TL;DR: please allow administrators to configure custom routes to the SureBackup appliance.

I know it might be a niche case, but I have a customer which has a hardened (network) environment, with the following setup:
- Hardware Backup server and hardware Linux hardened repository in one VLAN (let's pretend it's VLAN200)
- productive environment with servers (let's pretend it's VLAN100) and clients (let's pretend it's VLAN101)
- a firewall with a internet break-out directly connected to the backup server (NIC2)
- SureBackup appliance NAT (let's pretend it's VLAN250)
To make it simple let's also pretend that the VLAN is the 3rd octette of the IP address. (192.168.x.x)
We have ACLs in place to manage which ports are allowed between the backup server and the productive environment.
The firewall is also configured to only let traffic out to well-known hosts (like for Veeam licensing checks, AWS offloading, etc.) but as no connection to the production network.
The default route on the backup server is set to the firewall so the offloading is working as expected.
We have now implemented SureBackup.
Every time Veeam is setting up the route to the virtual lab once the SureBackup job is started.
But the route is set to the wrong gateway which is in the productive server environment (VLAN100) which the backup server can't reach.
Because of that, the backup server is using his default route, which is pointing towards the firewall and the firewall have no information about the internal network, so the request is sent off to the internet.
I tried the following things:
- I added a permanent route to the IP address via the gateway in the VLAN200 (which know the NAT behind the SureBackup appliance), but Veeam won't start the SureBackup jobs because 'There's already a route defined, please remove this route'
- If I "intercept" the jobs created route and use a "route change 192.168.250.0 mask 255.255.255.0 192.168.200.1" -> everything works as intended.
My workaround is now, that I start the SureBackup job via PowerShell and after getting a reply from the SureBackup appliance, the script will automatically change the route to the correct gateway.
I don't know if this has been an issue for someone of you, but I would highly appreciate a feature or setting to set the route to the virtual lab by my own, either through a permanent route on the backup server or dis- / enabling setting a default route within the GUI.
As many of our customers are now going the way of network segmentation and shutting the backup server from their productive environment, I'll be happy if I don't have to tell them they need to use scripts for the backup testing which should work out of the box.
Best regards,
Peter