謝michaelwan，那邊也是說用PBR或source routing...然後自己看文件.......

## set up the access-lists
SSG140-> set vrouter trust-vr
SSG140(trust-vr)-> set access-list extended 10 src-ip 192.168.1.0/24 entry 1

SSG140(trust-vr)-> set access-list extended 20 src-ip 192.168.1.5/24 entry 1
SSG140(trust-vr)-> set access-list extended 20 src-ip 192.168.1.2/24 entry 2
SSG140(trust-vr)-> set access-list extended 20 src-ip 192.168.1.3/24 entry 3
SSG140(trust-vr)-> set access-list extended 20 src-ip 192.168.1.4/24 entry 4
SSG140(trust-vr)-> set access-list extended 20 src-ip 192.168.1.5/24 entry 5

## create the match groups and assign the extended acl to the group
SSG140(trust-vr)-> set match-group name ISPAPTG
SSG140(trust-vr)-> set match-group ISPAPTG ext-acl 10 match-entry 10

SSG140(trust-vr)-> set match-group name ISPCHT
SSG140(trust-vr)-> set match-group ISPCHT ext-acl 20 match-entry 10

## create action groups and set next hop
SSG140(trust-vr)-> set action-group name toISPAPTG
SSG140(trust-vr)-> set action-group toISPAPTG next-hop XX.XX.XX.254 action-entry 1

SSG140(trust-vr)-> set action-group name toISPCHT
SSG140(trust-vr)-> set action-group toISPCHT next-hop XX.XX.XX.254 action-entry 1

## create pbr and bind action group with match group
SSG140(trust-vr)-> set pbr policy name separate-traffic
SSG140(trust-vr)-> set pbr policy separate-traffic match-group ISPAPTG action-group toISPAPTG 1
SSG140(trust-vr)-> set pbr policy separate-traffic match-group ISPCHT action-group toISPCHT 2
SSG140(trust-vr)-> exit

## enable PBR on the ingress interface (in the LAN zone !!!!)
SSG140-> set interface bgroup0/0 pbr PBR

## enable the PBR policy on the entire zone
SSG140-> set zone trust pbr PBR

## create policy to allow traffic
SSG140-> set policy from Lan to Internet any any any nat src permit

目前的設定如上面指令，但是沒有生效192.168.1.0/24 還是不會走ISPAPTG那條線路，還是說不能用192.168.1.0/24 及192.168.1.2~5/24來區分？