PBF is working, but I want to exclude GP



L1 Bithead

Hello everyone,


New here and fighting with my new PA-820.


I have 2 ISPs and I want to make the best use possible of those two.

So I created a PBF which reroutes HTTP and HTTPS traffic over the 2nd modem.

Now I have speeds of over 350 Mbit/s for clients and I'm not bothering other important server data, for which I have only 40 Mbit/s.


So this is all working fine! Until I use GP for VPN.

The HTTP and HTTPS reroute works fine, though, but the internal web applications over ports 80 and 443 are rerouted as well.

So every internal web server times out: aged out and incomplete.

But, for example, a web server on a different port (like Synology on port 5000) works fine.


Now GP is more important, so I turned off the PBF and everything works now...

But I really want to use our wide bandwidth instead of a very narrow one.


I've tried everything from a tunnel-traffic no-PBF rule to DNATs to stop GP from using the PBF rule.

But maybe I'm overlooking something...


Can someone point me in the right direction?


Accepted Solutions

That didn't work... but the session browser told me a critical thing.

The data was not correctly sent back.


So after thinking with two people, we decided to create this:
PBF1 - VPN zone to Trust - any any - No PBF

PBF2 - Trust to VPN IP Pool - any any - No PBF

PBF3 - Trust to Any - Forward Application [Web-Browsing + SSL] to I/F Eth1/1.400, next hop Router Gateway with Monitor


Now everything works as expected!

Thank you for your precious time 🙂



L5 Sessionator

Hey @Joukevanduijsen


Can you share a screenshot of your PBF policy when it was at the undesired state?




Sure! Here it is! (screenshot: reroute.JPG)


As you can see, I've already tried to negate the VPN pool, but GP is also directly hooked to the Trust zone.

The last IP you see is for monitoring; if this IP is not reachable, the PBF rule is deactivated.

Your PBF rule should only really be applied to destination zone Untrust, that way it will only activate for internet facing traffic where NAT via the two ISPs is actually required. Then, when you try to visit some internal server in destination zone Trust or DMZ the PBF policy won't even be applied.


What I have done in the past:


Source Zone: Trust

Source IP: Any

Destination IP: All RFC 1918 addresses (negate option checked)

Destination Zone: Untrust
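As an added illustration (not part of the thread, and not PAN-OS code), the Python below models first-match PBF evaluation for the three rule sets discussed here: the original single Trust-to-any rule with only the GP pool negated, the accepted three-rule set, and the destination-zone Untrust / RFC 1918 negate variant from the reply above. The topology (10.0.0.0/8 as Trust, 172.16.100.0/24 as the GlobalProtect pool, ethernet1/1.400 as the second-ISP egress), the zone lookup and the sample flows are constructed assumptions; "destination zone" is modelled as the zone the destination's route points at.

```python
"""Model of first-match PBF evaluation for the rule sets discussed in the thread (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set

# Constructed topology (assumptions, not from the thread). Anything not listed is Untrust.
TRUST_NET = ip_network("10.0.0.0/8")          # internal LAN and web servers
GP_POOL = ip_network("172.16.100.0/24")       # assumed GlobalProtect IP pool
ISP2_IF = "ethernet1/1.400"                   # second-ISP egress sub-interface
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WEB = {"web-browsing", "ssl"}


def zone_of(ip: str) -> str:
    """Map a destination address to the zone its route points at (assumed topology)."""
    addr = ip_address(ip)
    if addr in GP_POOL:
        return "VPN"
    if addr in TRUST_NET:
        return "Trust"
    return "Untrust"


@dataclass
class PbfRule:
    name: str
    from_zone: str
    to_zone: Optional[str] = None          # None = any destination zone
    dst_nets: list = field(default_factory=list)
    negate_dst: bool = False               # True = match only when dst is NOT in dst_nets
    apps: Optional[Set[str]] = None        # None = any application
    no_pbf: bool = False                   # True = "No PBF": stop evaluating, use routing table
    egress: Optional[str] = None           # forwarding interface for a forward rule

    def matches(self, src_zone: str, dst_ip: str, app: str) -> bool:
        if src_zone != self.from_zone:
            return False
        if self.to_zone is not None and zone_of(dst_ip) != self.to_zone:
            return False
        if self.dst_nets:
            in_nets = any(ip_address(dst_ip) in n for n in self.dst_nets)
            # With negate set, being inside the listed networks is a non-match.
            if in_nets == self.negate_dst:
                return False
        if self.apps is not None and app not in self.apps:
            return False
        return True


def egress_for(rules: List[PbfRule], src_zone: str, dst_ip: str, app: str) -> str:
    """First matching rule wins; a No PBF match or no match at all means normal routing."""
    for rule in rules:
        if rule.matches(src_zone, dst_ip, app):
            return "routing-table" if rule.no_pbf else rule.egress
    return "routing-table"


# Undesired state from the thread: one Trust-to-any rule forwarding web apps to ISP2,
# with only the GP pool negated, while the GP tunnel sat in the Trust zone.
ORIGINAL = [PbfRule("reroute", "Trust", dst_nets=[GP_POOL], negate_dst=True,
                    apps=WEB, egress=ISP2_IF)]

# Accepted three-rule set, with GP clients in their own VPN zone.
ACCEPTED = [
    PbfRule("PBF1", "VPN", to_zone="Trust", no_pbf=True),
    PbfRule("PBF2", "Trust", dst_nets=[GP_POOL], no_pbf=True),
    PbfRule("PBF3", "Trust", apps=WEB, egress=ISP2_IF),
]

# Variant from the reply: only destinations outside RFC 1918, towards Untrust.
RFC1918_NEGATE = [PbfRule("web-out", "Trust", to_zone="Untrust", dst_nets=RFC1918,
                          negate_dst=True, apps=WEB, egress=ISP2_IF)]


def compare(flows):
    """Return {flow: (original, accepted, rfc1918_negate)} for a list of (zone, ip, app)."""
    return {f: (egress_for(ORIGINAL, *f), egress_for(ACCEPTED, *f),
                egress_for(RFC1918_NEGATE, *f)) for f in flows}


if __name__ == "__main__":
    sample = [                                       # constructed flows
        ("Trust", "198.51.100.20", "ssl"),           # LAN client to an internet site
        ("Trust", "10.0.0.5", "ssl"),                # Trust-zone client to an internal web server
        ("VPN", "10.0.0.5", "ssl"),                  # GP client, in its own zone, to the same server
        ("Trust", "172.16.100.10", "web-browsing"),  # internal host reaching a GP client address
        ("Trust", "10.0.0.5", "ssh"),                # non-web app: never matched by the web rules
    ]
    for flow, result in compare(sample).items():
        print(flow, "->", dict(zip(("original", "accepted", "rfc1918"), result)))
```

Running it shows where the original rule went wrong: a Trust-zone client (which included GP clients while the tunnel sat in Trust) reaching an internal web server matched the web rule and was forwarded out the second ISP. In the three-rule set, PBF1 and PBF2 catch the VPN-to-Trust and Trust-to-GP-pool directions before PBF3 is reached, which is why rule order matters; a Trust-to-Trust web flow still matches PBF3 in that set, whereas the RFC 1918 negate excludes any internal destination regardless of zone layout.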

Ahh! Thank you! I'm going to try that now
