
Routing multiple subnets over the same external interface

  • 1.  Routing multiple subnets over the same external interface

    Posted 08-17-2021 15:21

    Dear Juniperians,

    It has been a while since I've touched a Junos device but I'm happy to say most of it feels like riding a bike. Especially when you've learned it the hard (CLI) way.

    At this moment I'm looking at a SRX240 running the latest Junos version. We have one ISP uplink configured at this moment there will be a second uplink in the near future but we have to start somewhere.  We have two ASNs configured on the SRX. Both ASNs have their own public routable subnet. The BGP part is working fine but now comes the routing part.

    The subnet for ASN1 is configured on the external interface:

    ge-0/0/15 {
        enable;
        unit 0 {
            family inet {
                mtu 1500;
                address SUBNET1/29;
            }
            family inet6 {
                mtu 1500;
                address SUBNET1/120;
            }
        }
    }

    The subnet for ASN2 is configured on a VLAN because we want to assign these IP addresses to machines behind that VLAN directly without using NAT:
    vlan {
        unit 10 {
            family inet {
                address SUBNET2/24;
            }
            family inet6 {
                address SUBNET2/29;
            }
        }
    }

    I have assigned a couple of machines with a public IP from SUBNET2. Routing over interface 15 works fine and I'm able to ping outside. The only issue is that when I do a curl on something like IPinfo I get the IP from SUBNET1/ASN1 back instead of the external IP I've configured from the SUBNET2 block.

    Should I switch interface 15 to ethernet-switching or apply some other kind of routing setting to make sure traffic from SUBNET2 is properly routed to and from SUBNET2?

    Many thanks!



  • 2.  RE: Routing multiple subnets over the same external interface

    Posted 08-24-2021 12:27
    What this all comes down to basically:

    What is the recommended way of configuring 2 public subnets on one external interface?

    ------------------------------
    Casper
    Security Engineer
    ------------------------------



  • 3.  RE: Routing multiple subnets over the same external interface

    Posted 08-26-2021 05:48
    I'm not sure I follow but I think what is happening is your traffic is hitting a global source nat rule that comes by default on the SRX.  

    If this is the case you will need to modify that nat rule to only cover the rfc1918 space instead of all traffic as it is by default.  Once narrowed to that scope your public ip traffic from the new subnet should remain unchanged.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------
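The narrowed source NAT rule Steve describes, written out as an added illustration (not configuration from this thread or from Juniper); it assumes the rule-set and rule carry the factory-default names trust-to-untrust and source-nat-rule, so check them with show configuration security nat source before editing.

```junos
security {
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        /* factory default is source-address 0.0.0.0/0, which also
                           catches the public SUBNET2 hosts on vlan.10 and hides
                           them behind the SUBNET1 address of ge-0/0/15 */
                        source-address [ 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 ];
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
}
```

After commit, show security nat source rule all should list only the three private ranges in the match, and a curl from a SUBNET2 host should return its own address.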



  • 4.  RE: Routing multiple subnets over the same external interface

    Posted 08-26-2021 09:07

    Hi Steve,

    I've been able to trace back the issue here. In the end, the configuration above should have been working. I should have picked a small subnet of the /24 for some reason because when I configure the full /24 on a VLAN the announcement to BGP drops and it doesn't work. Now I have a /27 configured out of that /24 block and it works fine.

    I've tested the routing and the machine in VLAN10 is connected and routing SUBNET2 without NAT (NAT is not preferred for our setup).

    There is one more issue now. If I do some scanning from that machine our VPN tunnel that IS behind NAT on SUBNET1 still goes down. I've checked "show security flow session nat extensive". That only shows the NAT flow for the VPN tunnel I'm using so I can safely say NAT is not the issue here.  There must be something else clogging up when we do NMAP and ZMAP scans. The firewall itself is still reachable and functions fine, it is however remarkably slower when I execute commands in the CLI.

    Any idea where to look next?

    Many thanks!



    ------------------------------
    Casper
    Security Engineer
    ------------------------------



  • 5.  RE: Routing multiple subnets over the same external interface

    Posted 08-27-2021 05:57
    When you add the full /24 to an interface this local route will become the active one in the local table.  As a result any bgp policy you have will have to also accept direct routes and not just bgp ones in the policy accept statement to advertise that route again.

    When you do scans on the SRX you are creating sessions for each of those connections that are permitted.  If you do enough of them fast enough you can fill the session table and cause the slowdowns you are seeing in the cli.  This is because the cli gets lower priority over traffic to keep things moving.

    I am having trouble understanding what the nat question is.  Do you want nat on or off?
    Is nat currently on or off for the desired traffic?

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------
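An export policy that accepts the public prefixes whether the active route is direct or an aggregate, as Steve's reply calls for; this is an added example, not the thread's or Juniper's configuration, and the group name ISP, the policy and prefix-list names, and the SUBNET1/29 and SUBNET2/24 placeholders are assumed.

```junos
routing-options {
    aggregate {
        /* with only a /27 of SUBNET2 on vlan.10, the full /24 must exist
           as an aggregate (or static discard) route before it can be advertised */
        route SUBNET2/24;
    }
}
policy-options {
    prefix-list OUR-PUBLIC-PREFIXES {
        SUBNET1/29;
        SUBNET2/24;
    }
    policy-statement EXPORT-TO-ISP {
        /* when the whole /24 is configured on vlan.10 it is a direct route,
           so a policy matching only protocol bgp or aggregate drops it */
        term our-direct-routes {
            from {
                protocol direct;
                prefix-list OUR-PUBLIC-PREFIXES;
            }
            then accept;
        }
        term our-aggregates {
            from {
                protocol aggregate;
                prefix-list OUR-PUBLIC-PREFIXES;
            }
            then accept;
        }
        term nothing-else {
            then reject;
        }
    }
}
protocols {
    bgp {
        group ISP {
            export EXPORT-TO-ISP;
        }
    }
}
```

Confirm the prefix actually leaves with show route advertising-protocol bgp followed by the ISP neighbour address; for the slowdown during scans, show security flow session summary shows how full the session table is while a scan runs.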