I'm trying to set up an SRX with two consumer-style ISPs.
Design goals:
- Concurrent IPSec/GRE tunnels over both ISPs. I think this means I need to put both WAN interfaces into VRFs.
- Handful of internal VLANs / security zones for inside purposes (internal/guest WiFi/management)
- Tagged handoff to internal L2 switches.
- Internal traffic NATs toward internet with failover based on ISP health (no load balancing requirement for internet-bound traffic)
My first time through, I set up the internet-facing stuff in virtual-router type VRFs, peered them with the global table using BGP (over lt interfaces), monitored internet health with rpm-probes, and even managed a clunky route filter to withdraw routes based on RPM probe failures. ...But then I got overwhelmed by security zones and NAT with this setup.
So, I'm taking a few steps back, looking for a simpler strategy with fewer moving parts.
What VRF type should I use for the internet-facing interfaces?
What route leaking strategy should I use?
How can I tie that route leaking strategy to an RPM probe (or similar) to effect ISP failover?
When I'm over this hurdle, I'll probably find myself similarly over my head in terms of security zones and NAT but hey, one thing at a time.
Thanks!