Имеется железка Juniper ssg20, и 2 входящих инет канала от разных провайдеров
1-й канал — полный интернет (на этом канале висит корпоративный почтовый сервак).
2-й — что-то типа локального контента + полный инет. Для использования локалки от 2-го провайдера прописан статический маршрут: на подсети данного провайдера ходить через интерфейс 2-го прова.
Всё в данной схеме работает, кроме одного: клиент из подсети 2-го прова не цепляется на интерфейс 1-го прова; если удалить статический маршрут для локалки прова, то всё работает. Получается следующая картина: пакет приходит на 1-й канал, а вот уходить с него же отказывается. Что посоветуете, куда копать, хотя бы при помощи чего это можно настроить?
Пастни сюда плс полный конфигурак - а то в голову приходит только RTFM BGP в качестве ответа :)
>Пастни сюда плс полный конфигурак - а то в голову приходит только
>RTFM BGP в качестве ответа :)
Ну вот как-то так:
X1.X1.X1.X1 Пров 1
X2.X2.X2.X2 Пров 2 pppoe
X1.X1.X1.GT Шлюз Прова 1
88.147.0.0/16
78.29.64.0/18
95.84.0.0/18
В эти 3 подсети ходить надо через 2-го прова, но клиенты из этих подсетей должны цепляться на почтовик, который висит на X1.X1.X1.X1.
Собственно, проблему я частично решил, настроив source routing для почтового сервака, чтобы он выходил в свет только через X1.X1.X1.X1: почта в таком варианте ходит, но, например, пинги не ходят.
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone id 101 "untrust_san1"
set zone id 102 "untrust_san2"
set zone id 103 "untrust_xdsl"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
unset zone "untrust_san1" tcp-rst
unset zone "untrust_san2" tcp-rst
unset zone "untrust_xdsl" tcp-rst
unset zone "Untrust" screen tear-drop
unset zone "Untrust" screen syn-flood
unset zone "Untrust" screen ping-death
unset zone "Untrust" screen ip-filter-src
unset zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set zone "Untrust" screen icmp-flood threshold 100
set zone "untrust_san2" screen icmp-flood threshold 100
set zone "Untrust" screen port-scan threshold 1000
set zone "untrust_san2" screen port-scan threshold 1000
set zone "Untrust" screen udp-flood threshold 100
set zone "untrust_san2" screen udp-flood threshold 100
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "untrust_xdsl"
set interface "ethernet0/2" zone "untrust_san2"
set interface "ethernet0/3" zone "untrust_san2"
set interface "bgroup0" zone "Trust"
set interface bgroup0 port ethernet0/4
unset interface vlan1 ip
set interface ethernet0/0 ip X1.X1.X1.X1/30
set interface ethernet0/0 route
set interface ethernet0/1 ip 10.1.1.1/24
set interface ethernet0/1 route
set interface ethernet0/2 ip X2.X2.X2.X2/32
set interface ethernet0/2 route
set interface ethernet0/3 ip X3.X3.X3.X3/32
set interface ethernet0/3 route
set interface bgroup0 ip 192.168.2.9/24
set interface bgroup0 nat
set interface bgroup0 ip 192.168.4.9 255.255.255.0 secondary
set interface "ethernet0/0" pmtu ipv4
set interface ethernet0/2 proxy dns
set interface ethernet0/3 proxy dns
set interface bgroup0 proxy dns
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface ethernet0/1 ip manageable
set interface ethernet0/2 ip manageable
set interface ethernet0/3 ip manageable
set interface bgroup0 ip manageable
set interface ethernet0/0 manage ping
set interface ethernet0/1 manage ping
set interface ethernet0/2 manage ping
set interface ethernet0/3 manage ping
unset interface ethernet0/0 monitor track-ip dynamic
set interface ethernet0/1 monitor track-ip ip 10.1.1.2 interval 60
unset interface ethernet0/1 monitor track-ip dynamic
set interface ethernet0/0 protocol irdp enable
set pak-poll p2queue pak-threshold 32
set flow tcp-mss
set flow all-tcp-mss 1304
