03-05-2025 06:04 AM
We have roughly the setup below.
NW-1.0 <-- Router A <-> Firewall <-> Router B --> NW2.0
There is an iBGP neighborship between Router A and Router B, and routers A and B are connected via the firewall.
Router A is advertising NW1.0 via the iBGP neighborship to Router B; similarly, Router B advertises its NW2.0 to Router A via the iBGP neighborship.
Question: Do I need to do routing or add static routes on the firewall for both sides' networks, i.e. for NW1.0 next hop Router A and for NW2.0 next hop Router B? Because in my setup they have added static routes on the firewall.
I think we only need to do routing for the subnet which we are going to use for the iBGP neighborship, to make the iBGP peers reachable, and there is no need to add routes on the firewall for the networks that are beyond the routers, because the routers are advertising them via iBGP.
But our client and seniors say routing on the firewall for both NW1.0 and NW2.0 is also required. Is that right? If yes, then what is the logic behind it, and how does the firewall see/do its routing in this case? Please help me to understand it.
03-05-2025 06:27 AM - edited 03-05-2025 06:29 AM
Hello @SandyYad
If the firewall is in "transparent" mode, yes, you're right: no need for static routes.
But if the firewall has an L3 function, so it operates in routing mode (L3), it performs IP routing. The firewall needs to know where to send packets based on their destination IP addresses. Even if the routers exchange routes via iBGP, the firewall will not automatically be aware of those routes unless you manually configure it to know how to reach those destinations...
--
https://www.jasonvanpatten.com/2018/09/01/deploying-firewalls-with-routing/
03-13-2025 06:45 AM
Thanks M02@rt37
I thought Router A would send packets directly to its iBGP peer on Router B, and the firewall is used only to provide reachability for the iBGP subnet. I am not able to open the shared link. I'd be happy if you could elaborate on this concept more so I can understand it.
But thanks again.
03-13-2025 08:47 AM - edited 03-13-2025 08:50 AM
Hello @SandyYad
Router A and Router B exchange BGP routes and will send packets directly to each other.
BUT, if the firewall is in routed mode, it needs static routes for NW1.0 and NW2.0 so it knows where to forward traffic.
If the firewall is in transparent mode, no static routes are needed because it does not participate in IP forwarding.
BGP is just a control-plane protocol, meaning it only shares routing information but does not forward traffic itself. The actual data packets between NW1.0 and NW2.0 will be forwarded based on the routing table of each router.
03-13-2025 12:59 PM
Hello @SandyYad ,
yes, the FW, if in routed (or NAT) mode, needs to know how to reach the prefixes that are advertised in BGP, because BGP is a routing protocol and it does not by itself provide a forwarding path. In other words, without using some form of tunneling, the traffic in the data plane is exposed to the firewall, so it has to know how to route packets with SA = NW1.0 and DA = NW2.0 and vice versa. And being a FW, it also needs to be configured to allow the traffic between the two remote subnets (a firewall rule or access policy rule); routing alone is not enough to achieve complete end-to-end communication.
Hope to help
Giuseppe
09-19-2025 07:12 AM
Thank you @Giuseppe Larosa & M02@rt37
Suppose instead of a firewall there is an L3 switch. Will the logic remain the same?
Router A <-> L3-switch <-> Router B
But I see in the DC that when we created the iBGP neighborship between Router A and B, the L3 switch only has the infra static routes needed to establish the BGP neighborship, not all the static routes for the subnets that Router A and B are advertising to each other via iBGP.
09-22-2025 01:58 AM
Hello @SandyYad ,
if the L3 switch is on the data path between RA and RB and the traffic is sent in clear text (not using a GRE tunnel), the L3 switch also needs to know how to route traffic for the BGP-advertised routes; otherwise the BGP session can be set up but user traffic cannot flow end to end.
Hope to help
Giuseppe
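To make the point of the answers above concrete (both the firewall case and the L3-switch case), here is a small hop-by-hop forwarding simulation. It is an added example, not code from the thread or from any vendor: every node does a longest-prefix-match lookup on the packet's destination and hands the packet to the adjacent next hop, resolving recursively the way a router resolves an iBGP next hop. All addresses (192.0.2.x transit links, 10.1.0.0/24 for NW1.0, 10.2.0.0/24 for NW2.0) are constructed for the example. The three runs show what the thread describes: with only the transit-link routes, the iBGP session between RA and RB comes up but a NW1.0 to NW2.0 packet is dropped on the middle box for lack of a route; with the static routes added but no permit rule, it is dropped by policy; with both, it is delivered end to end.

```python
"""Toy simulation of:  NW1.0 <-- RA <-> FW (or L3 switch) <-> RB --> NW2.0

Constructed addressing (not from the thread):
  RA-FW link 192.0.2.0/30 (RA .1, FW .2), FW-RB link 192.0.2.4/30 (FW .5, RB .6)
  NW1.0 = 10.1.0.0/24 behind RA, NW2.0 = 10.2.0.0/24 behind RB, iBGP RA(.1) <-> RB(.6)
"""
import ipaddress
from dataclasses import dataclass, field

IPv4, Net = ipaddress.IPv4Address, ipaddress.IPv4Network


@dataclass
class Node:
    name: str
    addrs: set                     # interface addresses this node owns
    routes: list                   # (prefix, next_hop); next_hop None = directly connected
    lans: list = field(default_factory=list)   # stub LANs terminated on this node
    policy: list = None            # firewall permit list [(src_net, dst_net)]; None = no filtering

    def lookup(self, dst):
        """Longest-prefix match over the node's routing table."""
        best = None
        for prefix, nh in self.routes:
            net = Net(prefix)
            if IPv4(dst) in net and (best is None or net.prefixlen > Net(best[0]).prefixlen):
                best = (prefix, nh)
        return best

    def egress(self, dst, max_depth=4):
        """Resolve the destination to an on-link next hop (recursive lookup, like iBGP next hops)."""
        target = dst
        for _ in range(max_depth):
            r = self.lookup(target)
            if r is None:
                return None
            if r[1] is None:       # connected route: target is reachable directly
                return target
            target = r[1]
        return None

    def permits(self, src, dst):
        if self.policy is None:
            return True
        return any(IPv4(src) in Net(s) and IPv4(dst) in Net(d) for s, d in self.policy)


def forward(nodes, start, src, dst, max_hops=8):
    """Walk one packet from `start` until it is delivered or dropped. Returns (outcome, path)."""
    owner = {a: n.name for n in nodes.values() for a in n.addrs}
    node, path = nodes[start], [start]
    for _ in range(max_hops):
        if dst in node.addrs or any(IPv4(dst) in Net(l) for l in node.lans):
            return "delivered", path
        if not node.permits(src, dst):
            return f"dropped by {node.name}: policy", path
        hop = node.egress(dst)
        if hop is None or hop not in owner:
            return f"dropped by {node.name}: no route to {dst}", path
        node = nodes[owner[hop]]
        path.append(node.name)
    return "dropped: hop limit", path


# Static routes the middle box needs for the BGP-advertised prefixes (the thread's question).
FW_STATICS = [("10.1.0.0/24", "192.0.2.1"), ("10.2.0.0/24", "192.0.2.6")]
# Stateless toy policy: permit the peering links both ways and the two LANs both ways.
FULL_POLICY = [("192.0.2.0/30", "192.0.2.4/30"), ("192.0.2.4/30", "192.0.2.0/30"),
               ("10.1.0.0/24", "10.2.0.0/24"), ("10.2.0.0/24", "10.1.0.0/24")]


def build(fw_routes=(), fw_policy=None):
    """RA and RB carry the iBGP-learned prefix (next hop = the peer's address)."""
    return {
        "RA": Node("RA", {"192.0.2.1"},
                   [("10.1.0.0/24", None), ("192.0.2.0/30", None),
                    ("192.0.2.4/30", "192.0.2.2"),     # infra static: reach RB's link via FW
                    ("10.2.0.0/24", "192.0.2.6")],     # learned via iBGP from RB
                   lans=["10.1.0.0/24"]),
        "FW": Node("FW", {"192.0.2.2", "192.0.2.5"},
                   [("192.0.2.0/30", None), ("192.0.2.4/30", None), *fw_routes],
                   policy=fw_policy),
        "RB": Node("RB", {"192.0.2.6"},
                   [("10.2.0.0/24", None), ("192.0.2.4/30", None),
                    ("192.0.2.0/30", "192.0.2.5"),     # infra static: reach RA's link via FW
                    ("10.1.0.0/24", "192.0.2.1")],     # learned via iBGP from RA
                   lans=["10.2.0.0/24"]),
    }


def bgp_session_reachable(nodes):
    """Control plane: can the two peers' addresses reach each other through the middle box?"""
    a, _ = forward(nodes, "RA", "192.0.2.1", "192.0.2.6")
    b, _ = forward(nodes, "RB", "192.0.2.6", "192.0.2.1")
    return a == "delivered" and b == "delivered"


def user_traffic(nodes, src="10.1.0.10", dst="10.2.0.10"):
    """Data plane: a host in one LAN sending to a host in the other LAN."""
    start = next(n.name for n in nodes.values() if any(IPv4(src) in Net(l) for l in n.lans))
    return forward(nodes, start, src, dst)


if __name__ == "__main__":
    infra = build()
    print("infra routes only  - iBGP up:", bgp_session_reachable(infra), "| data:", user_traffic(infra))
    statics = build(fw_routes=FW_STATICS, fw_policy=[])
    print("statics, no permit - data:", user_traffic(statics))
    full = build(fw_routes=FW_STATICS, fw_policy=FULL_POLICY)
    print("statics + permit   - iBGP up:", bgp_session_reachable(full), "| data:", user_traffic(full))
```

The same model covers the L3-switch question: an L3 switch is the `FW` node with `policy=None` (no filtering), and it still drops the LAN-to-LAN packet unless it has routes for the advertised prefixes, even though the BGP session itself is up. The packet never sees RA's BGP route at the middle box; each hop consults only its own table.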