Ah, your questions guided me in the right direction. In the security flow session output I saw a lot of UDP/53 traffic to the SRX itself with no replies:
Session ID: 41848, Policy name: self-traffic-policy/1, Timeout: 50, Valid
In: 192.168.5.15/33924 --> 192.168.5.1/53;udp, If: ge-0/0/0.0, Pkts: 1, Bytes: 73
Out: 192.168.5.1/53 --> 192.168.5.15/33924;udp, If: .local..4, Pkts: 0, Bytes: 0
I have inserted an exception for the case where the SRX itself is serving the request (see term 0):
set firewall family inet filter LTE-SBR term 0 from destination-address 192.168.5.1/32
set firewall family inet filter LTE-SBR term 0 then accept
set firewall family inet filter LTE-SBR term 1 from source-address 192.168.5.15/32
set firewall family inet filter LTE-SBR term 1 then routing-instance LTE
set firewall family inet filter LTE-SBR term 2 then accept
As a result, we have split routing as desired. 192.168.5.15 takes fe-0/0/5.0:
Session ID: 38733, Policy name: http-out/7, Timeout: 1284, Valid
In: 192.168.5.15/59078 --> 63.215.202.xxx/443;tcp, If: ge-0/0/0.0, Pkts: 11, Bytes: 1223
Out: 63.215.202.xxx/443 --> 192.168.0.10/16202;tcp, If: fe-0/0/5.0, Pkts: 10, Bytes: 4429
and another IP takes pp0.0:
Session ID: 31389, Policy name: http-out/7, Timeout: 1574, Valid
In: 192.168.5.10/41938 --> 44.226.39.xxx/443;tcp, If: ge-0/0/0.0, Pkts: 16, Bytes: 2413
Out: 44.226.39.xxx/443 --> 46.87.206.xxx/6534;tcp, If: pp0.0, Pkts: 16, Bytes: 4680
If I deactivate term 0, DNS fails immediately. The FBF itself was working, but DNS to the SRX failed. I do not know why, but I can live with the "to SRX" exception.
Thank you very much for the hint, @spuluka!
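As an added example (not part of the thread), a small parser for the `show security flow session` output quoted above, run over a constructed sample modelled on these sessions with public addresses replaced by documentation-range ones: it flags sessions whose Out wing never carried a packet (the no-reply DNS symptom) and lists which egress interface each client source actually used, which is how to confirm the split routing from the CLI output.

```python
import re

# Constructed sample of `show security flow session` output, modelled on the
# sessions quoted in the thread; public IPs replaced with documentation ranges.
SAMPLE = """\
Session ID: 41848, Policy name: self-traffic-policy/1, Timeout: 50, Valid
  In: 192.168.5.15/33924 --> 192.168.5.1/53;udp, If: ge-0/0/0.0, Pkts: 1, Bytes: 73
  Out: 192.168.5.1/53 --> 192.168.5.15/33924;udp, If: .local..4, Pkts: 0, Bytes: 0
Session ID: 38733, Policy name: http-out/7, Timeout: 1284, Valid
  In: 192.168.5.15/59078 --> 203.0.113.10/443;tcp, If: ge-0/0/0.0, Pkts: 11, Bytes: 1223
  Out: 203.0.113.10/443 --> 192.168.0.10/16202;tcp, If: fe-0/0/5.0, Pkts: 10, Bytes: 4429
Session ID: 31389, Policy name: http-out/7, Timeout: 1574, Valid
  In: 192.168.5.10/41938 --> 198.51.100.20/443;tcp, If: ge-0/0/0.0, Pkts: 16, Bytes: 2413
  Out: 198.51.100.20/443 --> 192.0.2.7/6534;tcp, If: pp0.0, Pkts: 16, Bytes: 4680
"""

SESSION_RE = re.compile(r"Session ID: (\d+), Policy name: ([^,]+),")
WING_RE = re.compile(r"(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), "
                     r"If: (\S+), Pkts: (\d+), Bytes: (\d+)")

def parse_sessions(text):
    """Return one dict per session, carrying its 'In' and 'Out' wings."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            sessions.append({"id": int(m.group(1)), "policy": m.group(2)})
            continue
        w = WING_RE.search(line)
        if w and sessions:  # wing lines belong to the most recent session header
            sessions[-1][w.group(1)] = {
                "src": w.group(2), "dst": w.group(4), "dport": int(w.group(5)),
                "proto": w.group(6), "if": w.group(7), "pkts": int(w.group(8)),
            }
    return sessions

def unanswered(sessions):
    """IDs of sessions whose Out wing never carried a packet (the DNS symptom)."""
    return [s["id"] for s in sessions if s.get("Out", {}).get("pkts", 0) == 0]

def egress_by_source(sessions):
    """Map each client source IP to the egress interfaces it used ('.local..N' is the SRX itself)."""
    result = {}
    for s in sessions:
        if "In" in s and "Out" in s:
            result.setdefault(s["In"]["src"], set()).add(s["Out"]["if"])
    return result
```

Paste the real output into `SAMPLE` (or read it from a file) to check that the pinned host shows only the intended uplink and that nothing destined to the SRX itself sits at zero reply packets.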
Original Message:
Sent: 02-21-2023 20:15
From: spuluka
Subject: Filterbased Forwarding not working
When the filter is applied, can you run a session check during the traffic attempt to see how the policy and NAT rules are applied?
show security flow session source-prefix 192.168.5.15
And also run a traceroute from the 192.168.5.15 device.
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home
Original Message:
Sent: 02-20-2023 03:25
From: dennis_u
Subject: Filterbased Forwarding not working
Hello,
we are having trouble implementing source-based routing to a second ISP. The setup is quite simple:
ge-0/0/0.0, static v4 (192.168.5.0/24), zone trust
fe-0/0/5.0, static v4 (192.168.0.10/24), zone untrust, uplink to 5G router with pay-per-data plan
pp0.0, PPPoE, underlying interface fe-0/0/6.0, zone untrust, uplink to ISP with unlimited data but low bandwidth
The goal is to send out one specific IP via fe-0/0/5.0 to give it more bandwidth, but to route the other clients via the normal uplink.
What I've done so far:
set routing-instances LTE instance-type forwarding
set routing-instances LTE routing-options static route 0.0.0.0/0 next-hop 192.168.0.1
set routing-options rib-groups LTE-PBR-Group import-rib inet.0
set routing-options rib-groups LTE-PBR-Group import-rib LTE.inet.0
set routing-options interface-routes rib-group inet LTE-PBR-Group
set firewall family inet filter LTE-SBR term 1 from source-address 192.168.5.15/32
set firewall family inet filter LTE-SBR term 1 then routing-instance LTE
set firewall family inet filter LTE-SBR term 2 then accept
set interfaces ge-0/0/0 unit 0 family inet filter input LTE-SBR
Nevertheless, the host 192.168.5.15 has no internet access after committing the config, while all other clients do. The filter itself is applied, obviously. If I monitor the interface fe-0/0/5.0, I cannot see any relevant traffic, only ARP requests between the SRX and the 5G router. If I inspect the route table of LTE.inet.0, it looks fine to me.
Because of the already existing communication (trust -> untrust), there are security policies to allow the traffic and NAT rules for outgoing traffic.
Am I missing something?