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set dns host dns1 192.168.4.170 src-interface bgroup0
set dns host dns2 192.168.2.2 src-interface bgroup0
set dns host dns3 192.168.3.7 src-interface bgroup0
set dns host schedule 06:28
set dns proxy
set dns proxy enable
exit
set syslog src-interface bgroup0
set syslog enable
set log usb enable
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set ssh enable
set scp enable
set config lock timeout 5
unset license-key auto-update
set ssl port 1025
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
set route-lookup preference destination-routing 2 source-routing 1 sibr-routing 3
set source-routing enable
set sibr-routing enable
set adv-inact-interface
unset add-default-route
set route 10.0.0.0/24 interface bgroup0 gateway 192.168.4.170 preference 20
set route 10.1.1.0/24 interface ethernet0/1 gateway 10.1.1.3 preference 1
set route 0.0.0.0/0 interface ethernet0/0 gateway X1.X1.X1.GT preference 0
set route 192.168.3.0/24 interface bgroup0 gateway 192.168.4.170 preference 20
set route 192.168.5.0/24 interface bgroup0 gateway 192.168.4.170 preference 20
set route 192.168.6.0/24 interface bgroup0 gateway 192.168.4.170 preference 20
set route 192.168.21.0/24 interface bgroup0 gateway 192.168.4.170 preference 20
set route 192.168.77.0/24 interface bgroup0 gateway 192.168.4.170 preference 20
set route 192.168.66.0/24 interface bgroup0 gateway 192.168.4.170 preference 20
set route 192.168.11.0/24 interface bgroup0 gateway 192.168.4.170 preference 20
set route 80.92.215.102/32 interface ethernet0/0 gateway X1.X1.X1.GT preference 20
set route 88.147.0.0/16 interface ethernet0/2 preference 20
set route 78.29.64.0/18 interface ethernet0/2 preference 20
set route 95.84.0.0/18 interface ethernet0/2 preference 20
set route source 192.168.2.3/32 interface ethernet0/0 gateway X1.X1.X1.GT preference 0
set access-list extended 1 src-ip 192.168.2.3/32 protocol any entry 2
set access-list extended 1 src-ip 192.168.2.5/32 protocol any entry 3
set access-list extended 1 src-ip 192.168.2.49/32 entry 5
set access-list extended 1 src-ip 192.168.2.70/32 entry 6
set access-list extended 1 src-ip 192.168.2.60/32 entry 7
set access-list extended 1 src-ip 192.168.2.0/24 dst-port 4890-4900 entry 8
set access-list extended 1 src-ip 192.168.2.54/32 protocol any entry 9
set access-list extended 1 src-ip 192.168.2.52/32 protocol any entry 10
set access-list extended 1 src-ip 192.168.2.53/32 protocol any entry 11
set access-list extended 1 src-ip 192.168.2.48/32 entry 12
set access-list extended 1 src-ip 192.168.2.46/32 entry 13
set access-list extended 1 src-ip 192.168.2.2/32 entry 14
set access-list extended 2 src-ip 192.168.4.170/32 protocol any entry 4
set access-list extended 2 src-ip 192.168.2.0/24 entry 15
set match-group name eth0/3
set match-group eth0/3 ext-acl 2 match-entry 1
set match-group name eth0/0
set match-group eth0/0 ext-acl 1 match-entry 1
set action-group name eth_2
set action-group eth_2 next-interface ethernet0/2 action-entry 1
set action-group name eth_3
set action-group eth_3 next-interface ethernet0/3 action-entry 1
set action-group name eth_0
set action-group eth_0 next-interface ethernet0/0 action-entry 1
set action-group name eth_1
set action-group eth_1 next-interface ethernet0/1 action-entry 1
set pbr policy name out
set pbr policy out match-group eth0/0 action-group eth_0 1
set pbr policy out match-group eth0/3 action-group eth_3 2
set pbr out
exit
set interface bgroup0 pbr out
set interface ethernet0/0 pbr out
set interface ethernet0/2 pbr out
set interface ethernet0/3 pbr out
set zone Trust pbr out
set zone Untrust pbr out
set zone untrust_san2 pbr out
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit