prottos2003 wrote:
Let me add a bit more, you can look at...(snipped)
Actually, thinking it over, the FG still seems odd to me.
I set up a DNAT on L2, and from the inside I access the public IP on the FG's WAN directly.
By default it automatically applies SNAT for me, translating to the FG's internal IP. According to the flow, it matched Policy 5 to do the SNAT.
But honestly, my Policy 5 is actually a WAN-to-Internal DNAT, so I don't understand why it writes SNAT at this point (although SNAT is indeed needed here, otherwise the connection would fail; its flow does not say under what conditions it decides to do SNAT).
id=20085 trace_id=101 func=print_pkt_detail line=4420 msg="vd-root received a packet(proto=6, 10.0.0.3:58434->124.109.117.59:80) from internal1. flag [S], seq 2683576816, ack 0, win 8192"
id=20085 trace_id=101 func=init_ip_session_common line=4569 msg="allocate a new session-0025f842"
id=20085 trace_id=101 func=fw_pre_route_handler line=176 msg="VIP-10.0.0.252:80, outdev-unkown"
id=20085 trace_id=101 func=__ip_session_run_tuple line=2564 msg="DNAT 124.109.117.59:80->10.0.0.252:80"
id=20085 trace_id=101 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-10.0.0.252 via internal1"
id=20085 trace_id=101 func=fw_forward_handler line=671 msg="Allowed by Policy-5: SNAT"
id=20085 trace_id=101 func=__ip_session_run_tuple line=2550 msg="SNAT 10.0.0.3->10.0.0.254:58434"
Adding my Policy 5:
config firewall policy
    edit 5
        set srcintf "wan1"
        set dstintf "internal1"
        set srcaddr "all"
        set dstaddr "test"    (this is the DNAT VIP object)
        set action accept
        set schedule "always"
        set service "HTTP"
        set logtraffic all
    next
end
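An added example (my own code, not from the post or from Fortinet) that parses the debug flow lines quoted above and flags why the SNAT step appears: the VIP's real server is reached through the same interface the packet arrived on (internal1), so without source NAT the server would reply straight to 10.0.0.3 on the same subnet and the FortiGate session would never see the return traffic. The trace text is the seven lines from the post, embedded inline; the field names in the result dict are my own.

```python
import re

# Sample input: the seven "diagnose debug flow" lines quoted in the post above.
TRACE = """\
id=20085 trace_id=101 func=print_pkt_detail line=4420 msg="vd-root received a packet(proto=6, 10.0.0.3:58434->124.109.117.59:80) from internal1. flag [S], seq 2683576816, ack 0, win 8192"
id=20085 trace_id=101 func=init_ip_session_common line=4569 msg="allocate a new session-0025f842"
id=20085 trace_id=101 func=fw_pre_route_handler line=176 msg="VIP-10.0.0.252:80, outdev-unkown"
id=20085 trace_id=101 func=__ip_session_run_tuple line=2564 msg="DNAT 124.109.117.59:80->10.0.0.252:80"
id=20085 trace_id=101 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-10.0.0.252 via internal1"
id=20085 trace_id=101 func=fw_forward_handler line=671 msg="Allowed by Policy-5: SNAT"
id=20085 trace_id=101 func=__ip_session_run_tuple line=2550 msg="SNAT 10.0.0.3->10.0.0.254:58434"
"""

# key=value pairs; the msg value is double-quoted and may contain spaces and '='.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_line(line):
    """Split one debug flow line into a dict of its key=value fields."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields

def analyze_trace(text, trace_id):
    """Follow one trace_id through the flow and collect its NAT decisions."""
    info = {"trace_id": trace_id, "src": None, "dst": None, "in_if": None,
            "out_if": None, "dnat": None, "snat": None, "policy": None, "policy_nat": None}
    for raw in text.splitlines():
        f = parse_line(raw)
        if f.get("trace_id") != trace_id:
            continue
        msg = f.get("msg", "")
        if m := re.search(r"received a packet\(proto=\d+, (\S+)->(\S+)\) from (\S+)\.", msg):
            info["src"], info["dst"], info["in_if"] = m.groups()   # ingress interface
        elif m := re.match(r"DNAT (\S+)->(\S+)", msg):
            info["dnat"] = m.groups()                               # VIP translation
        elif m := re.search(r"find a route: .* via (\S+)", msg):
            info["out_if"] = m.group(1)                             # egress interface
        elif m := re.match(r"Allowed by Policy-(\d+)(?:: (\S+))?", msg):
            info["policy"], info["policy_nat"] = int(m.group(1)), m.group(2)
        elif m := re.match(r"SNAT (\S+)->(\S+)", msg):
            info["snat"] = m.groups()                               # source translation
    # Hairpin: the DNAT target is routed back out the interface the packet came in on.
    info["hairpin"] = info["in_if"] is not None and info["in_if"] == info["out_if"]
    return info

if __name__ == "__main__":
    result = analyze_trace(TRACE, "101")
    for key, value in result.items():
        print(f"{key:11} {value}")
```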