve something like this?
Hi @MartB.
I will create a task in Phabricator so that negated groups can be used in policy.
A workaround that may work for now is creating a “non-bypassed” address group. Something like this:
set firewall group address-group NO_VPN_v4_BYPASS address '10.0.3.1-10.0.3.8'
set firewall group address-group NO_VPN_v4_BYPASS address '10.0.3.10-10.0.3.254'
set firewall group address-group VPN_v4_BYPASS address '10.0.3.9'
set policy route VPN_v4_BYPASS rule 90 set table 'main'
set policy route VPN_v4_BYPASS rule 90 source group address-group 'NO_VPN_v4_BYPASS'
set policy route VPN_v4_BYPASS rule 100 set table '100'
set policy route VPN_v4_BYPASS rule 100 source group address-group 'VPN_v4_BYPASS'
Maybe not the cleanest way to achieve what you are looking for, but it may work until we get negated groups available in policy.
Oh, I can see in the latest build that negated groups can be used in firewall and policy, even though it's not listed in the CLI! You need to negate using the ! character.
set policy route VPN_v4_BYPASS rule 110 set table '100'
set policy route VPN_v4_BYPASS rule 110 source group address-group '!NO_VPN_v4_BYPASS'
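Putting the negated-group match from the reply together with the original post's layout, here is a complete policy-based-routing configuration as an added example; it is not from the thread or from the VyOS project. It keeps the post's reading that table 100 (next-hop 10.0.0.1) is the VPN path and the main table holds the ISP default, so hosts that fall through the policy leave via the ISP. Interface names (eth0 WAN, eth1 LAN, wg0 tunnel), the LAN prefixes in LOCAL_NETS_v4, the extra bypass range, and the VyOS 1.4 form of attaching a policy to an interface are all assumptions; on 1.3 the attachment is `set interfaces ethernet eth1 policy route VPN_v4_BYPASS` instead. Two things the question does not mention but a deployment needs are included: a rule that keeps LAN-to-LAN and LAN-to-router traffic in the main table before the table jump, and a blackhole route under the VPN default in table 100 so that VPN-only hosts fail closed rather than leaking to the ISP if the tunnel route is withdrawn (the kernel otherwise continues to the next ip rule, i.e. the main table, when table 100 has no match).

```vyos
# Added example, not from the original thread. Assumed topology:
#   eth0 = WAN towards the ISP, eth1 = LAN 10.0.3.0/24, wg0 = VPN tunnel,
#   10.0.0.1 = VPN-side gateway reachable through the tunnel (as in the post).
# Syntax is VyOS 1.4; see lead-in for the 1.3 interface attachment.

# The only list you maintain: hosts that must NOT use the VPN
set firewall group address-group VPN_v4_BYPASS address '10.0.3.9'
set firewall group address-group VPN_v4_BYPASS address '10.0.3.20-10.0.3.29'

# Local destinations that must never be policy-routed (assumed prefixes)
set firewall group network-group LOCAL_NETS_v4 network '10.0.3.0/24'
set firewall group network-group LOCAL_NETS_v4 network '10.0.0.0/24'

# Table 100 = VPN. The blackhole at distance 254 only wins when the
# next-hop route is withdrawn, so VPN clients fail closed instead of
# falling through to the main (ISP) table.
set protocols static table 100 route 0.0.0.0/0 next-hop 10.0.0.1
set protocols static table 100 route 0.0.0.0/0 blackhole distance 254

# Rule 10: keep LAN-to-LAN and LAN-to-router traffic in the main table.
set policy route VPN_v4_BYPASS rule 10 destination group network-group 'LOCAL_NETS_v4'
set policy route VPN_v4_BYPASS rule 10 set table 'main'

# Rule 100: every source NOT in the bypass group goes to the VPN table.
# Bypass hosts match no rule and are routed by the main table (ISP).
set policy route VPN_v4_BYPASS rule 100 source group address-group '!VPN_v4_BYPASS'
set policy route VPN_v4_BYPASS rule 100 set table '100'

# Apply the policy to traffic entering from the LAN (1.4 syntax)
set policy route VPN_v4_BYPASS interface 'eth1'
```

After `commit`, check the result from the router shell rather than trusting the CLI echo: `sudo ip rule show` should list an fwmark rule that looks up table 100, `sudo ip route show table 100` should show the 10.0.0.1 default (and the blackhole once the tunnel is down), and a `traceroute` from a bypass host versus a normal LAN host should leave through different first hops. Source NAT for the two exits (ISP on eth0, tunnel on wg0) is unchanged by this and is not shown.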