SRX300 - Filter Based Forwarding

  • 1.  SRX300 - Filter Based Forwarding

    Posted 10-10-2018 14:22

        Hi all,

    I am trying (and failing) to configure Filter Based Forwarding on an SRX300 running 15.1X49-D140.2. In a nutshell I am trying to forward traffic for a small number of hosts towards an RPi running an OpenVPN connection, to use as their default outbound connection.

    I have followed this KB article:

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB23300

     

    .... and ended up with the following config:

     

    firewall {                              
        family inet {
            filter ARM02-OPENVPN {
                term 0 {
                    from {
                        source-address {
                            10.83.30.5/32;
                            10.83.30.12/32;
                        }
                    }
                    then {
                        count ARM02-OPENVPN-COUNTER;
                        syslog;
                        routing-instance ARM02-ROUTER;
                    }
                }
                term 1 {
                    then accept;
                }
            }
        }
    }

     

     

    routing-options {
        interface-routes {
            rib-group inet ARM02-ROUTER;
        }
        rib-groups {
            ARM02-ROUTER {
                import-rib [ inet.0 ARM02-ROUTER.inet.0 ];
            }
        }
    } 
    routing-instances {
        ARM02-ROUTER {
            instance-type forwarding;
            routing-options {
                static {
                    route 0.0.0.0/0 next-hop 10.83.42.1;
                }
            }
        }                                   
    } 
    

     

     

    interfaces {
        irb {
            unit 30 {
                description INSIDE_VLAN;
                family inet {
                    filter {
                        input ARM02-OPENVPN;
                    }
                    address 10.83.30.254/24;
                    address 10.83.48.254/24;
                }
            }
        }
    }

     

    I can see the filter is working:

     

    Filter: ARM02-OPENVPN                                          
    Counters:
    Name                                                Bytes              Packets
    ARM02-OPENVPN-COUNTER                              821189                 9257
    

     

    The routing looks good:

     

    Routing table: ARM02-ROUTER.inet
    Internet:
    Destination        Type RtRef Next hop           Type Index    NhRef Netif
    default            user     0 b8:27:eb:e1:e0:a4  ucst     1370     3 ge-0/0/3.0
    

    ...the outbound interface and MAC address match the RPi.

     

     

    However, whilst the counter 'ARM02-OPENVPN-COUNTER' increments, if I run tcpdump on the RPi eth0 interface I don't see any of the HTTPS packets I am expecting. The SRX seems to be correctly detecting the packets on ingress but then dropping them on egress.

    I am still in my early days of junos so troubleshooting skills are certainly lacking!

     

    Any help is much appreciated.

     

    cheers,

    Seb.



  • 2.  RE: SRX300 - Filter Based Forwarding

    Posted 10-10-2018 14:35

    Hi, Seb

     

    Is the /32 prefix on the filter expected? Meaning that only 10.83.30.5 and 10.83.30.12 will be affected by this FBF config?

     

    The routing looks fine. What about the security policies? Are they permitting the traffic? Check if a session is getting created:

     

    > show security flow session destination-prefix [dst_address] source-prefix [src_address] destination-port 443

     

     

     

     



  • 3.  RE: SRX300 - Filter Based Forwarding

    Posted 10-11-2018 12:43

    Hi,

    thanks for the reply.

    Yes currently I only want two hosts from 10.83.30.0/24 to be re-directed. The security policy looks like:

    policy ARM02 {
        match {
            source-address any-ipv4;
            destination-address ARM02;
            application [ junos-dns-udp junos-dns-tcp junos-ssh junos-https junos-http ];
        }
        then {
            permit;
        }
    }

    I know this works fine as ARM02 runs pi-hole and I can browse to the webGUI for that service on HTTPS without issue.

     

    Running your suggested command gives me:

    show security flow session source-prefix 10.83.30.12    
    Session ID: 10908, Policy name: INSIDE-TO-OUTSIDE/4, Timeout: 1722, Valid
      In: 10.83.30.12/43221 --> 216.58.213.74/443;tcp, Conn Tag: 0x0, If: irb.30, Pkts: 15, Bytes: 3526, 
      Out: 216.58.213.74/443 --> x.x.x.x/24804;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 11, Bytes: 4156, 
    
    Session ID: 12969, Policy name: INSIDE-TO-OUTSIDE/4, Timeout: 1462, Valid
      In: 10.83.30.12/50593 --> 157.240.1.32/443;tcp, Conn Tag: 0x0, If: irb.30, Pkts: 10, Bytes: 1249, 
      Out: 157.240.1.32/443 --> x.x.x.x/20051;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 8, Bytes: 3842, 
    
    Session ID: 12977, Policy name: INSIDE-TO-OUTSIDE/4, Timeout: 1790, Valid
      In: 10.83.30.12/38191 --> 64.233.184.188/5228;tcp, Conn Tag: 0x0, If: irb.30, Pkts: 47, Bytes: 3641, 
      Out: 64.233.184.188/5228 --> x.x.x.x/9314;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 34, Bytes: 12745, 
    
    Session ID: 13034, Policy name: INSIDE-TO-OUTSIDE/4, Timeout: 1720, Valid
      In: 10.83.30.12/55815 --> 216.58.206.46/443;tcp, Conn Tag: 0x0, If: irb.30, Pkts: 11, Bytes: 914, 
      Out: 216.58.206.46/443 -->x.x.x.x/5889;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 11, Bytes: 4649, 
    Total sessions: 4
    

    So it looks like traffic is leaving via ge-0/0/0 which is connected to the internet link, which is not the ge-0/0/3 that the routing table indicates should be used!?

     

    Any ideas? 🙂

     

    cheers,

    Seb.



  • 4.  RE: SRX300 - Filter Based Forwarding

    Posted 10-11-2018 13:05

    Let's see how the SRX is processing the packets.

     

    Configure flow traceoptions for HTTPS packets coming from 10.83.30.5 to the ARM02 address:

     

    set security flow traceoptions file TEST
    set security flow traceoptions flag basic-datapath
    set security flow traceoptions packet-filter TEST source-prefix 10.83.30.5/32
    set security flow traceoptions packet-filter TEST destination-prefix [ARM02_ADDRESS]
    set security flow traceoptions packet-filter TEST destination-port 443

    Commit the configuration and try sending traffic from .5 and after that see that data was saved to the file TEST:

     

    > show log TEST

    Please share with us the information saved to TEST file. Ideally attach the file itself.

     

     



  • 5.  RE: SRX300 - Filter Based Forwarding

    Posted 10-12-2018 03:11

    Hello again,

    OK so the traceoptions look like:

    show configuration security flow traceoptions    
    file TEST;
    flag basic-datapath;
    packet-filter TEST {
        source-prefix 10.83.30.12/32;
        destination-prefix 10.83.42.1/32;
        destination-port 443;
    }
    

    ..but the log file looks like:

    show log TEST    
    Oct 12 10:07:27 CS7-HQ-FW02 clear-log[20259]: logfile cleared
    
    

    ...as a sanity test, if I directly connect to https://10.83.42.1 from 10.83.30.12 the log file shows loads of output, but just relying on the FBF nothing happens.

     

    Is this looking like a bug?

     

    cheers,

    Seb.



  • 6.  RE: SRX300 - Filter Based Forwarding

    Posted 10-12-2018 08:54

    @seb_rupik

    ...as a sanity test if I directly connect to https://10.83.42.1 from 10.83.30.12 the log file shows loads of output,


    Yes, this is what I would expect. Can you share the file with that info?

     

    What is the other way you would use to connect? if it is by using a URL (a domain-name) then maybe there is a DNS problem where your PC is not being able to resolve IP address 10.83.42.1 from the URL being used.

     



  • 7.  RE: SRX300 - Filter Based Forwarding

    Posted 10-12-2018 12:10

    OK, so attempting to connect to any random website from 10.83.30.12 shows nothing in the log. If I connect directly to http://10.83.42.1 the connection is successful and the log starts to fill. Attached 'FBF_traceoption_log.txt'.

     

    Then I had a brain wave, altered the flow traceoption and attempted to browse to some website:

    show configuration security flow traceoptions packet-filter TEST 
    source-prefix 10.83.30.12/32;
    destination-port 80-443;

    See log file 'FBF_working_maybe.txt' . This has the encouraging line:

    Oct 12 18:48:34 18:48:34.674250:CID-0:RT:  routed (x_dst_ip 143.204.229.127) from INSIDE (irb.30 in 0) to irb.22, Next-hop: 10.83.42.1

    ...but then a little later:

    Oct 12 18:48:34 18:48:34.674250:CID-0:RT:  denied by policy default-policy-logical-system-00(2), dropping pkt

    Where is that policy coming from? I have a policy for INSIDE -> SERVERS:

    show configuration security policies from-zone INSIDE to-zone SERVERS 
    policy ARM02 {
        match {
            source-address any-ipv4;
            destination-address ARM02;
            application [ junos-dns-udp junos-dns-tcp junos-ssh junos-https junos-http ];
        }
        then {
            permit;
        }
    }
    

    Thanks for your patience with this 🙂

     

    cheers,

    Seb.

    Attachment(s): FBF_working_maybe.txt (4 K), FBF_traceoption_log.txt (33 K)


  • 8.  RE: SRX300 - Filter Based Forwarding
    Best Answer

    Posted 10-12-2018 16:24

    Can you share the output from: 

     

    root@srx# show | display set | match ARM02

    Note that your policy only permits traffic destined to ARM02 (I assume it represents IP address 10.83.42.1). If this is the case, then it is expected that the rest of the traffic is getting blocked.

     

    If you need to send traffic from 10.83.30.12 to several IP addresses, you either need to specify all these addresses in the destination section of the security policy or use the "any" option.

     

     



  • 9.  RE: SRX300 - Filter Based Forwarding

    Posted 10-13-2018 12:29

    That was it! For the record, this is the policy that got it working:

     

    policies {
        from-zone INSIDE to-zone SERVERS {
            policy ARM02_FBF {
                match {
                    source-address INSIDE-NET-10.83.30;
                    destination-address any-ipv4;
                    application [ junos-https junos-http ];
                }
                then {
                    permit;
                }
            }
        }
    }

     

    Many thanks!!

     

    cheers,

    Seb.
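The lesson in this thread is that FBF only changes the route lookup: once the filter pushes the packet into ARM02-ROUTER, the egress interface becomes irb.22 in the SERVERS zone, so the INSIDE -> SERVERS policy set is evaluated for every destination on the internet, and anything that policy does not explicitly permit falls to the default deny (the `denied by policy default-policy-logical-system-00` line in the trace). Below is an added example that is not part of the original thread: the pieces Seb posted assembled as one `set`-format configuration, with the security policy scoped to the two redirected hosts instead of the whole /24. The filter, rib-group, routing-instance, interface, zone and application names are taken from the posts; the `FBF-HOSTS` address-book entries and the `log session-init` action are my assumptions, added so the policy matches only the hosts the filter actually redirects and so the sessions are visible in syslog.

```junos
# Added example, not the original poster's config. Comment lines are for the reader;
# strip them before feeding this to "load set terminal".

# 1. Ingress filter: only the two /32s are steered into the forwarding instance.
#    "term 1 then accept" is required: without it the filter's implicit discard
#    drops every other host on irb.30.
set firewall family inet filter ARM02-OPENVPN term 0 from source-address 10.83.30.5/32
set firewall family inet filter ARM02-OPENVPN term 0 from source-address 10.83.30.12/32
set firewall family inet filter ARM02-OPENVPN term 0 then count ARM02-OPENVPN-COUNTER
set firewall family inet filter ARM02-OPENVPN term 0 then routing-instance ARM02-ROUTER
set firewall family inet filter ARM02-OPENVPN term 1 then accept
set interfaces irb unit 30 family inet filter input ARM02-OPENVPN

# 2. Forwarding instance with its own default route towards the RPi, plus the
#    rib-group that copies interface routes from inet.0 so the next hop 10.83.42.1
#    is resolvable inside ARM02-ROUTER.inet.0.
set routing-options interface-routes rib-group inet ARM02-ROUTER
set routing-options rib-groups ARM02-ROUTER import-rib [ inet.0 ARM02-ROUTER.inet.0 ]
set routing-instances ARM02-ROUTER instance-type forwarding
set routing-instances ARM02-ROUTER routing-options static route 0.0.0.0/0 next-hop 10.83.42.1

# 3. Security policy. FBF makes the egress zone SERVERS (irb.22), so the policy
#    must permit INSIDE -> SERVERS for *any* destination, but only for the hosts
#    the filter redirects (assumed address-set FBF-HOSTS), not the whole 10.83.30.0/24.
set security address-book global address FBF-HOST-10.83.30.5 10.83.30.5/32
set security address-book global address FBF-HOST-10.83.30.12 10.83.30.12/32
set security address-book global address-set FBF-HOSTS address FBF-HOST-10.83.30.5
set security address-book global address-set FBF-HOSTS address FBF-HOST-10.83.30.12
set security policies from-zone INSIDE to-zone SERVERS policy ARM02_FBF match source-address FBF-HOSTS
set security policies from-zone INSIDE to-zone SERVERS policy ARM02_FBF match destination-address any-ipv4
set security policies from-zone INSIDE to-zone SERVERS policy ARM02_FBF match application junos-https
set security policies from-zone INSIDE to-zone SERVERS policy ARM02_FBF match application junos-http
set security policies from-zone INSIDE to-zone SERVERS policy ARM02_FBF then permit
set security policies from-zone INSIDE to-zone SERVERS policy ARM02_FBF then log session-init
```

Two caveats a practitioner should check after committing. First, the filter redirects all traffic from the two hosts, but this policy only permits HTTP and HTTPS; anything else those hosts send (the TCP/5228 session visible in the earlier `show security flow session` output, for instance) will now hit the default deny instead of leaving via ge-0/0/0, which may be exactly what you want for a VPN-only host, but it is a change in behaviour. Either add the applications you need or accept the silent drop. Second, confirm the zone the packets really land in with `show security zones` (that irb.22 is in SERVERS) and watch `show security flow session source-prefix 10.83.30.12` for an `Out:` interface of irb.22 rather than ge-0/0/0.0; if the `Out:` side still shows ge-0/0/0.0 the filter is not steering the lookup and the problem is in steps 1 or 2, not in the policy.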