Something that's not immediately evident, especially if you've worked with VRF in RouterOS, is that the SRX does all routing lookups in the context of the interface that received the first packet of the session. All subsequent packets of the same flow, regardless of direction, use the session information determined during first packet processing.
So if the first packet arrives on ge-0/0/0 then after destination / static NAT, both forward and reverse route lookups will be made using the virtual router that interface belongs to. Same for first packet arriving on ge-0/0/1.
This also means that those virtual routers need to have a route to your LAN subnet (address after destination / static NAT).
With FBF you can pick an alternate routing instance for a forward routing lookup (I think it's forward-only but may be forward and reverse, I would have to double check) manually, but again, that's for the first packet of a session. If I understand your scenario correctly, there's no need for FBF in your case.
------------------------------
Nikolay Semov
------------------------------
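Putting the two points above together (first-packet lookups happen in the virtual router of the ingress interface, so every VR that can receive a WAN-initiated session needs a route to the LAN subnet; one virtual router per internet supply plus destination NAT), here is an added Junos configuration sketch for the setup described further down in the thread. It is not from the original posts or from Juniper. The interfaces, the WAN and LAN addresses and the gateways are the ones given in the question; the /24 masks on the WAN links, the LAN host 192.168.50.10, the public range 203.0.113.0/24 (TEST-NET-3, standing in for one of the new /24s) and all zone, pool, rule and instance names are constructed assumptions.

```junos
/* Added example, not from the thread. Constructed values: WAN link masks,
   LAN host 192.168.50.10, public range 203.0.113.0/24 (placeholder for the
   poster's new /24), and every zone, pool, rule and instance name. */
interfaces {
    /* old supply */
    ge-0/0/0 { unit 0 { family inet { address 10.0.0.222/24; } } }
    /* new supply */
    ge-0/0/1 { unit 0 { family inet { address 172.16.0.230/24; } } }
    /* LAN */
    ge-0/0/2 { unit 0 { family inet { address 192.168.50.222/24; } } }
}
routing-instances {
    ISP-OLD {
        instance-type virtual-router;
        /* The LAN interface lives here, so LAN-initiated sessions keep using
           the old gateway and this VR already contains the LAN subnet. */
        interface ge-0/0/0.0;
        interface ge-0/0/2.0;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.0.0.1;
            }
        }
    }
    ISP-NEW {
        instance-type virtual-router;
        interface ge-0/0/1.0;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 172.16.0.1;
                /* Sessions whose first packet arrives on ge-0/0/1 do both the
                   forward (post-DNAT, towards the LAN) and the reverse lookup
                   in this VR, so it needs a route to the LAN subnet. */
                route 192.168.50.0/24 next-table ISP-OLD.inet.0;
            }
        }
    }
}
security {
    address-book {
        global {
            address LAN-HOST 192.168.50.10/32;
        }
    }
    zones {
        security-zone untrust-old { interfaces { ge-0/0/0.0; } }
        security-zone untrust-new { interfaces { ge-0/0/1.0; } }
        security-zone trust { interfaces { ge-0/0/2.0; } }
    }
    nat {
        destination {
            pool LAN-HOST-HTTPS {
                address 192.168.50.10/32 port 443;
            }
            /* The same LAN host is reachable on the old public IP and on an
               address from the new range; the rule-set is chosen by ingress
               zone, so the two supplies can be migrated independently. */
            rule-set FROM-OLD {
                from zone untrust-old;
                rule https-old {
                    match { destination-address 10.0.0.222/32; destination-port 443; }
                    then { destination-nat { pool { LAN-HOST-HTTPS; } } }
                }
            }
            rule-set FROM-NEW {
                from zone untrust-new;
                rule https-new {
                    match { destination-address 203.0.113.10/32; destination-port 443; }
                    then { destination-nat { pool { LAN-HOST-HTTPS; } } }
                }
            }
        }
        source {
            /* LAN-initiated traffic is masqueraded behind the old WAN address. */
            rule-set LAN-OUT {
                from zone trust;
                to zone untrust-old;
                rule masq {
                    match { source-address 192.168.50.0/24; }
                    then { source-nat { interface; } }
                }
            }
        }
    }
    policies {
        /* Policies match on the post-DNAT destination, so only the translated
           host and port is opened from each WAN zone. */
        from-zone untrust-old to-zone trust {
            policy allow-https { match { source-address any; destination-address LAN-HOST; application junos-https; } then { permit; } }
        }
        from-zone untrust-new to-zone trust {
            policy allow-https { match { source-address any; destination-address LAN-HOST; application junos-https; } then { permit; } }
        }
        from-zone trust to-zone untrust-old {
            policy lan-out { match { source-address any; destination-address any; application any; } then { permit; } }
        }
    }
}
```

Two design choices are worth noting. The LAN interface is placed in ISP-OLD rather than in a third instance, so only one `next-table` route (ISP-NEW towards ISP-OLD) is needed and the two instances never point `next-table` at each other. The new supply has to route the new /24 to 172.16.0.230 for the destination-NAT rule to ever see a packet; because the range is routed rather than on-link, no proxy ARP is required. After committing, `show route table ISP-NEW.inet.0` should list the LAN subnet, and `show security flow session` shows which routing instance a session was bound to at first-packet time.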
Original Message:
Sent: 08-02-2024 03:29
From: CHAYNE CHILES
Subject: Advice over best routing solution
Hi Nikolay
Yes that other post was from us.
I didn't think the original question was phrased correctly so have started a new thread.
Thank you for replying, I will test with virtual routers.
------------------------------
CHAYNE CHILES
Original Message:
Sent: 08-01-2024 14:19
From: Nikolay Semov
Subject: Advice over best routing solution
That guide, and the way they're doing FBF controls how LAN devices go out to the internet. FBF may have no or (possibly) negative effect on traffic that's initiated from the WAN.
To clarify, when I say "initiated from the WAN" I mean both directions of sessions for which the first packet came from the WAN, not just the WAN-to-LAN direction.
Do you need to split connections initiated from the LAN between the two internet supplies? If not, then you don't really need to use FBF.
I could have sworn there was another thread around here discussing this exact scenario but I can't find it right now ...
Personally, I would use two virtual routers for the two internet supplies. I also think destination NAT would work better than static NAT because it would allow you to map multiple WAN addresses (1 or more old IPs + 1 or more new IPs) to the same LAN host, which makes transitions from the old internet supply to the new internet supply much easier.
------------------------------
Nikolay Semov
Original Message:
Sent: 08-01-2024 10:06
From: CHAYNE CHILES
Subject: Advice over best routing solution
All IPs have been altered for privacy.
I have a Juniper SRX 345 with a WAN IP of 10.0.0.222 on ge-0/0/0 and a gateway of 10.0.0.1.
I have added a second internet supply with a gateway of 172.16.0.1 and given the SRX the WAN IP of 172.16.0.230 on interface ge-0/0/1.
The LAN will use interface ge-0/0/2 with an IP of 192.168.50.222.
I also have two /24s to use with the new internet supply.
I will start allocating the new IPs to my internal networks via source / destination / static (which would be better, or does it matter?).
I would like to route all traffic that is NATed to the new IP via the new gateway while leaving the old route and gateway in place.
What would the best way to do this be?
Routing instances or policy-based routing, or is there a better way?
------------------------------
CHAYNE CHILES
------------------------------