Ooopsie, I forgot one more configuration knob, assuming you do NOT need transparent mode:
After commit, you may need to reboot. You may also need to set the global mode (and maybe reboot) first before configuring an IRB interface.
Splitting them into separate zones won't help because in the end you're still having the return traffic sometimes come back on a different interface. In fact, if they are in separate zones you'll get another bad effect during failover -- I believe in session rerouting (picking a different outbound interface due to a routing change) only happens when the new interface is in the same zone; if it's in a different zone then the sessions will need to start anew (e.g. wait for TCP to timeout and have the client reinitiate a connection).
This is an aside for instances where you have lots of repeating configuration -- configuration groups!
Say, for example, I have zone WAN1, WAN2, and WAN3 (for whatever reason they must be separate zones) and I want the same LAN-to-WAN policies to apply for all, I can have something like this:
You can have many different groups and use this for any configuration section where you see lots of repetition. The trade-off is that it can sometimes be difficult to follow when reading a configuration though you can use | display inheritance [no-comment] to see the resulting configuration.
Original Message:
Sent: 08-14-2024 17:23
From: Lars Kristensson
Subject: Source NAT on multihomed SRX
Nice. That achieves pretty much the same as I intended with having lo0.0 as egress interface, but with better isolation.
Unfortunately, it puts me in trouble with the zone:
[edit security zones security-zone wan]
'interfaces irb.10'
Interface irb is not allowed in mix mode
Exploring a different direction; Would it work to have separate zones for both of the uplinks, with separate source NAT rules with separate address pools, and have those separate address ranges assigned to the respective interface?
That will double up the amount of security policies through, as well as inbound static NAT rules, with redundant copies. So would prefer a solution that doesn't require that.
------------------------------
Lars Kristensson
Original Message:
Sent: 08-14-2024 15:18
From: Nikolay Semov
Subject: Source NAT on multihomed SRX
NAT, unfortunately, is not the only problem.
Yes, if you have a separate IP block which you advertise to both eBGP peers, you can use that for NAT (you don't have to attach it to lo0.0, you can just define it as a nat source pool). But the return traffic would still be arriving at a different interface, and the traffic won't match the session, so you would have to actually use static NAT and turn off TCP syn and sequence checks in order for that to work. More trouble than it's worth, in my opinion.
You could prepend your AS number or use a different MED value on the backup eBGP peer to force the ISP to NOT load-balance.
OR ... we can cheat a little bit.
Say you have the primary connection on ge-0/0/0.0 with ip 11.11.11.1/30 and the backup connection on ge-0/0/1.0 with ip 22.22.22.1/30. Instead of configuring the addresses directly on the interfaces, make yourself a little switch out of the two ports:
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members isp-vlan
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members isp-vlan
set vlans isp-vlan vlan-id 100
set vlans isp-vlan l3-interface irb.100
Then add both IPs on the same IRB interface:
set interfaces irb unit 100 family inet address 11.11.11.1/30
set interfaces irb unit 100 family inet address 22.22.22.1/30
Since irb.100 now has two addresses, don't forget to specify a local-address in your BGP configuration.
The mini-switch this creates will see the MAC address of 11.11.11.2 on port ge-0/0/0 and the MAC address of 22.22.22.2 on port ge-0/0/1 so essentially you still have separation. But, importantly, all your flow sessions will have irb.100 as the outgoing interface, so whatever port the return traffic arrives on, the traffic will be seen as arriving on the irb.100 L3 interface which should solve all your problems.
------------------------------
Nikolay Semov
Original Message:
Sent: 08-14-2024 14:48
From: Lars Kristensson
Subject: Source NAT on multihomed SRX
They are not redundant Layer 2 interfaces but separate Layer 3 interfaces, peering (eBGP) with two separate ISP routers.
If there can be only one interface accepting response traffic per NAT session, is it then possible to make source NAT use lo0.0 as egress interface?
------------------------------
Lars Kristensson
Original Message:
Sent: 08-14-2024 12:33
From: Nikolay Semov
Subject: Source NAT on multihomed SRX
The "IF" is just an abbreviation for "interface" and does not signify a condition. That being said, though, the outgoing interface is recorded as an attribute of the session, and if the return traffic comes back on another interface, the firewall won't match it to the existing session, and that's where the trouble starts. During a failover, existing session can recalculate the outgoing interface (assuming both interfaces are in the same zone), but there's only 1 outgoing interface per session at a time.
What's your current IP and failover configuration? If your uplinks are redundant on Layer 2, maybe you can bundle them into an aggregated ethernet? Hard to say without more context.
------------------------------
Nikolay Semov
Original Message:
Sent: 08-14-2024 10:13
From: Lars Kristensson
Subject: Source NAT on multihomed SRX
I'm new to Juniper and the SRX and I've now encountered a problem I haven't been able to find a good answer or solution to.
The configuration is a SRX which is multihomed with two uplinks to a single ISP. Requests are being sent up on a single link (with failover) but responses are load balanced back to either uplink interface on the SRX.
I then configured source NAT on it and ran into problems. Only half of the response packages, the ones arriving back on the same interface as the request was sent from, are being accepted. The response packages arriving on the other interface are being dropped.
Looking at the flow sessions, there is indeed an "IF:" condition next to the IP and port, stating the egress interface.
How can I get this "IF:" condition to include both of the possible ingress interfaces, so that all response packages are being accepted?
------------------------------
Lars Kristensson
------------------------------