Hi @RSteffens ,

Looking at your screenshot it seems you have missed one key component when configuring the NAT rules - Destination Interface.



NAT rules are evaluated the same way as security rules - first match, top to bottom.

When you configured only source and destination zone for the NAT (using any for source/dest IPs) traffic will always hit the first rule and never reach the second one.


For that reason you must configure "Destination Interface", this will add the egressing interface as part of the matching criteria when evaluating the NAT rules.

So when your primary ISP is up and traffic is using the primary default route your egress/destination interface will be eth1/1 (primary internet).

When primary ISP is down and path monitor "disables" the primary default, traffic will take the backup default, but this means egress/destination interface will be different, so this traffic will no longer match the first NAT rule and NAT evaluation will keep looking down, reaching the second NAT rule.


Hope that makes sense


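To illustrate the first-match behaviour described in the reply above, here is a small Python model of the NAT rulebase (an added example, not PAN-OS code and not from the original poster). The primary egress interface is ethernet1/1 as in the thread; the backup interface name (ethernet1/2), the zone names (trust/untrust) and the route metrics are assumptions for the simulation. Path monitoring is modelled as a flag that removes the primary default route from consideration.

```python
"""Toy first-match NAT evaluation, with and without a Destination Interface
criterion, to show why the second rule is never reached without it.
Constructed example: interface names other than ethernet1/1, zones and
metrics are assumptions, not taken from the thread."""

from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    prefix: str
    interface: str
    metric: int
    path_monitor_ok: bool = True  # False once path monitoring disables the route


@dataclass
class NatRule:
    name: str
    from_zone: str
    to_zone: str
    src: str = "any"
    dst: str = "any"
    to_interface: Optional[str] = None  # "Destination Interface"; None means any
    translate_via: str = ""             # interface whose address is used for source NAT


def egress_interface(routes):
    """Resolve the egress interface: lowest-metric default route still
    considered usable by path monitoring (toy forwarding lookup)."""
    live = [r for r in routes if r.path_monitor_ok]
    if not live:
        return None
    return min(live, key=lambda r: r.metric).interface


def match_nat(rules, from_zone, to_zone, egress):
    """NAT rulebase evaluation: first match, top to bottom.
    Zones are always compared; the destination interface is compared
    only when the rule has one configured."""
    for rule in rules:
        if rule.from_zone != from_zone or rule.to_zone != to_zone:
            continue
        if rule.to_interface is not None and rule.to_interface != egress:
            continue
        return rule
    return None


def nat_is_consistent(rule, egress):
    """True when the matched rule translates to the address of the interface
    the packet actually leaves on (the condition needed for ISP failover)."""
    return rule is not None and rule.translate_via == egress


def simulate(use_destination_interface):
    """Run both states (primary ISP up, then down) and report which NAT rule
    is hit and whether the source NAT matches the real egress interface."""
    routes = [
        Route("0.0.0.0/0", "ethernet1/1", metric=10),  # primary ISP
        Route("0.0.0.0/0", "ethernet1/2", metric=20),  # backup ISP (assumed name)
    ]
    rules = [
        NatRule("NAT-primary", "trust", "untrust",
                to_interface="ethernet1/1" if use_destination_interface else None,
                translate_via="ethernet1/1"),
        NatRule("NAT-backup", "trust", "untrust",
                to_interface="ethernet1/2" if use_destination_interface else None,
                translate_via="ethernet1/2"),
    ]
    results = {}
    for state in ("primary_up", "primary_down"):
        if state == "primary_down":
            routes[0].path_monitor_ok = False  # path monitor disables the primary default
        egress = egress_interface(routes)
        hit = match_nat(rules, "trust", "untrust", egress)
        results[state] = (hit.name if hit else None, nat_is_consistent(hit, egress))
    return results


if __name__ == "__main__":
    print("zones only:          ", simulate(False))
    print("with dest interface: ", simulate(True))
```

With zones only, both states hit NAT-primary, so after failover traffic leaves ethernet1/2 but is still translated to the primary ISP address (consistency check False). With the destination interface set on each rule, the failover state falls through to NAT-backup and the translation matches the real egress interface.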