SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  OSPF neighbor not routing

    Posted 02-16-2022 14:32
    I have a network like:

    [Image: srx ospf routing]
    I can ping the 192.168.30.1 from the remote Mikrotik LAN interface 172.16.30.3/24, but it won't route out to the internet. OSPF "seems" to be working fine, just don't know why it doesn't NAT through the SRX to the internet. I can ping my laptop from the srx at 172.16.30.254. Other subnets on ge-0/0/2 NAT to internet fine. Am I missing a route?

    Relevant config:

    root@ospftest1# show routing-options 
    static {
        route 0.0.0.0/0 next-hop 1.2.3.4;
    }
    root@ospftest1# show interfaces
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 1.2.3.4/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.30.1/24;
            }
        }
    }
    
    protocols {
        ospf {
            export REDISTRIBUTE_ALL_STATIC; 
            area 1.1.1.1 {
                interface ge-0/0/1.0;
            }
        }
        stp;
    }
    policy-options {
        policy-statement REDISTRIBUTE_ALL_STATIC {
            term 1 {
                from protocol direct;
                then accept;
            }
        }
    }
    
    [edit security nat]
    root@ospftest1# show
    source {
        rule-set tower1-internet {
            from zone tower1;
            to zone untrust;
            rule tower1-internet {
                match {
                    source-address 0.0.0.0/0;
                }
                then {
                    source-nat {
                        interface;
                    }
                }
            }
        }
    }
    
    [edit security policies]
    root@ospftest1# show                                        
    from-zone tower1 to-zone untrust {
        policy tower1-untrust {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    
    [edit security zones]
    root@ospftest1# show 
    
    security-zone tower1 {
        host-inbound-traffic {
            system-services {
                ping;
            }
            protocols {
                all;
            }                               
        }
        interfaces {
            ge-0/0/1.0;
        }
    }


    OSPF info:

    root@ospftest1> show ospf route 
    Topology default Route Table:
    
    Prefix             Path  Route      NH       Metric NextHop       Nexthop      
                       Type  Type       Type            Interface     Address/LSP
    172.16.30.1        Intra Router     IP            1 ge-0/0/1.0    192.168.30.2
    192.168.30.0/24    Intra Network    IP            1 ge-0/0/1.0
    
    root@ospftest1> show ospf neighbor 
    Address          Interface              State     ID               Pri  Dead
    192.168.30.2     ge-0/0/1.0             Full      172.16.30.1        1    33
    
    root@ospftest1> show ospf overview    
    Instance: master
      Router ID: 10.30.10.1
      Route table index: 0
      AS boundary router
      LSA refresh time: 50 minutes
      DoNotAge uncapable
        Area scope LSAs received with no DC bit: 1
      Area: 1.1.1.1
        Stub type: Not Stub
        Authentication Type: None
        Area border routers: 0, AS boundary routers: 0
        Neighbors
          Up (in full state): 1
        DoNotAge uncapable
          Area scope LSAs received with no DC bit: 1
      Topology: default (ID 0)
        Prefix export count: 3
        Full SPF runs: 18
        SPF delay: 0.200000 sec, SPF holddown: 5 sec, SPF rapid runs: 3
        Backup SPF: Not Needed
    


  • 2.  RE: OSPF neighbor not routing

    Posted 02-18-2022 15:48
    Edited by emacdermid 02-18-2022 17:08
    I found out the SRX wasn't pushing a default route to the Mikrotik, so I added:

    set policy-options policy-statement ospf-default from protocol static
    set policy-options policy-statement ospf-default from route-filter 0.0.0.0/0 exact
    set policy-options policy-statement ospf-default then accept
    set protocols ospf export ospf-default


    Now it works, the routing table on my Mikrotik looks like:

    [admin@MikroTik] > /ip route print
    Flags: X - disabled, A - active, D - dynamic,
    C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
    B - blackhole, U - unreachable, P - prohibit
     #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
     0 ADo  0.0.0.0/0                          192.168.30.1            110
     1 ADo  1.2.3.1/29                         192.168.30.1            110
     2  DC  172.16.30.0/24     172.16.30.1     ether2-master           255
     3 ADo  192.168.20.0/24                    192.168.30.1            110
     4 ADC  192.168.30.0/24    192.168.30.2    ether5                    0


  • 3.  RE: OSPF neighbor not routing

    Posted 02-21-2022 05:43
    Your original configuration was just redistributing the directly connected interfaces, and not the default. That is, the default gateway wasn't being exported.
    policy-options {
        policy-statement REDISTRIBUTE_ALL_STATIC {
            term 1 {
                from protocol direct;
                then accept;
            }
        }
    }


    ------------------------------
    JASON ROBERTSON
    ------------------------------
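
The export behaviour discussed in this thread, as an added example that is not part of any post: a small Python model of how an OSPF export policy chain is evaluated, showing why the static default was not advertised until a matching term existed, and that the `exact` route-filter keeps other static routes out. The route list is constructed, the 10.99.0.0/16 static is hypothetical, and it assumes both policies end up in the export chain, as the Mikrotik route table suggests.

```python
import ipaddress

# Constructed sample of the SRX's active routes: (protocol, prefix).
ROUTES = [
    ("static", "0.0.0.0/0"),
    ("static", "10.99.0.0/16"),      # hypothetical extra static route
    ("direct", "192.168.20.0/24"),
    ("direct", "192.168.30.0/24"),
]

# The two policies from the thread, reduced to their match conditions.
REDISTRIBUTE_ALL_STATIC = [{"protocol": "direct", "then": "accept"}]
OSPF_DEFAULT = [{"protocol": "static",
                 "route_filter": ("0.0.0.0/0", "exact"),
                 "then": "accept"}]


def filter_matches(prefix, route_filter):
    """Model the route-filter match types 'exact' and 'orlonger' only."""
    if route_filter is None:
        return True
    net = ipaddress.ip_network(prefix)
    flt = ipaddress.ip_network(route_filter[0])
    if route_filter[1] == "exact":
        return net == flt
    if route_filter[1] == "orlonger":
        return net.subnet_of(flt)
    raise ValueError("unmodelled match type: " + route_filter[1])


def exported(route, chain):
    """First matching term decides; an unmatched route is rejected."""
    proto, prefix = route
    for policy in chain:
        for term in policy:
            if term.get("protocol") in (None, proto) and \
                    filter_matches(prefix, term.get("route_filter")):
                return term["then"] == "accept"
    return False  # the default OSPF export policy rejects everything


def advertised(chain):
    """Prefixes from ROUTES that the export chain would advertise."""
    return [p for proto, p in ROUTES if exported((proto, p), chain)]


if __name__ == "__main__":
    print("before:", advertised([REDISTRIBUTE_ALL_STATIC]))
    print("after: ", advertised([REDISTRIBUTE_ALL_STATIC, OSPF_DEFAULT]))
```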