Currently I'm testing DNAT through the Fiber-untrust interface (1.2.3.10).
But I do believe you are correct: the Comcast-Fiber routing instance is unaware of the LAN routes, and redirects the incoming traffic out to the Internet (see trace log at bottom).
I added the inet.0 routing tables to the import-rib statement, but that does not seem to have an effect according to the routes showing.
#show config routing-instance
Comcast-Cable {
    instance-type virtual-router;
    interface reth1.0;
    routing-options {
        interface-routes {
            rib-group inet Fiber-to-Cable;
        }
        static {
            route 0.0.0.0/0 next-hop 10.20.30.9;
        }
    }
}
Comcast-Fiber {
    instance-type virtual-router;
    interface reth0.0;
    routing-options {
        interface-routes {
            rib-group inet Cable-to-Fiber;
        }
        static {
            route 0.0.0.0/0 next-hop 1.2.3.9;
        }
    }
}
#show routing-options
rib-groups {
    Fiber-to-Cable {
        import-rib [ Comcast-Fiber.inet.0 Comcast-Cable.inet.0 inet.0 ];
    }
    Cable-to-Fiber {
        import-rib [ Comcast-Cable.inet.0 Comcast-Fiber.inet.0 inet.0 ];
    }
}
>show route table Comcast-Fiber.inet.0
Comcast-Fiber.inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0          *[Static/5] 16:01:30
                    > to 1.2.3.9 via reth0.0
10.20.30.9/30      *[Direct/0] 16:01:30
                    > via reth1.0
10.20.30.10/32     *[Local/0] 16:01:30
                    Local via reth1.0
1.2.3.8/30         *[Direct/0] 16:01:30
                    > via reth0.0
1.2.3.10/32        *[Local/0] 16:01:30
                    Local via reth0.0
>show log debug.log
Jul 15 10:47:27 10:47:27.300439:CID-1:RT: reth0.0:96.66.219.90/25332->1.2.3.10/8080, tcp, flag 2 syn
Jul 15 10:47:27 10:47:27.300439:CID-1:RT: find flow: table 0x536c2b8, hash 18510(0xffff), sa 96.66.219.90, da 1.2.3.10, sp 25332, dp 8080, proto 6, tok 32779, conn-tag 0x00000000
Jul 15 10:47:27 10:47:27.300439:CID-1:RT: no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
Jul 15 10:47:27 10:47:27.300439:CID-1:RT:search gate for untrust-Fiber:96.66.219.90/25332->1.2.3.10/8080,6
Jul 15 10:47:27 10:47:27.300439:CID-1:RT:gate_search_specific_bucket: no gate found
Jul 15 10:47:27 10:47:27.300439:CID-1:RT:search gate for untrust-Fiber:96.66.219.90/25332->1.2.3.10/8080,6
Jul 15 10:47:27 10:47:27.300439:CID-1:RT:gate_search_specific_bucket: no gate found
Jul 15 10:47:27 10:47:27.300439:CID-1:RT:search widecast gate for untrust-Fiber:96.66.219.90/25332->1.2.3.10/8080,6
Jul 15 10:47:27 10:47:27.300439:CID-1:RT:gate_search_widecast_bucket: no gate found
Jul 15 10:47:27 10:47:27.300439:CID-1:RT:check self-traffic on reth0.0, in_tunnel 0x0
Jul 15 10:47:27 10:47:27.300439:CID-1:RT:retcode: 0x1
Jul 15 10:47:27 10:47:27.300439:CID-1:RT:pak_for_self : proto 6, dst port 8080, action 0x0
Jul 15 10:47:27 10:47:27.300439:CID-1:RT:flow_first_create_session
Jul 15 10:47:27 10:47:27.300439:CID-1:RT:Save init hash spu id 0 to nsp and nsp2!
Jul 15 10:47:27 10:47:27.300439:CID-1:RT:First path alloc and instl pending session, natp=0x8b87270, id=36780
Jul 15 10:47:27 10:47:27.300439:CID-1:RT: flow_first_in_dst_nat: in <reth0.0>, out <N/A> dst_adr 1.2.310, sp 25332, dp 8080
Jul 15 10:47:27 10:47:27.300439:CID-1:RT: chose interface reth0.0 as incoming nat if.
Jul 15 10:47:27 10:47:27.300439:CID-1:RT:flow_first_rule_dst_xlate: DST xlate: 1.2.3.10(8080) to 192.168.1.141(8080), rule/pool id 21/7.
Jul 15 10:47:27 10:47:27.300439:CID-1:RT:[JSF] Do ingress interest check. regd ingress plugins(1)
Jul 15 10:47:27 10:47:27.300439:CID-1:RT:[JSF][0]plugins(0x0) enabled for session = 12884938668 implicit mask(0x0), service request(0x0)
Jul 15 10:47:27 10:47:27.300439:CID-1:RT:-jsf : no plugin ingress interested for session 12884938668
Jul 15 10:47:27 10:47:27.300439:CID-1:RT:flow_first_routing: vr_id 8, call flow_route_lookup(): src_ip 96.66.219.90, x_dst_ip 192.168.1.141, in ifp reth0.0, out ifp N/A sp 25332, dp 8080, ip_proto 6, tos 50
Jul 15 10:47:27 10:47:27.300439:CID-1:RT:Doing DESTINATION addr route-lookup
Jul 15 10:47:27 10:47:27.300439:CID-1:RT:flow_ipv4_rt_lkup success 192.168.1.141, iifl 0x6b, oifl 0x6
Jul 15 10:47:27 10:47:27.300439:CID-1:RT: routed (x_dst_ip 192.168.1.141) from untrust-Fiber (reth0.0 in 1) to reth0.0, Next-hop: 1.2.3.9
Jul 15 10:47:27 10:47:27.300439:CID-1:RT:flow_first_policy_search: policy search from zone untrust-Fiber-> zone untrust-Fiber (0x110,0x62f41f90,0x1f90)
Jul 15 10:47:27 10:47:27.300439:CID-1:RT:Policy lkup: vsys 0 zone(11:untrust-Fiber) -> zone(11:untrust-Fiber) scope:0
Jul 15 10:47:27 10:47:27.300439:CID-1:RT: 96.66.219.90/25332 -> 192.168.1.141/8080 proto 6
Jul 15 10:47:27 10:47:27.300439:CID-1:RT:Policy lkup: vsys 0 zone(5:global) -> zone(5:global) scope:0
Jul 15 10:47:27 10:47:27.300439:CID-1:RT: 96.66.219.90/25332 -> 192.168.1.141/8080 proto 6
Jul 15 10:47:27 10:4727.300439:CID-1:RT:flow_first_policy_search: dynapp_none_policy: 1? is_final: 0x0, is_explicit: 0x0, policy_meta_data: 0x0
Jul 15 10:47:27 10:47:27.300439:CID-1:RT: app 0, timeout 1800s, curr ageout 20s
Jul 15 10:47:27 10:47:27.300439:CID-1:RT: packet dropped, denied by policy
Jul 15 10:47:27 10:47:27.300439:CID-1:RT: denied by policy default-policy-logical-system-00(2), dropping pkt
Jul 15 10:47:27 10:47:27.300439:CID-1:RT: packet dropped, policy deny.
Jul 15 10:47:27 10:47:27.300439:CID-1:RT:flow_initiate_first_path: first pak no session
Jul 15 10:47:27 10:47:27.300439:CID-1:RT: flow find session returns error.
Jul 15 10:47:27 10:47:27.300439:CID-1:RT:flow_proc_rc: -1.
Jul 15 10:47:27 10:47:27.300439:CID-1:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)
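The trace above carries the whole story of the drop in four messages: the first packet on reth0.0, the DST xlate to 192.168.1.141, the route lookup that sends the translated destination back out reth0.0 to 1.2.3.9, and the intra-zone policy search that ends in the default deny. The script below is an added example, not code from the post or from Juniper: it parses an SRX flow trace of this shape, pulls those four facts out, and flags the hairpin (post-DNAT egress interface equal to the ingress interface) that shows the virtual router had no route for the translated address. The sample lines are copied from the post; the regular expressions are written against the message formats visible there and are assumptions about how other releases phrase the same messages.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Patterns matched against the payload after the "CID-1:RT:" prefix.
# They are modelled on the messages in the post; other SRX releases may
# word these lines differently (assumption).
RE_FIRST_PAK = re.compile(
    r"RT: (?P<iif>[^\s:]+):(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+), (?P<proto>\w+)")
RE_DST_XLATE = re.compile(
    r"DST xlate: (?P<orig>[\d.]+)\((?P<oport>\d+)\) to (?P<xlat>[\d.]+)\((?P<xport>\d+)\), rule/pool id (?P<rule>\d+)/(?P<pool>\d+)")
RE_ROUTED = re.compile(
    r"routed \(x_dst_ip (?P<xdst>[\d.]+)\) from (?P<from_zone>\S+) \((?P<iif>[^\s,)]+) in \d+\) to (?P<oif>[^\s,]+), Next-hop: (?P<nh>[\d.]+)")
RE_POLICY = re.compile(r"policy search from zone (?P<from_zone>\S+)-> zone (?P<to_zone>\S+)")
RE_DENY = re.compile(r"denied by policy (?P<policy>\S+)\(\d+\)")


@dataclass
class FlowTrace:
    """Facts extracted from one first-path flow trace."""
    iif: Optional[str] = None          # ingress interface of the first packet
    src: Optional[str] = None
    dst: Optional[str] = None          # pre-NAT destination
    dport: Optional[int] = None
    dnat_to: Optional[str] = None      # post-NAT destination, if DNAT fired
    dnat_rule: Optional[str] = None    # "rule/pool" ids
    oif: Optional[str] = None          # egress interface chosen by route lookup
    next_hop: Optional[str] = None
    from_zone: Optional[str] = None
    to_zone: Optional[str] = None
    deny_policy: Optional[str] = None  # policy name if the packet was denied


def parse_flow_trace(lines: Iterable[str]) -> FlowTrace:
    """Walk the trace once and keep the first occurrence of each fact."""
    t = FlowTrace()
    for line in lines:
        if (m := RE_FIRST_PAK.search(line)) and t.iif is None:
            t.iif, t.src, t.dst, t.dport = m["iif"], m["src"], m["dst"], int(m["dport"])
        elif (m := RE_DST_XLATE.search(line)):
            t.dnat_to, t.dnat_rule = m["xlat"], f"{m['rule']}/{m['pool']}"
        elif (m := RE_ROUTED.search(line)):
            t.oif, t.next_hop = m["oif"], m["nh"]
        elif (m := RE_POLICY.search(line)) and t.from_zone is None:
            t.from_zone, t.to_zone = m["from_zone"], m["to_zone"]
        elif (m := RE_DENY.search(line)):
            t.deny_policy = m["policy"]
    return t


def diagnose(t: FlowTrace) -> List[str]:
    """Turn the extracted facts into findings a network operator can act on."""
    findings: List[str] = []
    if t.dnat_to and t.oif and t.oif == t.iif:
        findings.append(
            f"hairpin: DNAT to {t.dnat_to} but route lookup egressed {t.oif} (the ingress "
            f"interface) via {t.next_hop}; the VR has no route for the translated "
            "destination, so its default route won")
    if t.dnat_to and t.from_zone and t.from_zone == t.to_zone:
        findings.append(
            f"intra-zone policy lookup {t.from_zone} -> {t.to_zone}: no policy towards "
            "the LAN zone was consulted because the egress zone never changed")
    if t.deny_policy:
        findings.append(f"dropped by {t.deny_policy}")
    return findings


# Sample input: the relevant lines of the trace quoted in the post.
SAMPLE_TRACE = [
    "Jul 15 10:47:27 10:47:27.300439:CID-1:RT: reth0.0:96.66.219.90/25332->1.2.3.10/8080, tcp, flag 2 syn",
    "Jul 15 10:47:27 10:47:27.300439:CID-1:RT:flow_first_rule_dst_xlate: DST xlate: 1.2.3.10(8080) to 192.168.1.141(8080), rule/pool id 21/7.",
    "Jul 15 10:47:27 10:47:27.300439:CID-1:RT: routed (x_dst_ip 192.168.1.141) from untrust-Fiber (reth0.0 in 1) to reth0.0, Next-hop: 1.2.3.9",
    "Jul 15 10:47:27 10:47:27.300439:CID-1:RT:flow_first_policy_search: policy search from zone untrust-Fiber-> zone untrust-Fiber (0x110,0x62f41f90,0x1f90)",
    "Jul 15 10:47:27 10:47:27.300439:CID-1:RT: denied by policy default-policy-logical-system-00(2), dropping pkt",
]

if __name__ == "__main__":
    trace = parse_flow_trace(SAMPLE_TRACE)
    for finding in diagnose(trace):
        print("-", finding)
```

Run it against a full `show log debug.log` capture instead of SAMPLE_TRACE and the hairpin finding disappears only once the route lookup reports an egress interface in the LAN zone; if the trace then still ends in a deny, the remaining finding names the policy that needs a matching inter-zone rule.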