Ic2 / Outbound Policy / Grouped Networks

I seem to be hitting an issue with grouped networks used in OBP, and I am pretty sure this has worked in the past!

Scenario is TST Duo & Duo Pro that on occasion we want to break out the modems on in a way that they can easily be plugged into a trunk port, with each modem presented via a discrete VLAN to another device's WAN interfaces.

This device may or may not always be a Peplink, so whilst I could use Synergy mode I am looking for a more generic solution that can be easily managed from Ic2 using tags.

Physically we would be doing something like this:
TST LAN [Tagged VLANs 21/22/23/24/25/26] > Switch [Trunk accepting 21/22/23/24/25/26] > Access ports from a switch to Firewall WAN 1/2/3/4/5/6 etc.

In Ic2 we have some VLANs defined that can be applied as required using tags:

In Ic2 we have defined some grouped networks to match interesting subnets:

On the TST we can see the grouped networks being pushed down correctly:

In Ic2 we have the following OBP configured referencing the grouped networks as source:

On the devices we can see the OBP being applied as expected, and on the overview screen we see that the source is being correctly defined as the grouped network:

We observed however that traffic was not being matched correctly:

When we look at the actual rule directly on the TST we see the following:

When we try and manually define a rule on the TST we are unable to use a grouped network as the source:

I’ve seen this across TST Duo and TST Duo Pro running 8.4.1s032 build 5494.

//

Edit:
So it seems this might be a factor that for some reason “grouped networks” are not supported in OBP on the Transit Duo / Duo Pro. I’m not sure if that has always been the case, but this config works as expected if I apply it to a Balance 580X.

If that is the case, my normal experience of OBP when driven from Ic2 is that if the rule is invalid it does not normally get applied to the device, so in this instance there is maybe a case that Ic2 is allowing an invalid config for the Transit. However, a more reasonable resolution would be why they cannot also use grouped networks as source/destination lists.