SDN+R605: PBR broken?
Hello,
I'm running Omada SDN with R605 for more than a year.
I went through the various upgrades (software and firmware) and am currently running Omada 4.4.6 and firmware 1.1.1.
I have plenty (10+) of IP interfaces configured in my homelab and used to use PBR as a "security by design" feature; i.e. I want the traffic from a specific interface to be unconditionally routed through the WAN interface.
My PBR setup is fairly simple: one rule per source network to any destination, forced through the WAN interface.
However, it seems that PBR just does not work on the R605: traffic flows freely between the VLAN interfaces as if there were no PBR configured.
The behaviour is the same whatever source and destination networks I test.
Question 1: Is that behaviour known/expected (i.e. PBR not working)? Any plan to fix it?
Question 2: I would suggest a partial rework of this feature:
- First: PBR rules should not be global/floating rules; each should be bound to a specific IP interface. This allows a specific rule to apply to all inbound traffic of the selected interface; i.e. I should be able to create "on interface vlan xx, if the packet matches the <from any to any> condition, then policy route to WAN".
- Second: we should be able to create PBR exceptions. The basic obvious use case is policy routing to the WAN while having the SDN on a locally connected network. If I have SDN-compatible devices on a local network, PBR would break the connectivity to the SDN server unless I can configure a PBR exception (exception means: do not policy route, just perform regular routing).
- Third: we should be able to configure a nexthop as the target of the PBR rule. Ethernet (thus excluding PPP/PPTP) is a broadcast multi-access network, so forwarding only makes sense to a nexthop (ARP has to provide the target MAC address so the frame can be sent on the wire).
- Fourth: we should be able to policy route to a local IP nexthop, not just the WAN. This makes sense in some advanced network topologies (which, I understand, are probably not the primary business use case of the SafeStream devices).
Any chance these get implemented in the near future?
Thank you.
Regards.
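To make the requested semantics concrete, here is a small model of the proposed rule evaluation (interface-bound rules, exceptions that fall back to regular routing, and an explicit nexthop). This is an added illustration, not Omada's or TP-Link's code; every interface name, subnet and nexthop in it is a constructed sample value.

```python
"""Model of the PBR semantics proposed in the post: rules bound to an ingress
interface, exceptions that keep regular routing, and a configurable nexthop.
Added illustration only; not the router's actual logic. All networks and
nexthops below are constructed sample values."""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass
class PbrRule:
    iface: str                      # ingress interface the rule is bound to
    src: IPv4Network                # source match ("any" = 0.0.0.0/0)
    dst: IPv4Network                # destination match
    nexthop: str                    # "wan" or a local gateway IP
    exceptions: list = field(default_factory=list)  # dst nets left to regular routing


# Constructed sample policy: vlan10 is forced to the WAN for everything except
# the controller subnet on vlan99 (so SDN adoption keeps working); vlan20 is
# policy routed to a local nexthop instead of the WAN.
RULES = [
    PbrRule("vlan10", ip_network("0.0.0.0/0"), ip_network("0.0.0.0/0"),
            nexthop="wan", exceptions=[ip_network("10.99.0.0/24")]),
    PbrRule("vlan20", ip_network("10.20.0.0/24"), ip_network("0.0.0.0/0"),
            nexthop="10.30.0.254"),
]


def route(ingress: str, src: str, dst: str, rules=RULES) -> str:
    """Forwarding decision for one packet.

    Evaluation order: only rules bound to the ingress interface are
    considered; an exception match returns regular routing; otherwise the
    first matching rule policy routes to its nexthop; no match means regular
    routing (inter-VLAN traffic is then reachable, which is what the post
    observes on the R605 today)."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if r.iface != ingress or s not in r.src or d not in r.dst:
            continue
        if any(d in net for net in r.exceptions):
            return "regular"            # exception: do not policy route
        return f"pbr:{r.nexthop}"
    return "regular"                    # no rule bound to this interface
```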