SRX



  • 1.  filter-based routing.

    Posted 10-24-2016 00:33

    Hello. I am trying to set up filter-based routing and can't get it working. Everything seems fine to me.

    1. Applied firewall filter to interface:

    show interfaces vlan unit 20 
    family inet {
        filter {
            input FILTER1;
        }
        address 172.17.20.1/24;
    }
    

    2. Created firewall filter:

    show firewall filter FILTER1 
    term pod-allow {
        from {
            destination-address {
                192.168.0.0/16;
            }
        }
        then accept;
    }
    term mgmt-allow {
        from {
            destination-address {
                172.16.0.0/12;
            }
        }
        then accept;
    }
    term TERM-test {
        from {
            source-address {
                172.17.20.28/32;
            }
        }
        then {
            routing-instance rt-cifra1-test;
        }
    }
    term default {
        then {
            routing-instance rt-cifra1-all;
        }
    }

    3. Set up routing-instances:

    rt-cifra1-all {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 {
                    next-hop 213.167.56.133;
                    qualified-next-hop 213.167.60.117 {
                        preference 100;
                    }
                }
            }
        }
    }
    rt-cifra1-test {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 {
                    next-hop 213.167.60.117;
                    qualified-next-hop 213.167.56.133 {
                        preference 100;
                    }
                }                           
            }                               
        }                                   
    }                                       
    rt-rcs {                                
        instance-type forwarding;           
        routing-options {                   
            static {                        
                route 0.0.0.0/0 next-hop 217.12.253.225;
            }                               
        }                                   
    }        

    4. set up routing-options:

    interface-routes {
        rib-group inet IMPORT-CIFRA1;
    }
    static {
        route 0.0.0.0/0 {
            next-hop [ 217.12.253.225 213.167.56.133 213.167.60.117 ];
            preference 20;
        }
    }                                       
    rib-groups {                            
        IMPORT-CIFRA1 {                     
            import-rib [ inet.0 rt-cifra1-test.inet.0 rt-cifra1-all.inet.0 rt-rcs.inet.0 ];
        }                                   
    }           

    5. and source nat:

    pool cifra1-test { 
       address { 
           213.167.60.118/32; 
       } 
    } 
    pool cifra1-all { 
       address { 
           213.167.56.134/32; 
       } 
    } 
    rule-set rs1 { 
       from zone trust; 
       to zone untrust;                                                        
       rule test-cifra1 {              
           match {                          
               source-address 172.17.20.28/32; 
               destination-address 0.0.0.0/0; 
           }                                
           then {                           
               source-nat {                 
                   pool {                   
                       cifra1-test;    
                   }                        
               }                            
           }                                
       }                                    
       rule r1 {                            
           match {                          
               source-address 0.0.0.0/0;    
               destination-address 0.0.0.0/0; 
           }                                
           then {                           
               source-nat {                 
                   pool {                   
                       cifra1-all ;            
                   }                        
               }                            
           }                                
       }                                    
    }

    But traceroute shows that traffic goes through the 213.167.56.133 gateway, instead of 213.167.60.117.

    Can anyone explain to me why?


    #SRX
    #filter-basedrouting
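
An added example (not from this thread or from Juniper) that models Junos first-match term evaluation for FILTER1 and the default routes of the forwarding instances posted above, to show which gateway the filter should select for the 172.17.20.28 -> 8.8.8.8 traceroute and why moving TERM-test ahead of mgmt-allow only affects destinations inside 172.16.0.0/12. The term list, instance names and next-hops are the ones posted; the inet.0 next-hop list is not modelled.

```python
from ipaddress import ip_address, ip_network

# FILTER1 as posted, in the posted term order.
# Each term is (name, match conditions, (action, argument)).
FILTER1 = [
    ("pod-allow",  {"destination-address": "192.168.0.0/16"}, ("accept", None)),
    ("mgmt-allow", {"destination-address": "172.16.0.0/12"}, ("accept", None)),
    ("TERM-test",  {"source-address": "172.17.20.28/32"}, ("routing-instance", "rt-cifra1-test")),
    ("default",    {}, ("routing-instance", "rt-cifra1-all")),
]

# Primary next-hop of 0.0.0.0/0 in each forwarding instance as posted
# (the qualified-next-hop with preference 100 is only the backup).
INSTANCE_DEFAULT_NEXT_HOP = {
    "rt-cifra1-all": "213.167.56.133",
    "rt-cifra1-test": "213.167.60.117",
    "rt-rcs": "217.12.253.225",
}

def term_matches(conditions, src, dst):
    """All from-conditions of a term must hold (Junos ANDs them)."""
    for key, prefix in conditions.items():
        addr = src if key == "source-address" else dst
        if ip_address(addr) not in ip_network(prefix):
            return False
    return True

def evaluate_filter(terms, src, dst):
    """Top-down, first-match evaluation; unmatched packets hit the implicit discard."""
    for name, conditions, (action, arg) in terms:
        if term_matches(conditions, src, dst):
            return name, action, arg
    return "implicit", "discard", None

def expected_next_hop(src, dst, terms=FILTER1):
    """Return (matching term, gateway) the filter should send a packet to."""
    name, action, arg = evaluate_filter(terms, src, dst)
    if action == "routing-instance":
        return name, INSTANCE_DEFAULT_NEXT_HOP[arg]
    if action == "accept":
        return name, "inet.0 lookup"   # normal master-table lookup
    return name, "discarded"

def insert_before(terms, term, before):
    """Mimic 'insert firewall filter FILTER1 term <term> before term <before>'."""
    moved = next(t for t in terms if t[0] == term)
    rest = [t for t in terms if t[0] != term]
    idx = next(i for i, t in enumerate(rest) if t[0] == before)
    return rest[:idx] + [moved] + rest[idx:]

if __name__ == "__main__":
    # The traceroute from the thread: source 172.17.20.28, destination 8.8.8.8
    print(expected_next_hop("172.17.20.28", "8.8.8.8"))  # ('TERM-test', '213.167.60.117')
```

If the filter model says 213.167.60.117 but the packets leave via 213.167.56.133, the filter itself is not the place to keep looking; the term counters and the instance's route table are.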


  • 2.  RE: filter-based routing.

    Posted 10-24-2016 08:26
    From which 'source address' are you generating the traceroute traffic?


  • 3.  RE: filter-based routing.

    Posted 10-24-2016 22:10

    Just running command from 172.17.20.28

    traceroute 8.8.8.8
    traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
     1  gateway (172.17.20.1)  1.429 ms  1.395 ms  1.407 ms
     2  213.167.56.133 (213.167.56.133)  7.342 ms  7.353 ms  7.362 ms


  • 4.  RE: filter-based routing.

    Posted 10-24-2016 22:29
    Please re-order the terms; command:

    insert firewall filter FILTER1 term TERM-test before term mgmt-allow


  • 5.  RE: filter-based routing.

    Posted 10-24-2016 22:40

    It didn't help.



  • 6.  RE: filter-based routing.

    Posted 10-26-2016 05:38

    Can you enable count on filter FILTER1 term TERM-test, and check if there are any accepted hits?

    Here you can see how to configure it:
    http://www.juniper.net/documentation/en_US/junos16.1/topics/example/firewall-filter-stateless-example-count-accepted-and-rejected-packets.html

    I have another question for you:
    Do all of [217.12.253.225 213.167.56.133 213.167.60.117] reside under the same zone, which is "untrust"?

    And sorry for misleading you in the previous post, there was no need to re-order it, I just the 172.16.0.0/12 another LAN .. My bad 😐



  • 7.  RE: filter-based routing.

    Posted 10-26-2016 05:56

    I checked it with a "log" rule before and there are accepted hits.

    Oct 25 12:24:30  tco tco PFE_FW_SYSLOG_IP: FW: vlan.20      A  udp 172.17.20.28 93.158.134.3 40423 33434 (1 packets) 
    Oct 25 12:24:30  tco tco PFE_FW_SYSLOG_IP: FW: vlan.20      A  udp 172.17.20.28 93.158.134.3 36985 33435 (1 packets) 
    

    @Abed AL-R wrote:

    I have another question for you:
    Do all of [217.12.253.225 213.167.56.133 213.167.60.117] reside under the same zone, which is "untrust"?

    They should be, as they are the ISP's IP addresses.

    Is it possible that the problem is that addresses 213.167.60.118 and 213.167.59.134 are configured on the same interface?

     



  • 8.  RE: filter-based routing.

    Posted 10-26-2016 07:48
    How are 213.167.60.118 and 213.167.59.134 configured under the same interface? Are we talking about a /21 subnet here? Could you attach the configuration under the [edit interfaces] hierarchy?
    Also attach the show route output.


  • 9.  RE: filter-based routing.

    Posted 10-26-2016 08:24
    Also, if it's possible, explain the topology further and how those three ISPs are connected, to get the whole picture clear for us.


  • 10.  RE: filter-based routing.

    Posted 10-26-2016 23:12

    interfaces: 

    show interfaces fe-0/0/1  
    unit 0 {
        family inet {
            address 213.167.60.118/30;
            address 213.167.59.134/30;
        }
    }
    

    I'll attach show route; it's here http://pastebin.com/PdB4rgST, it's pretty long.

    Now about topology:

    There are two ISPs, so 2 ports in the Juniper are used.

    The "cifra1" ISP gives us 2 IPs on the same cable.

    All LANs are directly attached to the Juniper.


  • 11.  RE: filter-based routing.
    Best Answer

    Posted 10-27-2016 09:45

    Hi,

     

    I was trying to replicate your issue in my lab with Proxy-ARP (see attached configuration).

    And it's working fine after I configured your NATed addresses.
