SRX


do firewall filters override static routes?

  • 1.  do firewall filters override static routes?

    Posted 04-25-2012 09:51

    Hello,


    We have 2 ISP connections, of which one isn't performing as well as expected. The ISP asked me to test against their internal speedtest host. To ensure we would use the proper ISP for this test, I added a static route to the config:


    set routing-options static route 204.248.140.0/24 next-hop 76.10.176.12


    where 176.12 is our gateway to the ISP in question.


    I commit this, then test from inside using MTR or traceroute to confirm all is well. But it is not: packets continue to go down our primary ISP, unless the traceroute is done on the SRX itself; in that case it takes the proper route.

    I make use of firewall filters to inspect TOS tags, destination networks and ports to determine which ISP will be used.


    Would these override the static routes? Does anything? (I also set up route failover using routing-options qualified-next-hop statements, which favor the primary ISP, not the ISP being tested.)


    thanks,

    greg



  • 2.  RE: do firewall filters override static routes?
    Best Answer

    Posted 04-25-2012 18:37

    Hi,


    It seems that you are using Filter-based Forwarding to choose between the two ISP connections. For this you might have a custom routing instance created with a route (static, probably) pointing to one of the ISPs and the same route in the default instance (inet.0) pointing to the other ISP.


    Depending on your firewall filter configuration (match conditions), traffic coming in on the interface (where you have applied this firewall filter) will be redirected to one of these two routing instances for route lookup.


    When you add a route like this, it will be installed in the inet.0 (default) instance:

    set routing-options static route 204.248.140.0/24 next-hop 76.10.176.12


    and when you do a traceroute on the SRX, because this is self-generated traffic, it always takes the route present in inet.0.

    If you do a traceroute from your internal network, it will be entering the SRX on your interface with the firewall filter applied.


    So depending on the filter match, it might take the inet.0 route or the custom routing-instance route. So please check your filter definition. That should give you an idea of why it's taking a different path (firewall filter counters may help here).
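    As an added illustration of the filter-based forwarding setup described in this answer (this is example configuration, not the poster's own config or an official Juniper sample), the pieces that have to exist for a filter term to steer traffic into a second routing table are shown below. The routing-instance name, the interface name ge-0/0/1, the filter and term names, and the ISP2 gateway address are assumptions; a forwarding-type instance has no interfaces of its own, so the rib-group that imports the interface routes from inet.0 is what makes the next-hop resolvable inside it.

    ```junos
    # Second routing table used only by filter-based forwarding (assumed name)
    set routing-instances routing-table-ISP2 instance-type forwarding
    set routing-instances routing-table-ISP2 routing-options static route 0.0.0.0/0 next-hop 76.10.176.12

    # Copy directly connected interface routes from inet.0 into the FBF table,
    # otherwise 76.10.176.12 cannot be resolved there and the route stays hidden
    set routing-options rib-groups fbf-group import-rib [ inet.0 routing-table-ISP2.inet.0 ]
    set routing-options interface-routes rib-group inet fbf-group

    # Filter: only the test prefix is redirected; everything else falls through
    # to a normal inet.0 lookup via the final accept term
    set firewall family inet filter FILTER1 term TEKTEST from destination-address 204.248.140.0/24
    set firewall family inet filter FILTER1 term TEKTEST then count fbf-isp2
    set firewall family inet filter FILTER1 term TEKTEST then routing-instance routing-table-ISP2
    set firewall family inet filter FILTER1 term DEFAULT then accept

    # Apply as an input filter on the LAN-facing interface (assumed name)
    set interfaces ge-0/0/1 unit 0 family inet filter input FILTER1
    ```

    To verify the behaviour the answer describes, check both tables and the counter: `show route 204.248.140.1` shows what self-generated traffic from the SRX will use (inet.0), `show route table routing-table-ISP2.inet.0 204.248.140.1` shows what redirected LAN traffic will use, and `show firewall filter FILTER1` should show the `fbf-isp2` counter incrementing while a host behind the filter runs its traceroute. If the second command reports no active route, the rib-group import is the first thing to re-check.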


  • 3.  RE: do firewall filters override static routes?

    Posted 04-26-2012 09:28

    Thanks for the reply Pradeep,

    I added this to my firewall filters and I am good.

    set firewall filter FILTER1 term TEKTEST from destination-address 204.248.140.0/24
    set firewall filter FILTER1 term TEKTEST then routing-instance routing-table-ISP2

    My first reply was it didn't work, but then I realized I didn't plug the gateway back in after my 'laptop direct to modem' test. 😎


    more coffee!


    -g