Hi all,
I am having some issues getting PBF working. Basically, I have two interfaces connected to the Internet. One is used for SSL VPN access and has a static IP that is NATed; the other is used for Internet browsing and gets its IP through DHCP.
What I want to achieve is route internet traffic through the DHCP interface and the SSL VPN traffic through the fixed IP interface. The Master routing instance should have both routes with DHCP interface preferred.
I have configured a routing instance with a default route, copied the routes through a RIB group, and then created a firewall filter on the VLAN interface used for SSL VPN traffic to redirect that traffic to the created routing instance. I also made the static route through the fixed-IP interface less preferred in the master routing instance. The problem is that doing so makes the SSL VPN gateway unreachable, which I guess is due to a routing problem. It looks like the traffic from the SSL VPN appliance is still going out through the DHCP interface, i.e. it is forwarded by the master RI instead of by the created RI.
Can you please help me identify the issue?
Here is a snippet of my configuration:
/* Two uplinks: ge-0/0/0 (static 1.1.1.2, meant for SSL VPN traffic) and ge-0/0/4 (DHCP, meant for general Internet traffic); see the description above. */
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
/* NOTE(review): no prefix length is shown; Junos defaults a bare inet address to /32, which would leave next-hop 1.1.1.1 without a connected route — confirm the mask in the real config. */
address 1.1.1.2;
}
}
}
ge-0/0/4 {
unit 0 {
family inet {
/* Address obtained via DHCP; the DHCP-learned default route (not shown here) is intended to be the preferred default in inet.0. */
dhcp;
}
}
}
ge-0/0/7 {
unit 0 {
/* Access port in vlan1; the L3 interface for this VLAN is vlan.1 (see vlans stanza). */
family ethernet-switching {
port-mode access;
vlan {
members vlan1;
}
}
}
}
/* NOTE(review): this brace closes the interfaces hierarchy, yet the vlan interface below is pasted outside it; as shown it would not load — presumably a paste artifact. */
}
vlan {
unit 1 {
family inet {
/* The input filter below is what steers SSL VPN traffic into the isp routing instance; it is evaluated only for packets arriving on vlan.1. */
filter {
input redirectSslVpn;
}
address 2.2.2.1/24;
}
}
}
routing-options {
/* Copy the interface (direct) routes into both inet.0 and isp.inet.0 — presumably so isp.inet.0 can resolve next-hop 1.1.1.1 and has a route back to 2.2.2.0/24. */
interface-routes {
rib-group inet IMPORT-PHY;
}
static {
/* Master-table default via the static uplink, deliberately de-preferred (13) so the DHCP default wins for ordinary Internet traffic. NOTE(review): the DHCP route's preference is not shown; confirm it is lower than 13. */
route 0.0.0.0/0 {next-hop 1.1.1.1;
preference 13;}
}
rib-groups {
IMPORT-PHY {
import-rib [ inet.0 isp.inet.0 ];
}
}
}
firewall {
family inet {
/* Steering filter: it never discards anything (the final term accepts), so it only selects which table is used for the lookup. */
filter redirectSslVpn {
/* Packets from 2.2.2.2 (presumably the SSL VPN appliance) to any destination are counted and looked up in isp.inet.0; destination-address 0.0.0.0/0 matches everything and could be omitted. */
term redirect {
from {
source-address {
2.2.2.2/32;
}
destination-address {
0.0.0.0/0;
}
}
then {
count redirected;
routing-instance isp;
}
}
/* NOTE(review): as an input filter on vlan.1 this term only sees packets arriving from the VLAN; traffic from the Internet toward 2.2.2.2 enters on ge-0/0/0 and is not evaluated here, so this term is likely never hit — check the fromSA counter. */
term fromSA {
from {
source-address {
0.0.0.0/0;
}
destination-address {
2.2.2.2;
}
}
then {
count fromSA;
routing-instance isp;
}
/* NOTE(review): term fromSA is missing its closing brace in this paste, so term accept appears nested inside it; presumably a copy artifact. Everything not matched above is forwarded normally via inet.0. */
term accept {
then accept;
}
}
}
}
}
routing-instances {
/* Forwarding-type instance: isp.inet.0 holds only what IMPORT-PHY copies in plus this static default via the fixed-IP uplink. */
isp {
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 next-hop 1.1.1.1;
}
}
}
}
vlans {
vlan1 {
vlan-id 11;
/* Binds vlan.1 (where the steering filter is applied) to vlan1. */
l3-interface vlan.1;
}
}
/* NOTE(review): the stanzas from here to the vlans block appear to be a second, partial paste of the same configuration shown above (it starts inside the interfaces hierarchy, without the "interfaces {" line); the annotated copy above is the one to read. */
ge-0/0/0 {
unit 0 {
family inet {
address 1.1.1.2;
}
}
}
ge-0/0/4 {
unit 0 {
family inet {
dhcp;
}
}
}
ge-0/0/7 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan1;
}
}
}
}
}
vlan {
unit 1 {
family inet {
filter {
input redirectSslVpn;
}
address 2.2.2.1/24;
}
}
}
routing-options {
interface-routes {
rib-group inet IMPORT-PHY;
}
static {
route 0.0.0.0/0 {next-hop 1.1.1.1;
preference 13;}
}
rib-groups {
IMPORT-PHY {
import-rib [ inet.0 isp.inet.0 ];
}
}
}
firewall {
family inet {
filter redirectSslVpn {
term redirect {
from {
source-address {
2.2.2.2/32;
}
destination-address {
0.0.0.0/0;
}
}
then {
count redirected;
routing-instance isp;
}
}
term fromSA {
from {
source-address {
0.0.0.0/0;
}
destination-address {
2.2.2.2;
}
}
then {
count fromSA;
routing-instance isp;
}
term accept {
then accept;
}
}
}
}
}
routing-instances {
isp {
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 next-hop 1.1.1.1;
}
}
}
}
vlans {
vlan1 {
vlan-id 11;
l3-interface vlan.1;
}
}
Thanks a lot