Hi,
1. So you don't have a default static route 0.0.0.0/0 to any of the ISPs besides the qualified-next-hop route on each forwarding instance?
I use qualified next hop to prioritize each ISP differently on each routing instance.
For routing instance ISP-1, the isp-1 interface is selected as the primary interface. If this interface disconnects, the isp-2 interface will be used for all traffic. You do not need to add each ISP route to each routing instance, but if you only add one default route and that interface disconnects, then all traffic destined to that routing instance will be discarded.
2. I only have 1 LAN interface that receives several subnets of the LAN segments. I can't use 3 filters on 1 LAN interface like in your configuration. Any workaround to solve this?
It is a matter of using one firewall filter with many terms to differentiate traffic and forward it to the corresponding routing instance.
An example filter and interface configuration looks like this:
[edit]
root# show firewall
family inet {
    filter FBF {
        term T1 {
            from {
                source-address {
                    192.168.1.0/24;
                }
            }
            then {
                routing-instance ISP-1;
            }
        }
        term T2 {
            from {
                source-address {
                    192.168.2.0/24;
                }
            }
            then {
                routing-instance ISP-2;
            }
        }
        term T3 {
            from {
                source-address {
                    192.168.3.0/24;
                }
            }
            then {
                routing-instance ISP-3;
            }
        }
    }
}
[edit]
root# show interfaces ge-0/0/3
unit 0 {
    family inet {
        filter {
            input FBF;
        }
        address 10.0.0.1/24;
    }
}
I am assuming you have the needed static routes for the LAN networks and that they are distributed with a rib-group configuration.
3. When it comes to destination NAT, is there any additional config that needs to be done so that each respective subnet can use the dedicated public IP from each ISP?
Ex: 192.168.1.0/24 can use a public IP from ISP-1 and 2, while 192.168.2.0/24 will be using a public IP from ISP-2 and 3.
Destination NAT is kinda tricky since you are using ISP-assigned IP addresses. If you use interface IP addresses and that interface is disconnected, what will happen?
For multi-ISP access scenarios it is best not to use ISP-assigned IP addresses but to use owned private IP addresses.
------------------------------
MEHMET SUEL
------------------------------
Original Message:
Sent: 01-11-2022 06:04
From: KARANG DIKA KUSUMA
Subject: SRX345 Implementing Triple ISP Failover & NAT Destination
Hi @MEHMET SUEL
Thanks for your response. I have several questions about the config that you provided.
1. So you don't have a default static route 0.0.0.0/0 to any of the ISPs besides the qualified-next-hop route on each forwarding instance?
2. I only have 1 LAN interface that receives several subnets of the LAN segments. I can't use 3 filters on 1 LAN interface like in your configuration. Any workaround to solve this?
3. When it comes to destination NAT, is there any additional config that needs to be done so that each respective subnet can use the dedicated public IP from each ISP?
Ex: 192.168.1.0/24 can use a public IP from ISP-1 and 2, while 192.168.2.0/24 will be using a public IP from ISP-2 and 3.
Thank you, Mehmet. Sorry if it looks silly to you.
------------------------------
KARANG DIKA KUSUMA
Original Message:
Sent: 01-11-2022 04:43
From: MEHMET SUEL
Subject: SRX345 Implementing Triple ISP Failover & NAT Destination
Hi,
You can find a working config example down below. In this setup all ISP interfaces are grouped under the ISP security zone and all local area interfaces are grouped under the LAN security zone. If you need different rules for different subnets, you can change them as per your requirements.
security {
    nat {
        source {
            rule-set ISP-NAT {
                from zone LAN;
                to zone ISP;
                rule R1 {
                    match {
                        source-address 192.168.0.0/16;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone LAN to-zone ISP {
            policy ALLOW-ANY {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone ISP to-zone LAN {
            policy ALLOW-ANY {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone ISP {
            interfaces {
                ge-0/0/0.0;
                ge-0/0/1.0;
                ge-0/0/2.0;
            }
        }
        security-zone LAN {
            interfaces {
                ge-0/0/3.0;
                ge-0/0/4.0;
                ge-0/0/5.0;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 1.1.1.1/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 2.2.2.2/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 3.3.3.3/24;
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family inet {
                filter {
                    input ISP-1;
                }
                address 192.168.1.1/24;
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family inet {
                filter {
                    input ISP-2;
                }
                address 192.168.2.1/24;
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family inet {
                filter {
                    input ISP-3;
                }
                address 192.168.3.1/24;
            }
        }
    }
}
firewall {
    family inet {
        filter ISP-1 {
            term t1 {
                then {
                    routing-instance ISP-1;
                }
            }
        }
        filter ISP-2 {
            term t2 {
                then {
                    routing-instance ISP-2;
                }
            }
        }
        filter ISP-3 {
            term t1 {
                then {
                    routing-instance ISP-3;
                }
            }
        }
    }
}
routing-instances {
    ISP-1 {
        routing-options {
            static {
                route 0.0.0.0/0 {
                    qualified-next-hop 1.1.1.254 {
                        preference 6;
                    }
                    qualified-next-hop 2.2.2.254 {
                        preference 7;
                    }
                    qualified-next-hop 3.3.3.254 {
                        preference 8;
                    }
                }
            }
        }
        instance-type forwarding;
    }
    ISP-2 {
        routing-options {
            static {
                route 0.0.0.0/0 {
                    qualified-next-hop 1.1.1.254 {
                        preference 8;
                    }
                    qualified-next-hop 2.2.2.254 {
                        preference 6;
                    }
                    qualified-next-hop 3.3.3.254 {
                        preference 7;
                    }
                }
            }
        }
        instance-type forwarding;
    }
    ISP-3 {
        routing-options {
            static {
                route 0.0.0.0/0 {
                    qualified-next-hop 1.1.1.254 {
                        preference 7;
                    }
                    qualified-next-hop 2.2.2.254 {
                        preference 8;
                    }
                    qualified-next-hop 3.3.3.254 {
                        preference 6;
                    }
                }
            }
        }
        instance-type forwarding;
    }
}
routing-options {
    interface-routes {
        rib-group inet ISP-RIB;
    }
    rib-groups {
        ISP-RIB {
            import-rib [ inet.0 ISP-1.inet.0 ISP-2.inet.0 ISP-3.inet.0 ];
        }
    }
}
Here is the session table:
root> show security flow session
Session ID: 46, Policy name: ALLOW-ANY/4, Timeout: 32, Valid
  In: 192.168.3.10/38232 --> 8.8.8.8/0;icmp, Conn Tag: 0x0, If: ge-0/0/5.0, Pkts: 1, Bytes: 84,
  Out: 8.8.8.8/0 --> 3.3.3.3/24645;icmp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 0, Bytes: 0,

Session ID: 47, Policy name: ALLOW-ANY/4, Timeout: 48, Valid
  In: 192.168.2.10/41560 --> 8.8.8.8/0;icmp, Conn Tag: 0x0, If: ge-0/0/4.0, Pkts: 1, Bytes: 84,
  Out: 8.8.8.8/0 --> 2.2.2.2/3137;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 0, Bytes: 0,

Session ID: 48, Policy name: ALLOW-ANY/4, Timeout: 58, Valid
  In: 192.168.1.10/43352 --> 8.8.8.8/0;icmp, Conn Tag: 0x0, If: ge-0/0/3.0, Pkts: 1, Bytes: 84,
  Out: 8.8.8.8/0 --> 1.1.1.1/3296;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 0, Bytes: 0,
Total sessions: 3
Here is the routing table of the device:
root> show route | no-more

inet.0: 12 destinations, 12 routes (12 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

1.1.1.0/24         *[Direct/0] 00:36:02
                    > via ge-0/0/0.0
1.1.1.1/32         *[Local/0] 00:36:02
                      Local via ge-0/0/0.0
2.2.2.0/24         *[Direct/0] 00:36:01
                    > via ge-0/0/1.0
2.2.2.2/32         *[Local/0] 00:36:01
                      Local via ge-0/0/1.0
3.3.3.0/24         *[Direct/0] 00:36:01
                    > via ge-0/0/2.0
3.3.3.3/32         *[Local/0] 00:36:01
                      Local via ge-0/0/2.0
192.168.1.0/24     *[Direct/0] 00:36:01
                    > via ge-0/0/3.0
192.168.1.1/32     *[Local/0] 00:36:01
                      Local via ge-0/0/3.0
192.168.2.0/24     *[Direct/0] 00:36:01
                    > via ge-0/0/4.0
192.168.2.1/32     *[Local/0] 00:36:01
                      Local via ge-0/0/4.0
192.168.3.0/24     *[Direct/0] 00:36:01
                    > via ge-0/0/5.0
192.168.3.1/32     *[Local/0] 00:36:01
                      Local via ge-0/0/5.0

ISP-1.inet.0: 13 destinations, 15 routes (13 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/6] 00:36:02
                    > to 1.1.1.254 via ge-0/0/0.0
                    [Static/7] 00:36:01
                    > to 2.2.2.254 via ge-0/0/1.0
                    [Static/8] 00:36:01
                    > to 3.3.3.254 via ge-0/0/2.0
1.1.1.0/24         *[Direct/0] 00:36:02
                    > via ge-0/0/0.0
1.1.1.1/32         *[Local/0] 00:36:02
                      Local via ge-0/0/0.0
2.2.2.0/24         *[Direct/0] 00:36:01
                    > via ge-0/0/1.0
2.2.2.2/32         *[Local/0] 00:36:01
                      Local via ge-0/0/1.0
3.3.3.0/24         *[Direct/0] 00:36:01
                    > via ge-0/0/2.0
3.3.3.3/32         *[Local/0] 00:36:01
                      Local via ge-0/0/2.0
192.168.1.0/24     *[Direct/0] 00:36:01
                    > via ge-0/0/3.0
192.168.1.1/32     *[Local/0] 00:36:01
                      Local via ge-0/0/3.0
192.168.2.0/24     *[Direct/0] 00:36:01
                    > via ge-0/0/4.0
192.168.2.1/32     *[Local/0] 00:36:01
                      Local via ge-0/0/4.0
192.168.3.0/24     *[Direct/0] 00:36:01
                    > via ge-0/0/5.0
192.168.3.1/32     *[Local/0] 00:36:01
                      Local via ge-0/0/5.0

ISP-2.inet.0: 13 destinations, 15 routes (13 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/6] 00:36:01
                    > to 2.2.2.254 via ge-0/0/1.0
                    [Static/7] 00:36:01
                    > to 3.3.3.254 via ge-0/0/2.0
                    [Static/8] 00:36:02
                    > to 1.1.1.254 via ge-0/0/0.0
1.1.1.0/24         *[Direct/0] 00:36:02
                    > via ge-0/0/0.0
1.1.1.1/32         *[Local/0] 00:36:02
                      Local via ge-0/0/0.0
2.2.2.0/24         *[Direct/0] 00:36:01
                    > via ge-0/0/1.0
2.2.2.2/32         *[Local/0] 00:36:01
                      Local via ge-0/0/1.0
3.3.3.0/24         *[Direct/0] 00:36:01
                    > via ge-0/0/2.0
3.3.3.3/32         *[Local/0] 00:36:01
                      Local via ge-0/0/2.0
192.168.1.0/24     *[Direct/0] 00:36:01
                    > via ge-0/0/3.0
192.168.1.1/32     *[Local/0] 00:36:01
                      Local via ge-0/0/3.0
192.168.2.0/24     *[Direct/0] 00:36:01
                    > via ge-0/0/4.0
192.168.2.1/32     *[Local/0] 00:36:01
                      Local via ge-0/0/4.0
192.168.3.0/24     *[Direct/0] 00:36:01
                    > via ge-0/0/5.0
192.168.3.1/32     *[Local/0] 00:36:01
                      Local via ge-0/0/5.0

ISP-3.inet.0: 13 destinations, 15 routes (13 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/6] 00:36:01
                    > to 3.3.3.254 via ge-0/0/2.0
                    [Static/7] 00:36:02
                    > to 1.1.1.254 via ge-0/0/0.0
                    [Static/8] 00:36:01
                    > to 2.2.2.254 via ge-0/0/1.0
1.1.1.0/24         *[Direct/0] 00:36:02
                    > via ge-0/0/0.0
1.1.1.1/32         *[Local/0] 00:36:02
                      Local via ge-0/0/0.0
2.2.2.0/24         *[Direct/0] 00:36:01
                    > via ge-0/0/1.0
2.2.2.2/32         *[Local/0] 00:36:01
                      Local via ge-0/0/1.0
3.3.3.0/24         *[Direct/0] 00:36:01
                    > via ge-0/0/2.0
3.3.3.3/32         *[Local/0] 00:36:01
                      Local via ge-0/0/2.0
192.168.1.0/24     *[Direct/0] 00:36:01
                    > via ge-0/0/3.0
192.168.1.1/32     *[Local/0] 00:36:01
                      Local via ge-0/0/3.0
192.168.2.0/24     *[Direct/0] 00:36:01
                    > via ge-0/0/4.0
192.168.2.1/32     *[Local/0] 00:36:01
                      Local via ge-0/0/4.0
192.168.3.0/24     *[Direct/0] 00:36:01
                    > via ge-0/0/5.0
192.168.3.1/32     *[Local/0] 00:36:01
                      Local via ge-0/0/5.0
------------------------------
MEHMET SUEL
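The filter-based-forwarding design in this thread (a filter whose terms steer each LAN subnet into its own forwarding instance, each instance holding a default route with three qualified next hops ranked by preference, as in the reply at the top and the config just shown) can be sanity-checked offline. The Python model below is an added example, not code from the thread or from Junos; it reproduces first-match term selection, lowest-preference selection among next hops whose egress interface is up, the implicit discard of an unmatched source (the FBF filter above has no final accept term), and the single-next-hop pitfall the reply warns about, using the prefixes, next hops and preferences from the config above.

```python
"""Offline model of the SRX filter-based-forwarding design discussed above."""
import ipaddress

# Filter FBF terms from the thread: (source prefix, routing instance); first match wins.
FBF_TERMS = [
    ("192.168.1.0/24", "ISP-1"),
    ("192.168.2.0/24", "ISP-2"),
    ("192.168.3.0/24", "ISP-3"),
]

# Per-instance default route: next hop -> (preference, egress interface).
# Preferences copied from the routing-instances stanza; lower wins, as in Junos.
DEFAULT_ROUTES = {
    "ISP-1": {"1.1.1.254": (6, "ge-0/0/0"), "2.2.2.254": (7, "ge-0/0/1"), "3.3.3.254": (8, "ge-0/0/2")},
    "ISP-2": {"1.1.1.254": (8, "ge-0/0/0"), "2.2.2.254": (6, "ge-0/0/1"), "3.3.3.254": (7, "ge-0/0/2")},
    "ISP-3": {"1.1.1.254": (7, "ge-0/0/0"), "2.2.2.254": (8, "ge-0/0/1"), "3.3.3.254": (6, "ge-0/0/2")},
}

def match_instance(src_ip, terms=FBF_TERMS):
    """Routing instance of the first matching term; None models the implicit
    discard at the end of a Junos filter that has no final accept term."""
    addr = ipaddress.ip_address(src_ip)
    for prefix, instance in terms:
        if addr in ipaddress.ip_network(prefix):
            return instance
    return None

def select_next_hop(instance, down_interfaces=(), routes=DEFAULT_ROUTES):
    """Lowest-preference qualified next hop whose egress interface is up.
    A next hop on a down interface is withdrawn, so the next preference takes
    over; None means no candidate is left and the instance discards traffic."""
    up = [(pref, nh) for nh, (pref, ifd) in routes[instance].items()
          if ifd not in down_interfaces]
    return min(up)[1] if up else None

def forward(src_ip, down_interfaces=()):
    """Predict the ISP gateway used by src_ip given the failed ISP interfaces."""
    instance = match_instance(src_ip)
    return None if instance is None else select_next_hop(instance, down_interfaces)

def fragile_instances(routes=DEFAULT_ROUTES):
    """Instances with a single default next hop: one link failure blackholes them."""
    return sorted(name for name, nhs in routes.items() if len(nhs) < 2)

if __name__ == "__main__":
    # Mirrors the thread's session table: each LAN host egresses via its own ISP.
    for host in ("192.168.1.10", "192.168.2.10", "192.168.3.10"):
        print(host, "->", forward(host), "| ISP-1 link down ->", forward(host, ("ge-0/0/0",)))
```

With all three ISP interfaces down `forward()` returns None for every LAN host, which is the discard case; `fragile_instances()` flags any instance you build with only one default next hop before it is committed.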
Original Message:
Sent: 01-07-2022 00:48
From: KARANG DIKA KUSUMA
Subject: SRX345 Implementing Triple ISP Failover & NAT Destination
Hi,
I'm still learning to use the SRX as a router and firewall. I'm trying to implement triple ISP failover and destination NAT on my local zone. I've read documents about dual ISP failover using either FBF or virtual routers with separate security zones for each ISP. But when I apply it to my implementation plan for triple ISP, it doesn't work with either FBF or virtual routers. I'm wondering if my SRX345 has a limitation regarding multiple default routes or something?
Currently my SRX345 configuration is still like this:
Local (192.168.1.0-3.0) -> Default Static Route on ISP 1 (NAT Source & Destination using ISP1)
Local (192.168.4.0) -> Filter Based Forwarding on ISP2 (NAT Source & Destination using ISP2)
Both ISP1 & ISP2 are in the same security zone, Internet.
How do I implement ISP 3 so I can use it for source and destination NAT on Local 192.168.3.0? I tried to put ISP3 in the same security zone, created another FBF filter and put the filter on the local interface, and it is still not working. Do I need to create a virtual router for each ISP and create separate security zones? When I use virtual routers, will the failover plan using probes work?
And also for failover, I'm planning to use probes for that (haven't implemented yet).
Please enlighten me on my learning.
Thank you.
Here is my complete show configuration of my SRX345:
root@BSRX-FW-001> show configuration
## Last commit: 2022-01-06 00:44:59 GMT+7 by root
version 15.1X49-D170.4;
groups {
    global {
        system {
            services {
                ssh;
            }
        }
    }
}
system {
    host-name SRX-FW-001;
    time-zone GMT+7;
    root-authentication {
        encrypted-password "$5$ndM/6sJc$WxfEVxaQoVyu6WlLKdzpBkLPYBW4iPR6e/1jzVYXVY4"; ## SECRET-DATA
    }
    name-server {
        8.8.8.8;
    }
    services {
        ssh;
        telnet;
        xnm-clear-text;
        web-management {
            https {
                system-generated-certificate;
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
security {
    nat {
        source {
            rule-set Production-to-Internet {
                from zone Production;
                to zone Internet;
                rule internet-access {
                    match {
                        source-address [ 192.168.1.0/24 192.168.2.0/24 192.168.10.0/24 192.168.4.0/24 192.168.3.0/24 ];
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            pool PRISM {
                address 192.168.2.10/32 port 9440;
            }
            pool test-ssh {
                address 192.168.4.1/32 port 22;
            }
            rule-set Internet-to-Production {
                from zone Internet;
                rule PRISM {
                    match {
                        destination-address 114.5.230.165/32;
                        destination-port {
                            9440;
                        }
                    }
                    then {
                        destination-nat {
                            pool {
                                PRISM;
                            }
                        }
                    }
                }
                rule Test-SSH {
                    match {
                        destination-address 114.7.229.97/32;
                        destination-port {
                            22;
                        }
                    }
                    then {
                        destination-nat {
                            pool {
                                test-ssh;
                            }
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone Internet to-zone Production {
            policy All_Internet_Production {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        application-services {
                            utm-policy junos-av-wf-policy;
                        }
                    }
                }
            }
        }
        from-zone Production to-zone Internet {
            policy All_Internet_Production {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        application-services {
                            utm-policy junos-av-wf-policy;
                        }
                    }
                }
            }
        }
    }
    zones {
        security-zone Production {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            ssh;
                            http;
                            https;
                            ping;
                        }
                    }
                }
            }
        }
        security-zone Internet {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                    }
                }
                ge-0/0/3.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                    }
                }
                ge-0/0/5.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                    }
                }
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        speed 1g;
        link-mode full-duplex;
        unit 0 {
            family inet {
                address 114.4.249.170/24;
            }
        }
    }
    ge-0/0/1 {
        speed 1g;
        link-mode full-duplex;
        unit 0 {
            family inet {
                filter {
                    input Internet2;
                }
                address 192.168.10.254/24;
            }
        }
    }
    ge-0/0/3 {
        speed 1g;
        link-mode full-duplex;
        unit 0 {
            description Internet-2;
            family inet {
                address 114.7.241.90/30;
            }
        }
    }
    ge-0/0/5 {
        speed 1g;
        link-mode full-duplex;
        unit 0 {
            description Internet-3;
            family inet {
                address 36.95.235.82/29;
            }
        }
    }
}
routing-options {
    interface-routes {
        rib-group inet Internet2;
    }
    static {
        route 0.0.0.0/24 next-hop 114.4.249.169;
        route 192.168.10.253/32 next-hop 192.168.10.254;
        route 192.168.1.0/24 next-hop 192.168.1.1;
        route 192.168.255.0/24 next-hop 192.168.10.253;
        route 192.168.200.0/24 next-hop 192.168.10.253;
        route 192.168.2.0/24 next-hop 192.168.10.253;
        route 192.168.3.0/24 next-hop 192.168.10.253;
        route 192.168.4.0/24 next-hop 192.168.10.253;
    }
    rib-groups {
        Internet2 {
            import-rib [ inet.0 Internet2.inet.0 ];
        }
    }
}
protocols {
    l2-learning {
        global-mode switching;
    }
    rstp {
        interface all;
    }
}
firewall {
    family inet {
        filter Internet2 {
            term 0 {
                from {
                    source-address {
                        192.168.4.0/24;
                    }
                }
                then {
                    routing-instance Internet2;
                }
            }
            term 1 {
                then accept;
            }
        }
    }
}
routing-instances {
    Internet2 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 114.7.241.89;
            }
        }
    }
}
  ISP1          | ISP2          | ISP3
----------------+---------------+----------------
         SRX345 Failover NAT Source & Destination
----------------+---------------+----------------
  Local         | Local         | Local
  192.168.1.0   | 192.168.4.0   | 192.168.3.0
  192.168.2.0   |               |
------------------------------
KARANG DIKA KUSUMA
------------------------------