Huh ... I don't really see what you mean ?

The policy on the interface and the local one have a different goal :

- On the interface it's there so that all packet that comes from this interface are routed thru the routemap

- The local policy is there so that packet generated locally are router thru the routermap (for examples dns request generated by the router itself, stuff like that).

Sylvain

I am not sure from your post whether you believe that there is a problem with Policy Based Routing, or whether you just think that there is a problem with how the router picks a source address. Perhaps you can clarify?

For some protocols (for example for syslog, for FTP and TFTP, for TACACS or Radius, for NTP, for ping or traceroute) there is the possibility that you can configure the router to identify what to use as the source address. You do not indicate whether you have configured any of this on your router. Perhaps you can provide the complete config so that we can see how things are set up?

You have not told us what kind of traffic is being generated by the router that is policy base routed and what traffic is having the wrong source address? Perhaps you can explain this to us? And perhaps you can explain what you think that the source address should have been?

HTH

Rick

I think there is a problem with how the router picked the source IP. The packets in question are DNS requests. I haven't configured anything to force him to take any source address for DNS.

I can't force it because some requests will be sent on the LAN (and in this case I expect it to take the LAN ip as source) and some will be sent on the WAN (and there I expect it to take the WAN ip as source).

The config is attached.

Sylvain

I have looked at the config that you posted and some of it is helpful. I note some differences between the config posted and what you have previously described. In particular in previous post you describe one Policy Based Routing on a VLAN interface and a different PBR for local policy. But the posted config has the same PBR for the interface and for local policy.

I also note that the configured default route is:

ip route 0.0.0.0 0.0.0.0 ATM0.4

but there is not any ATM0.4 interface but is ATM0.1.

So I am not sure if the config and the behavior are changing during the discussion.

I do see in the config that you have configured 2 name servers and that both of them are external (reached through the outside interface not the LAN interface). I also see that you have configured the router to act as a DNS server for clients on the VLAN interfaces. So I would expect DNS requests to be sent out the outside interface and DNS responses to be sent out the inside interface. If that is not what is happening perhaps you can provide some details of the packets that are not doing as expected?

HTH

Rick

Well in order :

- About the different policies : The first post is erroneous ... I just forgot to replace mck-vpn to special_stuff ...

- About ATM0.4 vs ATM0.1 I just forgot to rename it while posting ... The .4 is due to the fact I reconfigures 4 times using SDM at the very beginning ... but there is only 1 interface and it's always the same that's used in the running config.

- The DNS server actually splits the requests. If it's for a domain matching *.somecompany.com, the DNS requests will be sent to a IP that is _not_ internal but that will match the routemap and have it's next hop set to an internal IP (10.0.1.32 iirc). Because even if the dns server that must answer this request has an 'internet' ip, it is not directly reachable and must be tunnelled via 10.0.1.32

Sylvain

With the additional explanation I believe that I understand the behavior now. First let us be clear that PBR takes place as the packet is about to be forwarded - after the packet is built. So if the router is building a packet that is a DNS request it believes that it will be sending the packet out the ATM subinterface (if it is building a request to 100.100 there is not any entry in the routing table for 100.100 so it will use the default route out the ATM subinterface) and chooses the ATM subinterface as the source address. But then in the forwarding process PBR changes the next hop from the ATM subinterface to 10.0.1.32. At this point the source address is already chosen (appropriately as far as I can see) and PBR does not change the source address.

It seems to me that the way to solve this is to put routes into the routing table for 100.100 (or at least for 100.100.1.1 and 100.100.2.1) with 10.0.1.32 as the next hop. This way when the router builds its DNS request it will understand correctly which interface to use as the source address.

HTH

Rick

Ok, I see.

Indeed puting the route make things work.

But the side effect is that requests to 100.100.{1,2}.1 coming from Vlan2,3&4 are now also sent to 10.0.1.32 instead ... In my original config I didn't apply the policy to Vlan2,3&4, only to Vlan1. But that's ok, it's just two IP ...

Thanks.

Well, the DNS service is not directly rachable ... other might.

And the VLAN 2,3,4 are not trusted at all, so I prefered to avoid tunneling packet on their behalf.

But it's not a big deal, I can just block all forwarding request from vlan 2,3,4 to theses two IPs. The guests have no business trying to contact them anyway ...

Sylvain