
Firewall egress policy-based route not taking effect; could someone help me see where it is going wrong?

Asked 2022-06-17
  • 0 followers
  • 1 favorite, 1120 views
Followers: 1  Following: 0

Problem description:


This is the firewall interface connected to the core; the policy-based route neiwang is already applied on it.

-----------------------


This is the leased line on firewall port 13.

----------------------


This is the ACL that matches the subnet my PC is currently on.

--------------------------


This is the one node I configured for testing; I did not configure ACLs for the other nodes, only this one. That should not matter, right?


Looking at it, there is traffic matching this segment, but the policy does not take effect.


It still goes out over the default route's leased line.

--------------------


There is only this one default route. I just do not want traffic to take this default route; I want it to use the other leased line, but that failed. Have I missed something or configured something wrong?

Network topology and description:


5 answers
Accepted
Followers: 94  Following: 0

Load balancing takes precedence.

Then how should I raise the priority of the policy, or turn off load balancing?

zhiliao_SI5CzD posted 2022-06-17

You can only disable load balancing.

IT钟点工 posted 2022-06-17

OK, it works now, thanks.

zhiliao_SI5CzD posted 2022-06-17
Followers: 154  Following: 1

Isn't your node 5 the same as this one?

Hi, I deleted node 20 and kept node 5; it is still the same, traffic still goes out over the default-route leased line.

zhiliao_SI5CzD posted 2022-06-17

Clear the session table, or reboot the device.

叫我靓仔 posted 2022-06-17
知了小白

Post the full configuration.

Hi, I have posted it, please take a look.

zhiliao_SI5CzD posted 2022-06-17
Followers: 1  Following: 0

#
version 7.1.064, Release 8860P18
#
sysname FW
#
clock protocol none
#
context Admin id 1
#
telnet server enable
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
nat address-group 1 name 会议预约
port-range 1080 1080
#
nat alg h323
nat alg ils
nat alg mgcp
nat alg nbt
nat alg rsh
nat alg sccp
nat alg sctp
nat alg sip
nat alg sqlnet
nat alg tftp
nat alg xdmcp
#
dns server 8.8.8.8
dns server 114.114.114.114
ip host ***.*** 192.168.12.2
#
lldp global enable
#
password-recovery enable
#
vlan 1
#
vlan 700
#
object-group ip address dahuafk
0 network host address 192.168.1.240
#
object-group ip address dahua鏈嶅姟鍣?
0 network host address 192.168.1.240
#
object-group ip address fkxt
0 network host address 192.168.12.2
#
object-group ip address KF_CRM
0 network host address 192.168.1.244
#
object-group ip address 会议预约系统
0 network host address 192.168.12.2
#
object-group ip address 内网
0 network subnet 172.16.100.0 255.255.255.0
#
object-group service 1080
0 service tcp destination eq 1080
#
object-group service 1080dk
#
object-group service 8080
description 8080
0 service tcp destination eq 8080
#
object-group service 8100
0 service tcp destination eq 8100
#
object-group service 8314绔彛
0 service tcp destination eq 8314
#
object-group service 8910绔彛
0 service tcp destination eq 8910
#
object-group service 9100
0 service tcp destination eq 9100
#
object-group service 会议预约
description 会议预约系统
0 service tcp destination eq 1080
#
policy-based-route neiwang permit node 5
if-match acl 3000
apply next-hop 120.234.173.49
#
policy-based-route neiwang permit node 10
if-match acl 3002
apply next-hop 183.24.99.73
#
policy-based-route neiwang permit node 30
if-match acl 3001
apply next-hop 183.62.30.121
#
policy-based-route neiwang permit node 100
#
nqa template icmp 1
#
interface NULL0
#
interface Vlan-interface700
#
interface GigabitEthernet1/0/0
port link-mode route
#
interface GigabitEthernet1/0/1
port link-mode route
ip address 10.10.10.1 255.255.255.0
manage https inbound
manage ping inbound
manage ssh inbound
manage telnet inbound
ip policy-based-route neiwang
#
interface GigabitEthernet1/0/2
port link-mode route
#
interface GigabitEthernet1/0/4
port link-mode route
#
interface GigabitEthernet1/0/5
port link-mode route
#
interface GigabitEthernet1/0/6
port link-mode route
#
interface GigabitEthernet1/0/7
port link-mode route
#
interface GigabitEthernet1/0/8
port link-mode route
#
interface GigabitEthernet1/0/9
port link-mode route
#
interface GigabitEthernet1/0/10
port link-mode route
#
interface GigabitEthernet1/0/11
port link-mode route
#
interface GigabitEthernet1/0/12
port link-mode route
#
interface GigabitEthernet1/0/13
port link-mode route
description yidong1000M
bandwidth 1000000
speed 1000
ip address 120.234.173.50 255.255.255.248
gateway 120.234.173.49
#
interface GigabitEthernet1/0/14
port link-mode route
description dianxin
bandwidth 50000
mtu 1492
ip address 183.62.30.122 255.255.255.248
ip address 183.62.30.123 255.255.255.248 sub
ip address 183.62.30.124 255.255.255.248 sub
tcp mss 1022
nat server protocol tcp global 183.62.30.122 1080 inside 192.168.12.2 1080 rule ServerRule_2
nat server protocol tcp global 183.62.30.122 9100 inside 192.168.1.244 9100 rule ServerRule_1
#
interface GigabitEthernet1/0/15
port link-mode route
description GuideWan Interface
bandwidth 100000
ip address 183.24.99.75 255.255.255.248
dns server 202.96.128.86
dns server 202.96.128.166
nat outbound
nat server protocol tcp global 183.24.99.74 1080 inside 192.168.12.2 1080 rule ServerRule_3
nat server protocol tcp global 183.24.99.74 8314 inside 192.168.1.240 443 rule ServerRule_5
nat server protocol tcp global 183.24.99.75 1080 inside 192.168.12.2 1080 rule ServerRule_4
gateway 183.24.99.73
#
interface GigabitEthernet1/0/16
port link-mode route
combo enable fiber
#
interface GigabitEthernet1/0/17
port link-mode route
combo enable fiber
#
interface GigabitEthernet1/0/18
port link-mode route
combo enable fiber
#
interface GigabitEthernet1/0/19
port link-mode route
combo enable fiber
#
interface GigabitEthernet1/0/20
port link-mode route
#
interface GigabitEthernet1/0/21
port link-mode route
#
interface GigabitEthernet1/0/22
port link-mode route
#
interface GigabitEthernet1/0/23
port link-mode route
#
interface GigabitEthernet1/0/24
port link-mode route
#
interface GigabitEthernet1/0/25
port link-mode route
#
interface GigabitEthernet1/0/3
port link-mode bridge
#
interface M-GigabitEthernet1/0/0
ip address 1.1.1.1 255.255.255.0
#
interface Ten-GigabitEthernet1/0/26
port link-mode route
#
interface Ten-GigabitEthernet1/0/27
port link-mode route
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/1
import interface Vlan-interface700
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet1/0/13
import interface GigabitEthernet1/0/14
import interface GigabitEthernet1/0/15
#
security-zone name Management
import interface M-GigabitEthernet1/0/0
#
scheduler logfile size 16
#
line class console
authentication-mode scheme
user-role network-admin
#
line class vty
user-role network-operator
#
line con 0
user-role network-admin
#
line vty 0 4
authentication-mode scheme
user-role level-15
user-role network-admin
#
line vty 5 63
authentication-mode scheme
user-role network-admin
#
ip route-static 0.0.0.0 0 183.24.99.73
ip route-static 172.16.0.0 16 10.10.10.2
ip route-static 192.168.0.0 16 10.10.10.2
#
info-center loghost 127.0.0.1 port 3301 format default
info-center source CFGLOG loghost level informational
#
performance-management
#
ssh server enable
ssh server authentication-retries 5
#
acl advanced 3000
rule 0 permit ip source 192.168.12.0 0.0.0.255
rule 5 deny ip
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$hTAQM9XSiLWjqxcm$5RiqvDVLlTVtKuRC4QifIFVGtgcMtkbpspnRYO6RiwjfaO1qy+wooRZ7SBHnzt82k446Ic/hfQCyhaGJPO561A==
service-type ssh terminal http https
authorization-attribute user-role level-3
authorization-attribute user-role level-15
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
public-key peer 127.0.0.1
public-key-code begin
30819F300D06092A864886F70D010101050003818D0030818902818100B8D57F1F30F907D2
D34EBB8171E6483CC55F5BF1121D0952A337D747D9FFF5AB2DF0F534B5AB8C88186BD1CF6C
EC4A9D30429A68E489BD15DCC459C4E030008E3C68D187D3C69BACE875771312BBDB699F10
3509D266DF919E2FD87D80868D6326429212BF009A658D0D55579400B4F57110212313410A
53411C024969BCB0730203010001
public-key-code end
peer-public-key end
#
public-key peer 172.16.100.5
public-key-code begin
30819F300D06092A864886F70D010101050003818D0030818902818100C75BDDEA9148BB63
C4D7843F9AF34C25B15DBC6CE465A8E854301865AAF83E6103CC43B2E25468E5882B86B1B4
86D654001DBF80CE67DD133FDA3C45879B3B9411EAE3A3D5107B22C0A6778A9BC1042FAD33
1EB3E17874ECB6F34EAE21C8363FD6B774BD9870E2FE65E364398EECB5FEBF3CA6FBE23FB0
34B7F577BCD813AF550203010001
public-key-code end
peer-public-key end
#
ssl renegotiation disable
ssl version ssl3.0 disable
ssl version tls1.0 disable
#
session statistics enable
session synchronization enable
#
ipsec logging negotiation enable
#
nat global-policy
rule name GlobalPolicyRule_1
description GuideNat
source-zone Trust
destination-zone Untrust
action snat easy-ip
#
ike logging negotiation enable
#
ip https enable
#
blacklist global enable
#
app-profile 0_IPv4
ips apply policy default mode protect
data-filter apply policy default
file-filter apply policy default
anti-virus apply policy default mode protect
waf apply policy default mode protect
#
inspect block-source parameter-profile ips_block_default_parameter
#
inspect block-source parameter-profile url_block_default_parameter
#
inspect block-source parameter-profile waf_block_default_parameter
#
inspect capture parameter-profile ips_capture_default_parameter
#
inspect capture parameter-profile waf_capture_default_parameter
#
inspect redirect parameter-profile av_redirect_default_parameter
#
inspect redirect parameter-profile ips_redirect_default_parameter
#
inspect redirect parameter-profile url_redirect_default_parameter
#
inspect redirect parameter-profile waf_redirect_default_parameter
#
loadbalance link-group 电信
predictor hash address source
fail-action reschedule
transparent enable
probe 1
success-criteria at-least 1
link dianxin
success-criteria at-least 1
probe 1
link guidewan
success-criteria at-least 1
probe 1
#
loadbalance class 1 type link-generic match-any
match 1 source ip address 0.0.0.0 0
#
loadbalance action ##defaultactionforllbipv4##%%autocreatedbyweb%% type link-generic
forward all
#
loadbalance action ob$action$#for#1 type link-generic
link-group 电信
fallback-action continue
#
loadbalance policy ##defaultpolicyforllbipv4##%%autocreatedbyweb%% type link-generic
class 1 action ob$action$#for#1
default-class action ##defaultactionforllbipv4##%%autocreatedbyweb%%
#
virtual-server ##defaultvsforllbipv4##%%autocreatedbyweb%% type link-ip
virtual ip address 0.0.0.0 0
lb-policy ##defaultpolicyforllbipv4##%%autocreatedbyweb%%
bandwidth interface statistics enable
service enable
#
loadbalance isp file flash:/lbispinfo_v1.5.tp
#
loadbalance alg h323
loadbalance alg ils
loadbalance alg mgcp
loadbalance alg nbt
loadbalance alg rsh
loadbalance alg sccp
loadbalance alg sip
loadbalance alg sqlnet
loadbalance alg tftp
loadbalance alg xdmcp
#
loadbalance link dianxin
router ip 183.62.30.121
success-criteria at-least 1
#
loadbalance link guidewan
router ip 183.24.99.73
success-criteria at-least 1
#
traffic-policy
profile name chinatelnet
bandwidth downstream guaranteed 30000
bandwidth downstream maximum 150000
bandwidth upstream guaranteed 30000
bandwidth upstream maximum 150000
bandwidth average enable
per-ip bandwidth-threshold-detect enable
per-ip bandwidth-threshold max-value 50000
per-ip bandwidth-threshold min-value 10000
per-ip bandwidth-threshold-learn enable
per-ip bandwidth-threshold-learn duration 60
per-ip bandwidth-threshold-learn tolerance max-value 100
per-ip bandwidth-threshold-learn tolerance min-value 100
#
scd learning
source-ip 会议预约系统
auto-learn enable period one-hour
#
security-policy ip
rule 0 name 1
action pass
profile 0_IPv4
rule 1 name GuideSecPolicy
action pass
source-zone Trust
destination-zone Untrust
destination-zone DMZ
rule 4 name secpolicy6
action pass
source-zone Untrust
destination-zone Local
destination-ip-range 183.24.99.74 183.24.99.78
destination-ip-range 183.62.30.122 183.62.30.125
rule 10 name dkys
action pass
source-zone Untrust
destination-zone Trust
destination-ip KF_CRM
service 9100
rule 11 name huiyiyuyue
action pass
source-zone Untrust
destination-zone Trust
destination-ip 会议预约系统
service 1080
rule 12 name fkxt
action pass
counting enable
source-zone Untrust
destination-zone Trust
destination-ip fkxt
service 1080dk
service 1080
rule 13 name dahuafk
action pass
source-zone Untrust
destination-zone Trust
destination-ip dahuafk
service 8314绔彛
#
anti-virus signature auto-update
update schedule daily start-time 02:00:00 tingle 120
#
cloud-management server domain opstunnel-seccloud.h3c.com
#

return

Followers: 6  Following: 0

You are doing policy-based routing, right? You are probably applying it on the wrong interface: policy-based routing has to be applied on the internal (inbound) interface, not on the egress interface.
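An added example, written for this page and not code from the thread or from H3C: a small lint that parses a Comware-style configuration dump like the one posted above and checks the points the answers raise. It reports where the policy-based route is applied and whether that interface looks like an egress interface (the last answer), whether each PBR node's ACL exists with a permit rule and its next hop is some interface's gateway, and whether an enabled link-load-balance virtual-server catches all traffic, which the accepted answer says takes precedence over PBR. The config excerpt inside the script is constructed from the posted one; the "egress interface" test (an interface carrying a `gateway` line) is a heuristic of this example, not an H3C rule.

```python
"""Added example (not from the thread or from H3C): a small lint for the
Comware-style firewall config pasted above, checking the points the answers
raise. SAMPLE_CONFIG is a constructed excerpt in the shape of that config."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_CONFIG = """\
#
policy-based-route neiwang permit node 5
 if-match acl 3000
 apply next-hop 120.234.173.49
#
interface GigabitEthernet1/0/1
 ip address 10.10.10.1 255.255.255.0
 ip policy-based-route neiwang
#
interface GigabitEthernet1/0/13
 ip address 120.234.173.50 255.255.255.248
 gateway 120.234.173.49
#
acl advanced 3000
 rule 0 permit ip source 192.168.12.0 0.0.0.255
 rule 5 deny ip
#
virtual-server ##defaultvsforllbipv4##%%autocreatedbyweb%% type link-ip
 virtual ip address 0.0.0.0 0
 service enable
#
"""


@dataclass
class Findings:
    applied_on: Dict[str, List[str]] = field(default_factory=dict)  # policy -> interfaces
    nodes: List[Dict[str, Optional[str]]] = field(default_factory=list)  # policy/node/acl/next_hop
    acl_rules: Dict[str, List[str]] = field(default_factory=dict)  # acl -> rule lines
    gateway_of: Dict[str, str] = field(default_factory=dict)  # interface -> gateway
    catch_all_llb: bool = False  # enabled link-LB virtual-server matching 0.0.0.0/0
    warnings: List[str] = field(default_factory=list)


def parse_blocks(text: str) -> List[List[str]]:
    # '#' delimits blocks; the pasted config lost its indentation, so lines are
    # stripped and a block's first line is treated as its header.
    blocks: List[List[str]] = []
    current: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                blocks.append(current)
            current = []
        elif line:
            current.append(line)
    return blocks + ([current] if current else [])


def analyze(text: str) -> Findings:
    f = Findings()
    for block in parse_blocks(text):
        head, body = block[0], block[1:]
        m = re.match(r"policy-based-route (\S+) (?:permit|deny) node (\d+)$", head)
        if m:
            node = {"policy": m.group(1), "node": m.group(2), "acl": None, "next_hop": None}
            for line in body:
                if line.startswith("if-match acl "):
                    node["acl"] = line.split()[2]
                elif line.startswith("apply next-hop "):
                    node["next_hop"] = line.split()[2]
            f.nodes.append(node)
        elif head.startswith("interface "):
            name = head.split()[1]
            for line in body:
                if line.startswith("ip policy-based-route "):
                    f.applied_on.setdefault(line.split()[2], []).append(name)
                elif line.startswith("gateway "):
                    f.gateway_of[name] = line.split()[1]
        elif re.match(r"acl (?:advanced|basic) \S+$", head):
            f.acl_rules[head.split()[2]] = body
        elif head.startswith("virtual-server ") and head.endswith(" type link-ip"):
            f.catch_all_llb |= "virtual ip address 0.0.0.0 0" in body and "service enable" in body
    gateways = set(f.gateway_of.values())
    for n in f.nodes:
        tag, acl, nh = f"{n['policy']} node {n['node']}", n["acl"], n["next_hop"]
        if acl and not any(r.split()[2:3] == ["permit"] for r in f.acl_rules.get(acl, [])):
            f.warnings.append(f"{tag}: ACL {acl} is missing or has no permit rule, nothing is matched")
        if nh and nh not in gateways:
            f.warnings.append(f"{tag}: next hop {nh} is not the gateway of any interface")
    for policy in sorted({n["policy"] for n in f.nodes}):
        if policy not in f.applied_on:
            f.warnings.append(f"{policy}: defined but not applied on any interface")
        for iface in f.applied_on.get(policy, []):
            if iface in f.gateway_of:  # heuristic: a WAN gateway marks an egress interface
                f.warnings.append(f"{policy}: applied on egress interface {iface}; "
                                  "apply it on the inbound LAN interface instead")
    if f.catch_all_llb:
        f.warnings.append("link load balancing: an enabled virtual-server catches 0.0.0.0/0 and, "
                          "per the accepted answer, takes precedence over PBR; disable it")
    return f
```

Calling `analyze(config_text).warnings` on the sample yields a single finding, the enabled catch-all link-load-balance virtual-server, which is exactly the condition the accepted answer identified; the same check applied to the full configuration posted above gives the same result, since neiwang is applied on GigabitEthernet1/0/1 (no gateway line) and ACL 3000 permits 192.168.12.0/24.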

