Hey Everyone,
I have an SRX300 firewall configured with two ISP connections. ISP1 is the main connection; it carries regular internet data traffic from two internal subnets, staff and semi-trust (visitors). In addition, an IPsec VPN connection comes in for 23 remote users. I have 5 static IPs from the ISP. On the staff network there are two web servers and an FTP server; they use static NAT from the static IPs assigned by the ISP to point to these servers. I have another subnet with my phone equipment connected; it is pointed to the ISP2 router's internal address, which bridges through to the external address. Lastly, I have another subnet that isolates my credit card equipment, but it is not in use at this time and can be repurposed.
During these times when video conferencing is important, we have unfortunately been experiencing choppy connections through ISP1. We have experimented with routing through ISP2 and it cleans things up considerably, but all VPN and web/FTP server connections are disconnected when I change the default route to point to ISP2. What I want to do is keep my VPN connections and web and FTP servers connecting through ISP1, routing traffic from those back through ISP1 the way it came, and route traffic that originates from either the staff or semi-trusted network to ISP2.
Current route is this:
routing-options {
    static {
        /* 192.168.40.6 is ISP2 */
        route 64.28.113.0/24 next-hop 192.168.40.6;
        route 64.28.114.0/24 next-hop 192.168.40.6;
        route 64.28.116.0/24 next-hop 192.168.40.6;
        route 64.28.122.103/32 next-hop 192.168.40.6;
        route 64.28.122.100/32 next-hop 192.168.40.6;
        route 64.28.121.101/32 next-hop 192.168.40.6;
        /* 96.72.4.190 is ISP1 */
        route 96.72.4.184/29 next-hop 96.72.4.190;
        route 0.0.0.0/0 next-hop 96.72.4.190;
    }
}
I think the solution lies in filter-based forwarding, and I have found this article: "How to configure Filter Based Forwarding on SRX for a typical dual-ISP scenario" (Juniper Networks), but it uses ports to identify traffic. I want to send all traffic whose source is the staff or semi-trust subnets through ISP2. I am not sure how to filter for that traffic.
Also, I can manage the CLI but have better luck with the web interface. I'm not sure where to even attempt this filter-based forwarding; any example would help.
If it helps to move the web/FTP servers to the credit card subnet, I can do that as long as I can make a route from the staff and semi-trust networks to get there and back.
I need to keep access from the VPN subnet / interface to the staff subnet and route that traffic back through the VPN connections to the remote users.
Thanks in advance for any help. If more config details are needed, let me know. I dumped the config into a text file, so be specific about which section and I can cut and paste.
Doug
------------------------------
Doug Dearden
------------------------------
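One way to build the source-based filter-based forwarding the post asks about, as an added example written by the editor rather than the original poster's configuration or the Juniper article: the subnet addresses, the VPN client pool, the servers' internal addresses and the interface names are placeholders, because the post does not give them; the two next hops (192.168.40.6 for ISP2, 96.72.4.190 for ISP1) are the ones from the posted routes, and the instance, filter, term and prefix-list names are the editor's. The idea is that the filter sits inbound on the staff and semi-trust interfaces only; its first terms accept (that is, leave to the normal lookup in inet.0, whose default still points at ISP1) anything bound for an internal subnet or the VPN client pool and anything sourced from the static-NAT web/FTP servers, and only the final term hands the remaining packets to a forwarding-type routing instance whose sole route is a default via the ISP2 router. Packets arriving on st0.0 from the remote users never meet the filter, so VPN-to-staff traffic is unaffected, and the staff-to-VPN replies are caught by the KEEP-VPN term before they can be redirected.

```junos
## Editor's added example, not the original poster's config. Values marked PLACEHOLDER
## are assumed, not taken from the post; change them to the real addresses/interfaces:
##   staff subnet        192.168.10.0/24 on ge-0/0/2.0      (PLACEHOLDER)
##   semi-trust subnet   192.168.20.0/24 on ge-0/0/3.0      (PLACEHOLDER)
##   phone subnet        192.168.30.0/24                    (PLACEHOLDER)
##   ISP2 link segment   192.168.40.0/24                    (PLACEHOLDER mask; next hop is from the post)
##   VPN client pool     10.200.0.0/24 reached via st0.0    (PLACEHOLDER)
##   web/FTP servers     192.168.10.10, .11, .12            (PLACEHOLDER internal addresses behind the static NAT)

## 1. A forwarding-type instance whose only route is a default via the ISP2 router.
set routing-instances ISP2-FBF instance-type forwarding
set routing-instances ISP2-FBF routing-options static route 0.0.0.0/0 next-hop 192.168.40.6

## 2. Copy the directly connected (interface) routes from inet.0 into the instance;
##    without this, ISP2-FBF.inet.0 cannot resolve 192.168.40.6 or see the LAN segments.
set routing-options rib-groups FBF-RIBS import-rib inet.0
set routing-options rib-groups FBF-RIBS import-rib ISP2-FBF.inet.0
set routing-options interface-routes rib-group inet FBF-RIBS

## 3. Prefix lists for the traffic that must keep using inet.0 (ISP1 default, VPN, local subnets).
set policy-options prefix-list INTERNAL-NETS 192.168.10.0/24
set policy-options prefix-list INTERNAL-NETS 192.168.20.0/24
set policy-options prefix-list INTERNAL-NETS 192.168.30.0/24
set policy-options prefix-list INTERNAL-NETS 192.168.40.0/24
set policy-options prefix-list VPN-CLIENTS 10.200.0.0/24
set policy-options prefix-list PUBLIC-SERVERS 192.168.10.10/32
set policy-options prefix-list PUBLIC-SERVERS 192.168.10.11/32
set policy-options prefix-list PUBLIC-SERVERS 192.168.10.12/32

## 4. The filter. Terms are evaluated top to bottom and "accept" means "normal lookup in
##    inet.0", so every exemption has to sit above the term that redirects to ISP2.
set firewall family inet filter FBF-TO-ISP2 term KEEP-INTERNAL from destination-prefix-list INTERNAL-NETS
set firewall family inet filter FBF-TO-ISP2 term KEEP-INTERNAL then accept
set firewall family inet filter FBF-TO-ISP2 term KEEP-VPN from destination-prefix-list VPN-CLIENTS
set firewall family inet filter FBF-TO-ISP2 term KEEP-VPN then accept
set firewall family inet filter FBF-TO-ISP2 term KEEP-SERVER-REPLIES from source-prefix-list PUBLIC-SERVERS
set firewall family inet filter FBF-TO-ISP2 term KEEP-SERVER-REPLIES then accept
set firewall family inet filter FBF-TO-ISP2 term REST-TO-ISP2 then routing-instance ISP2-FBF

## 5. Apply it inbound on the staff and semi-trust interfaces only. Traffic arriving on
##    st0.0 (remote users) or on the ISP1-facing interface never passes through this filter.
set interfaces ge-0/0/2 unit 0 family inet filter input FBF-TO-ISP2
set interfaces ge-0/0/3 unit 0 family inet filter input FBF-TO-ISP2
```

To load it from the CLI, enter `edit`, then `load set terminal`, paste the `set` lines, end with Ctrl-D, and run `commit check` before `commit`. Two checks worth doing afterwards: `show route table ISP2-FBF.inet.0` should list the 0.0.0.0/0 route via 192.168.40.6 together with the connected routes the rib group copied in (if the connected routes are missing, step 2 is wrong and the instance has no way to reach the next hop), and `show security flow session` for a staff host should show Internet-bound sessions leaving on the ISP2-facing interface while sessions to a VPN client leave on st0.0. The existing security policies and source NAT rules are not changed by the filter, but they are now matched against the ISP2-facing zone for staff and semi-trust traffic, so the zone and NAT arrangement that made the earlier "default route to ISP2" experiment work has to stay in place. The one maintenance caveat is that any new internal subnet must be added to INTERNAL-NETS, otherwise staff traffic to it is pushed into ISP2-FBF and follows the ISP2 default instead of the local route.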