Some customers need two or more ISP Internet interfaces, for example so that a server can serve clients on several different public addresses.
As in the diagram below, the WEB server has three public addresses, each from a different provider: ISP1, ISP2 and ISP3.
There are a few important points:
- ECMP must be enabled
The firewall must have ECMP enabled so that the three default routes work at the same time. Note that Symmetric Return must also be enabled, so that the server's return traffic to the client leaves through the interface it arrived on. This matters: without it the firewall drops the packets
and produces logs such as:
Packet forwarded to different zone 2 than zone 4 in session 754
Packet dropped, forwarding does not match security rule
- Because there are multiple exits, NAT needs extra configuration; see the NAT 2 section
The NAT part is also quite important. Because there are three different exits by default, the NAT is normally written as shown below, but when the firewall does the ECMP lookup while creating the session, it may set the egress to ethernet1/4, which is OUTSIDE3, so the NAT rule below is not hit and the packet is dropped by the firewall:
Session setup: ingress interface ethernet1/1 egress interface ethernet1/4 (zone 9)
# So the NAT 2 part has to be added
# Normal NAT part: Internet traffic trying to reach the server's public address 8.8.8.100 hits the NAT rule below
set rulebase nat rules DST-8.8.8.100 from OUTSIDE1
set rulebase nat rules DST-8.8.8.100 source any
set rulebase nat rules DST-8.8.8.100 to OUTSIDE1
set rulebase nat rules DST-8.8.8.100 destination H-8.8.8.100
set rulebase nat rules DST-8.8.8.100 service any
set rulebase nat rules DST-8.8.8.100 destination-translation translated-address H-192.168.1.100
## NAT 2
set rulebase nat rules DST-8.8.8.100-1 from OUTSIDE1
set rulebase nat rules DST-8.8.8.100-1 source any
set rulebase nat rules DST-8.8.8.100-1 to OUTSIDE3
set rulebase nat rules DST-8.8.8.100-1 destination H-8.8.8.100
set rulebase nat rules DST-8.8.8.100-1 service any
set rulebase nat rules DST-8.8.8.100-1 destination-translation translated-address H-192.168.1.100
set rulebase nat rules DST-8.8.8.100-1 destination-translation dns-rewrite direction forward
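As an added example (not code from the post or from Palo Alto Networks), the following Python script models the two behaviours described above: ECMP choosing the pre-NAT egress zone during session setup, and the destination-NAT rule having to match that zone, plus Symmetric Return pinning the reply to the ingress interface. It parses a constructed subset of the post's `set rulebase nat rules` lines, uses the interface-to-zone and route tables from the post, and replaces PAN-OS's real ip-modulo hash with a simple sum-modulo (an assumption made for illustration). `uncovered_zones` is a lint that lists every ECMP candidate zone that has no destination-NAT rule for a public address; with the post's rules it returns OUTSIDE2 for 8.8.8.100, because NAT 2 only adds OUTSIDE3 beside the original OUTSIDE1 rule.

```python
"""
Model of PAN-OS ECMP egress selection and destination-NAT matching.
Added illustration only: not PAN-OS code; the hash below is a simplification.
"""
import ipaddress
import re
from collections import defaultdict

# Interface -> zone, copied from the firewall's interface table in the post.
IFACE_ZONE = {
    "ethernet1/1": "OUTSIDE1",
    "ethernet1/2": "INSIDE",
    "ethernet1/3": "OUTSIDE2",
    "ethernet1/4": "OUTSIDE3",
}

# Routing table from the post: connected routes plus three ECMP default routes.
ROUTES = [
    (ipaddress.ip_network("1.1.1.0/24"), "ethernet1/1"),
    (ipaddress.ip_network("2.2.2.0/24"), "ethernet1/3"),
    (ipaddress.ip_network("3.3.3.0/24"), "ethernet1/4"),
    (ipaddress.ip_network("192.168.1.0/24"), "ethernet1/2"),
    (ipaddress.ip_network("0.0.0.0/0"), "ethernet1/1"),
    (ipaddress.ip_network("0.0.0.0/0"), "ethernet1/3"),
    (ipaddress.ip_network("0.0.0.0/0"), "ethernet1/4"),
]

# Constructed subset of the post's destination-NAT "set" lines (original rules only).
NAT_BASE = """
set rulebase nat rules DST-8.8.8.100 from OUTSIDE1
set rulebase nat rules DST-8.8.8.100 to OUTSIDE1
set rulebase nat rules DST-8.8.8.100 destination H-8.8.8.100
set rulebase nat rules DST-8.8.8.100 destination-translation translated-address H-192.168.1.100
set rulebase nat rules DST-1.1.1.200 from OUTSIDE1
set rulebase nat rules DST-1.1.1.200 to OUTSIDE1
set rulebase nat rules DST-1.1.1.200 destination H-1.1.1.200
set rulebase nat rules DST-1.1.1.200 destination-translation translated-address H-192.168.1.200
"""
# The post's "NAT 2" supplement for the OUTSIDE3 egress case.
NAT2 = """
set rulebase nat rules DST-8.8.8.100-1 from OUTSIDE1
set rulebase nat rules DST-8.8.8.100-1 to OUTSIDE3
set rulebase nat rules DST-8.8.8.100-1 destination H-8.8.8.100
set rulebase nat rules DST-8.8.8.100-1 destination-translation translated-address H-192.168.1.100
"""

RULE_RE = re.compile(r"^set rulebase nat rules (\S+) (from|to|destination) (\S+)$")


def parse_nat(text):
    """Return {rule_name: {"from": zone, "to": zone, "destination": ip}}.
    Address objects in the post are named H-<ip>, so the IP is the suffix."""
    rules = defaultdict(dict)
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            name, key, val = m.groups()
            rules[name][key] = val.removeprefix("H-") if key == "destination" else val
    return dict(rules)


def candidate_zones(dst_ip):
    """Pre-NAT destination zone(s) from a longest-prefix lookup. With ECMP every
    equal-length match is a candidate, so a default-route destination gives three."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [(net, ifc) for net, ifc in ROUTES if ip in net]
    best = max(net.prefixlen for net, _ in matches)
    return [IFACE_ZONE[ifc] for net, ifc in matches if net.prefixlen == best]


def choose_egress(src_ip, dst_ip):
    """Simplified ip-modulo path choice (assumption, not PAN-OS's actual hash)."""
    zones = candidate_zones(dst_ip)
    idx = (int(ipaddress.ip_address(src_ip)) + int(ipaddress.ip_address(dst_ip))) % len(zones)
    return zones[idx]


def session_setup(src_ip, dst_ip, ingress_zone, rules):
    """Mimic session setup: a destination-NAT rule must match the ECMP-chosen
    pre-NAT egress zone, otherwise the packet is dropped."""
    egress = choose_egress(src_ip, dst_ip)
    for name, r in rules.items():
        if r.get("from") == ingress_zone and r.get("to") == egress and r.get("destination") == dst_ip:
            return {"action": "forward", "rule": name, "egress_zone": egress}
    return {"action": "drop", "rule": None, "egress_zone": egress}


def uncovered_zones(rules, public_ip, ingress_zone="OUTSIDE1"):
    """Lint: ECMP candidate zones that have no destination-NAT rule for public_ip."""
    covered = {r["to"] for r in rules.values()
               if r.get("destination") == public_ip and r.get("from") == ingress_zone}
    return set(candidate_zones(public_ip)) - covered


def reply_zone(session_ingress_zone, server_ip, client_ip, symmetric_return):
    """Symmetric Return sends the reply out the zone the request arrived in;
    without it the reply is routed on its own and may leave through another zone."""
    return session_ingress_zone if symmetric_return else choose_egress(server_ip, client_ip)


if __name__ == "__main__":
    base, full = parse_nat(NAT_BASE), parse_nat(NAT_BASE + NAT2)
    for src in ("9.9.9.9", "9.9.9.10", "9.9.9.11"):  # constructed client addresses
        print(src, session_setup(src, "8.8.8.100", "OUTSIDE1", base),
              session_setup(src, "8.8.8.100", "OUTSIDE1", full)["action"])
    print("zones without a dst-NAT rule for 8.8.8.100:", uncovered_zones(full, "8.8.8.100"))
```

Running it shows clients whose hash lands on OUTSIDE3 being dropped with the original rule set and forwarded once NAT 2 is present, and the lint reporting the remaining zone; 1.1.1.200 reports nothing because it sits on a connected /24 and only ever resolves to OUTSIDE1.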
The network topology diagram below was built in eve-ng; Net is my home lab.
Below is the complete firewall configuration.
Firewall interfaces:
name                id    vsys zone             forwarding               tag    address
------------------- ----- ---- ---------------- ------------------------ ------ ------------------
ethernet1/1         16    1    OUTSIDE1         vr:default               0      1.1.1.1/24
ethernet1/2         17    1    INSIDE           vr:default               0      192.168.1.1/24
ethernet1/3         18    1    OUTSIDE2         vr:default               0      2.2.2.1/24
ethernet1/4         19    1    OUTSIDE3         vr:default               0      3.3.3.1/24
# Firewall routing table: three default routes, each pointing at a different ISP gateway
admin@PA-VM> show routing route
flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2, E:ecmp, M:multicast
VIRTUAL ROUTER: default (id 1)
==========
destination nexthop metric flags age interface next-AS
0.0.0.0/0 1.1.1.254 10 A S E ethernet1/1
0.0.0.0/0 2.2.2.254 10 A S E ethernet1/3
0.0.0.0/0 3.3.3.254 10 A S E ethernet1/4
1.1.1.0/24 1.1.1.1 0 A C ethernet1/1
1.1.1.1/32 0.0.0.0 0 A H
2.2.2.0/24 2.2.2.1 0 A C ethernet1/3
2.2.2.1/32 0.0.0.0 0 A H
3.3.3.0/24 3.3.3.1 0 A C ethernet1/4
3.3.3.1/32 0.0.0.0 0 A H
192.168.1.0/24 192.168.1.1 0 A C ethernet1/2
192.168.1.1/32 0.0.0.0 0 A H
# Enable ECMP with symmetric-return and max-path = 4
set network virtual-router default ecmp algorithm ip-modulo
set network virtual-router default ecmp enable yes
set network virtual-router default ecmp symmetric-return yes
set network virtual-router default ecmp max-path 4
set network virtual-router default ecmp strict-source-path no
# NAT part
set rulebase nat rules SRC-2.2.2.100 from INSIDE
set rulebase nat rules SRC-2.2.2.100 source H-192.168.1.100
set rulebase nat rules SRC-2.2.2.100 to OUTSIDE2
set rulebase nat rules SRC-2.2.2.100 destination any
set rulebase nat rules SRC-2.2.2.100 service any
set rulebase nat rules SRC-2.2.2.100 source-translation static-ip translated-address H-2.2.2.100
set rulebase nat rules SRC-2.2.2.100 source-translation static-ip bi-directional no
set rulebase nat rules DST-2.2.2.100 from OUTSIDE2
set rulebase nat rules DST-2.2.2.100 source any
set rulebase nat rules DST-2.2.2.100 to OUTSIDE2
set rulebase nat rules DST-2.2.2.100 destination H-2.2.2.100
set rulebase nat rules DST-2.2.2.100 service any
set rulebase nat rules DST-2.2.2.100 destination-translation translated-address H-192.168.1.100
set rulebase nat rules SRC-3.3.3.100 from INSIDE
set rulebase nat rules SRC-3.3.3.100 source H-192.168.1.100
set rulebase nat rules SRC-3.3.3.100 to OUTSIDE3
set rulebase nat rules SRC-3.3.3.100 destination any
set rulebase nat rules SRC-3.3.3.100 service any
set rulebase nat rules SRC-3.3.3.100 source-translation static-ip translated-address H-3.3.3.100
set rulebase nat rules SRC-3.3.3.100 source-translation static-ip bi-directional no
set rulebase nat rules DST-3.3.3.100 from OUTSIDE3
set rulebase nat rules DST-3.3.3.100 source any
set rulebase nat rules DST-3.3.3.100 to OUTSIDE3
set rulebase nat rules DST-3.3.3.100 destination H-3.3.3.100
set rulebase nat rules DST-3.3.3.100 service any
set rulebase nat rules DST-3.3.3.100 destination-translation translated-address H-192.168.1.100
set rulebase nat rules SRC-1.1.1.200 from INSIDE
set rulebase nat rules SRC-1.1.1.200 source H-192.168.1.200
set rulebase nat rules SRC-1.1.1.200 to OUTSIDE1
set rulebase nat rules SRC-1.1.1.200 destination any
set rulebase nat rules SRC-1.1.1.200 service any
set rulebase nat rules SRC-1.1.1.200 source-translation static-ip translated-address H-1.1.1.200
set rulebase nat rules SRC-1.1.1.200 source-translation static-ip bi-directional no
set rulebase nat rules DST-1.1.1.200 from OUTSIDE1
set rulebase nat rules DST-1.1.1.200 source any
set rulebase nat rules DST-1.1.1.200 to OUTSIDE1
set rulebase nat rules DST-1.1.1.200 destination H-1.1.1.200
set rulebase nat rules DST-1.1.1.200 service any
set rulebase nat rules DST-1.1.1.200 destination-translation translated-address H-192.168.1.200
set rulebase nat rules SRC-1.1.1.220 from DMZ
set rulebase nat rules SRC-1.1.1.220 source H-192.168.2.100
set rulebase nat rules SRC-1.1.1.220 to OUTSIDE1
set rulebase nat rules SRC-1.1.1.220 destination any
set rulebase nat rules SRC-1.1.1.220 service any
set rulebase nat rules SRC-1.1.1.220 source-translation static-ip translated-address H-1.1.1.220
set rulebase nat rules SRC-1.1.1.220 source-translation static-ip bi-directional no
set rulebase nat rules DST-1.1.1.220 from OUTSIDE1
set rulebase nat rules DST-1.1.1.220 source any
set rulebase nat rules DST-1.1.1.220 to OUTSIDE1
set rulebase nat rules DST-1.1.1.220 destination H-1.1.1.220
set rulebase nat rules DST-1.1.1.220 service any
set rulebase nat rules DST-1.1.1.220 destination-translation translated-address H-192.168.2.100
set rulebase nat rules SRC-8.8.8.100 from INSIDE
set rulebase nat rules SRC-8.8.8.100 source H-192.168.1.100
set rulebase nat rules SRC-8.8.8.100 to OUTSIDE1
set rulebase nat rules SRC-8.8.8.100 destination any
set rulebase nat rules SRC-8.8.8.100 service any
set rulebase nat rules SRC-8.8.8.100 source-translation static-ip translated-address H-8.8.8.100
set rulebase nat rules SRC-8.8.8.100 source-translation static-ip bi-directional no
set rulebase nat rules DST-8.8.8.100 from OUTSIDE1
set rulebase nat rules DST-8.8.8.100 source any
set rulebase nat rules DST-8.8.8.100 to OUTSIDE1
set rulebase nat rules DST-8.8.8.100 destination H-8.8.8.100
set rulebase nat rules DST-8.8.8.100 service any
set rulebase nat rules DST-8.8.8.100 destination-translation translated-address H-192.168.1.100
# Very important NAT supplement: NAT 2
set rulebase nat rules DST-8.8.8.100-1 from OUTSIDE1
set rulebase nat rules DST-8.8.8.100-1 source any
set rulebase nat rules DST-8.8.8.100-1 to OUTSIDE3
set rulebase nat rules DST-8.8.8.100-1 destination H-8.8.8.100
set rulebase nat rules DST-8.8.8.100-1 service any
set rulebase nat rules DST-8.8.8.100-1 destination-translation translated-address H-192.168.1.100
set rulebase nat rules DST-8.8.8.100-1 destination-translation dns-rewrite direction forward
set network virtual-router default routing-table ip static-route ISP1 nexthop ip-address 1.1.1.254
set network virtual-router default routing-table ip static-route ISP1 bfd profile None
set network virtual-router default routing-table ip static-route ISP1 path-monitor enable no
set network virtual-router default routing-table ip static-route ISP1 path-monitor failure-condition any
set network virtual-router default routing-table ip static-route ISP1 path-monitor hold-time 2
set network virtual-router default routing-table ip static-route ISP1 interface ethernet1/1
set network virtual-router default routing-table ip static-route ISP1 metric 10
set network virtual-router default routing-table ip static-route ISP1 destination 0.0.0.0/0
set network virtual-router default routing-table ip static-route ISP1 route-table unicast
set network virtual-router default routing-table ip static-route ISP3 nexthop ip-address 3.3.3.254
set network virtual-router default routing-table ip static-route ISP3 bfd profile None
set network virtual-router default routing-table ip static-route ISP3 path-monitor enable no
set network virtual-router default routing-table ip static-route ISP3 path-monitor failure-condition any
set network virtual-router default routing-table ip static-route ISP3 path-monitor hold-time 2
set network virtual-router default routing-table ip static-route ISP3 interface ethernet1/4
set network virtual-router default routing-table ip static-route ISP3 metric 10
set network virtual-router default routing-table ip static-route ISP3 destination 0.0.0.0/0
set network virtual-router default routing-table ip static-route ISP3 route-table unicast
set network virtual-router default routing-table ip static-route ISP2 nexthop ip-address 2.2.2.254
set network virtual-router default routing-table ip static-route ISP2 bfd profile None
set network virtual-router default routing-table ip static-route ISP2 path-monitor enable no
set network virtual-router default routing-table ip static-route ISP2 path-monitor failure-condition any
set network virtual-router default routing-table ip static-route ISP2 path-monitor hold-time 2
set network virtual-router default routing-table ip static-route ISP2 interface ethernet1/3
set network virtual-router default routing-table ip static-route ISP2 metric 10
set network virtual-router default routing-table ip static-route ISP2 destination 0.0.0.0/0
set network virtual-router default routing-table ip static-route ISP2 route-table unicast