I do, however, use instance-import and instance-export rather than RIB groups to make sure the fiber routing instance has a route to the internal server address. The rib-group syntax always trips me up so I can't evaluate it by just reading the configuration provided in this thread.
From what I can see, in this case I strongly suspect the fiber routing instance is missing a route to the server address.
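As an added illustration of the instance-import approach mentioned above (this is example configuration written for this reply, not configuration from any poster in the thread), the snippet below replaces the rib-group construct with two policies: one that leaks only the internal server's prefix from inet.0 into fiber.inet.0, and one that leaks the fiber interface's direct route back into inet.0 so the reply path exists. The server prefix 172.16.10.0/24 and the policy names from-inet0 and from-fiber are assumed placeholders; 1.2.3.4/28, 1.2.3.5, ge-0/0/15.9 and pp0.0 are taken from the original post.

```junos
/* Added example, not from any poster in this thread.                  */
/* Assumed values: server prefix 172.16.10.0/24 (placeholder) and the   */
/* policy names from-inet0 / from-fiber (hypothetical).                 */

policy-options {
    /* Leak only the server prefix from the master instance (inet.0)
       into fiber.inet.0, rather than the whole table. */
    policy-statement from-inet0 {
        term server {
            from {
                instance master;
                route-filter 172.16.10.0/24 orlonger;
            }
            then accept;
        }
        then reject;
    }
    /* Leak the fiber interface's direct route into inet.0 so the
       server's subnet has a route back to the 1.2.3.4/28 uplink. */
    policy-statement from-fiber {
        term fiber-direct {
            from {
                instance fiber;
                protocol direct;
            }
            then accept;
        }
        then reject;
    }
}
routing-options {
    instance-import from-fiber;
    static {
        route 0.0.0.0/0 next-hop pp0.0;
    }
}
routing-instances {
    fiber {
        instance-type virtual-router;
        interface ge-0/0/15.9;
        routing-options {
            instance-import from-inet0;
            static {
                route 0.0.0.0/0 next-hop 1.2.3.5;
            }
        }
    }
}
```

After committing, "show route table fiber.inet.0 172.16.10.0/24" should list the leaked server route; if it does not, the destination-NAT session created on ge-0/0/15.9 has no forward path and will show the same 0-byte Out leg seen in the session output earlier in the thread. Leaking only the server prefix, rather than all of inet.0, keeps the fiber instance's reachability into the internal networks to the minimum the NAT rule needs.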
Original Message:
Sent: 03-01-2024 06:54
From: Koos147
Subject: NAT on multiwan not working
Hi Nikolay,
Just noticed that the ipsec tunnel was outbound.
Temporarily enabled SSH on the interface and was able to log in remotely:
show security flow session source-prefix [remoteip]/32 destination-port 22
Session ID: 980, Policy name: self-traffic-policy/1, Timeout: 18, Valid
  In: [remoteip]/26871 --> [local-fiber-ip]/22;tcp, If: ge-0/0/15..9, Pkts: 2, Bytes: 104
  Out: [local-fiber-ip]/22 --> [remoteip]/26871;tcp, If: .local..4, Pkts: 0, Bytes: 0
Total sessions: 1
The 0 bytes were due to (the only) firewall filter, which allows SSH from a prefix list. After adding my IP, SSH actually worked ;)
When checking port 443 there is no result.
"Does show monitor security flow
give you any output?"
Depends on what you call output.
show monitor security flow
Monitor security flow session status: Inactive
Monitor security flow trace file: None
Monitor security flow filters: 0
"unless the firewall is in packet mode for some reason"
No:
show security flow status
  Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: drop
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
  Flow trace status
    Flow tracing status: off
  Flow session distribution
    Distribution mode: RR-based
  Flow ipsec performance acceleration: off
  Flow packet ordering
    Ordering mode: Hardware
Original Message:
Sent: 02-29-2024 17:29
From: Nikolay Semov
Subject: NAT on multiwan not working
@Koos147 Check the fiber routing table to make sure it has the correct route to your server. Out of curiosity, what JunOS version are you running? Does show monitor security flow give you any output?
@spuluka Reverse route should be looked up in the routing table of the incoming interface, and the response from the server should match an existing session (unless the firewall is in packet mode for some reason), so I'm thinking source NAT shouldn't really be necessary.
------------------------------
Nikolay Semov
Original Message:
Sent: 02-29-2024 10:14
From: Koos147
Subject: NAT on multiwan not working
When I do:
show security flow session destination-port 443 source-prefix [client-pub-ip]/32
I can see results for the pp0.0 IP.
After waiting some time, the list is empty again.
When trying to use the fiber IP, there is no result.
My NAT looks like this:
[edit security nat source]
mark@xxxx-srx240# show
rule-set trust-to-untrust {
    from zone [ dmz guest iot trust ];
    to zone untrust;
    rule source-nat-rule {
        match {
            source-address 172.16.0.0/12;
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat {
                interface;
            }
        }
    }
}
rule-set trust-to-untrust-fiber {
    from zone [ dmz guest iot trust ];
    to zone untrust-fiber;
    rule source-nat-rule-fiber {
        match {
            source-address 172.16.0.0/12;
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat {
                interface;
            }
        }
    }
}
Original Message:
Sent: 02-29-2024 09:40
From: spuluka
Subject: NAT on multiwan not working
Can you check the connection status during a test? This will show the security policy and NAT hit and packet counts:
show security flow session destination-port 443
I'm wondering if the return path is not working because of the virtual router. The response packet would go out the main ISP instead of back to the VR.
You might need to add source nat to the VR interface so the response from the server goes back to the VR instead of out the main ISP.
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home
Original Message:
Sent: 02-28-2024 15:47
From: Koos147
Subject: NAT on multiwan not working
Good day SPuluka,
Thanks (again 😏) for your reply.
Yes, it is an exact copy of the "untrust" policy. And a very simple one.
Just to be sure, I checked it; the output is below.
show security policies from-zone untrust-fiber
From zone: untrust-fiber, To zone: trust
  Policy: myserver, State: enabled, Index: 9, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: myserver
    Applications: junos-https
    Action: permit
Kind regards,
Mark
Original Message:
Sent: 02-28-2024 14:02
From: STEVE PULUKA
Subject: NAT on multiwan not working
Is there also an inbound security policy for the new untrust-fiber zone to permit the traffic matching the original untrust zone policy?
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home
Original Message:
Sent: 02-28-2024 04:51
From: Koos147
Subject: NAT on multiwan not working
Good day,
I have an SRX240 with 2 ISPs.
The primary uses PPPoE (pp0.0) and works as expected.
The secondary uses Ethernet with VLAN tagging.
I switched some of the IPsec tunnels to this new connection, and it works fine.
I also want to use destination NAT, but this isn't working.
ge-0/0/15 {
    vlan-tagging;
    unit 9 {
        vlan-id 9;
        family inet {
            address 1.2.3.4/28;
        }
    }
}
The routing instance:
fiber {
    instance-type virtual-router;
    interface ge-0/0/15.9;
    routing-options {
        interface-routes {
            rib-group inet inet-group;
        }
        static {
            route 0.0.0.0/0 next-hop 1.2.3.5;
        }
    }
}
Routing options:
interface-routes {
    rib-group inet inet-group;
}
static {
    route 0.0.0.0/0 next-hop pp0.0;
}
rib-groups {
    inet-group {
        import-rib [ inet.0 fiber.inet.0 ];
    }
}
Destination NAT:
rule-set untrust {
    from zone untrust;
    rule myserver {
        match {
            destination-address 0.0.0.0/0;
            destination-port 443;
        }
        then {
            destination-nat {
                pool {
                    myserver;
                }
            }
        }
    }
}
rule-set untrust-fiber {
    from zone untrust-fiber;
    rule myserver-fiber {
        match {
            destination-address 0.0.0.0/0;
            destination-port 443;
        }
        then {
            destination-nat {
                pool {
                    myserver;
                }
            }
        }
    }
}
The security policies are identical for untrust and untrust-fiber.
If I connect to the public IP of pp0.0, the webpage shows.
If I connect to the public IP of ge-0/0/15.9, there is no response.
I know the connection is working, since the IPsec is working fine.
What am I missing?