(18 September 2012)
Problem
When packets come into my firewall, I want the replies to those conversations to go out the way they came in, not necessarily the way the routing table says they should.
Say I have this situation (both untrust interfaces are bound to the untrust zone; ScreenOS requires an interface to be bound to a zone before it will take an IP address):
set interface ethernet0/0 zone trust
set interface ethernet0/0 ip 192.168.1.1/24
set interface ethernet0/0 nat
set interface ethernet0/0 ip manageable
set interface ethernet0/2 zone untrust
set interface ethernet0/3 zone untrust
set interface ethernet0/2 ip 10.0.0.1/24
set interface ethernet0/3 ip 10.0.1.1/24
set interface ethernet0/2 mip 10.0.0.10 host 192.168.1.10 netmask 255.255.255.255 vr trust-vr
set interface ethernet0/3 mip 10.0.1.10 host 192.168.1.10 netmask 255.255.255.255 vr trust-vr
set route 0.0.0.0/0 gateway 10.0.0.254
set route 0.0.0.0/0 gateway 10.0.1.254
...plus appropriate policies. I want replies for connections to 10.0.0.10 to be returned via 10.0.0.254, and replies for connections to 10.0.1.10 to be returned via 10.0.1.254. The routing table alone cannot express this: both default routes are equally specific, so a route lookup on the client's address sends every reply out the same way, and connections that arrived through the other router get an asymmetric return path.
(Note that the two MIPs are intentionally pointed at the same private address. This scenario deals only with incoming connections; MIP selection for outbound connections is a different problem.)
Solution
The flow option reverse-route clear-text selects how the firewall chooses the return path for reply packets of a clear-text (non-VPN) session: either it looks up a route for the reply's destination, or it sends the reply back out the interface the session arrived on, to the MAC address of the last hop, which it cached when the session was created. By default the firewall looks up the return route. You turn that behaviour off with this setting:
unset flow reverse-route clear-text
After this, replies to connections that came in via 10.0.0.254 go back to 10.0.0.254 and replies to connections that came in via 10.0.1.254 go back to 10.0.1.254, regardless of which default route the routing table prefers. The set form of the command takes prefer (the default: use the route if one exists, otherwise fall back to the cached last hop) or always (use the route lookup only). Note that the option is global: it changes the reply path for every clear-text session on the device, not just for the two MIPs. The separate option flow reverse-route tunnel controls the same choice for traffic that arrived through a VPN tunnel; the ScreenOS CLI reference documents both forms.
This option was introduced in ScreenOS 6.0.0.
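As an added illustration (not ScreenOS code, and not from the original page), the following Python model reproduces the two reply-path behaviours on the page's own addressing: a longest-prefix route lookup on the client address, versus returning the reply out the session's ingress interface to the cached MAC of the last hop. The client addresses, MAC addresses and the choice that the device installs only the first of the two equal default routes are assumptions made for the example.

```python
"""Model of reply-path selection for clear-text firewall sessions.

Added example, not ScreenOS code.  It models the two behaviours the text
describes: reverse-route lookup (the default) versus using the ingress
interface and cached last-hop MAC ("unset flow reverse-route clear-text").
Client addresses and MAC addresses below are constructed for the example.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: Net
    gateway: Optional[IPv4]   # None for a connected (directly attached) network
    interface: str


@dataclass(frozen=True)
class Session:
    client: IPv4              # remote host that opened the session
    mip: IPv4                 # MIP the client connected to
    ingress_interface: str    # interface the first packet arrived on
    last_hop_mac: str         # MAC of the router that delivered it (cached in the session)


# Untrust interfaces and their connected networks, as on the page.
INTERFACES = {
    "ethernet0/2": Net("10.0.0.0/24"),
    "ethernet0/3": Net("10.0.1.0/24"),
}


def interface_for(gateway: IPv4) -> str:
    """Egress interface for a gateway is the one whose connected network holds it."""
    for name, net in INTERFACES.items():
        if gateway in net:
            return name
    raise ValueError(f"gateway {gateway} is not on a connected network")


# Connected routes plus the two default routes from the page, in install order.
ROUTES = [Route(net, None, name) for name, net in INTERFACES.items()] + [
    Route(Net("0.0.0.0/0"), IPv4("10.0.0.254"), interface_for(IPv4("10.0.0.254"))),
    Route(Net("0.0.0.0/0"), IPv4("10.0.1.254"), interface_for(IPv4("10.0.1.254"))),
]


def route_lookup(dest: IPv4, routes: list[Route] = ROUTES) -> Route:
    """Longest-prefix match.  Among equal-length prefixes the first installed
    route wins (max() keeps the first maximal element), which models a device
    that is not load-balancing across the two equal default routes."""
    candidates = [r for r in routes if dest in r.prefix]
    if not candidates:
        raise LookupError(f"no route to {dest}")
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def reply_egress(session: Session, reverse_route_lookup: bool) -> tuple[str, str]:
    """Return (egress interface, next hop) for the replies of one session.

    reverse_route_lookup=True  : default behaviour, route lookup on the client address;
                                 next hop is the gateway address of the chosen route.
    reverse_route_lookup=False : 'unset flow reverse-route clear-text'; replies go back
                                 out the ingress interface to the cached last-hop MAC.
    """
    if reverse_route_lookup:
        route = route_lookup(session.client)
        return route.interface, str(route.gateway)
    return session.ingress_interface, session.last_hop_mac


# Constructed sessions: one client reached each MIP through its own router.
SESSIONS = [
    Session(IPv4("203.0.113.5"), IPv4("10.0.0.10"), "ethernet0/2", "00:00:5e:00:53:02"),
    Session(IPv4("198.51.100.7"), IPv4("10.0.1.10"), "ethernet0/3", "00:00:5e:00:53:03"),
]


def reply_paths(reverse_route_lookup: bool) -> dict[str, tuple[str, str]]:
    """Map each MIP to the (interface, next hop) its replies would use."""
    return {str(s.mip): reply_egress(s, reverse_route_lookup) for s in SESSIONS}


if __name__ == "__main__":
    for mode in (True, False):
        print("reverse-route lookup:", "on (default)" if mode else "off (unset flow reverse-route clear-text)")
        for mip, (iface, hop) in reply_paths(mode).items():
            print(f"  replies for {mip}: out {iface} to {hop}")
```

With the lookup enabled, the model sends both sets of replies out ethernet0/2 to 10.0.0.254, because the two default routes are equally specific and the first one installed wins; replies for 10.0.1.10 therefore leave by a different path than the requests arrived on. With the lookup disabled, each session's replies return to the hop that delivered it.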