
Reverse-Route Lookup

Created by dave, 18 September 2012.

Problem

When packets come into my firewall, I want the replies to those conversations to go out the way they came in, not necessarily the way the routing table says they should.

Say I have this situation:

set interface "ethernet0/0" zone "Trust"
set interface ethernet0/0 ip 192.168.1.1/24
set interface ethernet0/0 nat
set interface ethernet0/0 ip manageable
set interface ethernet0/3 zone untrust
set interface ethernet0/2 ip 10.0.0.1/24
set interface ethernet0/3 ip 10.0.1.1/24
set interface ethernet0/2 mip 10.0.0.10 host 192.168.1.10 netmask 255.255.255.255 vr trust-vr
set interface ethernet0/3 mip 10.0.1.10 host 192.168.1.10 netmask 255.255.255.255 vr trust-vr
set route 0.0.0.0/0 gateway 10.0.0.254
set route 0.0.0.0/0 gateway 10.0.1.254

...plus appropriate policies, I want packets for connections to 10.0.0.10 to be returned via 10.0.0.254, and packets for connections to 10.0.1.10 to be returned via 10.0.1.254.

(Note that the two MIPs are intentionally pointed at the same private address. This scenario deals only with incoming connections; MIP selection for outbound connections is a different problem.)

Solution

The flow option reverse-route clear-text selects whether the firewall will try to look up a return route for the reply traffic, or simply cache the MAC address of the hop that delivered the packet and send the replies back to it. By default the firewall looks up the return route, but you can turn that behaviour off with this setting:

unset flow reverse-route clear-text

(See >>this page and >>this page for details on clear-text.)

This option was introduced in 6.0.0.
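To make the asymmetry concrete, here is a small Python model, added here and not taken from the page or from ScreenOS, of the two return-path strategies the option chooses between. It assumes that a tie between the two default routes goes to the first one configured (a simplification of real route selection), and the client address and MAC address are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the scenario on this page: one Trust and two Untrust
# interfaces, two equal default routes, and MIPs that both point at 192.168.1.10.
INTERFACES = {
    "ethernet0/0": ipaddress.ip_network("192.168.1.0/24"),
    "ethernet0/2": ipaddress.ip_network("10.0.0.0/24"),
    "ethernet0/3": ipaddress.ip_network("10.0.1.0/24"),
}
# (prefix, gateway) in configuration order, exactly as on the page.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "10.0.0.254"),
    (ipaddress.ip_network("0.0.0.0/0"), "10.0.1.254"),
]

@dataclass
class Session:
    ingress_if: str   # interface the first packet arrived on
    peer_mac: str     # MAC of the hop that delivered that packet (cached)
    client_ip: str    # remote address the replies must go back to

def egress_if_for(next_hop):
    """Pick the interface whose subnet contains the next-hop address."""
    addr = ipaddress.ip_address(next_hop)
    for name, net in INTERFACES.items():
        if addr in net:
            return name
    raise ValueError(f"no interface for {next_hop}")

def route_lookup(dst):
    """Longest-prefix match; assumption: equal routes resolve to the first configured."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in ROUTES if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]

def reply_path(session, reverse_route_lookup=True):
    """Return (egress interface, next hop) used for replies in this session."""
    if reverse_route_lookup:
        # Default behaviour: consult the routing table for the client address.
        gw = route_lookup(session.client_ip)
        return egress_if_for(gw), gw
    # 'unset flow reverse-route clear-text': reuse the ingress interface and
    # the cached MAC of the delivering hop, ignoring the routing table.
    return session.ingress_if, session.peer_mac

if __name__ == "__main__":
    s = Session("ethernet0/3", "00:00:5e:00:53:03", "203.0.113.5")  # constructed
    print("route lookup :", reply_path(s))                    # leaves via ethernet0/2
    print("cached MAC   :", reply_path(s, reverse_route_lookup=False))
```

With the lookup enabled, a connection that arrived on ethernet0/3 for the 10.0.1.10 MIP is answered through 10.0.0.254 on ethernet0/2, which is the asymmetric path the problem statement describes; with it disabled, the reply follows the ingress interface back to the cached hop.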
