Hello. I am trying to set up filter-based routing and can't get it working. Everything seems fine to me.
1. Applied firewall filter to interface:
show interfaces vlan unit 20 family inet
filter {
    input FILTER1;
}
address 172.17.20.1/24;
2. Created firewall filter:
show firewall filter FILTER1
term pod-allow {
    from {
        destination-address {
            192.168.0.0/16;
        }
    }
    then accept;
}
term mgmt-allow {
    from {
        destination-address {
            172.16.0.0/12;
        }
    }
    then accept;
}
term TERM-test {
    from {
        source-address {
            172.17.20.28/32;
        }
    }
    then {
        routing-instance rt-cifra1-test;
    }
}
term default {
    then {
        routing-instance rt-cifra1-all;
    }
}
3. Set up routing-instances:
rt-cifra1-all {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 {
                next-hop 213.167.56.133;
                qualified-next-hop 213.167.60.117 {
                    preference 100;
                }
            }
        }
    }
}
rt-cifra1-test {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 {
                next-hop 213.167.60.117;
                qualified-next-hop 213.167.56.133 {
                    preference 100;
                }
            }
        }
    }
}
rt-rcs {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 217.12.253.225;
        }
    }
}
4. Set up routing-options:
interface-routes {
    rib-group inet IMPORT-CIFRA1;
}
static {
    route 0.0.0.0/0 {
        next-hop [ 217.12.253.225 213.167.56.133 213.167.60.117 ];
        preference 20;
    }
}
rib-groups {
    IMPORT-CIFRA1 {
        import-rib [ inet.0 rt-cifra1-test.inet.0 rt-cifra1-all.inet.0 rt-rcs.inet.0 ];
    }
}
5. And source NAT:
pool cifra1-test {
    address {
        213.167.60.118/32;
    }
}
pool cifra1-all {
    address {
        213.167.56.134/32;
    }
}
rule-set rs1 {
    from zone trust;
    to zone untrust;
    rule test-cifra1 {
        match {
            source-address 172.17.20.28/32;
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat {
                pool {
                    cifra1-test;
                }
            }
        }
    }
    rule r1 {
        match {
            source-address 0.0.0.0/0;
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat {
                pool {
                    cifra1-all;
                }
            }
        }
    }
}
But traceroute shows that traffic goes through the 213.167.56.133 gateway instead of 213.167.60.117.
Can anyone explain to me why?
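As an added example (not part of the post above), a small Python model of how FILTER1 and the two forwarding instances are supposed to steer a flow: filter terms are matched top-down and the first match wins, and inside an instance the next-hop with the lowest preference is the active one. The sample flows and the preference value 5 for the unqualified static next-hop (the Junos default) are assumptions, not taken from the post.

```python
"""Model of Junos firewall-filter evaluation for filter-based forwarding.

Terms are matched top-down; the first term whose 'from' conditions all hold
decides the action, and a packet matching no term hits the implicit discard.
FILTER1 and the routing instances transcribe the post; flows are constructed.
"""
from ipaddress import ip_address, ip_network

# (name, from-conditions, (action, argument)); an empty dict matches everything
FILTER1 = [
    ("pod-allow", {"destination-address": ["192.168.0.0/16"]}, ("accept", None)),
    ("mgmt-allow", {"destination-address": ["172.16.0.0/12"]}, ("accept", None)),
    ("TERM-test", {"source-address": ["172.17.20.28/32"]},
     ("routing-instance", "rt-cifra1-test")),
    ("default", {}, ("routing-instance", "rt-cifra1-all")),
]

# default route per forwarding instance as (next-hop, preference): a plain
# static next-hop gets the Junos default preference 5 (assumed), the qualified one 100
INSTANCES = {
    "rt-cifra1-all": [("213.167.56.133", 5), ("213.167.60.117", 100)],
    "rt-cifra1-test": [("213.167.60.117", 5), ("213.167.56.133", 100)],
}

def _in_any(addr, prefixes):
    return any(ip_address(addr) in ip_network(p) for p in prefixes)

def evaluate(terms, src, dst):
    """Return (term, action, argument) for the first matching term."""
    for name, cond, (action, arg) in terms:
        if "source-address" in cond and not _in_any(src, cond["source-address"]):
            continue
        if "destination-address" in cond and not _in_any(dst, cond["destination-address"]):
            continue
        return name, action, arg
    return None, "discard", None  # implicit discard ends every Junos filter

def active_next_hop(instance):
    """Lowest preference is installed; the other next-hop is only a backup."""
    return min(INSTANCES[instance], key=lambda nh: nh[1])[0]

def forward(src, dst):
    """Which term a flow hits and, for FBF terms, which gateway should carry it."""
    name, action, arg = evaluate(FILTER1, src, dst)
    return (name, active_next_hop(arg)) if action == "routing-instance" else (name, action)

if __name__ == "__main__":
    for flow in [("172.17.20.28", "198.51.100.10"), ("172.17.20.50", "198.51.100.10"),
                 ("172.17.20.28", "172.16.5.9")]:  # constructed flows from vlan.20
        print(*flow, "->", forward(*flow))
```

If the model says 213.167.60.117 for the test host but traceroute shows 213.167.56.133, the flow is not being classified by FILTER1 as expected (for instance, it is not entering on vlan.20 or the filter is not applied where the traffic arrives), which narrows down where to look.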