By default the MX would reply to these requests, so I suspect there is a protection firewall filter applied, which is a good idea for internet active devices.
You will need to locate the filter and expand the allow ping and traceroute terms or add them to get the responses you are looking for from the device.
Typically the filter would be applied to the loopback address to filter traffic destined for the routing engine on the MX.
Filter examples can be seen here in the documentation.
https://www.juniper.net/documentation/us/en/software/junos/routing-policy/topics/concept/firewall-filter-stateless-overview.html
A longer Day one book with examples is on the Juniper day one book site.
https://www.juniper.net/documentation/en_US/day-one-books/DO_Configuring_Junos_Policies_Filters.zip
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home
------------------------------
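The terms described in the reply above could look like the following. This is an added example, not part of the original post or Juniper's documentation: the filter name `protect-re`, the policer `icmp-limit`, the term and counter names, and the rate values are assumptions, and the terms belong inside whatever filter is already applied to lo0.

```junos
# Added example. protect-re, icmp-limit and the term/counter names are placeholders.
firewall {
    policer icmp-limit {
        # Rate-limit diagnostics so the allowance cannot be used to load the routing engine.
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        filter protect-re {
            # Ping, plus the ICMP messages traceroute depends on.
            term allow-icmp-diagnostics {
                from {
                    protocol icmp;
                    icmp-type [ echo-request echo-reply unreachable time-exceeded ];
                }
                then {
                    policer icmp-limit;
                    count icmp-diagnostics;
                    accept;
                }
            }
            # UDP probes sent by Unix-style traceroute.
            term allow-traceroute-udp {
                from {
                    protocol udp;
                    destination-port 33434-33534;
                }
                then {
                    policer icmp-limit;
                    count traceroute-udp;
                    accept;
                }
            }
            # Existing terms (routing protocols, management access, final discard) remain here.
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

`show configuration interfaces lo0` shows which filter is applied, and `show firewall filter protect-re` shows whether the counters increment. Term order matters: new terms must sit ahead of the filter's final discard term, which `insert ... before term ...` in configuration mode takes care of.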
Original Message:
Sent: 02-07-2023 16:04
From: SETH STANFILL
Subject: Multiple NATs to individual gateways with DHCP relay
The issues we were having were being caused by the ISP incorrectly configuring the IP block. The new service is now functional, but we are trying to run traceroutes that are being blocked by the Juniper. The only traceroutes I can get to show repeat the interface IP connecting to our internal network.
------------------------------
SETH STANFILL
Original Message:
Sent: 01-31-2023 11:19
From: spuluka
Subject: Multiple NATs to individual gateways with DHCP relay
The details will depend on how the spine is constructed.
If the gateway is on the MX and the spine is a straight layer 2 connection, then it is simply the VLAN connection on the spine link coming up to the layer 3 gateway interface on the MX being assigned to the new virtual router routing instance.
If the gateway is on the spine nodes and the connections from the spine set to the MX are layer 3 routed links, this will be controlled by routing tables on the spine. So there are a few options.
One option is to also separate the spine routing tables using virtual routers, so these VLANs for the second ISP are also isolated and only connected here with their own default route.
Another option would be to use source based routing in the spine. This creates a forwarding routing instance and some filters to match the source address of traffic and forward it to the second ISP. All other traffic then uses the normal default route to the original ISP.
https://supportportal.juniper.net/s/article/SRX-Source-based-routing-configuration-example
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home
Original Message:
Sent: 01-31-2023 10:19
From: SETH STANFILL
Subject: Multiple NATs to individual gateways with DHCP relay
As these are all on the same Spine, how do we ensure the correct systems are routing back to the correct ISP?
------------------------------
SETH STANFILL
Original Message:
Sent: 01-27-2023 20:21
From: spuluka
Subject: Multiple NATs to individual gateways with DHCP relay
From your description it looks like your simplest solution would allow the existing setup to stay as is.
For this you would create a virtual router routing instance. This creates an isolated router and routing table. Here you would land the new ISP and all the downstream interfaces that are served by this one. This virtual router then has its own default route to the new ISP.
https://www.juniper.net/documentation/en_US/release-independent/nce/topics/concept/virtual-router-srx-use-case-edu-overview.html
You will likely need a connection from this virtual router to the main instance just in order to forward the DHCP forwarding and other services. But this can be just the needed subnets exchanged by BGP or other internal routing. This connection can use a virtual pair of logical tunnel interfaces so as not to need two physical interfaces on the MX for the communications.
https://www.juniper.net/documentation/us/en/software/junos/interfaces-encryption/topics/topic-map/configuring-tunnel-interfaces.html
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home
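A sketch of the virtual router and logical tunnel pair described in the reply above. This is an added example, not configuration from the thread: the instance name `ISP2`, the VLAN unit `et-0/0/2.200`, the tunnel bandwidth, and every address (documentation and private ranges) are assumptions, and static routes stand in for the BGP exchange the post mentions.

```junos
# Added example. Names, unit numbers and addresses are placeholders.
chassis {
    fpc 0 {
        pic 0 {
            tunnel-services {
                bandwidth 10g;            # makes lt-0/0/0 available
            }
        }
    }
}
interfaces {
    lt-0/0/0 {
        unit 0 {                          # end that stays in the main instance
            encapsulation ethernet;
            peer-unit 1;
            family inet {
                address 192.0.2.0/31;
            }
        }
        unit 1 {                          # end placed in the ISP2 virtual router
            encapsulation ethernet;
            peer-unit 0;
            family inet {
                address 192.0.2.1/31;
            }
        }
    }
}
routing-options {
    static {
        # Main instance reaches the ISP2-served subnet across the tunnel pair.
        route 10.20.0.0/24 next-hop 192.0.2.1;
    }
}
routing-instances {
    ISP2 {
        instance-type virtual-router;
        interface et-0/0/1.0;             # ISP2 uplink
        interface et-0/0/2.200;           # hypothetical downstream VLAN unit toward the spine
        interface lt-0/0/0.1;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 203.0.113.1;     # default route to ISP2
                route 10.10.0.0/24 next-hop 192.0.2.0;    # DHCP server subnet in the main instance
            }
        }
    }
}
```

Only the subnets listed in the two static stanzas cross between the instances, so the ISP2 side keeps its own default route and cannot fall back to ISP1.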
Original Message:
Sent: 01-27-2023 10:18
From: SETH STANFILL
Subject: Multiple NATs to individual gateways with DHCP relay
Thanks for the help on this. We have everything working, but now we are looking to add in a second ISP with a different IP range and size. We have our default next hop set up with the original ISP. We are using 1 service set for all our rules with dnat-44 and basic-nat44 translation for our 1:1 internal to external IPs. The new ISP IPs will be set up in the same way as the first. Will this require redoing what is already done? Doing some research, I am reading a lot about setting up ribs and modifying routing tables.
This is the same MX204.
et-0/0/0 - ISP1
et-0/0/1 - ISP2
et-0/0/2 - Spine distribution port 1
et-0/0/3 - spine distribution port 2
Thanks for the assistance.
------------------------------
SETH STANFILL
Original Message:
Sent: 12-11-2022 13:49
From: spuluka
Subject: Multiple NATs to individual gateways with DHCP relay
On the MX series you would be using carrier grade nat for the distribution. There is a free Juniper Day one book with example configurations for that process here.
https://www.juniper.net/documentation/en_US/day-one-books/DO_CGNAT_UpRunning.zip
DHCP forwarding configurations are in this documentation.
https://www.juniper.net/documentation/us/en/software/junos/dhcp/topics/topic-map/dhcp-relay-agent-security-devices.html
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home
Original Message:
Sent: 12-07-2022 13:55
From: SETH STANFILL
Subject: Multiple NATs to individual gateways with DHCP relay
Hello,
We are looking to run multiple public IPs from two ISPs into our building with an MX204. These will be 100G connections. Each IP will go to its own gateway. We will also need to set up a DHCP relay to our current router running our 10G office network. We have some networking experience, but are new to this level of networking. I am hoping for some assistance or direction.
Thanks
------------------------------
SETH STANFILL
------------------------------