Hi guys,
Yes, you are right, and I am sorry for the confusion.
I represented 2 different addresses with the same letter.
So,
The topology is, as lpaniagua correctly mentioned:
OpenVPN_Server------------(reth2.110)-SRX-(reth2.150)-------------INTERNET------------OpenVPN_Client
10.0.110.11------------------(reth2.110)-SRX-(reth2.150)-------------Internet----------------1.1.1.1 (let's say)
Let's define the public IPs:
OpenVPN server public IP: 2.2.2.198/28
OpenVPN server internal IP: 10.0.110.11/32
OpenVPN client public IP: 1.1.1.1/32
So the flow goes like this:
May 27 17:55:14 17:55:14.397463:CID-1:RT:<10.0.110.11/1201->1.1.1.1/1194;17> matched filter PF2:
show security nat static
from zone ISP_ALL_EMPL;
rule Openvpn-fiber {
    match {
        destination-address 2.2.2.198/32;
    }
    then {
        static-nat {
            prefix {
                10.0.110.11/32;
            }
        }
    }
}

show security nat proxy-arp
interface reth2.150 {
    address {
        2.2.2.198/32;
        other_public_ip_of_the_same_block_for_other_service/32;
    }
}
As for the PBR, this interface is no longer configured with the filter. I deleted it before the issue, and the issue persists.

show interfaces reth2.110
description DMZ-ZONE;
vlan-id 110;
family inet {
    address 10.0.110.1/24;
}

The filter that WAS applied is:

# show firewall filter redirect-traffic-fiber
term default-table {
    from {
        destination-address {
            10.0.0.0/8;
            192.168.0.0/16;
            172.16.0.0/22;
        }
    }
    then accept;
}
term to-fiber {
    then {
        routing-instance routing-table-fiber;
    }
}

and the instance is:

# show routing-instances routing-table-fiber
instance-type forwarding;
routing-options {
    static {
        route 0.0.0.0/0 next-hop 2.2.2.193/32;   ---> the gw of my ISP from the /28 block
    }
}
So now, for the question concerning which routing-instance(s) reth2.110, reth2.150 and pp0.3 are under, we have:
reth2.110 is a DMZ interface and is not applied in any routing-instance, because it is not a provider's interface.
reth2.150 is applied with my ISP's gw 2.2.2.193.
pp0.3 is also applied:

# show routing-instances
routing-smtng-inf {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop pp0.4;
        }
    }
}
routing-table-Dept1-to-Internet {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 2.2.2.193;   ----> my ISP gw
        }
    }
}
routing-table-Dpt2-to-Specific public_srv {
    instance-type forwarding;
    routing-options {
        static {
            route a.a.a.a/32 next-hop pp0.3;
        }
    }
}
routing-table-all-empl {
    instance-type forwarding;
    routing-options {
        static {
            route ...... /32 next-hop pp0.3;
            route ......./32 next-hop pp0.3;
            route 0.0.0.0/0 next-hop [ pp0.1 reth2.2222 pp0.3 pp0.5 2.2.2.193 ];
            route ....../32 next-hop pp0.1;
            route ...../32 next-hop pp0.1;
            route ...../32 next-hop pp0.3;
            route 192.168.0.0/16 next-hop 10.0.111.254;   -----> DMZ LAN for internal OpenVPN communication (2nd interface)
        }
    }
}
routing-table-email {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop pp0.2;
        }
    }
}
routing-table-fiber {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 2.2.2.193;
        }
    }
}
routing-table-guests {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop pp0.0;
        }
    }
}
routing-table-serv-vpns {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop b.b.b.b/32;
        }
    }
}
routing-table-servers-fiber {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop [ b.b.b.b 2.2.2.193 ];
        }
    }
}

Right now traceoptions are configured to rewrite until the maximum size is reached, so until now I don't have any disconnections. I will post as soon as I notice any disconnection.
Version:
Model: srx550
JUNOS Software Release [12.3X48-D55.4] clustered
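As an added example (not code from the poster or from Juniper), the following script parses the 5-tuple out of SRX flow traceoptions lines in the format quoted above and walks a flow through the two pieces of configuration in the post: the redirect-traffic-fiber filter terms (to see which routing instance a destination would be sent to) and the Openvpn-fiber static NAT rule (to see the address a flow carries after translation). The second sample line and the trace-line regex are constructed assumptions; the prefixes and addresses are the ones in the post.

```python
import ipaddress
import re

# SRX flow traceoptions entry, as quoted in the post: <src/sport->dst/dport;proto>
TRACE_RE = re.compile(r"<(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+);(?P<proto>\d+)>")

# Terms of firewall filter redirect-traffic-fiber as posted (172.16.0.0/22 kept as written).
DEFAULT_TABLE_PREFIXES = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/22")]
# Static NAT rule Openvpn-fiber as posted: public 2.2.2.198 <-> internal 10.0.110.11.
NAT_PUBLIC = ipaddress.ip_address("2.2.2.198")
NAT_INTERNAL = ipaddress.ip_address("10.0.110.11")

def parse_flow(line):
    """Return the 5-tuple of a trace line as a dict, or None if the line carries none."""
    m = TRACE_RE.search(line)
    if not m:
        return None
    return {
        "src": ipaddress.ip_address(m["src"]), "sport": int(m["sport"]),
        "dst": ipaddress.ip_address(m["dst"]), "dport": int(m["dport"]),
        "proto": int(m["proto"]),
    }

def select_instance(flow):
    """Routing instance the filter hands the flow to when it is applied on reth2.110."""
    if any(flow["dst"] in p for p in DEFAULT_TABLE_PREFIXES):
        return "inet.0"               # term default-table: accept, stays on the main table
    return "routing-table-fiber"      # term to-fiber: routing-instance action

def apply_static_nat(flow):
    """Translate both directions of the static NAT rule; unrelated flows pass unchanged."""
    out = dict(flow)
    if flow["dst"] == NAT_PUBLIC:       # inbound from the OpenVPN client to the public address
        out["dst"] = NAT_INTERNAL
    elif flow["src"] == NAT_INTERNAL:   # reply from the OpenVPN server towards the client
        out["src"] = NAT_PUBLIC
    return out

# Constructed sample input: the trace line from the post plus one made-up entry.
SAMPLE_LINES = [
    "May 27 17:55:14 17:55:14.397463:CID-1:RT:<10.0.110.11/1201->1.1.1.1/1194;17> matched filter PF2:",
    "May 27 17:55:15 17:55:15.000001:CID-1:RT:<10.0.110.11/1202->192.168.5.5/1194;17> matched filter PF2:",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        flow = parse_flow(line)
        print(flow["dst"], "->", select_instance(flow), "| src after NAT:", apply_static_nat(flow)["src"])
```

Note that with the /22 as posted, only 172.16.0.0 to 172.16.3.255 stay on the main table; a destination such as 172.16.10.1 falls through to term to-fiber.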