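Controlling traffic forwarding

Traffic path: 1 → 3 → 6 → 3 → 4 (the same applies to in and out: regardless of direction, all traffic must pass through the firewall)

****  A router-id conflict occurs with this configuration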

1:
#
ospf 10
 default-route-advertise always 
 area 0.0.0.0
  network 100.1.1.1 0.0.0.0
#
 ip unreachables enable
 ip ttl-expires enable

#
interface LoopBack0
 ip address 100.1.1.1 255.255.255.255
#
interface GigabitEthernet0/0
 ip address 12.1.1.1 255.255.255.0
 ospf 10 area 0.0.0.0
#
interface GigabitEthernet0/1
 ip address 13.1.1.1 255.255.255.0
 ospf 10 area 0.0.0.0          (R4 is configured the same way)

2:
#
ip vpn-instance in
#
ip vpn-instance out
#
ospf 1
#
ospf 10 router-id 2.2.2.2 vpn-instance in
 description in
 area 0.0.0.0
#
ospf 20 router-id 2.2.2.3 vpn-instance out
 area 0.0.0.0
#
 ip unreachables enable
 ip ttl-expires enable

#
interface LoopBack0
 ip address 2.2.2.2 255.255.255.255
#
interface LoopBack1
 ip address 2.2.2.3 255.255.255.255
#
interface GigabitEthernet0/0
 ip binding vpn-instance in
 ip address 12.1.1.2 255.255.255.0
 ospf 10 area 0.0.0.0
#
interface GigabitEthernet0/1
 ip binding vpn-instance out
 ip address 24.1.1.2 255.255.255.0
 ospf 20 area 0.0.0.0
#
interface GigabitEthernet0/2.10
 ip binding vpn-instance in
 ip address 23.1.1.2 255.255.255.0
 ospf 10 area 0.0.0.0
 vlan-type dot1q vid 10
#
interface GigabitEthernet0/2.20
 ip binding vpn-instance out
 ip address 32.1.1.2 255.255.255.0
 ospf 20 area 0.0.0.0
 vlan-type dot1q vid 20
#
interface GigabitEthernet5/0.10
 ip binding vpn-instance in
 ip address 25.1.1.2 255.255.255.0
 ospf 10 area 0.0.0.0
 vlan-type dot1q vid 10
#
interface GigabitEthernet5/0.20
 ip binding vpn-instance out
 ip address 52.1.1.2 255.255.255.0
 ospf 20 area 0.0.0.0
 vlan-type dot1q vid 20    (R3 is configured the same way)

5:
#
ospf 10 router-id 5.5.5.5
 import-route ospf 20
 area 0.0.0.0
#
ospf 20 router-id 5.5.5.6
 default-route-advertise always
 area 0.0.0.0
#
 ip unreachables enable
 ip ttl-expires enable
#
remote-backup group                      (heartbeat link, primary/backup)
 data-channel interface GigabitEthernet1/0/2
 configuration sync-check interval 12
 local-ip 10.2.1.1
 remote-ip 10.2.1.2
 device-role primary

#
interface LoopBack0
 ip address 5.5.5.5 255.255.255.255
#
interface LoopBack1
 ip address 5.5.5.6 255.255.255.255
#
interface GigabitEthernet1/0/0.10
 ip address 25.1.1.5 255.255.255.0
 ospf 10 area 0.0.0.0
 vlan-type dot1q vid 10
#
interface GigabitEthernet1/0/0.20
 ip address 52.1.1.5 255.255.255.0
 ospf 20 area 0.0.0.0
 vlan-type dot1q vid 20
#
interface GigabitEthernet1/0/2
 ip address 10.2.1.1 255.255.255.0

#
security-zone name Trust                          (assign interfaces to security zones)
 import interface GigabitEthernet1/0/0.10
#
security-zone name Untrust
 import interface GigabitEthernet1/0/0.20

#
security-policy ip                                    (write the security rules)
 rule 5 name untrust-trust
  action pass                                         (F6 is configured the same way)

This is my own understanding, for reference only.
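
An added example (not part of the original post and not H3C tooling): a Python check that flags security-policy rules like rule 5 above, where `action pass` appears with no zone, address or service criteria, so the rule is not restricted to the untrust-to-trust direction its name suggests. The sample config and its rule 10 are constructed, and the keyword list is an assumed subset of the match criteria a rule can carry.

```python
import re

# Match keywords that narrow a security-policy rule. Prefix matching also covers
# variants such as source-ip-host / source-ip-subnet. Assumed subset, not exhaustive.
SCOPING = ("source-zone", "destination-zone", "source-ip", "destination-ip", "service")

# Constructed sample: rule 5 mirrors the rule on this page; rule 10 is a
# hypothetical scoped rule added for contrast.
SAMPLE = """\
security-policy ip
 rule 5 name untrust-trust
  action pass
 rule 10 name trust-untrust-web
  action pass
  source-zone Trust
  destination-zone Untrust
  service http
#
"""

def parse_rules(config):
    """Return {rule_id: {"name", "action", "criteria"}} from security-policy blocks."""
    rules, current, in_policy = {}, None, False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("security-policy "):
            in_policy = True
        elif line == "#" or (raw and not raw[0].isspace()):
            in_policy, current = False, None   # any top-level line ends the block
        elif in_policy:
            m = re.match(r"rule (\d+)(?: name (\S+))?", line)
            if m:
                current = {"name": m.group(2), "action": None, "criteria": []}
                rules[int(m.group(1))] = current
            elif current is not None and line.startswith("action "):
                current["action"] = line.split()[1]
            elif current is not None and line.startswith(SCOPING):
                current["criteria"].append(line)
    return rules

def unscoped_pass_rules(config):
    """IDs of rules that pass traffic without any zone, address or service match."""
    return sorted(rid for rid, r in parse_rules(config).items()
                  if r["action"] == "pass" and not r["criteria"])

if __name__ == "__main__":
    for rid in unscoped_pass_rules(SAMPLE):
        print(f"rule {rid}: action pass with no match criteria")
```

Run it against a saved configuration export before deployment; any rule it reports should be given explicit zones and services or removed.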
