I have two ISPs, and failover between them currently works automatically. However, when my SRX switches from ISP1 (primary, ge-0/0/5.0) to ISP2 (backup, ge-0/0/0.0), outbound traffic does not use the 1:1 static NAT rule in the ISP2 zone (outbound NAT uses a different IP, not the one that has the static NAT).
Example: 192.168.1.0 is my email MTA, whose SPF record in my DNS server allows either 1.1.1.3 or 2.2.2.3. When the primary link is up, outgoing email leaves via 1.1.1.3 as expected, but if, for example, I disconnect the primary ISP cable, email leaves via 2.2.2.2, which is not correct: it has to use the 1:1 static NAT address of ISP2, which is 2.2.2.3.
ISP1 default gateway : 1.1.1.1
ISP2 default gateway : 2.2.2.1
I don't know what I am missing. Internet and other services work fine on ISP2, and the 1:1 NAT rules are defined in the ISP2 zone the same way as for ISP1. I expect outbound traffic to be sourced from 2.2.2.3 when on ISP2, but currently it is sourced from 2.2.2.2.
Could someone help me fix this issue? I'm not sure what is going wrong.
Static NAT
/* Static (1:1) NAT: 1.1.1.3 <-> 192.168.1.0 for sessions entering from zone ISP1, 2.2.2.3 <-> 192.168.1.0 for sessions entering from zone ISP2 */
static {
rule-set Server-ISP1 {
from zone ISP1;
rule mta-isp1 {
match {
destination-address 1.1.1.3/32;
}
then {
static-nat {
prefix {
/* the MTA host; the same internal address is the target of both rule-sets */
192.168.1.0/32;
}
}
}
}
}
/* NOTE(review): the reverse (outbound) translation of this rule-set is only applied when the session egresses through zone ISP2. ge-0/0/0.0 belongs to routing instance ISP2-VR, so confirm that the MTA's outbound sessions actually select that interface (session table lookup) rather than matching a source NAT rule; the rule that produces 2.2.2.2 is not shown in this excerpt. */
rule-set Server-ISP2 {
from zone ISP2;
rule mta-isp2 {
match {
destination-address 2.2.2.3/32;
}
then {
static-nat {
prefix {
192.168.1.0/32;
}
}
}
}
}
}
Proxy ARP
/* Proxy ARP so the SRX answers ARP for each static-NAT address on the matching ISP interface (1.1.1.3 on ISP1, 2.2.2.3 on ISP2) */
proxy-arp {
interface ge-0/0/5.0 {
address {
1.1.1.3/32;
}
}
interface ge-0/0/0.0 {
address {
2.2.2.3/32;
}
}
}
Policies
/* Security policies permitting SMTP from the MTA host (192.168.1.0) to any destination in each ISP zone; both policies are otherwise identical */
policies {
from-zone DMZ to-zone ISP1 {
/* NOTE(review): this policy is in the DMZ -> ISP1 context but is named isp2-mta, the same name as the ISP2 policy below; consider renaming it to isp1-mta to avoid confusion when reading logs and session output */
policy isp2-mta {
match {
source-address 192.168.1.0/32;
destination-address any;
application [ junos-smtp ];
}
then {
permit;
}
}
}
from-zone DMZ to-zone ISP2 {
policy isp2-mta {
match {
source-address 192.168.1.0/32;
destination-address any;
application [ junos-smtp ];
}
then {
permit;
}
}
}
}
Routing Options
/* Master instance: default route via the ISP1 gateway at preference 10; the ISP2 default is learned from ISP2-VR through the instance-import policy below */
routing-options {
static {
route 0.0.0.0/0 {
next-hop 1.1.1.1;
preference 10;
}
}
instance-import from_ISP2-VR_to_master;
}
/* Route-leaking policies between the master instance and ISP2-VR */
policy-options {
/* import only the exact default route from ISP2-VR into master */
policy-statement from_ISP2-VR_to_master {
term policy1 {
from {
instance ISP2-VR;
route-filter 0.0.0.0/0 exact;
}
then accept;
}
term policy2 {
then next policy;
}
}
/* export the MTA subnet from master into ISP2-VR so return traffic can be routed back */
policy-statement from_master_to_ISP2-VR {
term policy1 {
from {
instance master;
/* NOTE(review): 192.168.1.10/24 has host bits set; combined with "exact" this appears to match only the 192.168.1.0/24 route. Confirm the intended prefix — the MTA (192.168.1.0) falls inside it, but a /32 route for the host would not be matched. */
route-filter 192.168.1.10/24 exact;
}
then accept;
}
term policy2 {
then reject;
}
}
}
/* ISP2 is isolated in its own virtual router holding ge-0/0/0.0; its default route points at the ISP2 gateway at preference 20 and it imports the MTA subnet from master */
routing-instances {
ISP2-VR {
instance-type virtual-router;
interface ge-0/0/0.0;
routing-options {
static {
route 0.0.0.0/0 {
next-hop 2.2.2.1;
preference 20;
}
}
instance-import from_master_to_ISP2-VR;
}
}
}
RPM services for automatic switchover
/* RPM probes and ip-monitoring policies that drive the ISP failover */
services {
rpm {
/* ICMP probe to 8.8.8.8 forced out ge-0/0/5.0 via the ISP1 gateway */
probe ISP_1 {
test link {
probe-type icmp-ping;
/* NOTE(review): both probes use the same single external target; if 8.8.8.8 itself is unreachable from both links, both policies fire at once. A second target per probe would make the decision more robust. */
target address 8.8.8.8;
probe-count 3;
probe-interval 5;
test-interval 10;
thresholds {
successive-loss 3;
total-loss 3;
}
destination-interface ge-0/0/5.0;
next-hop 1.1.1.1;
}
}
/* ICMP probe to 8.8.8.8 forced out ge-0/0/0.0 via the ISP2 gateway */
probe ISP_2 {
test link {
probe-type icmp-ping;
target address 8.8.8.8;
probe-count 3;
probe-interval 5;
test-interval 10;
thresholds {
successive-loss 3;
total-loss 3;
}
destination-interface ge-0/0/0.0;
next-hop 2.2.2.1;
}
}
}
application-identification {
enable-heuristics;
}
ip-monitoring {
/* when the ISP1 probe fails, install a preferred default in ISP2-VR; master picks it up through the from_ISP2-VR_to_master import */
policy ISP_1 {
match {
rpm-probe ISP_1;
}
then {
preferred-route {
routing-instances ISP2-VR {
route 0.0.0.0/0 {
next-hop 2.2.2.1;
}
}
}
}
}
/* NOTE(review): on ISP2 probe failure this installs a default via 1.1.1.1 in master, which already holds that static default; presumably intended to outrank the imported ISP2 route if both policies are active — confirm that is the intent */
policy ISP_2 {
match {
rpm-probe ISP_2;
}
then {
preferred-route {
routing-instances master {
route 0.0.0.0/0 {
next-hop 1.1.1.1;
}
}
}
}
}
}
}