Oh ... I don't think you need FBF at all.
Both GW1 and GW2 instances need a route to 192.168.0.0/16 (or 192.168.50.0/24 as it were). You can make that static, or imported, however you can get it in there. When SRX looks up the reverse route back to the internet, it will look it up in the routing instance of the interface where traffic came from.
As for "talk to each other," I understand that to mean that internal devices (192.168.x.x) should be able to reach both 213.x and 94.x. To achieve that, I think it would be easiest to replace your static NAT with source + destination NAT; then apply the destination NAT rules for 213.x to match both traffic coming from outside (zone internet1) and inside (zone lan). Similarly rules for 94.x should apply to both zone internet2 and zone lan. If you mean something else by "talk to each other," please clarify.
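A worked configuration of what the reply above describes, added here as an example and not taken from the thread: a route in each virtual router back to the LAN prefix (so the reverse lookup lands on the right default route), destination NAT rule-sets that match both the outside zone and zone lan, and, as my own assumption, the intrazone lan policy the hairpinned LAN-to-LAN flow needs. The names gw1/gw2, internet1/internet2, lan and 192.168.50.0/24 come from the posted config; the 213/94 addresses, pool and policy names are placeholders.

```junos
## Added example, not from the thread. gw1/gw2, internet1/internet2, lan and
## 192.168.50.0/24 are from the posted config; public addresses, pool names
## and policy names are placeholders.

## 1. Each virtual router must be able to reach the LAN, which lives in the
##    default instance (inet.0); next-table hands the lookup to inet.0.
##    The existing 0.0.0.0/0 routes to 10.0.0.1 / 172.16.100.1 stay as they are.
set routing-instances gw1 routing-options static route 192.168.50.0/24 next-table inet.0
set routing-instances gw2 routing-options static route 192.168.50.0/24 next-table inet.0

## 2. Destination NAT for the 213 range: one rule-set matched from zone
##    internet1 AND zone lan, so internal hosts use the same public address
##    as the outside world. 213.0.0.10 is a placeholder for a real 213 address.
set security nat destination pool web1-213 address 192.168.50.10/32
set security nat destination rule-set DNAT-213 from zone [ internet1 lan ]
set security nat destination rule-set DNAT-213 rule web1 match destination-address 213.0.0.10/32
set security nat destination rule-set DNAT-213 rule web1 then destination-nat pool web1-213

## 3. Same pattern for the 94 range (zone internet2 and lan).
set security nat destination pool web2-94 address 192.168.50.20/32
set security nat destination rule-set DNAT-94 from zone [ internet2 lan ]
set security nat destination rule-set DNAT-94 rule web2 match destination-address 94.0.0.20/32
set security nat destination rule-set DNAT-94 rule web2 then destination-nat pool web2-94

## 4. Security policy is evaluated on the post-NAT (private) destination, so
##    the inbound rule can name the host and service instead of any/any.
set security address-book global address web1-private 192.168.50.10/32
set security policies from-zone internet1 to-zone lan policy web1-in match source-address any
set security policies from-zone internet1 to-zone lan policy web1-in match destination-address web1-private
set security policies from-zone internet1 to-zone lan policy web1-in match application junos-https
set security policies from-zone internet1 to-zone lan policy web1-in then permit

## 5. Assumption: a LAN host hitting 213.x is translated back into the LAN,
##    so that flow is lan -> lan and needs an intrazone policy to be permitted.
set security policies from-zone lan to-zone lan policy lan-hairpin match source-address any
set security policies from-zone lan to-zone lan policy lan-hairpin match destination-address web1-private
set security policies from-zone lan to-zone lan policy lan-hairpin match application junos-https
set security policies from-zone lan to-zone lan policy lan-hairpin then permit
```

With this in place the GW1_FILTER/GW2_FILTER filters and their interface bindings from the original post are no longer needed, as the reply says.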
Original Message:
Sent: 07-26-2024 11:43
From: CHRIS MELLOR
Subject: Two Gateways for different ranges, Need help configuring firewall filters to route traffic to the appropriate gateway
Our main FW cluster = our SRX345 cluster of two devices.
We use private addresses with static destination NAT.
We use 192.168. for internal
and NAT that to the 213 range currently,
But we are at the stage now where we will start migrating customer services to use the new 94 range ip and gateway.
We do not want these to use the 213 gw because that will eventually be turned off
But at the same time we need the two ranges to be able to "talk to each other" as we migrate services over
------------------------------
CHRIS MELLOR
Original Message:
Sent: 07-26-2024 11:36
From: Nikolay Semov
Subject: Two Gateways for different ranges, Need help configuring firewall filters to route traffic to the appropriate gateway
Is "our main FW cluster" the SRX345 you're trying to configure or separate firewalls that are staying in place? If separate firewalls, what is the functionality you need from the new SRX that you currently do not have because you cannot mess with the managed ISP router?
Are your web servers (and other devices; but let's call them all web servers for convenience) all configured with 213 and 94 addresses, or do they all use private addresses behind NAT?
------------------------------
Nikolay Semov
Original Message:
Sent: 07-26-2024 11:13
From: CHRIS MELLOR
Subject: Two Gateways for different ranges, Need help configuring firewall filters to route traffic to the appropriate gateway
Hi Nikolay
Thank you for helping.
A bit more explanation
You are correct, I might be barking up the wrong tree entirely.
Our network is currently running off a managed service from our ISP (we can call this the 213 range)
using a /24 range supplied by them
We have installed a non-managed system with MikroTik devices (switches and routers).
We have two /24's we are using with the new system (We can call this the 94 range)
We cannot access the router of the managed side so have resorted to using the SRX 345 cluster
Both GWs are plugged directly into our edge switches, which then plug into our main FW cluster.
What we ideally want is: if the device/service has a 213 IP then it uses the original connection as its gateway,
and if it has a 94 range address it uses the new GW.
The IPs I used in my config example above were just examples.
We have full access to use all /24 or all three ranges,
I hope this makes sense
If not please ask more questions
------------------------------
CHRIS MELLOR
Original Message:
Sent: 07-26-2024 10:56
From: Nikolay Semov
Subject: Two Gateways for different ranges, Need help configuring firewall filters to route traffic to the appropriate gateway
Maybe something was lost in Jodi's edit, but it's unclear what traffic you want to send where.
Reading the configuration provided, I gather the following:
- Traffic from 10.0.0.0/24 on ge-0/0/0 should go back out of ge-0/0/0 to 10.0.0.1.
  You do not need to attach a filter to ge-0/0/0 because that interface is already in the gw1 instance. Also, it doesn't make sense to go right back out of the same interface it came from. Do you need to have devices on the 10.0.0.0/24 subnet be configured with 10.0.0.230 as the gateway but have traffic actually go out of 10.0.0.1?
- Traffic from 172.16.100.0/24 on ge-0/0/1 should go back out of ge-0/0/1 to 172.16.100.1.
  Same as above.
- Traffic arriving on ge-0/0/3 will have no idea where to go, as you don't seem to have any routes defined in the default routing instance.
Depending on what you're trying to do, you may not need to use FBF at all.
------------------------------
Nikolay Semov
Original Message:
Sent: 07-25-2024 07:47
From: CHRIS MELLOR
Subject: Two Gateways for different ranges, Need help configuring firewall filters to route traffic to the appropriate gateway
Hi all, like the above says:
We recently installed a new unmanaged GW along with its own MikroTik routers and switches.
We also have a managed gateway we will be moving away from eventually,
but in the interim I have been trying to set up firewall filters to route traffic destined for a range to its own relevant GW.
Let's call the gateways 192.168.100.1 and 172.168.100.1.
I cannot get the routing to work. I am setting this all up on a wiped test FW (if I put a static route in, internet works).
More info:
Currently I am testing on an SRX300,
but our main firewall is a clustered SRX345.
We are migrating away from a managed internet connection onto an unmanaged setup.
We have many live websites and other services running.
I am attempting to separate traffic using the firewall
so that when we start moving services to the new address it will use the new GW rather than continuing to use the existing old gateway.
set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.230/24
set interfaces ge-0/0/1 unit 0 family inet address 172.16.100.250/24
set interfaces ge-0/0/3 unit 0 family inet address 192.168.50.222/24
set routing-instances gw1 instance-type virtual-router
set routing-instances gw1 interface ge-0/0/0.0
set routing-instances gw1 routing-options static route 0.0.0.0/0 next-hop 10.0.0.1
set routing-instances gw2 instance-type virtual-router
set routing-instances gw2 interface ge-0/0/1.0
set routing-instances gw2 routing-options static route 0.0.0.0/0 next-hop 172.16.100.1
set security zones security-zone internet1 interfaces ge-0/0/0.0
set security zones security-zone internet2 interfaces ge-0/0/1.0
set security zones security-zone lan interfaces ge-0/0/3.0
set firewall family inet filter GW1_FILTER term 1 from source-address 10.0.0.0/24
set firewall family inet filter GW1_FILTER term 1 then routing-instance gw1
set firewall family inet filter GW1_FILTER term 1 then accept
set firewall family inet filter GW2_FILTER term 1 from source-address 172.16.100.0/24
set firewall family inet filter GW2_FILTER term 1 then routing-instance gw2
set firewall family inet filter GW2_FILTER term 1 then accept
set interfaces ge-0/0/0 unit 0 family inet filter input GW1_FILTER
set interfaces ge-0/0/1 unit 0 family inet filter input GW2_FILTER
set security policies from-zone lan to-zone internet1 policy allow-lan-to-internet1 match source-address any
set security policies from-zone lan to-zone internet1 policy allow-lan-to-internet1 match destination-address any
set security policies from-zone lan to-zone internet1 policy allow-lan-to-internet1 match application any
set security policies from-zone lan to-zone internet1 policy allow-lan-to-internet1 then permit
set security policies from-zone lan to-zone internet2 policy allow-lan-to-internet2 match source-address any
set security policies from-zone lan to-zone internet2 policy allow-lan-to-internet2 match destination-address any
set security policies from-zone lan to-zone internet2 policy allow-lan-to-internet2 match application any
set security policies from-zone lan to-zone internet2 policy allow-lan-to-internet2 then permit
set security policies from-zone internet1 to-zone lan policy allow-internet1-to-lan match source-address any
set security policies from-zone internet1 to-zone lan policy allow-internet1-to-lan match destination-address any
set security policies from-zone internet1 to-zone lan policy allow-internet1-to-lan match application any
set security policies from-zone internet1 to-zone lan policy allow-internet1-to-lan then permit
set security policies from-zone internet2 to-zone lan policy allow-internet2-to-lan match source-address any
set security policies from-zone internet2 to-zone lan policy allow-internet2-to-lan match destination-address any
set security policies from-zone internet2 to-zone lan policy allow-internet2-to-lan match application any
set security policies from-zone internet2 to-zone lan policy allow-internet2-to-lan then permit
set security policies from-zone internet1 to-zone internet2 policy allow-internet1-to-internet2 match source-address any
set security policies from-zone internet1 to-zone internet2 policy allow-internet1-to-internet2 match destination-address any
set security policies from-zone internet1 to-zone internet2 policy allow-internet1-to-internet2 match application any
set security policies from-zone internet1 to-zone internet2 policy allow-internet1-to-internet2 then permit
set security policies from-zone internet2 to-zone internet1 policy allow-internet2-to-internet1 match source-address any
set security policies from-zone internet2 to-zone internet1 policy allow-internet2-to-internet1 match destination-address any
set security policies from-zone internet2 to-zone internet1 policy allow-internet2-to-internet1 match application any
set security policies from-zone internet2 to-zone internet1 policy allow-internet2-to-internet1 then permit
set security nat source rule-set NAT_RULESET_INTERNET1 from zone lan
set security nat source rule-set NAT_RULESET_INTERNET1 to zone internet1
set security nat source rule-set NAT_RULESET_INTERNET1 rule 1 match source-address 192.168.50.0/24
set security nat source rule-set NAT_RULESET_INTERNET1 rule 1 then source-nat interface
set security nat source rule-set NAT_RULESET_INTERNET2 from zone lan
set security nat source rule-set NAT_RULESET_INTERNET2 to zone internet2
set security nat source rule-set NAT_RULESET_INTERNET2 rule 1 match source-address 192.168.50.0/24
set security nat source rule-set NAT_RULESET_INTERNET2 rule 1 then source-nat interface
------------------------------
CHRIS MELLOR
------------------------------