Junos OS

  • 1.  GRE not working

    Posted 06-20-2021 12:30
    Good day,

    My provider doesn't provide extra IPs.
    So I found another provider that provides a small subnet over a GRE tunnel. Sounds perfect. However, they don't support Juniper.
    Since they support many other types of firewalls, I think this shouldn't be a problem.

    However, I can't get it to work.

    Some interesting parts of my configuration.
    The security policies from and to the zones lan <> extraip are currently set to any.
    interfaces {
        gr-0/0/0 {
            unit 0 {
                tunnel {
                    source [local wan ip];
                    destination [tunnel servers ip];
                }
                family inet {
                    address [provided subnet first ip]/29;
                }
            }
        }
    }
    security {
        nat {
            source {
                rule-set extraip {
                    from zone lan;
                    to zone untrust-extraip;
                    rule source-nat-rule-extraip {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
            destination {
                rule-set extraip {
                    from zone untrust-extraip;
                    rule mark-nas3-http-extraip {
                        match {
                            destination-address 0.0.0.0/0;
                            destination-port {
                                80;
                            }
                        }
                        then {
                            destination-nat {
                                pool {
                                    webserver-80;
                                }
                            }
                        }
                    }
                }
            }
        }
        zones {
            security-zone untrust-extraip {
                interfaces {
                    gr-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                            }
                        }
                    }
                }
            }
        }
    }
    routing-instances {
        extraip {
            instance-type virtual-router;
            interface gr-0/0/0.0;
            routing-options {
                static {
                    route 0.0.0.0/0 next-hop gr-0/0/0.0;
                }
            }
        }
    }


    If I do a "show interfaces gr-0/0/0" the output looks promising. However, there are no input packets.

    Physical interface: gr-0/0/0, Enabled, Physical link is Up
      Interface index: 143, SNMP ifIndex: 521
      Type: GRE, Link-level type: GRE, MTU: Unlimited, Speed: 800mbps
      Link flags     : Scheduler Keepalives DTE
      Device flags   : Present Running
      Interface flags: Point-To-Point
      Input rate     : 0 bps (0 pps)
      Output rate    : 0 bps (0 pps)
    
      Logical interface gr-0/0/0.0 (Index 91) (SNMP ifIndex 544)
        Flags: Point-To-Point SNMP-Traps 0x0 IP-Header [tunnel-server]:[local-wan-ip]:47:df:64:0000000000000000 Encapsulation: GRE-NULL
        Copy-tos-to-outer-ip-header: Off
        Gre keepalives configured: Off, Gre keepalives adjacency state: down
        Input packets : 0
        Output packets: 108
        Security: Zone: untrust-extraip
        Allowed host-inbound traffic : bfd bgp dvmrp igmp ldp msdp nhrp ospf ospf3 pgm pim rip ripng router-discovery rsvp sap vrrp ping
        Protocol inet, MTU: 1350
          Flags: Sendbcast-pkt-to-re, Is-Primary, User-MTU
          Addresses, Flags: Is-Default Is-Preferred Is-Primary
            Destination: [network address]/29, Local: [provided subnet first ip], Broadcast: [broadcast]
    


    Also a ping isn't doing much good.

    run ping 1.1.1.1 routing-instance extraip
    PING 1.1.1.1 (1.1.1.1): 56 data bytes
    ^C
    --- 1.1.1.1 ping statistics ---
    5 packets transmitted, 0 packets received, 100% packet loss
    
    

    I have 5 days left in the trial and need to make sure there are no errors in my configuration.



  • 2.  RE: GRE not working

    Posted 06-25-2021 02:55
    Please also let me know if there is nothing wrong.
    I have to know :)


  • 3.  RE: GRE not working

    Posted 06-26-2021 12:47
    I think putting the gre interface itself into a routing instance may be the issue for you.  The tunnel interface needs to have access to the internet to reach over the internet and set up the tunnel with the other side.  So unless you create a path for that communication out of this virtual router it can't set up the tunnel.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 4.  RE: GRE not working

    Posted 06-27-2021 12:59
    Good day Spuluka,

    Thanks for the response.
    I have requested another trial and can continue to test another week.

    So for the first test I deactivated the routing-instance.
    For the test I made a route to a single IP. This works (confirmed with a traceroute).

    show interfaces gr-0/0/0 shows data flowing:
    Input packets : 1512
    Output packets: 282


    Incoming isn't working. I can't ping the external IP from a mobile connection (it is working from the local LAN).

    I changed the routing-instance to the below so the tunnel server is routed through the default connection.
    extraip {
        instance-type virtual-router;
        interface gr-0/0/0.0;
        routing-options {
            static {
                route 0.0.0.0/0 {
                    next-hop gr-0/0/0.0;
                    metric 10;
                }
                route 37.148.196.33/32 {
                    next-hop pp0.0;
                    metric 1;
                }
            }
        }
    }
    

    However, this is still not working.




  • 5.  RE: GRE not working

    Posted 06-28-2021 05:54
    Not sure why you need the tunnel to be in a separate virtual router.   From your description you want a standard gre tunnel where the ingress traffic is going to process and forward to your dmz or server zone.  So there is no need to create a routing domain for this.  In fact creating a separate routing domain just adds complexity because at the end of the process you need the traffic to hit your main router anyway to work.  So why move the gre interface outside the main router in the first place, then reconnect all the inbound and outbound routes needed?

    If you're going to use a virtual router then you need to treat this like a different router from all perspectives, both ingress and egress routing.  So now you added the single route that allows reachability for the tunnel itself.  But you now have to deal with the traffic coming out of the gre tunnel and destined for your internal server.
    You destination NAT this from the inbound public to your internal.
    You add a security policy from the gre tunnel zone to the server zone.
    You create a route from this virtual router to the servers.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 6.  RE: GRE not working

    Posted 06-29-2021 04:00
    You're right, sometimes we make it complex for some reason.
    Removed the routing instance, extra untrust zone, extra NAT rules.
    Added the interface to the normal untrust zone (there are now 2 interfaces).
    And we are good to go.

    Thanks for your great support.
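The layout the thread settles on in reply 6 (GRE interface in the ordinary untrust zone next to the WAN interface, no routing instance), written out in Junos set format as an added example; this is not the poster's configuration, every value in angle brackets is a placeholder, and lines starting with # are explanatory comments. Compared with the any/any rules earlier in the thread, the destination NAT rule is matched on the provided address only and the policy is limited to HTTP to the post-NAT server address.

```junos
# Tunnel endpoint addresses live in inet.0, so the tunnel destination is
# reached via the existing default route out pp0.0; no virtual router needed.
set interfaces gr-0/0/0 unit 0 tunnel source <local-wan-ip>
set interfaces gr-0/0/0 unit 0 tunnel destination <tunnel-server-ip>
set interfaces gr-0/0/0 unit 0 family inet address <subnet-first-ip>/29

# Both WAN-facing interfaces sit in the same untrust zone; only ping is
# accepted by the device itself on the tunnel interface.
set security zones security-zone untrust interfaces pp0.0
set security zones security-zone untrust interfaces gr-0/0/0.0 host-inbound-traffic system-services ping

# Address-book entry for the internal web server (placeholder address).
set security zones security-zone lan address-book address webserver <webserver-lan-ip>/32

# Destination NAT: only traffic to the provided public address on port 80
# is rewritten, instead of 0.0.0.0/0 which would also catch port 80 on the
# primary WAN address.
set security nat destination pool webserver-80 address <webserver-lan-ip>/32 port 80
set security nat destination rule-set extraip from zone untrust
set security nat destination rule-set extraip rule mark-nas3-http-extraip match destination-address <subnet-first-ip>/32
set security nat destination rule-set extraip rule mark-nas3-http-extraip match destination-port 80
set security nat destination rule-set extraip rule mark-nas3-http-extraip then destination-nat pool webserver-80

# Policy is evaluated after destination NAT, so it matches the internal
# server address and the HTTP application only, not any/any.
set security policies from-zone untrust to-zone lan policy allow-http-to-webserver match source-address any
set security policies from-zone untrust to-zone lan policy allow-http-to-webserver match destination-address webserver
set security policies from-zone untrust to-zone lan policy allow-http-to-webserver match application junos-http
set security policies from-zone untrust to-zone lan policy allow-http-to-webserver then permit
```

After commit, "show interfaces gr-0/0/0" should show a non-zero input packet counter and "show security flow session destination-port 80" should list sessions arriving on gr-0/0/0.0 with the translated server address.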