Routing


Two ISP routing solution

  • 1.  Two ISP routing solution

    Posted 12-09-2020 17:03
    Hey Everyone,

    I have an SRX300 firewall configured with two ISP connections.  ISP1 is the main connection; it carries regular internet data traffic from two internal subnets, staff and semi-trust (visitors).  In addition, an IPsec VPN connection comes in for 23 remote users.  I have 5 static IPs from the ISP.  On the staff network there are two web servers and an FTP server; they use static NAT from the static IPs assigned by the ISP to point to these servers.  I have another subnet with my phone equipment connected; it is pointed to the ISP2 router's internal address, which bridges through to the external address.  Lastly, I have another subnet that isolates my credit card equipment, but it is not in use at this time and can be repurposed.

    During these times when video conferencing is important, we have unfortunately been experiencing choppy connections through ISP1.  We have experimented with routing through ISP2 and it cleans things up considerably, but all VPN and web/ftp server connections are disconnected when I change the default route to point to ISP2.  What I want to do is keep my VPN connections, web and ftp servers connecting through ISP1, routing traffic from those back through ISP1 the way they came and route traffic that originates from either the staff or semi-trusted network to ISP2.

    Current route is this:

    routing-options {
        static {
            /* 192.168.40.6 is ISP2 */
            route 64.28.113.0/24 next-hop 192.168.40.6;
            route 64.28.114.0/24 next-hop 192.168.40.6;
            route 64.28.116.0/24 next-hop 192.168.40.6;
            route 64.28.122.103/32 next-hop 192.168.40.6;
            route 64.28.122.100/32 next-hop 192.168.40.6;
            route 64.28.121.101/32 next-hop 192.168.40.6;
            /* 96.72.4.190 is ISP1 */
            route 96.72.4.184/29 next-hop 96.72.4.190;
            route 0.0.0.0/0 next-hop 96.72.4.190;
        }
    }

    I think the solution lies in filter-based forwarding, and I have found this article: How to configure Filter Based Forwarding on SRX for a typical dual-ISP scenario - Juniper Networks,
    but it uses ports to identify traffic.  I want to send all traffic whose source is the staff or semi-trust subnets through ISP2.  I am not sure how to filter for that traffic.

    Also, I can manage the CLI but have better luck with the web interface.  Not sure where to even attempt this filter-based forwarding; any example would help.

    If it helps to move the web/ftp servers to the credit card subnet I can do that as long as I can make a route from the staff and semi-trust networks to get there and back. 

    I need to keep access from the VPN subnet / interface to the staff subnet and route that traffic back through the VPN connections to the remote users.

    Thanks in advance for any help.  If more config details are needed let me know.  I dumped the config into a text file, so be specific about what section and I can cut/paste.

    Doug

    ------------------------------
    Doug Dearden
    ------------------------------


  • 2.  RE: Two ISP routing solution

    Posted 12-09-2020 17:25
    Did you try applying the filter directly on the interface (reth) for staff or semi-trust?  I have a similar setup to route voice and guest traffic via ISP2 and all other traffic via ISP1; here's a sample:

    FBF

    Routing instance ISP2, instance-type forwarding:

    set routing-instances ISP2 instance-type forwarding
    set routing-instances ISP2 routing-options static route 0.0.0.0/0 next-hop <ISP2 IP>
    set routing-instances ISP2 routing-options static route 0.0.0.0/0 qualified-next-hop <ISP1 IP> preference <pref>
    set routing-instances ISP2 routing-options static route 0.0.0.0/0 qualified-next-hop <ISP1 IP> metric <metric>

    Import routes into the instance's inet table:

    set routing-options rib-groups ISP2 import-rib inet.0
    set routing-options rib-groups ISP2 import-rib ISP2.inet.0
    set routing-options interface-routes rib-group inet ISP2

    Filter to route traffic from a specific source IP:

    set firewall family inet filter STAFF term 0 from source-address <staff subnet>
    set firewall family inet filter STAFF term 0 then routing-instance ISP2
    set firewall family inet filter STAFF term 1 then accept

    Apply the filter to the staff interface:

    set interfaces reth<x> unit <xx> family inet filter input STAFF


    ------------------------------
    ANKUR
    ------------------------------



  • 3.  RE: Two ISP routing solution

    Posted 12-10-2020 17:46
    Hey Ankur,

    Thanks for responding.  Translating your instructions into my specific situation, I came up with the statements below.  Have I interpreted your instructions correctly?  I wasn't able to find syntax examples in the doc.  I suspect I may need something to replace pref and metric, or a number following those.  192.168.40.6 is CenturyLink, ISP2 in my original example.  96.72.4.190 is ISP1 in my original example.  192.168.30.0/24 is my staff network.  I appreciate the help. - Doug

    set routing-instances CenturyLink routing-options static route 0.0.0.0/0 next-hop 192.168.40.6
    set routing-instances CenturyLink routing-options static route 0.0.0.0/0 qualified-next hop 96.72.4.190 pref
    set routing-instances CenturyLink routing-options static route 0.0.0.0/0 qualified-next hop 96.72.4.190 metric

    set routing-options rib-groups CenturyLink import-rib inet.0
    set routing-options rib-groups CenturyLink import-rib CenturyLink.inet.0

    set routing-options interface-routes rib-group inet CenturyLink

    set firewall family inet filter STAFF term 0 from 192.168.30.0/24
    set firewall family inet filter STAFF term 0 then routing-instance CenturyLink
    set firewall family inet filter STAFF term 1 then accept

    set interface irb.0 family inet filter input STAFF

    ------------------------------
    Doug Dearden
    ------------------------------



  • 4.  RE: Two ISP routing solution

    Posted 12-10-2020 18:18
    Looks good; as for the preference try 8, and for the metric try 100.

    ------------------------------
    ANKUR
    ------------------------------



  • 5.  RE: Two ISP routing solution

    Posted 12-10-2020 18:31
    OK, thanks again for your help.  Snowing here so I will be working from home tomorrow.  Will try it next week and let you know results.

    ------------------------------
    Doug Dearden
    ------------------------------



  • 6.  RE: Two ISP routing solution

    Posted 12-15-2020 14:26
    Hey Ankur,

    I was able to put in the config you outlined, but packets are still routing the old way.  Config pasted below, plus the first few lines from a tracert.  I can't figure out what I'm missing.  Any help appreciated. - Thanks, Doug

    SRX300# show interfaces irb.0
    family inet {
        filter {
            input STAFF;
        }
        address 192.168.30.10/24;
    }

    [edit]
    SRX300# show firewall family inet filter STAFF
    term 0 {
        from {
            address {
                192.168.30.0/24;
            }
        }
    }

    [edit]
    SRX300# show routing-instances CenturyLink
    routing-options {
        static {
            route 0.0.0.0/0 {
                next-hop 192.168.40.6;
                qualified-next-hop 96.72.4.190 {
                    preference 8;
                    metric 100;
                }
            }
        }
    }

    [edit]
    SRX300# show routing-options
    interface-routes {
        rib-group inet CenturyLink;
    }
    static {
        route 64.28.113.0/24 next-hop 192.168.40.6;
        route 64.28.114.0/24 next-hop 192.168.40.6;
        route 64.28.116.0/24 next-hop 192.168.40.6;
        route 64.28.122.103/32 next-hop 192.168.40.6;
        route 64.28.122.100/32 next-hop 192.168.40.6;
        route 64.28.121.101/32 next-hop 192.168.40.6;
        route 0.0.0.0/0 next-hop 96.72.4.190;
        route 96.72.4.184/29 next-hop 96.72.4.190;
    }
    rib-groups {
        CenturyLink {
            import-rib [ inet.0 CenturyLink.inet.0 ];
        }
    }


    First few lines of tracert:

    Tracing route to vps33669.inmotionhosting.com [205.134.251.33]
    over a maximum of 30 hops:
    1 <1 ms <1 ms <1 ms 192.168.30.10
    2 2 ms 11 ms 7 ms 96-72-4-190-static.hfc.comcastbusiness.net [96.72.4.190]

    ------------------------------
    Doug Dearden
    ------------------------------



  • 7.  RE: Two ISP routing solution

    Posted 12-15-2020 14:54
    Your filter syntax and routing instance look incorrect; see the highlighted missing syntax:

    set firewall family inet filter STAFF term 0 from source-address 192.168.30.0/24
    set firewall family inet filter STAFF term 0 then routing-instance CenturyLink
    set firewall family inet filter STAFF term 1 then accept

    set routing-instances CenturyLink instance-type forwarding

    show routing-instances CenturyLink
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 {
                next-hop 192.168.40.6;
                qualified-next-hop 96.72.4.190 {
                    preference 8;
                    metric 100;
                }
            }
        }
    }


    ------------------------------
    ANKUR
    ------------------------------



  • 8.  RE: Two ISP routing solution

    Posted 12-15-2020 17:49
    Hey Ankur,

    Thanks for the help.  That did it, and I was able to set up a second filter for my semi-trust network, similar to the one for the staff network.  Both are working correctly.  Appreciate your efforts.

    Doug

    ------------------------------
    Doug Dearden
    ------------------------------
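
Below is a consolidated set-command version of the filter-based forwarding configuration that this thread converged on, written as an added example rather than copied from Doug's or Ankur's posts. It uses the addresses given in the thread (192.168.40.6 for ISP2/CenturyLink, 96.72.4.190 for ISP1, 192.168.30.0/24 for staff on irb.0). The semi-trust subnet (192.168.31.0/24), its interface (irb.1), and the 192.168.0.0/16 internal summary are placeholders assumed for illustration, not values from the thread. It also goes one step beyond the thread by adding a first filter term that keeps traffic bound for internal ranges (other LAN subnets, VPN user pools) on inet.0, so the routing-instance action only affects internet-bound packets, and by using one filter for both source subnets instead of two separate filters.

```junos
## Added example: consolidated FBF config assembled from this thread.
## Thread values: 192.168.40.6 = ISP2 (CenturyLink), 96.72.4.190 = ISP1,
## 192.168.30.0/24 = staff on irb.0.
## Assumed placeholders: 192.168.31.0/24 = semi-trust on irb.1,
## 192.168.0.0/16 = all internal ranges (LAN subnets and VPN user pool).

## 1. Forwarding instance whose default route points at ISP2, with ISP1 as a
##    lower-preference backup (preference 8 / metric 100 as suggested in the thread).
set routing-instances CenturyLink instance-type forwarding
set routing-instances CenturyLink routing-options static route 0.0.0.0/0 next-hop 192.168.40.6
set routing-instances CenturyLink routing-options static route 0.0.0.0/0 qualified-next-hop 96.72.4.190 preference 8
set routing-instances CenturyLink routing-options static route 0.0.0.0/0 qualified-next-hop 96.72.4.190 metric 100

## 2. Copy interface (direct/local) routes from inet.0 into CenturyLink.inet.0 so
##    the instance can resolve its next-hops. This rib-group shares only interface
##    routes, not the static routes in inet.0; that is why term 3 below keeps
##    internal destinations on inet.0 instead of relying on the instance's table.
set routing-options rib-groups CenturyLink import-rib [ inet.0 CenturyLink.inet.0 ]
set routing-options interface-routes rib-group inet CenturyLink

## 3. Ingress filter. Terms are evaluated in order and the first match wins:
##    keep-internal: anything headed for an internal range stays on inet.0,
##                   so staff <-> VPN users and staff <-> phone subnet still work.
##    via-isp2:      internet-bound packets sourced from staff or semi-trust are
##                   looked up in CenturyLink.inet.0 and leave via ISP2.
##    default:       everything else (e.g. server return traffic) follows inet.0
##                   and goes back out ISP1 the way it came.
set firewall family inet filter TO-ISP2 term keep-internal from destination-address 192.168.0.0/16
set firewall family inet filter TO-ISP2 term keep-internal then accept
set firewall family inet filter TO-ISP2 term via-isp2 from source-address 192.168.30.0/24
set firewall family inet filter TO-ISP2 term via-isp2 from source-address 192.168.31.0/24
set firewall family inet filter TO-ISP2 term via-isp2 then routing-instance CenturyLink
set firewall family inet filter TO-ISP2 term default then accept

## 4. Apply the filter in the input direction on the LAN-facing IRB units
##    (irb.1 for semi-trust is an assumption).
set interfaces irb unit 0 family inet filter input TO-ISP2
set interfaces irb unit 1 family inet filter input TO-ISP2
```

After committing, `show route table CenturyLink.inet.0` should list the 0.0.0.0/0 route via 192.168.40.6 together with the imported direct routes for the IRB subnets; if the direct routes are missing, the rib-group is not attached to interface-routes and the instance cannot resolve its next-hop. A traceroute from a staff host should then show 192.168.40.6 as the second hop instead of 96.72.4.190, which is exactly the symptom Doug used to tell the working config from the broken one.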