vSRX


vSRX Filter-Based Forwarding & Unicast RPF Check


    Posted 04-04-2022 05:43
    Hi Folks,

    I have set up a lab to test Unicast RPF behavior with filter-based forwarding. My filter-based forwarding is working fine: I am able to route to different upstreams by changing the source IP at vsrx-1-CE. There is simple eBGP between vSRX-1, 2, 3 and 4, advertising directly connected routes and accepting all. The issue lies with Unicast RPF.

    What is the vSRX/SRX behavior when FBF is enabled along with Unicast RPF?
    Is this an EVE-NG/vSRX limitation?


    LAN PC (192.168.1.2) ---------------------------------------( vsrx-1-CE ge-0/0/2.0 192.168.1.1)--------------------upstream--------------(destination 172.16.31.0/24)
    LAN PC (Spoofed IP 192.168.100.1) ---------------------------------------( vsrx-1-CE ge-0/0/2.0 192.168.1.1)--------------------upstream--------------(destination 172.16.31.0/24)

    Note that there is no route for the source (192.168.100.1) on vsrx-1-CE, nor on vsrx-2-ISP-1 and vsrx-3-ISP-2.

    root@vsrx-1-CE> show route 192.168.100.1

    root@vsrx-1-CE>
    When I generate ping traffic with source 192.168.100.1, no session is created. However, if I run traceroute from the Linux host with source 192.168.100.1, a session is created on vsrx-1-CE as well as on vsrx-3-ISP-2. Please see the output below.

    root@vsrx-1-CE> show configuration interfaces 
    ge-0/0/0 {
        unit 0 {
            description to_ISP-1;
            family inet {
                rpf-check fail-filter rpf-special-case-dhcp;
                address 10.10.10.1/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            description to_ISP-2;
            family inet {
                rpf-check fail-filter rpf-special-case-dhcp;
                address 10.10.11.1/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            description LAN;
            family inet {
                rpf-check fail-filter rpf-special-case-dhcp;
                filter {
                    input FBF;
                }
                address 192.168.1.1/24;
            }
        }
    }
    fxp0 {
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
    
    root@vsrx-1-CE> 
    
    Firewall Filter
    
    ########################################################
    root@vsrx-1-CE> show configuration firewall 
    family inet {
        filter FBF {
            term 1 {
                from {
                    source-address {
                        192.168.1.2/32;
                    }
                }
                then {
                    count ISP-A;
                    routing-instance ISP-A;
                }
            }
            term 2 {
                from {
                    source-address {
                        192.168.1.3/32;
                        192.168.100.1/32;
                    }
                }
                then {
                    count ISP-B;
                    routing-instance ISP-B;
                }
            }
        }
    }
    filter rpf-special-case-dhcp {
        term allow-dhcp {
            from {
                source-address {
                    0.0.0.0/32;
                }
                destination-address {
                    255.255.255.255/32;
                }
            }
            then {
                count rpf-dhcp-traffic;
                accept;
            }
        }
        term allow-icmp {
            from {
                source-address {
                    192.168.100.1/32;
                }
                destination-address {
                    172.16.31.0/24;
                }
            }
            then {
                count rpf-icmp-traffic;     
                log;
                syslog;
                accept;
            }
        }
        term default {
            then {
                log;
                reject;
            }
        }
    }
    ###################################################
    No session is created for ping traffic.
    
    root@vsrx-1-CE> show security flow session 
    Session ID: 1, Policy name: self-traffic-policy/1, Timeout: 1776, Valid
      In: 10.10.10.1/60935 --> 10.10.10.2/179;tcp, Conn Tag: 0x0, If: .local..0, Pkts: 148, Bytes: 9577, 
      Out: 10.10.10.2/179 --> 10.10.10.1/60935;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 140, Bytes: 8989, 
    
    Session ID: 2, Policy name: self-traffic-policy/1, Timeout: 1778, Valid
      In: 10.10.11.1/56168 --> 10.10.11.2/179;tcp, Conn Tag: 0x0, If: .local..0, Pkts: 171, Bytes: 10844, 
      Out: 10.10.11.2/179 --> 10.10.11.1/56168;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 168, Bytes: 10531, 
    
    
    However, if I run traceroute from the Linux box, it creates a session:

    vsrx-1-CE
    
    Session ID: 347, Policy name: default-permit/5, Timeout: 48, Valid
      In: 192.168.100.1/57173 --> 172.16.31.1/33447;udp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 1, Bytes: 60, 
      Out: 172.16.31.1/33447 --> 192.168.100.1/57173;udp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 0, Bytes: 0,
    
    vsrx-3-ISP-2
    Session ID: 10, Policy name: permit_all/6, Timeout: 32, Valid
      In: 192.168.100.1/32816 --> 172.16.31.1/33440;udp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 60, 
      Out: 172.16.31.1/33440 --> 192.168.100.1/32816;udp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 0, Bytes: 0, 
    
    ###################################################
    
    root@vsrx-1-CE> show interfaces ge-0/0/2.0 extensive | match rpf 
          Flags: Sendbcast-pkt-to-re, uRPF
          RPF Failures: Packets: 0, Bytes: 0
    
    The "No route present" counter is increasing:
    
    root@vsrx-1-CE> show interfaces ge-0/0/2.0 extensive
    
      No route present:                  128 
    
    
    root@vsrx-1-CE> 
    ###################################################
    
    root@vsrx-1-CE> show route 
    
    inet.0: 13 destinations, 20 routes (13 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    
    10.10.10.0/24      *[Direct/0] 00:10:23
                        >  via ge-0/0/0.0
                        [BGP/170] 00:10:12, localpref 100
                          AS path: 65002 I, validation-state: unverified
                        >  to 10.10.10.2 via ge-0/0/0.0
    10.10.10.1/32      *[Local/0] 00:10:23
                           Local via ge-0/0/0.0
    10.10.11.0/24      *[Direct/0] 00:10:23
                        >  via ge-0/0/1.0
                        [BGP/170] 00:10:11, localpref 100
                          AS path: 65003 I, validation-state: unverified
                        >  to 10.10.11.2 via ge-0/0/1.0
    10.10.11.1/32      *[Local/0] 00:10:23
                           Local via ge-0/0/1.0
    10.10.12.0/24      *[BGP/170] 00:10:12, localpref 100
                          AS path: 65002 I, validation-state: unverified
                        >  to 10.10.10.2 via ge-0/0/0.0
                        [BGP/170] 00:10:05, localpref 100
                          AS path: 65003 65004 I, validation-state: unverified
                        >  to 10.10.11.2 via ge-0/0/1.0
    10.10.13.0/24      *[BGP/170] 00:10:11, localpref 100
                          AS path: 65003 I, validation-state: unverified
                        >  to 10.10.11.2 via ge-0/0/1.0
                        [BGP/170] 00:10:10, localpref 100
                          AS path: 65002 65004 I, validation-state: unverified
                        >  to 10.10.10.2 via ge-0/0/0.0
    10.210.18.0/23     *[Direct/0] 00:05:20
                        >  via fxp0.0
                        [BGP/170] 00:10:12, localpref 100
                          AS path: 65002 I, validation-state: unverified
                        >  to 10.10.10.2 via ge-0/0/0.0
                        [BGP/170] 00:10:11, localpref 100
                          AS path: 65003 I, validation-state: unverified
                        >  to 10.10.11.2 via ge-0/0/1.0
    10.210.18.0/24     *[Static/5] 00:05:20
                        >  to 10.210.18.1 via fxp0.0
    10.210.18.209/32   *[Local/0] 00:05:20
                           Local via fxp0.0
    172.16.31.0/24     *[BGP/170] 00:10:10, localpref 100
                          AS path: 65002 65004 I, validation-state: unverified
                        >  to 10.10.10.2 via ge-0/0/0.0
                        [BGP/170] 00:10:05, localpref 100
                          AS path: 65003 65004 I, validation-state: unverified
                        >  to 10.10.11.2 via ge-0/0/1.0
    192.168.1.0/24     *[Direct/0] 00:10:23
                        >  via ge-0/0/2.0
    192.168.1.1/32     *[Local/0] 00:10:23  
                           Local via ge-0/0/2.0
    
    ISP-A.inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    10.10.10.0/24      *[Direct/0] 00:10:23
                        >  via ge-0/0/0.0
    10.10.10.1/32      *[Local/0] 00:10:23
                           Local via ge-0/0/0.0
    10.10.11.0/24      *[Direct/0] 00:10:23
                        >  via ge-0/0/1.0
    10.10.11.1/32      *[Local/0] 00:10:23
                           Local via ge-0/0/1.0
    172.16.31.0/24     *[Static/5] 00:10:23
                        >  to 10.10.10.2 via ge-0/0/0.0
    192.168.1.0/24     *[Direct/0] 00:10:23
                        >  via ge-0/0/2.0
    192.168.1.1/32     *[Local/0] 00:10:23
                           Local via ge-0/0/2.0
    
    ISP-B.inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    10.10.10.0/24      *[Direct/0] 00:10:23
                        >  via ge-0/0/0.0
    10.10.10.1/32      *[Local/0] 00:10:23
                           Local via ge-0/0/0.0
    10.10.11.0/24      *[Direct/0] 00:10:23
                        >  via ge-0/0/1.0
    10.10.11.1/32      *[Local/0] 00:10:23
                           Local via ge-0/0/1.0
    172.16.31.0/24     *[Static/5] 00:10:23
                        >  to 10.10.11.2 via ge-0/0/1.0
    192.168.1.0/24     *[Direct/0] 00:10:23
                        >  via ge-0/0/2.0
    192.168.1.1/32     *[Local/0] 00:10:23
                           Local via ge-0/0/2.0
    
    ------------------------------
    Muhammad Yasir Nawaz
    ------------------------------
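As an added illustration (not part of the post and not Junos code), here is a Python model of the strict and loose uRPF lookup against the inet.0 routes shown above, and of the fail-filter rpf-special-case-dhcp as configured; it reproduces the "no route" outcome for the spoofed source 192.168.100.1 and shows which fail-filter term a given source/destination pair would hit. The route table and term list are transcribed from the post's output; the assumption that the lookup happens in inet.0 is mine, since the post does not say which table uRPF consults when FBF steers the packet elsewhere.

```python
import ipaddress

# Active routes of inet.0 as shown in the post (constructed lookup table: prefix -> outgoing IFL).
INET0 = {
    "10.10.10.0/24": "ge-0/0/0.0",
    "10.10.11.0/24": "ge-0/0/1.0",
    "172.16.31.0/24": "ge-0/0/0.0",
    "192.168.1.0/24": "ge-0/0/2.0",
}
# Terms of fail-filter rpf-special-case-dhcp from the post; note they match on addresses only.
FAIL_FILTER = [
    ("allow-dhcp", "0.0.0.0/32", "255.255.255.255/32", "accept"),
    ("allow-icmp", "192.168.100.1/32", "172.16.31.0/24", "accept"),
    ("default", "0.0.0.0/0", "0.0.0.0/0", "reject"),
]

def longest_match(table, addr):
    """Longest-prefix match of addr in table; returns (network, ifl) or None."""
    ip, best = ipaddress.ip_address(addr), None
    for prefix, ifl in table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifl)
    return best

def urpf_check(table, src, ingress, mode="strict"):
    """Strict: route to src must exit via ingress IFL; loose: any route. No route = 'No route present'."""
    match = longest_match(table, src)
    if match is None:
        return ("fail", "no-route")
    net, ifl = match
    if mode == "loose" or ifl == ingress:
        return ("pass", f"route {net} via {ifl}")
    return ("fail", f"route {net} via {ifl}, not {ingress}")

def fail_filter(src, dst):
    """First matching fail-filter term; the default term catches everything else."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, sp, dp, action in FAIL_FILTER:
        if s in ipaddress.ip_network(sp) and d in ipaddress.ip_network(dp):
            return (name, action)

def forward_decision(table, src, dst, ingress):
    """Packets that pass uRPF are forwarded; failures are handed to the fail-filter."""
    verdict, reason = urpf_check(table, src, ingress)
    if verdict == "pass":
        return ("forward", reason)
    term, action = fail_filter(src, dst)
    return (action, f"uRPF {reason}; fail-filter term {term}")
```

Because the allow-icmp term matches only on source and destination address, the model accepts any protocol from 192.168.100.1 to 172.16.31.0/24 after a uRPF failure, UDP traceroute probes included.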