Hi,
thanks for the reply.
Yes, currently I only want two hosts from 10.83.30.0/24 to be redirected. The security policy looks like:
policy ARM02 {
match {
source-address any-ipv4;
destination-address ARM02;
application [ junos-dns-udp junos-dns-tcp junos-ssh junos-https junos-http ];
}
then {
permit;
}
}
I know this works fine as ARM02 runs pi-hole and I can browse to the webGUI for that service on HTTPS without issue.
Running your suggested command gives me:
show security flow session source-prefix 10.83.30.12
Session ID: 10908, Policy name: INSIDE-TO-OUTSIDE/4, Timeout: 1722, Valid
In: 10.83.30.12/43221 --> 216.58.213.74/443;tcp, Conn Tag: 0x0, If: irb.30, Pkts: 15, Bytes: 3526,
Out: 216.58.213.74/443 --> x.x.x.x/24804;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 11, Bytes: 4156,
Session ID: 12969, Policy name: INSIDE-TO-OUTSIDE/4, Timeout: 1462, Valid
In: 10.83.30.12/50593 --> 157.240.1.32/443;tcp, Conn Tag: 0x0, If: irb.30, Pkts: 10, Bytes: 1249,
Out: 157.240.1.32/443 --> x.x.x.x/20051;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 8, Bytes: 3842,
Session ID: 12977, Policy name: INSIDE-TO-OUTSIDE/4, Timeout: 1790, Valid
In: 10.83.30.12/38191 --> 64.233.184.188/5228;tcp, Conn Tag: 0x0, If: irb.30, Pkts: 47, Bytes: 3641,
Out: 64.233.184.188/5228 --> x.x.x.x/9314;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 34, Bytes: 12745,
Session ID: 13034, Policy name: INSIDE-TO-OUTSIDE/4, Timeout: 1720, Valid
In: 10.83.30.12/55815 --> 216.58.206.46/443;tcp, Conn Tag: 0x0, If: irb.30, Pkts: 11, Bytes: 914,
Out: 216.58.206.46/443 -->x.x.x.x/5889;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 11, Bytes: 4649,
Total sessions: 4
So it looks like traffic is leaving via ge-0/0/0 which is connected to the internet link, which is not the ge-0/0/3 that the routing table indicates should be used!?
Any ideas? 🙂
cheers,
Seb.
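The diagnosis in the post above comes from reading the "If:" field of each Out wing by eye. The following is an added example, not code from the poster or from anyone in the thread, that parses that kind of "show security flow session" output into structured records and flags sessions whose reverse wing is not on the physical interface you expect. The sample text is the four sessions quoted in the post (x.x.x.x is the poster's redacted public address), the expected interface ge-0/0/3 comes from the post, and the regexes, class and function names are my own assumptions about the output format rather than anything documented by Juniper.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the four sessions quoted in the post (x.x.x.x is the poster's redacted IP).
SAMPLE_OUTPUT = """\
Session ID: 10908, Policy name: INSIDE-TO-OUTSIDE/4, Timeout: 1722, Valid
In: 10.83.30.12/43221 --> 216.58.213.74/443;tcp, Conn Tag: 0x0, If: irb.30, Pkts: 15, Bytes: 3526,
Out: 216.58.213.74/443 --> x.x.x.x/24804;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 11, Bytes: 4156,
Session ID: 12969, Policy name: INSIDE-TO-OUTSIDE/4, Timeout: 1462, Valid
In: 10.83.30.12/50593 --> 157.240.1.32/443;tcp, Conn Tag: 0x0, If: irb.30, Pkts: 10, Bytes: 1249,
Out: 157.240.1.32/443 --> x.x.x.x/20051;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 8, Bytes: 3842,
Session ID: 12977, Policy name: INSIDE-TO-OUTSIDE/4, Timeout: 1790, Valid
In: 10.83.30.12/38191 --> 64.233.184.188/5228;tcp, Conn Tag: 0x0, If: irb.30, Pkts: 47, Bytes: 3641,
Out: 64.233.184.188/5228 --> x.x.x.x/9314;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 34, Bytes: 12745,
Session ID: 13034, Policy name: INSIDE-TO-OUTSIDE/4, Timeout: 1720, Valid
In: 10.83.30.12/55815 --> 216.58.206.46/443;tcp, Conn Tag: 0x0, If: irb.30, Pkts: 11, Bytes: 914,
Out: 216.58.206.46/443 -->x.x.x.x/5889;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 11, Bytes: 4649,
Total sessions: 4
"""

# Assumed line shapes, derived from the quoted output rather than from vendor documentation.
SESSION_RE = re.compile(r"^Session ID: (\d+), Policy name: (\S+), Timeout: (\d+), (\w+)")
# "\s*" after "-->" because one of the quoted lines has no space there.
WING_RE = re.compile(
    r"^(In|Out): (\S+?)/(\d+) -->\s*(\S+?)/(\d+);(\w+), Conn Tag: (\S+), "
    r"If: (\S+), Pkts: (\d+), Bytes: (\d+)"
)
TOTAL_RE = re.compile(r"^Total sessions: (\d+)")


@dataclass
class Wing:
    src: str
    src_port: int
    dst: str
    dst_port: int
    proto: str
    interface: str  # logical interface as printed, e.g. ge-0/0/0.0
    pkts: int
    bytes: int


@dataclass
class Session:
    session_id: int
    policy: str
    timeout: int
    state: str
    wings: Dict[str, Wing] = field(default_factory=dict)  # keyed "In" / "Out"


def physical_interface(logical: str) -> str:
    """ge-0/0/0.0 -> ge-0/0/0 (strip the unit number)."""
    return logical.split(".", 1)[0]


def parse_flow_sessions(text: str) -> Tuple[List[Session], Optional[int]]:
    """Turn session-table text into Session objects; also return the device's own total."""
    sessions: List[Session] = []
    reported_total: Optional[int] = None
    current: Optional[Session] = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SESSION_RE.match(line):
            current = Session(int(m.group(1)), m.group(2), int(m.group(3)), m.group(4))
            sessions.append(current)
        elif m := WING_RE.match(line):
            if current is None:
                raise ValueError(f"wing line before any session header: {line}")
            current.wings[m.group(1)] = Wing(
                m.group(2), int(m.group(3)), m.group(4), int(m.group(5)), m.group(6),
                m.group(8), int(m.group(9)), int(m.group(10)),
            )
        elif m := TOTAL_RE.match(line):
            reported_total = int(m.group(1))
    return sessions, reported_total


def unexpected_egress(sessions: List[Session], expected_physical: str) -> List[int]:
    """IDs of sessions whose Out wing sits on a physical interface other than the expected one."""
    return [
        s.session_id for s in sessions
        if "Out" in s.wings and physical_interface(s.wings["Out"].interface) != expected_physical
    ]


def sessions_by_policy(sessions: List[Session]) -> Dict[str, int]:
    """How many sessions matched each security policy (useful to see whether ARM02 ever hit)."""
    counts: Dict[str, int] = {}
    for s in sessions:
        counts[s.policy] = counts.get(s.policy, 0) + 1
    return counts


if __name__ == "__main__":
    parsed, total = parse_flow_sessions(SAMPLE_OUTPUT)
    print(f"parsed {len(parsed)} sessions (device reported {total})")
    print("sessions per policy:", sessions_by_policy(parsed))
    print("sessions not leaving via ge-0/0/3:", unexpected_egress(parsed, "ge-0/0/3"))
```

Feed it the saved output of the command with `parse_flow_sessions(open("sessions.txt").read())`; on the sample above all four session IDs are reported as not leaving via ge-0/0/3, and the per-policy count shows every session matched INSIDE-TO-OUTSIDE/4 rather than ARM02, which is the same fact the post points at, just checked mechanically.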