Host-based backup of VMware vSphere VMs.
pp_er
Novice
Posts: 4
Liked: never
Joined: Nov 15, 2018 7:53 am
Full Name: Peter Pulz

[Feature Request] Setting routes to SureBackup appliance

Post by pp_er »

Hey,

TL;DR: please allow administrators to configure custom routes to the SureBackup appliance. :wink:

I know it might be a niche case, but I have a customer who has a hardened (network) environment, with the following setup:
- Hardware Backup server and hardware Linux hardened repository in one VLAN (let's pretend it's VLAN200)
- productive environment with servers (let's pretend it's VLAN100) and clients (let's pretend it's VLAN101)
- a firewall with an internet break-out directly connected to the backup server (NIC2)
- SureBackup appliance NAT (let's pretend it's VLAN250)

To make it simple, let's also pretend that the VLAN is the 3rd octet of the IP address. (192.168.x.x)
We have ACLs in place to manage which ports are allowed between the backup server and the productive environment.
The firewall is also configured to only let traffic out to well-known hosts (like for Veeam licensing checks, AWS offloading, etc.) but has no connection to the production network.

The default route on the backup server is set to the firewall so the offloading is working as expected.

We have now implemented SureBackup.
Every time the SureBackup job is started, Veeam sets up the route to the virtual lab.
But the route is set to the wrong gateway, which is in the productive server environment (VLAN100), which the backup server can't reach.
Because of that, the backup server uses its default route, which points towards the firewall, and the firewall has no information about the internal network, so the request is sent off to the internet.

I tried the following things:
- I added a permanent route to the IP address via the gateway in the VLAN200 (which knows the NAT behind the SureBackup appliance), but Veeam won't start the SureBackup jobs because 'There's already a route defined, please remove this route'
- If I "intercept" the job's created route and use a "route change 192.168.250.0 mask 255.255.255.0 192.168.200.1" -> everything works as intended.

My workaround now is that I start the SureBackup job via PowerShell and, after getting a reply from the SureBackup appliance, the script will automatically change the route to the correct gateway.

I don't know if this has been an issue for any of you, but I would highly appreciate a feature or setting to set the route to the virtual lab on my own, either through a permanent route on the backup server or dis- / enabling setting a default route within the GUI.
As many of our customers are now going the way of network segmentation and shutting the backup server from their productive environment, I'll be happy if I don't have to tell them they need to use scripts for the backup testing which should work out of the box.

Best regards,
Peter
Andreas Neufert
VP, Product Management
Posts: 6749
Liked: 1408 times
Joined: May 04, 2011 8:36 am
Full Name: Andreas Neufert
Location: Germany

Re: [Feature Request] Setting routes to SureBackup appliance

Post by Andreas Neufert »

If I understand this all correctly then it would not help to set some things in Veeam. You need to set some routes so that everything works in your infrastructure.
And I think as any environment can be very unique, it is hard to address.

Let me try to solve it for you (hope I understood everything well).

Example:
Your Internet Router has 10.0.0.1 255.255.255.0

Your Internal Router has NIC with 192.168.x.1 255.255.255.0 with activated routing between networks

Backup Server
NIC 2
10.0.0.2 255.255.255.0 GW 10.0.0.1
NIC 1
192.168.200.2 255.255.255.0 No GW or 192.168.200.1 (which would be your internal Firewall/Router between subnets)

Surebackup Appliance
192.168.200.2 255.255.255.0 GW 192.168.200.1

VLAB wizard advanced
In VLAB appliance you define the following:
VMNetworkVLAN100=>VMnetworkVirtualLabVLAN100 (VLAN100)
Select VMnetworkVirtualLabVLAN100
Proxy IP 192.168.100.1 255.255.255.0
Masquerade Network 173.168.100
Disable DHCP when you work with static IPs on the backed up VMs

In VLAB appliance you define the following:
VMNetworkVLAN101=>VMnetworkVirtualLabVLAN101 (VLAN101)
Select VMnetworkVirtualLabVLAN101
Proxy IP 192.168.101.1 255.255.255.0
Masquerade Network 173.168.101
Disable DHCP when you work with static IPs on the backed up VMs

Enable routing between vLAB subnets in the wizard.


You then need to add the following static routes to the Veeam Backup Server:
193.168.0.0 255.255.0.0 Routed through 192.168.250.1
192.168.0.0 255.255.0.0 Routed through 192.168.250.1 (this might not be needed but if you do not set a gateway for the first NIC on the backup server then this is needed)

And on the internal router
193.168.0.0 255.255.0.0 Routed through 192.168.200.2

This should do the trick.

Explanation:
We start the vLAB and boot the server in the VLAB. Let's say the server in the lab has
192.168.100.2 (fileserver) 255.255.255.0 GW 192.168.100.1 (its normal IP configuration)
We set a dynamic route on the VBR server that is called 193.168.100.0 255.255.255.0 192.168.200.2
Ping goes from backup server to 193.168.100.2
The dynamic route and the manually set route forward the packages through the internal router to the virtual lab appliance.
The Virtual lab appliance does its magic and forwards the ping to the vlab internal network of the "fileserver". The answer back goes to the default route (which is the vlab internal IP - which is at the same time the gateway IP of production).
The Virtual lab appliance does its magic and sends back the ping on its route to 192.168.250.2 (backup server) through the internal router (because of the correct gateway address set in the vlab production network).
pp_er
Novice
Posts: 4
Liked: never
Joined: Nov 15, 2018 7:53 am
Full Name: Peter Pulz

Re: [Feature Request] Setting routes to SureBackup appliance

Post by pp_er »

Good morning Andreas,

thank you for your reply.
I had the same idea, but it won't work.
I'll attach a simple topology view. (which is based on the example we are talking about)
Image

The issue is that Veeam is setting the route with a gateway in the server network (192.168.100.0/24), where the backup server can only reach its gateway in the (192.168.200.0/24) network.
So as the gateway for this network is not reachable, it will fail over to the default gateway, which is in the network of 10.0.0.0/24.

I'll quote a sentence from the Microsoft page about the 'route' command here:
<gateway> Specifies the forwarding or next hop IP address over which the set of addresses defined by the network destination and subnet mask are reachable. For locally attached subnet routes, the gateway address is the IP address assigned to the interface that is attached to the subnet. For remote routes, available across one or more routers, the gateway address is a directly reachable IP address that is assigned to a neighboring router.
Source: https://learn.microsoft.com/en-us/windo ... ute_ws2008

This means, that the gateway must reside in the same network. (192.168.200.0/24)
If I do a 'route change' as already mentioned in my initial post, everything works as expected.

Would it be possible to just disable the "stop SureBackup if route already exists"?

Best regards,
Peter
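
The gateway rule quoted from the `route` documentation can be checked mechanically. The following is an added example, not part of any post in this thread and not Veeam code: it parses `route print`-style rows, flags routes whose gateway lies in no directly attached subnet, and models the fallback to the default route reported above. The table is constructed from the thread's example addressing; 192.168.100.10 is a made-up stand-in for the production-side gateway, and the fallback model is an assumption based on the behaviour described in the posts.

```python
import ipaddress

# Constructed `route print -4` excerpt for the backup server, using the
# thread's example addressing. 192.168.100.10 is a made-up stand-in for the
# production-side gateway that the SureBackup job sets.
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.0.1        10.0.0.2      25
         10.0.0.0    255.255.255.0          On-link        10.0.0.2     281
    192.168.200.0    255.255.255.0          On-link   192.168.200.2     281
    192.168.250.0    255.255.255.0   192.168.100.10   192.168.200.2      26
"""

def parse_routes(text):
    """Return route dicts from `route print` rows; skip headers and noise."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}")
            routes.append({"net": net, "gw": parts[2], "metric": int(parts[4])})
        except ValueError:
            continue
    return routes

def off_link_gateways(routes):
    """Routes whose gateway is in no directly attached (On-link) subnet."""
    attached = [r["net"] for r in routes if r["gw"] == "On-link"]
    return [r for r in routes if r["gw"] != "On-link"
            and not any(ipaddress.ip_address(r["gw"]) in n for n in attached)]

def next_hop(routes, dst):
    """Longest-prefix match that ignores off-link gateways (assumed model of
    the fallback to the default route reported in the thread)."""
    bad = off_link_gateways(routes)
    ok = [r for r in routes if r not in bad and ipaddress.ip_address(dst) in r["net"]]
    best = max(ok, key=lambda r: (r["net"].prefixlen, -r["metric"]))
    return best["gw"]

def change_gateway(routes, net, gw):
    """Model `route change <net> ... <gw>` on a copy of the table."""
    target = ipaddress.ip_network(net)
    return [dict(r, gw=gw) if r["net"] == target else r for r in routes]

if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT)
    for r in off_link_gateways(table):
        print("gateway not on an attached subnet:", r["net"], "via", r["gw"])
    print("before:", next_hop(table, "192.168.250.5"))
    fixed = change_gateway(table, "192.168.250.0/24", "192.168.200.1")
    print("after: ", next_hop(fixed, "192.168.250.5"))
```

Run against real `route print -4` output, a non-empty result from `off_link_gateways` identifies lab routes that would send masqueraded traffic towards the internet-facing default gateway instead of the internal router.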