Tim,
Thanks again for your response.
Regarding Question 1:
We've implemented the FBF without the instance-import, and as expected the proxy didn't receive anything from the host.
We've concluded that, as you said, the route importation is mandatory to tell the forwarding RI where to find the proxy (even if it's directly connected).
I've also understood that both experts' responses are complementary 🙂
1st expert:
" Absence of interfaces in forwarding RI makes them unidirectional, i.e. only client->server traffic can pass forwarding RI whereas server->client passes inet.0, and both use same interface.
This makes forwarding RI useful for certain applications at no extra cost of creating rib-groups/instance-import to leak return routes."
----> The use of rib-groups/instance-import concerns only the 1st direction (Host to Proxy), because only this communication is happening in the forwarding VR.
----> the return traffic goes through the master RI, so no need to re-learn in the forwarding RI what's known in inet.0 🙂
2nd expert:
" No. If using instance-type forwarding, you must use rib-groups, instance-import to import information into the routing table, so that next-hop can be resolved."
----> The forwarding RI's RIB is empty. Even the directly connected subnets aren't automatically inserted in it !!! So the next-hop is unknown, that's what the route import is for.
Could you confirm my statement?
Regarding Question 2:
I agree with you.
We've been told that the ports chosen (3128 for 80 & 3129 for 443) aren't for "brutal security" as I said 😉 but these appear to be Squid's default ports for the service that inspects the packet at the highest level (that's what I have understood).
So, as we can't modify the destination port without modifying the IP destination, we've decided to use the "NAT Destination" method instead of FBF, and it seems to be working 🙂
set security nat destination pool Proxy-192-168-22-1 address 192.168.22.1/32
set security nat destination pool Proxy-192-168-22-1 address port 3128
set security nat destination pool Proxy_s-192-168-22-1 address 192.168.22.1/32
set security nat destination pool Proxy_s-192-168-22-1 address port 3129
set security nat destination rule-set from_Trust_pscc from interface reth2.13
set security nat destination rule-set from_Trust_pscc rule proxy_rule match destination-address 0.0.0.0/0
set security nat destination rule-set from_Trust_pscc rule proxy_rule match destination-port 80
set security nat destination rule-set from_Trust_pscc rule proxy_rule then destination-nat pool Proxy-192-168-22-1
set security nat destination rule-set from_Trust_pscc rule proxy_s_rule match destination-address 0.0.0.0/0
set security nat destination rule-set from_Trust_pscc rule proxy_s_rule match destination-port 443
set security nat destination rule-set from_Trust_pscc rule proxy_s_rule then destination-nat pool Proxy_s-192-168-22-1
Knowing that we're not allowed to use the proxy to do the port conversion
(
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
), but must use the FW to do this, is there anything that helps us achieve our goal using FBF?
Thank you in advance for your response.
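Added example, not part of the thread or of Junos itself: a small Python model of the destination-NAT rule-set posted above. It parses the `set security nat destination` lines into pools and rules, then walks a packet (ingress interface, destination address, destination port) through them the way the SRX does (first matching rule in the rule-set wins), so the redirect behaviour can be checked offline, including that the 0.0.0.0/0 match catches every port-80/443 destination seen on reth2.13, not only internet addresses. The packet values used are constructed test addresses.

```python
import ipaddress

# Constructed copy of the destination-NAT lines from the post (same content).
CONFIG = """
set security nat destination pool Proxy-192-168-22-1 address 192.168.22.1/32
set security nat destination pool Proxy-192-168-22-1 address port 3128
set security nat destination pool Proxy_s-192-168-22-1 address 192.168.22.1/32
set security nat destination pool Proxy_s-192-168-22-1 address port 3129
set security nat destination rule-set from_Trust_pscc from interface reth2.13
set security nat destination rule-set from_Trust_pscc rule proxy_rule match destination-address 0.0.0.0/0
set security nat destination rule-set from_Trust_pscc rule proxy_rule match destination-port 80
set security nat destination rule-set from_Trust_pscc rule proxy_rule then destination-nat pool Proxy-192-168-22-1
set security nat destination rule-set from_Trust_pscc rule proxy_s_rule match destination-address 0.0.0.0/0
set security nat destination rule-set from_Trust_pscc rule proxy_s_rule match destination-port 443
set security nat destination rule-set from_Trust_pscc rule proxy_s_rule then destination-nat pool Proxy_s-192-168-22-1
"""


def parse(config):
    """Turn 'set security nat destination ...' lines into pools and rule-sets."""
    pools, rulesets = {}, {}
    for line in config.strip().splitlines():
        w = line.split()
        if w[:4] != ["set", "security", "nat", "destination"]:
            continue  # ignore anything that is not destination NAT
        w = w[4:]
        if w[0] == "pool":
            p = pools.setdefault(w[1], {})
            if w[2:4] == ["address", "port"]:
                p["port"] = int(w[4])          # translated port
            elif w[2] == "address":
                p["address"] = w[3].split("/")[0]  # translated IP (pool is a /32 here)
        elif w[0] == "rule-set":
            rs = rulesets.setdefault(w[1], {"from": None, "rules": {}})
            if w[2] == "from":
                rs["from"] = (w[3], w[4])      # e.g. ("interface", "reth2.13")
            elif w[2] == "rule":
                r = rs["rules"].setdefault(w[3], {})  # dict keeps configured order
                if w[4] == "match":
                    r[w[5]] = w[6]
                elif w[4:7] == ["then", "destination-nat", "pool"]:
                    r["pool"] = w[7]
    return pools, rulesets


def translate(pools, rulesets, ingress, dst_ip, dst_port):
    """Return (new_ip, new_port) from the first matching rule, or None if untouched."""
    for rs in rulesets.values():
        if rs["from"] != ("interface", ingress):
            continue
        for r in rs["rules"].values():
            in_net = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(r["destination-address"])
            if in_net and int(r["destination-port"]) == dst_port:
                pool = pools[r["pool"]]
                return pool["address"], pool["port"]
    return None
```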