SRX


PBR between zones

  • 1.  PBR between zones

    Posted 07-16-2017 13:03

     Hi, I am trying to configure a transparent proxy with an SRX240 and SQUID. The SRX240 is my GW and I want to forward traffic to the SQUID server using PBR, but it's not working.

     Here's my related config.

     

    LAN testing station [security zone LAN]  - 192.168.1.98  

    SQUID proxy          [security zone DMZ] - 192.168.200.22

     

    I've configured firewall filter and placed as input on SRX LAN GW interface

     

    # run show configuration firewall family inet filter SQUID
    term 1 {
        from {
            source-address {
                192.168.1.98/32;
            }
            destination-address {
                0.0.0.0/0;
            }
            protocol tcp;
            destination-port [ 80 443 ];
        }
        then {
            log;
            routing-instance SQUID-VRF;
        }
    }
    term 2 {
        then accept;
    }
    # run show configuration interfaces reth5     
    description LAN;
    redundant-ether-options {
        redundancy-group 5;
        minimum-links 1;
    }
    unit 0 {
        family inet {
            filter {
                input SQUID;
            }
            sampling {
                input;
                output;
            }
            address 192.168.1.1/24;
        }
    }
    
    

    I've configured the VRF and routing-options.

     

    # run show configuration routing-instances 
    SQUID-VRF {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 192.168.200.22;
            }
        }
    }
    
    rib-groups {
        IMPORT-PHY {
            import-rib [ inet.0 SQUID-VRF.inet.0 ];
        }
    }
    

    And here's my security policy between the zones:

     

    # run show security policies from-zone LAN to-zone DMZ policy-name allow-web   
    node0:
    --------------------------------------------------------------------------
    From zone: LAN, To zone: DMZ
      Policy: allow-web, State: enabled, Index: 100, Scope Policy: 0, Sequence number: 15
        Source addresses: any
        Destination addresses: squid
        Applications: junos-http, junos-https
        Action: permit, log
    

    When I initiate HTTP or HTTPS traffic from my testing station, no traffic arrives on the SQUID server.

     

    [root@squid ~]# tcpdump -ni eno16780032 not port 22 | grep -i 192.168.1.98
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eno16780032, link-type EN10MB (Ethernet), capture size 65535 bytes
    ^C
    0 packets captured
    0 packets received by filter
    0 packets dropped by kernel
    [root@squid ~]# iptables -nvL -t nat
    Chain PREROUTING (policy ACCEPT 95 packets, 5100 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 DNAT       tcp  --  *      *       192.168.0.0/23       0.0.0.0/0            tcp dpt:443 to:192.168.200.22:3129
        0     0 DNAT       tcp  --  *      *       192.168.0.0/23       0.0.0.0/0            tcp dpt:80 to:192.168.200.22:3128
    

    The firewall filter matches the traffic, but it looks like it's not routed properly.

    # run show firewall log interface reth5 
    Log :
    Time      Filter    Action Interface     Protocol        Src Addr                         Dest Addr
    21:22:59  pfe       A      reth5.0       TCP             192.168.1.98                     2.21.74.91
    21:22:59  pfe       A      reth5.0       TCP             192.168.1.98                     35.167.151.38
    21:22:59  pfe       A      reth5.0       TCP             192.168.1.98                     172.217.23.206
    21:22:59  pfe       A      reth5.0       TCP             192.168.1.98                     54.229.224.146
    21:22:58  pfe       A      reth5.0       TCP             192.168.1.98                     35.167.184.4
    21:22:58  pfe       A      reth5.0       TCP             192.168.1.98                     2.21.74.91
    21:22:58  pfe       A      reth5.0       TCP             192.168.1.98                     2.21.74.105
    

    And here's my routing table:

    inet.0: 24 destinations, 25 routes (24 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    0.0.0.0/0          *[Static/5] 19w1d 10:40:40
                        > to x.x.x.x via reth1.0
    x.x.x.x/29         *[Direct/0] 19w1d 10:40:40
                        > via reth1.0
                        [Direct/0] 19w1d 10:29:15
                        > via reth1.0
    x.x.x.x/32         *[Local/0] 19w1d 11:26:02
                          Local via reth1.0
    x.x.x.x/32         *[Local/0] 19w1d 10:29:15
                          Local via reth1.0
    192.168.1.0/24     *[Direct/0] 19w1d 10:23:37
                        > via reth5.0
    192.168.1.1/32     *[Local/0] 35w3d 23:02:46
    
    192.168.200.0/24   *[Direct/0] 19w1d 10:24:53
                        > via reth6.0       
    192.168.200.1/32   *[Local/0] 35w3d 23:02:46
    
    
    
    SQUID-VRF.inet.0: 18 destinations, 19 routes (18 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    0.0.0.0/0          *[Static/5] 00:29:07
                        > to 192.168.200.22 via reth6.0
    x.x.x.x/29         *[Direct/0] 00:29:07
                        > via reth1.0
                        [Direct/0] 00:29:07
                        > via reth1.0
    x.x.x.x/32         *[Local/0] 00:29:07
                          Local via reth1.0
    x.x.x.x/32         *[Local/0] 00:29:07
                          Local via reth1.0
    
    192.168.1.0/24     *[Direct/0] 00:29:07
                        > via reth5.0
    192.168.1.1/32     *[Local/0] 00:29:07
                          Local via reth5.0
    192.168.200.1/32   *[Local/0] 00:29:07
    

    I thank you for your advice. If you need more detail, please let me know.

     



  • 2.  RE: PBR between zones

     
    Posted 07-16-2017 17:43

    Do you have the routing options > interface routes configured?

    routing-options {
        interface-routes {
            rib-group inet IMPORT-PHY;
        }
    }


  • 3.  RE: PBR between zones

    Posted 07-17-2017 04:29

    Yes, I do.

     

    > show configuration routing-options 
    interface-routes {
        rib-group inet IMPORT-PHY;
    }
    static {
        route 10.253.253.0/24 next-hop 172.31.0.6;
        route 172.22.0.0/16 next-hop 172.31.0.6;
        route 0.0.0.0/0 next-hop x.x.x.x;
        route 192.168.168.0/23 next-hop 192.168.200.11;
        route 192.168.0.0/24 next-hop st0.1;
        route 192.168.201.0/24 next-hop st0.1;
        route 192.168.170.0/24 next-hop 192.168.200.11;
    }
    rib-groups {
        IMPORT-PHY {
            import-rib [ inet.0 SQUID-VRF.inet.0 ];
        }
    }
    


  • 4.  RE: PBR between zones
    Best Answer

     
    Posted 07-19-2017 15:45

    This policy will not apply to your original traffic.

    # run show security policies from-zone LAN to-zone DMZ policy-name allow-web   
    node0:
    --------------------------------------------------------------------------
    From zone: LAN, To zone: DMZ
      Policy: allow-web, State: enabled, Index: 100, Scope Policy: 0, Sequence number: 15
        Source addresses: any
        Destination addresses: squid
        Applications: junos-http, junos-https
        Action: permit, log

    The policy that will be applied will be for the destination address in the original packet, to the reth1.0 interface zone.

    The policy should be to this zone and for "any" destination.

    0.0.0.0/0          *[Static/5] 19w1d 10:40:40
                        > to x.x.x.x via reth1.0
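As an added example (this is not code from the thread or from Juniper), the Python below models the two lookups the best answer is describing for the first packet of a flow: the reth5.0 input filter selects a routing instance, the route found there gives the egress interface and therefore the to-zone, and the security policy is then matched against the original packet's destination, which is still the public address seen in the firewall log (2.21.74.91 and friends), not the Squid address. The addresses, routes, filter terms and the posted policy are taken from the thread; the interface-to-zone mapping, the zone name for reth1.0 ("UNTRUST") and the rule that the to-zone follows the route lookup in the instance the filter selected are assumptions of the model. The outcome the answer points at does not depend on which zone the to-zone resolves to: an address-book entry of 192.168.200.22/32 can never match a destination of 2.21.74.91, so the policy falls through to the default deny until the destination is "any".

```python
"""Model of the SRX filter-based-forwarding + security-policy lookup from the thread.

Added example, not the poster's or Juniper's code. It simulates: input filter
(FBF) -> routing instance -> egress interface -> to-zone -> policy match on
the ORIGINAL 5-tuple.
"""
import ipaddress
from dataclasses import dataclass

# Interface -> security zone. reth5 = LAN and reth6 = DMZ follow the thread;
# the zone name of reth1 is not given in the post, so "UNTRUST" is assumed.
INTERFACE_ZONE = {"reth5.0": "LAN", "reth6.0": "DMZ", "reth1.0": "UNTRUST"}

# Routing tables from the post, reduced to the routes that matter here:
# (prefix, egress interface). The x.x.x.x routes are left out.
RIBS = {
    "inet.0": [
        ("192.168.1.0/24", "reth5.0"),
        ("192.168.200.0/24", "reth6.0"),
        ("0.0.0.0/0", "reth1.0"),
    ],
    "SQUID-VRF.inet.0": [
        ("192.168.1.0/24", "reth5.0"),
        ("0.0.0.0/0", "reth6.0"),  # static default to 192.168.200.22 via reth6.0
    ],
}


def route_lookup(rib, dst):
    """Longest-prefix match in one RIB; returns the egress interface."""
    addr = ipaddress.ip_address(dst)
    best_net, best_ifl = None, None
    for prefix, ifl in RIBS[rib]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_ifl = net, ifl
    return best_ifl


def fbf_filter(src, proto, dport):
    """Filter SQUID from the post: term 1 diverts the test host's web traffic
    to SQUID-VRF, term 2 accepts everything else (normal inet.0 lookup)."""
    if src == "192.168.1.98" and proto == "tcp" and dport in (80, 443):
        return "SQUID-VRF.inet.0"
    return "inet.0"


@dataclass
class Policy:
    from_zone: str
    to_zone: str
    src: list    # address prefixes, or ["any"]
    dst: list
    dports: set  # junos-http / junos-https


def _addr_match(addr, prefixes):
    if "any" in prefixes:
        return True
    return any(ipaddress.ip_address(addr) in ipaddress.ip_network(p) for p in prefixes)


def policy_permits(policies, from_zone, to_zone, src, dst, dport):
    """First policy for the zone pair that matches wins; no match is a deny."""
    for p in policies:
        if ((p.from_zone, p.to_zone) == (from_zone, to_zone)
                and _addr_match(src, p.src) and _addr_match(dst, p.dst)
                and dport in p.dports):
            return True
    return False


def forward_first_packet(policies, src, dst, dport=80, ingress="reth5.0"):
    """Returns (routing instance used, to-zone, permitted) for a first packet.

    FBF changes which table the route lookup uses; it does not rewrite the
    header, so the policy still sees the original destination address."""
    rib = fbf_filter(src, "tcp", dport)
    to_zone = INTERFACE_ZONE[route_lookup(rib, dst)]
    from_zone = INTERFACE_ZONE[ingress]
    return rib, to_zone, policy_permits(policies, from_zone, to_zone, src, dst, dport)


# Policy as posted: destination limited to the address-book entry "squid".
POSTED = [Policy("LAN", "DMZ", ["any"], ["192.168.200.22/32"], {80, 443})]
# Policy as the best answer suggests: same zone pair, destination "any".
FIXED = [Policy("LAN", "DMZ", ["any"], ["any"], {80, 443})]

# Destinations copied from the "show firewall log interface reth5" output.
LOGGED_DESTS = ["2.21.74.91", "35.167.151.38", "172.217.23.206"]


def evaluate(policies):
    """Run every logged destination through the model for the test host."""
    return {dst: forward_first_packet(policies, "192.168.1.98", dst) for dst in LOGGED_DESTS}


if __name__ == "__main__":
    for name, pol in (("posted", POSTED), ("fixed", FIXED)):
        for dst, (rib, zone, ok) in evaluate(pol).items():
            print(f"{name:6} {dst:15} via {rib:17} to-zone {zone}: {'permit' if ok else 'DENY'}")
```

Running it prints a DENY for every logged destination under the posted policy and a permit under the fixed one, which is the behaviour the best answer predicts: the FBF part was already working (the filter log shows the hits), the flow was dying at the policy lookup.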