Hi, I am getting an issue when using NAT with FBF in my configuration as below.
As in the attached image, I have an internal server (192.168.1.96) using static NAT to an external WAN fixed IP (126.96.36.199). If I just use the direct setting (no other Internet access), it succeeds.
But after I added another, faster WAN access (188.8.131.52) for default Internet access and used another routing-instance (wtt-bb) through FBF for the dedicated server, I cannot access the server from the Internet anymore. But the server can successfully use static NAT to access the Internet (I just checked an IP website, which showed the server got the right WAN IP, and a traceroute used the right port).
Can anyone help? thanks!!
set interfaces ge-0/0/2 unit 0 family inet address 184.108.40.206/24
set interfaces ge-0/0/4 unit 0 family inet address 220.127.116.11/24
set interfaces ge-0/0/6 unit 0 family inet address 192.168.1.254/24
set interfaces ge-0/0/6 unit 0 family inet filter input serverDedicatedRoute
set routing-options interface-routes rib-group inet allRoute
set routing-options static route 0.0.0.0/0 next-hop 18.104.22.168
set routing-options rib-groups allRoute import-rib inet.0
set routing-options rib-groups allRoute import-rib wtt-bb.inet.0
set security nat static rule-set tempTest from interface ge-0/0/4.0
set security nat static rule-set tempTest rule tempNAT match destination-address 22.214.171.124/32
set security nat static rule-set tempTest rule tempNAT then static-nat prefix 192.168.1.96/32
set security policies from-zone untrust to-zone trust policy tempFullAccess match source-address any
set security policies from-zone untrust to-zone trust policy tempFullAccess match destination-address any
set security policies from-zone untrust to-zone trust policy tempFullAccess match application any
set security policies from-zone untrust to-zone trust policy tempFullAccess then permit
set security policies default-policy permit-all
set security zones security-zone trust interfaces ge-0/0/6.0
set security zones security-zone untrust interfaces ge-0/0/4.0
set security zones security-zone untrust interfaces ge-0/0/2.0
set firewall filter serverDedicatedRoute term serverService from source-address 192.168.1.96/32
set firewall filter serverDedicatedRoute term serverService then routing-instance wtt-bb
set firewall filter serverDedicatedRoute term default then accept
set routing-instances wtt-bb instance-type forwarding
set routing-instances wtt-bb routing-options static route 0.0.0.0/0 next-hop 126.96.36.199
The issue seems to be that the NAT is set for the interface.
Instead, try setting it for the zone and it should be able to work.
The firewall filter always gets hit first, even before the NAT and other functions kick in.
I have changed it to "from zone untrust" but still cannot make it work. I wonder if there are any problems due to the routing instance?
wtt-bb.inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 20:54:42
                    > to 188.8.131.52 via ge-0/0/4.0
2.2.2.0/24         *[Direct/0] 20:54:42
                    > via ge-0/0/2.0
2.2.2.254/24       *[Local/0] 20:54:42
                      Local via ge-0/0/2.0
192.168.1.0/24     *[Direct/0] 20:54:42
                    > via ge-0/0/6.0
192.168.1.232/32   *[Local/0] 20:54:42
                      Local via ge-0/0/6.0
1.1.1.0/24         *[Direct/0] 20:54:42
                    > via ge-0/0/4.0
1.1.1.254/32       *[Local/0] 20:54:42
                      Local via ge-0/0/4.0
Or are there any other things I can try to test?
Looks like an ARP issue.
Can you please try setting proxy-arp for the desired IP address on your egress/wan facing interface?
I have tried, but with the same result. When I have not added the routing-instance setting, it goes well. So it may not be a proxy-arp issue.
I found another interesting result. If I update the static route in routing-options to include 0.0.0.0/0 next-hop 184.108.40.206/32, it goes well too...... So I think the problem is caused by the routing table? Or the return path of the NAT from 220.127.116.11/32 goes to the wrong WAN link (going to 18.104.22.168/32)?
Hope anyone can help on it..... Thanks!!!!
Just changing the instance type from forwarding to virtual-router will solve this issue. Still checking the details on it.
Just searched for your problem. I have the same problem as yours. But after I changed the routing-instance type from "forwarding" to "virtual-router", the problem was still not solved.
Does it only need the routing-instance type to be changed? Could you show me more details? Thanks.