New here and fighting with my new PA-820.
I have 2 ISPs and I want to make the best use possible of those two.
So I created a PBF which reroutes HTTP and HTTPS traffic over the 2nd modem.
Now I have speeds over 350 Mbit/s for clients and I'm not bothering other important server data, for which I have only 40 Mbit/s.
So this is all working fine! Until I use GP for VPN.
The HTTP and HTTPS reroute works fine, but the internal web applications over port 80 and 443 are rerouted as well.
So every internal web server will time out. Age out and incomplete.
But for example a web server with a different port (like Synology port 5000) will work fine.
Now GP is more important, so I turned off the PBF and everything works now...
But I really want to use our wide bandwidth instead of a very narrow one.
I've tried everything from a tunnel traffic no-PBF rule to DNATs to stop GP from using the PBF rule.
But maybe I'm overlooking something...
Can someone point me in the right direction?
Sure! Here it is!
As you can see, I've already tried to negate the VPN pool, but the GP is also directly hooked to the trust zone.
The last IP you see is monitoring; if this IP is not reachable the PBF rule is deactivated.
Your PBF rule should only really be applied to destination zone Untrust, that way it will only activate for internet facing traffic where NAT via the two ISPs is actually required. Then, when you try to visit some internal server in destination zone Trust or DMZ the PBF policy won't even be applied.
What I have done in the past:
Source Zone: Trust
Source IP: Any
Destination IP: All RFC 1918 addresses (negate option checked)
Destination Zone: Untrust
That didn't work... but the session browser told me a critical thing.
The data was not correctly sent back.
So after thinking with two people, we decided to create this:
PBF1 - VPN zone to Trust - any any - No PBF
PBF2 - Trust to VPN IP Pool - any any - No PBF
PBF3 - Trust to Any - Forward Application [Web-Browsing + SSL] to I/F Eth1/1.400, next hop Router Gateway with Monitor
Now everything works as expected!
Thank you for your precious time :)