Hi all. New to JunOS and experimenting on an SRX100 in prep for full layer 3 transition to JunOS/SRX in the coming months. Having a bit of a problem with FBF, and I'm stumped.
I'm trying to force route an internal subnet across the tunnel using FBF. Outbound traffic sourced locally and its inbound response traffic flows fine.
Traffic initiated from the far side of the tunnel breaks though. The traffic makes it in ok and is routed properly to the internal host, but the response traffic is not getting filtered into the routing instance that would send it to the tunnel. Instead it's attempting to take the master 0.0.0.0/0 route and is failing because it came in the tunnel interface and is trying to leave the untrust interface.
I can't figure out how to fix this async route, or how to force traffic sourced from the far side into the custom FBF routing instance.
I've included relevant config bits below and attached a flowtrace showing what's happening. st0.1 is bound to a route-based VPN that works fine if all the traffic is static routed.
Any assistance/guidance/insight greatly appreciated, thanks!
The attached flow trace is for a session initiated from 10.152.172.34 (on the far side of the tunnel) to the local host 10.252.252.100, tcp 445.
It shows a proper inbound route:
routed (x_dst_ip 10.252.252.100) from vpn (st0.1 in 0) to vlan.0, Next-hop: 10.252.252.100
But then the reverse route for that session hits the master default route and gets rejected:
route lookup: dest-ip 10.152.172.34 orig ifp st0.1 output_ifp fe-0/0/0.0 orig-zone 9 out-zone 7 vsd 0
Reject route in make_nsp_ready_no_resolve. zone mismatch
##Interfaces:
vlan {
    unit 0 {
        family inet {
            filter {
                input fbf-vpn;
            }
            address 10.252.252.1/24;
        }
    }
}
st0 {
    unit 1 {
        family inet;
    }
}
##Filter:
filter fbf-vpn {
    term from-10.252.252.0/24 {
        from {
            source-address {
                10.252.252.0/24;
            }
        }
        then {
            routing-instance fbf-st0.1;
        }
    }
    term allow {
        then accept;
    }
}
##Routing instance setup:
fbf-st0.1 {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop st0.1;
        }
    }
}
##Routing options:
interface-routes {
    rib-group inet common;
}
rib-groups {
    common {
        import-rib [ inet.0 fbf-st0.1.inet.0 ];
    }
}
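As an added example (not part of the original post, and not Juniper's code), here is a small Python parser for the SRX flow-trace lines quoted above. It pulls the forward route decision, the reverse route lookup and any reject line out of a trace and flags the exact symptom described in the post: the reverse lookup for the session chose a different egress interface and zone than the one the request arrived on. The three trace lines come from the post; the second, "healthy" trace is constructed to show what a symmetric reverse lookup looks like, and the field names in the `Diagnosis` class are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Trace lines quoted from the post (session 10.152.172.34 -> 10.252.252.100:445).
SAMPLE_TRACE = """\
routed (x_dst_ip 10.252.252.100) from vpn (st0.1 in 0) to vlan.0, Next-hop: 10.252.252.100
route lookup: dest-ip 10.152.172.34 orig ifp st0.1 output_ifp fe-0/0/0.0 orig-zone 9 out-zone 7 vsd 0
Reject route in make_nsp_ready_no_resolve. zone mismatch
"""

# Constructed (not from the post): what the same session would look like if the
# reverse lookup sent the reply back out st0.1, i.e. no zone mismatch.
SAMPLE_TRACE_OK = """\
routed (x_dst_ip 10.252.252.100) from vpn (st0.1 in 0) to vlan.0, Next-hop: 10.252.252.100
route lookup: dest-ip 10.152.172.34 orig ifp st0.1 output_ifp st0.1 orig-zone 9 out-zone 9 vsd 0
"""

# Patterns for the three line shapes seen in the trace.
FORWARD_RE = re.compile(
    r"routed \(x_dst_ip (?P<dst>\S+)\) from (?P<zone>\S+) \((?P<ifp>\S+) in \d+\) "
    r"to (?P<out>[^,]+), Next-hop: (?P<nh>\S+)"
)
REVERSE_RE = re.compile(
    r"route lookup: dest-ip (?P<dst>\S+) orig ifp (?P<orig_ifp>\S+) "
    r"output_ifp (?P<out_ifp>\S+) orig-zone (?P<orig_zone>\d+) out-zone (?P<out_zone>\d+)"
)
REJECT_RE = re.compile(r"Reject route in (?P<fn>\S+)\. (?P<reason>.+)$")


@dataclass
class Diagnosis:
    """Hypothetical summary of one session's routing decisions (names are my own)."""
    forward_in_ifp: Optional[str] = None
    forward_out_ifp: Optional[str] = None
    reverse_dst: Optional[str] = None
    reverse_orig_ifp: Optional[str] = None
    reverse_out_ifp: Optional[str] = None
    reverse_orig_zone: Optional[int] = None
    reverse_out_zone: Optional[int] = None
    rejected: bool = False
    reason: Optional[str] = None


def parse_flow_trace(text: str) -> Diagnosis:
    """Walk the trace line by line and fill in the forward/reverse/reject fields."""
    d = Diagnosis()
    for line in text.splitlines():
        m = FORWARD_RE.search(line)
        if m:
            d.forward_in_ifp = m.group("ifp")
            d.forward_out_ifp = m.group("out").strip()
            continue
        m = REVERSE_RE.search(line)
        if m:
            d.reverse_dst = m.group("dst")
            d.reverse_orig_ifp = m.group("orig_ifp")
            d.reverse_out_ifp = m.group("out_ifp")
            d.reverse_orig_zone = int(m.group("orig_zone"))
            d.reverse_out_zone = int(m.group("out_zone"))
            continue
        m = REJECT_RE.search(line)
        if m:
            d.rejected = True
            d.reason = m.group("reason")
    return d


def is_asymmetric(d: Diagnosis) -> bool:
    """True when the reply would leave through a different interface than the request entered."""
    return d.reverse_orig_ifp is not None and d.reverse_orig_ifp != d.reverse_out_ifp


def zone_mismatch(d: Diagnosis) -> bool:
    """True when the reverse lookup crosses zones (the condition the SRX rejects here)."""
    return d.reverse_orig_zone is not None and d.reverse_orig_zone != d.reverse_out_zone


def describe(d: Diagnosis) -> str:
    """One-line verdict a reader can paste into a ticket."""
    if is_asymmetric(d):
        return (f"asymmetric: request in {d.reverse_orig_ifp} (zone {d.reverse_orig_zone}), "
                f"reply to {d.reverse_dst} via {d.reverse_out_ifp} (zone {d.reverse_out_zone})"
                + (f"; rejected: {d.reason}" if d.rejected else ""))
    return f"symmetric: reply to {d.reverse_dst} via {d.reverse_out_ifp}"


if __name__ == "__main__":
    print(describe(parse_flow_trace(SAMPLE_TRACE)))
    print(describe(parse_flow_trace(SAMPLE_TRACE_OK)))
```

Running it against the post's own lines prints the asymmetric verdict with the `fe-0/0/0.0` egress and the "zone mismatch" reason, which is the same conclusion the post draws by hand; the constructed trace prints the symmetric case. The parser only reads the trace, so it is safe to run over a full `flow trace` capture to find every session that hits this condition.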