Hi Mark, On 28 May 2010 06:37, Mark Hermsdorfer <mark@hermsdorfer.net> wrote:
Ken,
As others have pointed out, typically interfaces are not kept track of in state tables. Having said that, I've worked in the past with the ScreenOS-based SSG platforms that do this. So if you're coming from an SSG background this makes sense.
Yes sir, I have used SSG for several years but mainly used BSD for the last decade and most recently OpenBSD. There is an easy fix for this on PF for OpenBSD, and that is to tag the packets from each provider (as in not using 802.1q but a specific function in PF). This works extremely well.
These devices seem to keep track of the source interface in their state tables. For example, I've worked on a one-armed load balancer with no source NAT, such that one would typically require some policy-based routing to get the traffic back to the LB to have the destination NAT handled. However, with a Juniper SSG as the router, its state tables kept track of the interfaces and routed traffic correctly without any policy-based routing required. When I took over administration of that environment I spent some time trying to figure out how the routing worked, since there was no configuration such as policy-based routes that would make sense.
Having said that, if the JunOS-based SRX platform does not do session tracking in the same way as the SSG platform, it would seem that the most reasonable solution would be to NAT the traffic, as has already been pointed out.
Mark
--
Cheers!
Mark Hermsdorfer