Это особенность оборудования Juniper: провайдеров нужно явно разнести по разным VRF, и обязательно нужны две разные security-зоны.
В своё время делал как-то так и работало как часы:
/* Global routing table (inet.0).
   Interface routes are shared with both provider VRFs through rib-group
   "inside"; the only static route is a default that hands the lookup over
   to beeline.inet.0 instead of pointing at a next-hop. */
routing-options {
interface-routes {
rib-group inet inside;
}
static {
/* next-table: the lookup continues in beeline's table, so the active
   uplink is decided there (ip-monitoring below swaps beeline's default
   route) rather than by editing this entry. */
route 0.0.0.0/0 next-table beeline.inet.0;
}
rib-groups {
inside {
/* Interface routes of inet.0 and of both VRFs are imported into all three
   tables, so each table has a direct route to the LAN and to both uplink
   subnets. Without this the next-table default above could not resolve. */
import-rib [ inet.0 metronet.inet.0 beeline.inet.0 ];
}
}
}
/* NAT. In a full Junos configuration this stanza lives under "security { }";
   the wrapper was omitted in the paste. */
nat {
source {
/* LAN -> beeline: hide NET_LOCAL (an address-book entry, not shown) behind
   the address of the egress interface in the beeline instance. */
rule-set trust-to-untrust {
from routing-instance default;
to routing-instance beeline;
rule source-nat-rule {
match {
source-address-name NET_LOCAL;
}
then {
source-nat {
interface;
}
}
}
/* Exemption for private 10.0.0.0/8 destinations. NOTE(review): Junos
   evaluates the rules of a rule-set in order, first match wins. Because
   source-nat-rule above matches NET_LOCAL with any destination, a NET_LOCAL
   host talking to 10.0.0.0/8 is already NATed before this rule is reached;
   if the exemption is meant for NET_LOCAL, move nat-off ahead of
   source-nat-rule. Same remark applies to source-nat-off2 below. */
rule nat-off {
match {
source-address 0.0.0.0/0;
destination-address 10.0.0.0/8;
}
then {
source-nat {
off;
}
}
}
}
/* LAN -> metronet: identical pair of rules for the second provider. */
rule-set trust-to-untrust2 {
from routing-instance default;
to routing-instance metronet;
rule source-nat-rule2 {
match {
source-address-name NET_LOCAL;
}
then {
source-nat {
interface;
}
}
}
rule source-nat-off2 {
match {
source-address 0.0.0.0/0;
destination-address 10.0.0.0/8;
}
then {
source-nat {
off;
}
}
}
}
}
destination {
/* Port-forward target: SSH on the core host. */
pool CORE_SSH {
address 10.240.240.5/32 port 22;
}
/* Inbound from provider 1: anything arriving on TCP 27200 is translated to
   CORE_SSH. The 0.0.0.0/0 destination match is just "whatever public
   address we got"; the source is not restricted here at all, so the only
   thing limiting who can reach the core SSH port is the (not shown)
   security policy from zone untrust toward the core host. Restrict the
   allowed sources there, or add a source-address match to this rule. */
rule-set DNAT {
from zone untrust;
rule dnat_for_core_ssh {
match {
destination-address 0.0.0.0/0;
destination-port 27200;
}
then {
destination-nat pool CORE_SSH;
}
}
}
/* Inbound from provider 2: same forward via the second zone. */
rule-set DNAT-2 {
from zone untrust2;
rule dnat_for_core_ssh2 {
match {
destination-address 0.0.0.0/0;
destination-port 27200;
}
then {
destination-nat pool CORE_SSH;
}
}
}
}
}
/* One virtual-router per provider, each owning its uplink interface and its
   own default route. Per the post, each instance also sits in its own
   security zone (untrust / untrust2, referenced in the DNAT rule-sets).
   "X.X.X.X" is a redacted provider gateway; note the doubled ";" left over
   from the redaction on the next-hop lines. */
routing-instances {
beeline {
instance-type virtual-router;
interface ge-0/0/1.0;
routing-options {
interface-routes {
/* Same rib-group as inet.0: this is what leaks the ge-0/0/1.0 subnet
   into the other two tables. */
rib-group inet inside;
}
static {
route 0.0.0.0/0 next-hop X.X.X.X;;
}
}
}
metronet {
instance-type virtual-router;
interface ge-0/0/0.0;
routing-options {
interface-routes {
rib-group inet inside;
}
static {
route 0.0.0.0/0 next-hop X.X.X.X;;
}
}
}
}
services {
/* Reachability probe for provider 1, sourced from inside the beeline
   instance. Target and source addresses are redacted ("X.X.X.X", again with
   a doubled ";"). */
rpm {
probe ISP1-GW {
test uplink {
probe-type icmp-ping;
target address X.X.X.X;;
/* 5 pings, 3 s apart, repeated every 30 s. */
probe-count 5;
probe-interval 3;
test-interval 30;
source-address X.X.X.X;;
routing-instance beeline;
/* The test is declared failed after 5 lost probes (in a row or in total
   for the test). NOTE(review): if the target is the ISP's own gateway, an
   outage further upstream that leaves the gateway pingable will not be
   detected; a target beyond the provider's edge is usually more
   meaningful. */
thresholds {
successive-loss 5;
total-loss 5;
}
}
}
}
/* Failover: while probe ISP1-GW is failing, install a preferred default
   route in beeline's table pointing at X.X.X.X (presumably the metronet
   gateway, reachable only because metronet's interface route is leaked via
   rib-group "inside" — verify). Since inet.0's default is "next-table
   beeline.inet.0", this redirects all LAN egress to provider 2; the route is
   withdrawn again once the probe recovers. Return traffic then egresses
   through ge-0/0/0.0, i.e. via NAT rule-set trust-to-untrust2, so source NAT
   should still apply — worth confirming during a failover test.
   The enclosing "services { }" stanza is not closed within the paste. */
ip-monitoring {
policy ISP1_DOWN {
match {
rpm-probe ISP1-GW;
}
then {
preferred-route {
routing-instances beeline {
route 0.0.0.0/0 {
next-hop X.X.X.X;
}
}
}
}
}
}