Hello @gfleming @akristof
Thanks for your answers.
"Typically all you need to avoid RPF drops is a route for the source IP out the interface it is coming in." -> not possible because the source IP is a random public one
"Do you have a default route pointing to your Inter-VDOM link?" -> No, the default route is pointing to the 3rd party firewall.
"Alternatively, and you should consider perhaps configuring an SD-WAN zone/interface" -> If I understand your idea correctly, I create an SD-WAN zone containing the inter-VDOM interface and the interface to the 3rd-party FW on our VDOM on the 100F?
In my case I don't want to use both internet accesses (3rd-party FW & ISP-VDOM) at the same time; the idea is to migrate progressively from the 3rd-party firewall to the 100F:
- The outgoing traffic from our LAN/our VDOM, with policy routes (based on source LAN subnet), goes out to the internet via the ISP-VDOM.
- The incoming traffic, by switching each /32 public IP of our pool progressively to the 100F on the ISP-VDOM, creating the appropriate DNAT & firewall rules, etc.
@akristof you say "[...] unless route towards 3rd party firewall will disappear. And at the same time, this will achieve that the traffic will not be dropped by RPF." -> So if I create the 2nd default route to the inter-VDOM interface with a higher priority, it will not be used, and RPF will let my packet go back via its inter-VDOM interface?