For When You Can't Have The Real Thing
[ start | index | login ]
start > Netscreen > Reverse-Route Lookup

Reverse-Route Lookup

Created by dave. Last edited by dave, 11 years and 209 days ago. Viewed 3,724 times. #3
[diff] [history] [edit] [rdf]
(18 September 2012)


When packets come in to my firewall, I want the replys to those conversations to go out the way they came in, not necessarily the way the routing table says they should.

Say I have this situation:

set interface "ethernet0/0" zone "Trust"
set interface ethernet0/0 ip
set interface ethernet0/0 nat
set interface ethernet0/0 ip manageable
set interface ethernet0/3 zone untrust
set interface ethernet0/2 ip
set interface ethernet0/3 ip
set interface ethernet0/2 mip host netmask vr trust-vr
set interface ethernet0/3 mip host netmask vr trust-vr
set route gateway
set route gateway appropriate policies, I want packets for connections to to be returned via, and packets for connections to to be returned via

(Note that the two MIPs are intentionally pointed at the same private address. This scenario deals only with incoming connections; MIP selection for outbound connections is a different problem.)


The flow option reverse-route clear-text selects whether the firewall will try to look up a return route, or just cache the mac address of the emitting hop. By default the firewall looks up the return route, but you can turn that behavior off with this setting:

unset flow reverse-route clear-text

(See >>this page and >>this page for details on clear-text.)

This option was introduced in 6.0.0.

no comments | post comment
This is a collection of techical information, much of it learned the hard way. Consider it a lab book or a /info directory. I doubt much of it will be of use to anyone else.

Useful: | Copyright 2000-2002 Matthias L. Jugel and Stephan J. Schmidt