Hi Folks,
I have set up a lab to test Unicast RPF behavior with filter-based forwarding. My filter-based forwarding is working fine: I am able to route to different upstreams by changing the source IP at vsrx-1-CE. There is simple eBGP between vSRX-1, 2, 3 and 4, advertising directly connected routes and accepting all. The issue lies with Unicast RPF.
What is the vSRX/SRX behavior when FBF is enabled along with Unicast RPF?
Is this an EVE-NG/vSRX limitation?
LAN PC (192.168.1.2) ---------------------------------------( vsrx-1-CE ge-0/0/2.0 192.168.1.1)--------------------upstream--------------(destination 172.16.31.0/24)
LAN PC (Spoofed IP 192.168.100.1) ---------------------------------------( vsrx-1-CE ge-0/0/2.0 192.168.1.1)--------------------upstream--------------(destination 172.16.31.0/24)
Note that there is no route for the source (192.168.100.1) on vsrx-1-CE, nor on vsrx-2-ISP-1 and vsrx-3-ISP-2.
root@vsrx-1-CE> show route 192.168.100.1
root@vsrx-1-CE>
When I generate ping traffic with source 192.168.100.1, no session is created. However, if I run traceroute from the Linux host with source 192.168.100.1, a session is created on vsrx-1-CE as well as on vsrx-3-ISP-2. Please see the output below.
root@vsrx-1-CE> show configuration interfaces
ge-0/0/0 {
    unit 0 {
        description to_ISP-1;
        family inet {
            rpf-check fail-filter rpf-special-case-dhcp;
            address 10.10.10.1/24;
        }
    }
}
ge-0/0/1 {
    unit 0 {
        description to_ISP-2;
        family inet {
            rpf-check fail-filter rpf-special-case-dhcp;
            address 10.10.11.1/24;
        }
    }
}
ge-0/0/2 {
    unit 0 {
        description LAN;
        family inet {
            rpf-check fail-filter rpf-special-case-dhcp;
            filter {
                input FBF;
            }
            address 192.168.1.1/24;
        }
    }
}
fxp0 {
    unit 0 {
        family inet {
            dhcp;
        }
    }
}
root@vsrx-1-CE>
Firewall Filter
########################################################
root@vsrx-1-CE> show configuration firewall
family inet {
    filter FBF {
        term 1 {
            from {
                source-address {
                    192.168.1.2/32;
                }
            }
            then {
                count ISP-A;
                routing-instance ISP-A;
            }
        }
        term 2 {
            from {
                source-address {
                    192.168.1.3/32;
                    192.168.100.1/32;
                }
            }
            then {
                count ISP-B;
                routing-instance ISP-B;
            }
        }
    }
}
filter rpf-special-case-dhcp {
    term allow-dhcp {
        from {
            source-address {
                0.0.0.0/32;
            }
            destination-address {
                255.255.255.255/32;
            }
        }
        then {
            count rpf-dhcp-traffic;
            accept;
        }
    }
    term allow-icmp {
        from {
            source-address {
                192.168.100.1/32;
            }
            destination-address {
                172.16.31.0/24;
            }
        }
        then {
            count rpf-icmp-traffic;
            log;
            syslog;
            accept;
        }
    }
    term default {
        then {
            log;
            reject;
        }
    }
}
###################################################
No session is created for ping traffic:
root@vsrx-1-CE> show security flow session
Session ID: 1, Policy name: self-traffic-policy/1, Timeout: 1776, Valid
In: 10.10.10.1/60935 --> 10.10.10.2/179;tcp, Conn Tag: 0x0, If: .local..0, Pkts: 148, Bytes: 9577,
Out: 10.10.10.2/179 --> 10.10.10.1/60935;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 140, Bytes: 8989,
Session ID: 2, Policy name: self-traffic-policy/1, Timeout: 1778, Valid
In: 10.10.11.1/56168 --> 10.10.11.2/179;tcp, Conn Tag: 0x0, If: .local..0, Pkts: 171, Bytes: 10844,
Out: 10.10.11.2/179 --> 10.10.11.1/56168;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 168, Bytes: 10531,
However, if I run traceroute from the Linux box, it creates a session:
vsrx-1-CE
Session ID: 347, Policy name: default-permit/5, Timeout: 48, Valid
In: 192.168.100.1/57173 --> 172.16.31.1/33447;udp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 1, Bytes: 60,
Out: 172.16.31.1/33447 --> 192.168.100.1/57173;udp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 0, Bytes: 0,
vsrx-3-ISP-2
Session ID: 10, Policy name: permit_all/6, Timeout: 32, Valid
In: 192.168.100.1/32816 --> 172.16.31.1/33440;udp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 60,
Out: 172.16.31.1/33440 --> 192.168.100.1/32816;udp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 0, Bytes: 0,
###################################################
root@vsrx-1-CE> show interfaces ge-0/0/2.0 extensive | match rpf
Flags: Sendbcast-pkt-to-re, uRPF
RPF Failures: Packets: 0, Bytes: 0
The "No route present" counter is increasing:
root@vsrx-1-CE> show interfaces ge-0/0/2.0 extensive
No route present: 128
root@vsrx-1-CE>
###################################################
root@vsrx-1-CE> show route
inet.0: 13 destinations, 20 routes (13 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.10.10.0/24 *[Direct/0] 00:10:23
> via ge-0/0/0.0
[BGP/170] 00:10:12, localpref 100
AS path: 65002 I, validation-state: unverified
> to 10.10.10.2 via ge-0/0/0.0
10.10.10.1/32 *[Local/0] 00:10:23
Local via ge-0/0/0.0
10.10.11.0/24 *[Direct/0] 00:10:23
> via ge-0/0/1.0
[BGP/170] 00:10:11, localpref 100
AS path: 65003 I, validation-state: unverified
> to 10.10.11.2 via ge-0/0/1.0
10.10.11.1/32 *[Local/0] 00:10:23
Local via ge-0/0/1.0
10.10.12.0/24 *[BGP/170] 00:10:12, localpref 100
AS path: 65002 I, validation-state: unverified
> to 10.10.10.2 via ge-0/0/0.0
[BGP/170] 00:10:05, localpref 100
AS path: 65003 65004 I, validation-state: unverified
> to 10.10.11.2 via ge-0/0/1.0
10.10.13.0/24 *[BGP/170] 00:10:11, localpref 100
AS path: 65003 I, validation-state: unverified
> to 10.10.11.2 via ge-0/0/1.0
[BGP/170] 00:10:10, localpref 100
AS path: 65002 65004 I, validation-state: unverified
> to 10.10.10.2 via ge-0/0/0.0
10.210.18.0/23 *[Direct/0] 00:05:20
> via fxp0.0
[BGP/170] 00:10:12, localpref 100
AS path: 65002 I, validation-state: unverified
> to 10.10.10.2 via ge-0/0/0.0
[BGP/170] 00:10:11, localpref 100
AS path: 65003 I, validation-state: unverified
> to 10.10.11.2 via ge-0/0/1.0
10.210.18.0/24 *[Static/5] 00:05:20
> to 10.210.18.1 via fxp0.0
10.210.18.209/32 *[Local/0] 00:05:20
Local via fxp0.0
172.16.31.0/24 *[BGP/170] 00:10:10, localpref 100
AS path: 65002 65004 I, validation-state: unverified
> to 10.10.10.2 via ge-0/0/0.0
[BGP/170] 00:10:05, localpref 100
AS path: 65003 65004 I, validation-state: unverified
> to 10.10.11.2 via ge-0/0/1.0
192.168.1.0/24 *[Direct/0] 00:10:23
> via ge-0/0/2.0
192.168.1.1/32 *[Local/0] 00:10:23
Local via ge-0/0/2.0
ISP-A.inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.10.10.0/24 *[Direct/0] 00:10:23
> via ge-0/0/0.0
10.10.10.1/32 *[Local/0] 00:10:23
Local via ge-0/0/0.0
10.10.11.0/24 *[Direct/0] 00:10:23
> via ge-0/0/1.0
10.10.11.1/32 *[Local/0] 00:10:23
Local via ge-0/0/1.0
172.16.31.0/24 *[Static/5] 00:10:23
> to 10.10.10.2 via ge-0/0/0.0
192.168.1.0/24 *[Direct/0] 00:10:23
> via ge-0/0/2.0
192.168.1.1/32 *[Local/0] 00:10:23
Local via ge-0/0/2.0
ISP-B.inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.10.10.0/24 *[Direct/0] 00:10:23
> via ge-0/0/0.0
10.10.10.1/32 *[Local/0] 00:10:23
Local via ge-0/0/0.0
10.10.11.0/24 *[Direct/0] 00:10:23
> via ge-0/0/1.0
10.10.11.1/32 *[Local/0] 00:10:23
Local via ge-0/0/1.0
172.16.31.0/24 *[Static/5] 00:10:23
> to 10.10.11.2 via ge-0/0/1.0
192.168.1.0/24 *[Direct/0] 00:10:23
> via ge-0/0/2.0
192.168.1.1/32 *[Local/0] 00:10:23
Local via ge-0/0/2.0
------------------------------
Muhammad Yasir Nawaz
------------------------------
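Added example, not from the post: a small Python model of the decision the post is probing, strict-mode uRPF (the Junos default when no `mode loose` is configured) on ge-0/0/2.0 followed by the post's fail-filter, using the active routes from the inet.0 output above. Which table the RPF lookup consults once FBF steers the packet into ISP-B is exactly the open question, so the lookup against inet.0 is an assumption of this model; note that the allow-icmp term matches on addresses only, so it accepts any protocol from 192.168.100.1 to 172.16.31.0/24.

```python
import ipaddress

# Constructed from the post's "show route" output for inet.0 on vsrx-1-CE:
# (prefix, outgoing interface). Only the active route per prefix is kept.
INET0 = [
    ("10.10.10.0/24", "ge-0/0/0.0"),
    ("10.10.11.0/24", "ge-0/0/1.0"),
    ("10.10.12.0/24", "ge-0/0/0.0"),
    ("10.10.13.0/24", "ge-0/0/1.0"),
    ("172.16.31.0/24", "ge-0/0/0.0"),
    ("192.168.1.0/24", "ge-0/0/2.0"),
]


def lookup(table, addr):
    """Longest-prefix match; returns the outgoing interface or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, ifl in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifl)
    return best[1] if best else None


def urpf_strict(table, src, ingress_ifl):
    """Strict uRPF: the source must be reachable via the ingress interface.
    'no-route' corresponds to the 'No route present' counter in the post."""
    via = lookup(table, src)
    if via is None:
        return "no-route"
    return "pass" if via == ingress_ifl else "fail"


def fail_filter(src, dst):
    """Model of filter rpf-special-case-dhcp from the post (address matches only)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s == ipaddress.ip_address("0.0.0.0") and d == ipaddress.ip_address("255.255.255.255"):
        return "accept"  # term allow-dhcp
    if s == ipaddress.ip_address("192.168.100.1") and d in ipaddress.ip_network("172.16.31.0/24"):
        return "accept"  # term allow-icmp: no protocol match, so UDP and ICMP both hit it
    return "reject"      # term default


def rpf_decision(src, dst, ingress_ifl="ge-0/0/2.0", table=INET0):
    """Assumption: RPF check runs against inet.0 before FBF changes the table."""
    if urpf_strict(table, src, ingress_ifl) == "pass":
        return "forward"
    # Both 'fail' and 'no-route' are handed to the fail-filter.
    return "forward" if fail_filter(src, dst) == "accept" else "drop"
```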