Re: Configure default route when Untrust interface is a DHCP client
[ Edited ]
2 weeks ago
You need to use one of the below methods:
1/ isolate Your untrust interface into a separate virtual router routing-instance
2/ isolate Your clients' interfaces into a separate virtual router routing-instance or instances.
The example config for method # 1 should look like:
set routing-instances UNTRUST-vr instance-type virtual-router set routing-instances UNTRUST-vr interface ge-0/0/0.0 ## Your ISP-facing untrust interface set interfaces st0.0 family inet ## Add route-based IPSEC VPN configuration as You need set routing-options static route 0.0.0.0/0 next-hop st0.0 ## Add security config as You need
When the 0/0 route disappears from inet.0 because i.e. IPSEC VPN went down, there would be no other route to take Your clients traffic. This may be advantage or disadvantage depending on Your point of view.
The advantage is that Your sensitive traffic is not leaked to wider internet if Your IPSEC VPN is down.
The disadvantage is that Your human clients are going to be frustrated because their fav Youtu.be/FB/Twitter etc watching/posting does not work when Your IPSEC VPN is down.