I'm having trouble visualizing the flow in your configuration. But this might help someone else see the process. The flow chart below is how NAT is applied during SRX processing. The firewall filter is applied before NAT rule processing.
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
Original Message:
Sent: 07-18-2023 17:03
From: c3pO
Subject: Filter based forwarding prior NAT
Hi all,
After spending time configuring and testing, I finally have an explanation for the behavior I observed regarding NAT and routing. Now, the remaining task is to find the proper configuration (and it would be helpful to understand the flow between RE/PFE and the service).
During my testing, I removed the input/output service from ae2.3072, and as a result, the Google DNS traffic stopped passing through. However, the firewall counter "pbr-1276" continued to increment, indicating that the packet was forwarded to the RI specific to ae2.3072 but got lost.
# show | compare
[edit interfaces ae2 unit 3072 family inet]
-    service {
-        input {
-            service-set NAT service-filter NAT-SPEFIC-in;
-        }
-        output {
-            service-set NAT service-filter NAT-out;
-        }
-    }
This discovery helps me understand why my implementation didn't work as expected and challenges my previous assumptions. It seems that after the NAT service evaluation, the packet is sent back to the RE for the routing decision.
Unfortunately, I couldn't find any Junos packet flow documentation specifically related to NAT service evaluation. If any of you have any thoughts or references to share, they would be greatly appreciated.
Thank you.
------------------------------
Volodymyr Shunkov
Original Message:
Sent: 07-10-2023 16:02
From: c3pO
Subject: Filter based forwarding prior NAT
Hello, I believe the additional FBF configuration on the outgoing interface is redundant. I already have a working FBF configuration on an MX80, but without NAT. Upon my understanding, once the packet is forwarded to the RI "specific" with the default route/next-hop (btw, I had a config typo in the initially posted config: cpecific -> specific) and is targeted to the specific interface, the only thing left is to leave the device. And I am not sure if this behaviour can be caused by the extra NAT configuration.
------------------------------
Volodymyr Shunkov
Original Message:
Sent: 07-08-2023 02:31
From: Md.Kamruzzaman Khan
Subject: Filter based forwarding prior NAT
I think you need to configure the firewall filter SPECIFIC-PBR on the ae2.3072 interface as well. It will ensure all specific traffic is forwarded to the ae2.3072 interface, where it can be NATed by the NAT rule NAT-permit.
------------------------------
Md.Kamruzzaman Khan
Original Message:
Sent: 07-06-2023 16:35
From: c3pO
Subject: Filter based forwarding prior NAT
Hello all,
I faced weird traffic behaviour when forwarding specific traffic to a specific interface for NAT... I am not 100% sure I will describe the situation clearly, but I will try my best :)
My task requirement is to NAT traffic from a specific prefix-list on a certain interface (with NAT pool allocation). From the implementation point of view, I decided to forward specific traffic arriving on incoming interface ae2.1276 towards ae2.3072.
I am getting full-view from Uplink-1 and Uplink-2; Uplink-3 has no routes. All 3 outgoing interfaces have the same NAT rule but with two terms. Term NAT-SPECIFIC has source and destination prefix-list conditions and should be evaluated only on ae2.3072; terms NAT-ALG and NAT-noALG should be evaluated on ae0.384 and ae1.810 accordingly for the non-specific traffic.
Configuration block:
NAT interface and service-set:
# show services service-set NAT
nat-rules NAT-permit;
interface-service {
    service-interface ams0.1;
    load-balancing-options {
        hash-keys {
            ingress-key source-ip;
            egress-key destination-ip;
        }
    }
}
# show interfaces ams0
description "AMS NAT";
load-balancing-options {
    member-interface mams-0/0/0;
    member-interface mams-0/1/0;
    member-interface mams-0/2/0;
    member-interface mams-0/3/0;
    member-failure-options {
        drop-member-traffic {
            rejoin-timeout 1000;
            enable-rejoin;
        }
    }
}
services-options {
    jflow-log {
        message-rate-limit 50000;
    }
}
unit 1 {
    family inet;
}
Nat pool and rule:
# show services nat
pool NAT {
    address XX.XX.XX.XX/25;
    port {
        automatic {
            random-allocation;
        }
    }
    address-allocation round-robin;
    mapping-timeout 300;
}
pool SPECIFIC-POOL {
    address YY.YY.YY.YY/28;
    port {
        automatic {
            random-allocation;
        }
    }
    address-allocation round-robin;
    mapping-timeout 300;
}
rule NAT-permit {
    match-direction output;
    term NAT-SPECIFIC {
        from {
            source-prefix-list {
                NAT-SERVERS;
                NAT-CLIENTS;
            }
            destination-prefix-list {
                SPECIFIC-LIST;
            }
        }
        then {
            translated {
                source-pool SPECIFIC-POOL;
                translation-type {
                    napt-44;
                }
            }
        }
    }
    term NAT-ALG {
        from {
            source-prefix-list {
                NAT-SERVERS;
                NAT-CLIENTS;
            }
            applications junos-pptp;
        }
        then {
            translated {
                source-pool NAT;
                translation-type {
                    napt-44;
                }
                address-pooling paired;
            }
        }
    }
    term NAT-noALG {
        from {
            source-prefix-list {
                NAT-SERVERS;
                NAT-CLIENTS;
            }
        }
        then {
            translated {
                source-pool NAT;
                translation-type {
                    napt-44;
                }
                address-pooling paired;
            }
        }
    }
}
Uplink interfaces overview:
# show interfaces ae0.384
description Uplink-1;
vlan-id 384;
family inet {
    service {
        input {
            service-set NAT service-filter NAT-in;
        }
        output {
            service-set NAT service-filter NAT-out;
        }
    }
    address 192.168.1.1/30;
}
# show interfaces ae1.810
description Uplink-2;
vlan-id 810;
family inet {
    service {
        input {
            service-set NAT service-filter NAT-in;
        }
        output {
            service-set NAT service-filter NAT-out;
        }
    }
    address 192.168.2.1/31;
}
# show interfaces ae2.3072
description Uplink-2;
vlan-id 3072;
family inet {
    service {
        input {
            service-set NAT service-filter NAT-SPEFIC-in;
        }
        output {
            service-set NAT service-filter NAT-out;
        }
    }
    address 192.168.3.1/31;
}
NAT service filters:
# show firewall family inet service-filter NAT-in
term nat-pool-prefix-to-service {
    from {
        destination-address {
            XX.XX.XX.XX/25;
        }
    }
    then service;
}
term accept-all {
    then skip;
}
# show firewall family inet service-filter NAT-out
term nat-networks-to-service {
    from {
        source-prefix-list {
            NAT-SERVERS;
            NAT-CLIENTS;
        }
    }
    then service;
}
term accept-all {
    then skip;
}
# show firewall family inet service-filter NAT-SPECIFIC-in
term nat-pool-prefix-to-service {
    from {
        destination-address {
            YY.YY.YY.YY/28;
        }
    }
    then service;
}
term accept-all {
    then skip;
}
Incoming interface and filter based forwarding definition:
# show interfaces ae2.1276
description OSPF-Bridge;
vlan-id 1276;
family inet {
    filter {
        input SPECIFIC-PBR;
    }
    address 10.0.0.62/26;
}
# show firewall filter SPECIFIC-PBR
term PBR {
    from {
        destination-prefix-list {
            SPECIFIC-LIST;
        }
    }
    then {
        count pbr-1276;
        log;
        next-interface {
            ae2.3072;
            routing-instance specific;
        }
    }
}
term ACC {
    then accept;
}
# show routing-options rib-groups
specific {
    import-rib [ inet.0 specific.inet.0 ];
}
# show routing-options interface-routes
rib-group inet specific;
# show policy-options prefix-list SPECIFIC-LIST
8.8.8.8/32
Route:
> show route 8.8.8.8

inet.0: 955260 destinations, 2865903 routes (955259 active, 0 holddown, 19 hidden)
+ = Active Route, - = Last Active, * = Both

8.8.8.0/24         *[BGP/170] 01:52:59, localpref 100
                      AS path: 28761 15169 I, validation-state: unverified
                    >  to 192.168.2.2 via ae1.810
                    [BGP/170] 10w3d 05:45:51, localpref 100
                      AS path: 6789 48084 15169 I, validation-state: unverified
                    >  to 192.168.1.1 via ae0.384

specific.inet.0: 21 destinations, 21 routes (20 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 3w6d 00:05:01
                    >  to 192.168.3.2 via ae2.3072
Device:
> show chassis hardware
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                JN11AAC14AFB      MX480
Midplane         REV 05   710-017414   ACAA6353          MX480 Midplane
FPM Board        REV 02   710-017254   YS2154            Front Panel Display
PEM 0            Rev 10   740-029970   QCS1414U0BV       PS 1.4-2.52kW; 90-264V AC in
PEM 1            Rev 10   740-029970   QCS1414U041       PS 1.4-2.52kW; 90-264V AC in
PEM 2            Rev 10   740-029970   QCS1414U0EU       PS 1.4-2.52kW; 90-264V AC in
PEM 3            Rev 10   740-029970   QCS1414U0JP       PS 1.4-2.52kW; 90-264V AC in
Routing Engine 0 REV 08   750-072923   CAMS6211          RE-S-2X00x6
Routing Engine 1 REV 08   750-072923   CAMS6208          RE-S-2X00x6
CB 0             REV 03   750-055976   CAEN8524          Enhanced MX SCB 2
CB 1             REV 05   750-055976   CAEW4284          Enhanced MX SCB 2
FPC 0            REV 27   750-038768   CACV0089          MS-MPC
  CPU            BUILTIN  BUILTIN                        MS-MPC-PMB
  PIC 0          BUILTIN  BUILTIN                        MS-MPC-PIC
  PIC 1          BUILTIN  BUILTIN                        MS-MPC-PIC
  PIC 2          BUILTIN  BUILTIN                        MS-MPC-PIC
  PIC 3          BUILTIN  BUILTIN                        MS-MPC-PIC
FPC 1            REV 39   750-028467   CABX5917          MPC 3D 16x 10GE
  CPU            REV 12   711-029089   CABX5983          AMPC PMB
  PIC 0          BUILTIN  BUILTIN                        4x 10GE(LAN) SFP+
    Xcvr 0                NON-JNPR     FT20150318008     SFP+-10G-ER
    Xcvr 1                NON-JNPR     JOXPC6122         SFP+-10G-USR
    Xcvr 2       4        NON-JNPR     PT2004300230      SFP+-10G-ER
    Xcvr 3       GD       NON-JNPR     PT2004300244      SFP+-10G-ER
  PIC 1          BUILTIN  BUILTIN                        4x 10GE(LAN) SFP+
    Xcvr 0                NON-JNPR     GL2002270047      SFP+-10G-SR
  PIC 2          BUILTIN  BUILTIN                        4x 10GE(LAN) SFP+
    Xcvr 0       _        NON-JNPR     Z2001150124       SFP+-10G-SR
    Xcvr 1                NON-JNPR     Z2001150125       SFP+-10G-SR
    Xcvr 2       FZ       NON-JNPR     W2207142415       SFP+-10G-LR
    Xcvr 3                NON-JNPR     W2207142411       SFP+-10G-LR
  PIC 3          BUILTIN  BUILTIN                        4x 10GE(LAN) SFP+
    Xcvr 3                NON-JNPR     FP21061095        SFP+-10G-SR
Fan Tray
> show chassis firmware
Part                     Type       Version
FPC 0                    ROM        Juniper ROM Monitor Version 13.2b1
                         O/S        Version 18.4R3-S11.1 by builder on 2022-01-11 00:16:33 UTC
FPC 1                    ROM        Juniper ROM Monitor Version 12.3b1
                         O/S        Version 18.4R3-S11.1 by builder on 2022-01-11 00:10:12 UTC
Tests and problem:
Tracing to 8.8.8.8 from the NAT-SERVERS prefix-list increases the FBF counter (pbr-1276) and shows the traffic in the firewall log, but the trace goes out via Uplink-1 based on the routing-table route. Only when I add a specific 8.8.8.8 route via ae2.3072 does the implementation work correctly.
I hope I described it more or less clearly and someone can shed some light on my problem.
Kind regards,
Volodymyr.
------------------------------
Vladimir Shunkov
------------------------------
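Because the same service-set NAT (and therefore the same rule NAT-permit) is attached to all three uplinks, it is worth checking which term actually catches the 8.8.8.8 traffic on each possible egress interface, and whether the reply traffic would re-enter the service. The Python below is an added model written for this thread; it is not Junos code and not the poster's configuration. It reproduces the posted service filters (NAT-in, NAT-out, NAT-SPECIFIC-in) and the NAT-permit terms in their posted order, assuming the documented Junos behaviour that the interface's service filter decides whether a packet enters the service and that the first matching rule term wins. The contents of NAT-SERVERS and NAT-CLIENTS and the pool addresses (XX/25 and YY/28 in the thread) are constructed placeholders. The model shows that term NAT-SPECIFIC has no interface condition: if the FBF decision is overridden by the inet.0 route and the packet leaves via ae0.384 or ae1.810 instead, the same term still matches there and SPECIFIC-POOL is used, while a reply to a SPECIFIC-POOL address arriving on those uplinks is skipped by NAT-in (it only sends the /25 to the service).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed stand-ins for the anonymised prefix-lists in the thread;
# only SPECIFIC-LIST (8.8.8.8/32) is taken from the posted configuration.
PREFIX_LISTS = {
    "NAT-SERVERS": ["10.0.0.0/26"],    # assumption: the OSPF-Bridge subnet
    "NAT-CLIENTS": ["10.1.0.0/16"],    # assumption
    "SPECIFIC-LIST": ["8.8.8.8/32"],
}
NAT_SOURCES = ["NAT-SERVERS", "NAT-CLIENTS"]

# Constructed pool prefixes standing in for XX.XX.XX.XX/25 and YY.YY.YY.YY/28.
POOLS = {"NAT": "203.0.113.0/25", "SPECIFIC-POOL": "198.51.100.0/28"}

# Interfaces carrying `service-set NAT` and the input service-filter each uses, as posted.
INPUT_SERVICE_FILTERS = {
    "ae0.384": "NAT-in",
    "ae1.810": "NAT-in",
    "ae2.3072": "NAT-SPECIFIC-in",
}
NAT_EGRESS_INTERFACES = set(INPUT_SERVICE_FILTERS)


def in_prefix_lists(addr: str, names) -> bool:
    """True if addr falls in any prefix of the named prefix-lists."""
    a = ip_address(addr)
    return any(a in ip_network(p) for n in names for p in PREFIX_LISTS[n])


@dataclass
class Packet:
    src: str
    dst: str
    egress: str                # interface chosen by the forwarding lookup
    app: Optional[str] = None  # "junos-pptp" marks PPTP traffic for the ALG term


def nat_out_filter(pkt: Packet) -> str:
    """Output service-filter NAT-out: source in the NAT lists -> service, else skip."""
    return "service" if in_prefix_lists(pkt.src, NAT_SOURCES) else "skip"


def input_filter_action(ingress: str, dst: str) -> str:
    """Input service-filter on an uplink for a reply packet.

    NAT-in sends only pool NAT's prefix to the service; NAT-SPECIFIC-in
    sends only SPECIFIC-POOL's prefix.  Anything else is skipped (not un-NATed).
    """
    filt = INPUT_SERVICE_FILTERS.get(ingress)
    pool = {"NAT-in": "NAT", "NAT-SPECIFIC-in": "SPECIFIC-POOL"}.get(filt)
    if pool is None:
        return "skip"
    return "service" if ip_address(dst) in ip_network(POOLS[pool]) else "skip"


# Rule NAT-permit (match-direction output): (term name, match, source-pool),
# in the posted order; the first term whose `from` conditions match is applied.
NAT_PERMIT_TERMS = [
    ("NAT-SPECIFIC",
     lambda p: in_prefix_lists(p.src, NAT_SOURCES)
     and in_prefix_lists(p.dst, ["SPECIFIC-LIST"]),
     "SPECIFIC-POOL"),
    ("NAT-ALG",
     lambda p: in_prefix_lists(p.src, NAT_SOURCES) and p.app == "junos-pptp",
     "NAT"),
    ("NAT-noALG",
     lambda p: in_prefix_lists(p.src, NAT_SOURCES),
     "NAT"),
]


def nat_decision(pkt: Packet):
    """Return (term, source-pool) applied on egress, or (None, None) if untranslated."""
    if pkt.egress not in NAT_EGRESS_INTERFACES:
        return (None, None)            # no service-set on this interface
    if nat_out_filter(pkt) != "service":
        return (None, None)            # NAT-out said `skip`
    for name, matches, pool in NAT_PERMIT_TERMS:
        if matches(pkt):
            return (name, pool)
    return (None, None)


def decision_per_uplink(src: str, dst: str, app: Optional[str] = None) -> dict:
    """The same flow sent out each uplink: which term/pool would apply on each."""
    return {i: nat_decision(Packet(src, dst, i, app)) for i in sorted(NAT_EGRESS_INTERFACES)}


if __name__ == "__main__":
    for iface, (term, pool) in decision_per_uplink("10.0.0.10", "8.8.8.8").items():
        print(f"{iface:9} -> term {term}, pool {pool}")
    reply_dst = "198.51.100.5"   # constructed SPECIFIC-POOL address
    for iface in sorted(NAT_EGRESS_INTERFACES):
        print(f"reply to {reply_dst} on {iface:9}: {input_filter_action(iface, reply_dst)}")
```

Run stand-alone, the script prints the term and pool chosen for the 8.8.8.8 flow on each uplink (NAT-SPECIFIC / SPECIFIC-POOL on all three) and shows that a reply to the SPECIFIC-POOL address only enters the service on ae2.3072. That is the check to make before relying on the FBF next-interface alone: any path that bypasses the intended uplink still translates, but cannot be un-translated on the way back.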