Dear,
We have two sites that are connected with a glass fiber cable (rented from the ISP), and we have a site-to-site VPN over it for internal traffic. We would like to share the Internet connection at each site as a backup connection for the other site. I created probes so that when the link is down, it will fail over to the other site's connection. The Internet traffic will be outside of the VPN. Please see the diagram and my config below. The failover with the probe works for the Internet route, but the return traffic still prefers the VPN since it is first in the routing table. How can I send the Internet (external) return traffic outside of the VPN? Maybe you have better advice for the scenario below?
Thank you very much in advance.
Cheers,
Isac
#SITE1 FIREWALL - Virtual Router
set routing-options static route 0/0 qualified-next-hop 10.13.1.2 preference 10
set routing-instances to-SITE2-ISP instance-type virtual-router
set routing-instances to-SITE2-ISP interface reth2.0
set routing-instances to-SITE2-ISP routing-options static route 0/0 next-hop 10.13.1.2
set routing-options rib-groups to-SITE2-ISP-RouteGr import-rib [inet.0 to-SITE2-ISP.inet.0]
set routing-options interface-routes rib-group inet to-SITE2-ISP-RouteGr
set routing-instances to-SITE2-ISP routing-options interface-routes rib-group inet to-SITE2-ISP-RouteGr
#HEALTH CHECK FOR SITE1 INTERNET CONNECTION
set services rpm probe INTERNET-probe test TEST-Route-google probe-type icmp-ping
set services rpm probe INTERNET-probe test TEST-Route-google target address 8.8.8.8
set services rpm probe INTERNET-probe test TEST-Route-google probe-count 3
set services rpm probe INTERNET-probe test TEST-Route-google probe-interval 15
set services rpm probe INTERNET-probe test TEST-Route-google test-interval 10
set services rpm probe INTERNET-probe test TEST-Route-google thresholds successive-loss 3
set services rpm probe INTERNET-probe test TEST-Route-google thresholds total-loss 3
set services rpm probe INTERNET-probe test TEST-Route-google destination-interface reth1.0
set services rpm probe INTERNET-probe test TEST-Route-google next-hop 1.1.1.1
set services ip-monitoring policy Server-Tracking match rpm-probe INTERNET-probe
set services ip-monitoring policy Server-Tracking then preferred-route route 0.0.0.0/0 next-hop 10.13.1.2
#SITE1 FIREWALL - NAT for Incoming traffic from SITE2
set security nat source rule-set ZONEP2P-nat-INTERNET from zone ZONEP2P
set security nat source rule-set ZONEP2P-nat-INTERNET to zone INTERNET
set security nat source rule-set ZONEP2P-nat-INTERNET rule ZONEP2P-nat match destination-address 0.0.0.0/0
set security nat source rule-set ZONEP2P-nat-INTERNET rule ZONEP2P-nat match destination-address-name internet-ipv4
set security nat source rule-set ZONEP2P-nat-INTERNET rule ZONEP2P-nat match application any
set security nat source rule-set ZONEP2P-nat-INTERNET rule ZONEP2P-nat then source-nat interface
#SITE1 FIREWALL - Security Policy for Incoming traffic from SITE2
set security policies from-zone ZONEP2P to-zone INTERNET policy ZONEP2P-INTERNET description "From:ZONEP2P:any To:INTERNET:any Application: any Policy:permit"
set security policies from-zone ZONEP2P to-zone INTERNET policy ZONEP2P-INTERNET match source-address any
set security policies from-zone ZONEP2P to-zone INTERNET policy ZONEP2P-INTERNET match destination-address any
set security policies from-zone ZONEP2P to-zone INTERNET policy ZONEP2P-INTERNET match application any
set security policies from-zone ZONEP2P to-zone INTERNET policy ZONEP2P-INTERNET then permit
set security policies from-zone ZONEP2P to-zone INTERNET policy ZONEP2P-INTERNET then log session-init
set security policies from-zone ZONEP2P to-zone INTERNET policy ZONEP2P-INTERNET then log session-close
#SITE1 FIREWALL - Allow LAN to access ZONEP2P for backup Internet
set security policies from-zone LAN to-zone ZONEP2P policy LAN-ZONEP2P description "From:LAN:any To:ZONEP2P:any Application: any Policy:permit"
set security policies from-zone LAN to-zone ZONEP2P policy LAN-ZONEP2P match source-address any
set security policies from-zone LAN to-zone ZONEP2P policy LAN-ZONEP2P match destination-address any
set security policies from-zone LAN to-zone ZONEP2P policy LAN-ZONEP2P match application any
set security policies from-zone LAN to-zone ZONEP2P policy LAN-ZONEP2P then permit
set security policies from-zone LAN to-zone ZONEP2P policy LAN-ZONEP2P then log session-init
set security policies from-zone LAN to-zone ZONEP2P policy LAN-ZONEP2P then log session-close
#SITE2 FIREWALL - Virtual Router
set routing-options static route 0/0 qualified-next-hop 10.13.1.1 preference 10
set routing-instances to-SITE1-ISP instance-type virtual-router
set routing-instances to-SITE1-ISP interface reth2.0
set routing-instances to-SITE1-ISP routing-options static route 0/0 next-hop 10.13.1.1
set routing-options rib-groups to-SITE1-ISP-RouteGr import-rib [inet.0 to-SITE1-ISP.inet.0]
set routing-options interface-routes rib-group inet to-SITE1-ISP-RouteGr
set routing-instances to-SITE1-ISP routing-options interface-routes rib-group inet to-SITE1-ISP-RouteGr
#HEALTH CHECK FOR SITE2 INTERNET CONNECTION
set services rpm probe INTERNET-probe test TEST-Route-google probe-type icmp-ping
set services rpm probe INTERNET-probe test TEST-Route-google target address 8.8.8.8
set services rpm probe INTERNET-probe test TEST-Route-google probe-count 3
set services rpm probe INTERNET-probe test TEST-Route-google probe-interval 15
set services rpm probe INTERNET-probe test TEST-Route-google test-interval 10
set services rpm probe INTERNET-probe test TEST-Route-google thresholds successive-loss 3
set services rpm probe INTERNET-probe test TEST-Route-google thresholds total-loss 3
set services rpm probe INTERNET-probe test TEST-Route-google destination-interface reth1.0
# Public IP SITE1 GW
set services rpm probe INTERNET-probe test TEST-Route-google next-hop 2.2.2.2
set services ip-monitoring policy Server-Tracking match rpm-probe INTERNET-probe
set services ip-monitoring policy Server-Tracking then preferred-route route 0.0.0.0/0 next-hop 10.13.1.1
#SITE2 FIREWALL - NAT for Incoming traffic from SITE1
set security nat source rule-set ZONEP2P-nat-INTERNET from zone ZONEP2P
set security nat source rule-set ZONEP2P-nat-INTERNET to zone INTERNET
set security nat source rule-set ZONEP2P-nat-INTERNET rule ZONEP2P-nat match destination-address 0.0.0.0/0
set security nat source rule-set ZONEP2P-nat-INTERNET rule ZONEP2P-nat match destination-address-name internet-ipv4
set security nat source rule-set ZONEP2P-nat-INTERNET rule ZONEP2P-nat match application any
set security nat source rule-set ZONEP2P-nat-INTERNET rule ZONEP2P-nat then source-nat interface
#SITE2 FIREWALL - Security Policy for Incoming traffic from SITE1
set security policies from-zone ZONEP2P to-zone INTERNET policy ZONEP2P-INTERNET description "From:ZONEP2P:any To:INTERNET:any Application: any Policy:permit"
set security policies from-zone ZONEP2P to-zone INTERNET policy ZONEP2P-INTERNET match source-address any
set security policies from-zone ZONEP2P to-zone INTERNET policy ZONEP2P-INTERNET match destination-address any
set security policies from-zone ZONEP2P to-zone INTERNET policy ZONEP2P-INTERNET match application any
set security policies from-zone ZONEP2P to-zone INTERNET policy ZONEP2P-INTERNET then permit
set security policies from-zone ZONEP2P to-zone INTERNET policy ZONEP2P-INTERNET then log session-init
set security policies from-zone ZONEP2P to-zone INTERNET policy ZONEP2P-INTERNET then log session-close
#SITE2 FIREWALL - Allow LAN to access ZONEP2P for backup Internet
set security policies from-zone LAN to-zone ZONEP2P policy LAN-ZONEP2P description "From:LAN:any To:ZONEP2P:any Application: any Policy:permit"
set security policies from-zone LAN to-zone ZONEP2P policy LAN-ZONEP2P match source-address any
set security policies from-zone LAN to-zone ZONEP2P policy LAN-ZONEP2P match destination-address any
set security policies from-zone LAN to-zone ZONEP2P policy LAN-ZONEP2P match application any
set security policies from-zone LAN to-zone ZONEP2P policy LAN-ZONEP2P then permit
set security policies from-zone LAN to-zone ZONEP2P policy LAN-ZONEP2P then log session-init
set security policies from-zone LAN to-zone ZONEP2P policy LAN-ZONEP2P then log session-close
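One common way to keep the reply traffic on the fibre link instead of the VPN, added here as an example and not part of the original post: source-NAT the LAN traffic on the site whose Internet link has failed to its own reth2.0 address before it is handed to the other site. The remote firewall then sees a source that is directly connected on the P2P link (10.13.1.1 or 10.13.1.2), so its reverse lookup for the reply never matches the route to the remote LAN prefix that points into the VPN. The zone names LAN and ZONEP2P are taken from the post; the rule-set name LAN-nat-ZONEP2P and the rule name LAN-nat are assumed names. The block is for SITE1; SITE2 gets the mirror with the same zone pair.

```junos
# SITE1 FIREWALL - added example, not from the original post.
# Hide the LAN behind reth2.0 when LAN traffic leaves towards SITE2 for backup Internet,
# so SITE2 returns replies to 10.13.1.1 on the P2P link instead of routing the SITE1 LAN
# prefix back into the VPN. The existing ZONEP2P-nat-INTERNET rule-set on SITE2 then
# performs the second NAT onto SITE2's Internet interface.
# LAN-nat-ZONEP2P and LAN-nat are assumed names.
set security nat source rule-set LAN-nat-ZONEP2P from zone LAN
set security nat source rule-set LAN-nat-ZONEP2P to zone ZONEP2P
set security nat source rule-set LAN-nat-ZONEP2P rule LAN-nat match source-address 0.0.0.0/0
set security nat source rule-set LAN-nat-ZONEP2P rule LAN-nat match destination-address 0.0.0.0/0
set security nat source rule-set LAN-nat-ZONEP2P rule LAN-nat then source-nat interface
# SITE2 FIREWALL - same rule-set with the same zone pair (LAN to ZONEP2P), so that
# SITE1 sees 10.13.1.2 as the source when SITE2 uses SITE1's Internet link.
```

This only touches traffic whose egress zone is ZONEP2P, so the internal site-to-site traffic through the VPN (a different egress zone) is not translated. After commit, `show services ip-monitoring status` shows whether the preferred route is active, `show route 0.0.0.0/0` confirms which next-hop is in use, and on the remote site `show security flow session destination-prefix 8.8.8.8` should show the P2P link address as the session source. Two caveats: because all hosts of the failed site collapse to one address, the remote site's logs can only attribute traffic to the link address, so per-host accountability rests on the session-init/session-close logging already configured on the LAN-ZONEP2P policy; and, as the post states, this backup path crosses the rented fibre outside the VPN, so it should carry only the Internet-bound traffic that is acceptable there, never the internal traffic the VPN is meant to protect.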