Route ssg140



  • Hello
    I have a question about route (ssg140 dual ISP)
    eth1 - isp1
    eth2 - isp2
    both in Untrust zone

    If the config is
    set route 0.0.0.0/0 interface ethernet0/2 gateway ISP1
    set route 0.0.0.0/0 interface ethernet0/3 gateway ISP2 10
    I can't ping from the internet to ISP2.
    When I change to
    set route 0.0.0.0/0 interface ethernet0/2 gateway ISP1
    set route 0.0.0.0/0 interface ethernet0/3 gateway ISP2
    I can, but it is unstable; the route changes from time to time from ISP1 to ISP2.
    What is wrong with my idea?



  • My config: one untrust zone, one untrust-vr



  • Hmm OK, but what can I do when both my isp1 & isp2 are in untrust?


  • Global Moderator

    Allow ICMP from untrust 1 to untrust 2 and from 2 to 1. That’s what I’d try.



  • I think that you are right about option 1. Can you explain to me what rule I must add?


  • Global Moderator

    Probably the packet is coming in one interface (ISP2) but the return packet is going out ISP1 (the only route that’s active for default traffic) and the firewall doesn’t have a rule to accept that?

    Or maybe the firewall is actually sending a reply where the source address is ISP2, which the requesting host doesn’t expect.

    You should do a debug flow to examine what’s actually happening though; I don’t know what the exact problem is. I suspect it’s option 1 above; you might need a rule.



  • NO.
    My question is:
    Why can't I ping from the internet to ISP2 when my config is:
    set route 0.0.0.0/0 interface ethernet0/2 gateway ISP1
    set route 0.0.0.0/0 interface ethernet0/3 gateway ISP2 10

    I can't ping from the internet to ISP2
    when I change to
    set route 0.0.0.0/0 interface ethernet0/2 gateway ISP1
    set route 0.0.0.0/0 interface ethernet0/3 gateway ISP2

    Can you explain it?


  • Global Moderator

    You don’t explain what you’re actually trying to do here, you just say “What is wrong with my idea” but don’t explain your idea!

    Two default routes with equal cost won’t work: you get some packets going out one and some out the other, thus the “unstable”.

    The other option, ISP2 isn’t used, all packets will go out ISP1.

    What are you actually trying to do?



  • @chunkpunk:

    Hello
    I have a question about route (ssg140 dual ISP)
    eth1 - isp1
    eth2 - isp2
    both in Untrust zone

    If the config is
    set route 0.0.0.0/0 interface ethernet0/2 gateway ISP1
    set route 0.0.0.0/0 interface ethernet0/3 gateway ISP2 10
    I can't ping from the internet to ISP2.
    When I change to
    set route 0.0.0.0/0 interface ethernet0/2 gateway ISP1
    set route 0.0.0.0/0 interface ethernet0/3 gateway ISP2
    I can, but it is unstable; the route changes from time to time from ISP1 to ISP2.
    What is wrong with my idea?

    No answers 🙂
    For a double default route, the solution is to create 2 separate zones and create a double policy 😕


 
