Hi,
A public static IP is too expensive (indeed I could add some money and take those options too, but I'm trying the cheapest solution...).
So, the goal is to have two different ISPs and load balance the connection without BGP, OSPF, etc.
The most important issue so far was that I couldn't manage the device remotely by accessing the interface which has the IP assigned over DHCP, but that issue was solved with the VIP trick.
So far I have used that ISP on another vrouter because of the Connected route assigned by ScreenOS automatically due to DHCP. PBR was used in this scenario, but unfortunately there are some important limitations when using policy based routing.
The only problem that I still have is: why can't local subnets which have PBR associated to access 0.0.0.0/0 over the second vrouter access local resources in other VLANs or the DMZ? If I check the logs, all traffic is forwarded to the internet even though the other routes are connected too...
I know that 0.0.0.0/0 means anything, but how can I forward traffic from a local VLAN to the internet over another ISP in another vrouter?
In the ACL you can only define src xx.xx.xx.xx (local subnet), destination 0.0.0.0/0 (internet) and ports. I did some tricks like forwarding 80, 443, etc. with PBR; in this way I was able to access the internet over the second ISP and local shares, for example, but I have 80 and 443 in the local DMZ too...
Ideally I'd have the possibility to define an extended ACL with src, dst EXCEPT dst xx.xx.xx.xx where I can define the local networks.
In the worst case scenario I will move the DHCP interface into trust-vr (Untrust) and everything will be simple, but ideally the internet links would be in another vr.
I hope I was clear enough this time 🙂
Thanks for the help.
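The behaviour described in the post (a single "src local-subnet, dst 0.0.0.0/0" match entry sending DMZ and VLAN traffic out the second ISP) follows from first-match evaluation of PBR entries, and the "EXCEPT local networks" effect is normally obtained by ordering more specific local-destination entries in front of the catch-all. The Python below is an added conceptual model of that evaluation, not ScreenOS configuration or anything from the original poster; the subnets, the `route-normally` action label and the `isp2-vr` next-hop label are constructed for illustration.

```python
"""Conceptual model of first-match policy-based routing (PBR) evaluation.

Added example, not ScreenOS syntax. It shows why one entry
"src LAN -> dst 0.0.0.0/0 -> second ISP" also diverts traffic destined to the
DMZ and other VLANs, and how placing "src LAN -> dst <local net> -> route
normally" entries ahead of it yields the EXCEPT-local-networks behaviour.
All prefixes and labels below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network


@dataclass(frozen=True)
class MatchEntry:
    src: IPv4Network
    dst: IPv4Network
    # "route-normally" = fall through to the ordinary routing table;
    # any other string is a label for a PBR next-hop (here the ISP2 vrouter).
    action: str


def evaluate_pbr(entries, src_ip: str, dst_ip: str) -> str:
    """Return the action of the FIRST entry whose src and dst prefixes both
    contain the packet's addresses; no match means normal routing."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for e in entries:
        if s in e.src and d in e.dst:
            return e.action
    return "route-normally"


# Constructed topology (hypothetical addressing)
LAN = ip_network("192.168.10.0/24")     # clients that should use ISP2
DMZ = ip_network("192.168.20.0/24")     # local DMZ, also serving 80/443
VLAN30 = ip_network("192.168.30.0/24")  # another local VLAN with file shares
ANY = ip_network("0.0.0.0/0")
ISP2 = "next-hop:isp2-vr"               # label for the second-ISP vrouter

# The policy the post describes: one catch-all entry.
NAIVE_POLICY = [MatchEntry(LAN, ANY, ISP2)]

# Corrected ordering: specific local destinations first, catch-all last.
CORRECTED_POLICY = [
    MatchEntry(LAN, DMZ, "route-normally"),
    MatchEntry(LAN, VLAN30, "route-normally"),
    MatchEntry(LAN, ANY, ISP2),
]

# Constructed probe destinations: a DMZ web server, a VLAN30 share, and an
# internet host (TEST-NET-3 documentation range).
PROBES = {
    "dmz_web": "192.168.20.80",
    "vlan30_share": "192.168.30.5",
    "internet": "203.0.113.10",
}


def route_decisions(policy, src: str = "192.168.10.50") -> dict:
    """Where does each probe destination end up for a LAN client?"""
    return {name: evaluate_pbr(policy, src, ip) for name, ip in PROBES.items()}


def audit_policy(policy, local_nets) -> list:
    """Defender check: list local prefixes that the policy would divert to
    the ISP instead of routing internally (i.e. a leak of internal traffic
    to an external path)."""
    lan_probe = str(next(LAN.hosts()))
    leaked = []
    for net in local_nets:
        dst_probe = str(next(net.hosts()))
        if evaluate_pbr(policy, lan_probe, dst_probe) != "route-normally":
            leaked.append(str(net))
    return leaked


if __name__ == "__main__":
    print("naive:    ", route_decisions(NAIVE_POLICY))
    print("corrected:", route_decisions(CORRECTED_POLICY))
    print("leaked local nets (naive):    ", audit_policy(NAIVE_POLICY, [DMZ, VLAN30]))
    print("leaked local nets (corrected):", audit_policy(CORRECTED_POLICY, [DMZ, VLAN30]))
```

The `audit_policy` check is the part worth keeping around: before pushing a PBR change that steers a subnet at 0.0.0.0/0, probe one host in every internal prefix and confirm none of them would be handed to the external next-hop. Whether a given platform expresses the "route normally" action as a separate match entry, a policy order, or a dedicated action is platform-specific and is not asserted here.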