Hi,
We've recently installed a second Internet connection, so I've somewhat successfully configured policy-based routing on the edge router, which is a Juniper J4350 running JunOS 9.5R1.8. I followed a guide (found here: http://community.riverbed.com/rvrb/attachments/rvrb/rvrb-7/2886/1/Juniper%20PBR.pdf) more or less exactly, and the PBR works outbound, routing traffic from specific ranges inside the LAN out of a given ISP as required. However, when the filter is enabled it also seems to catch other traffic: I can no longer SSH into the router on the LAN interface (ge0/0/0.1), and the configuration also seems to break some IPsec VPNs passing through the same router.
In summary, without PBR, routing was working as expected through a single ISP using the static routes specified under routing-options.
Could anyone suggest where I'm going wrong with this filter please? 🙂 Thanks!
For reference, the parts of the configuration I've added are as follows:
/* LAN-facing edge interface. Of the four units only unit 0 has a filter
   attached (input PBR); units 16, 128 and 150 carry none. */
ge-0/0/0 {
    vlan-tagging;
    /* LAN side (vlan-id 1). The post says SSH fails on "ge0/0/0.1"; unit 0
       with vlan-id 1 is presumably the interface meant -- confirm. Because
       PBR is an *input* filter here, it is evaluated on every packet that
       arrives from the LAN, including packets addressed to the router's own
       address 192.168.51.13 (see the annotations on filter PBR). */
    unit 0 {
        vlan-id 1;
        family inet {
            filter {
                input PBR;
            }
            address 192.168.51.13/24;
        }
    }
    /* First ISP uplink. 10.249.16.1 on this subnet is the next hop of the
       inet.0 default route and of the viaHants default route. Sampling is
       enabled in both directions; no sampling filter is attached. */
    unit 16 {
        description Hants-ext;
        vlan-id 16;
        family inet {
            sampling {
                input;
                output;
            }
            address 10.249.16.126/25;
        }
    }
    unit 128 {
        description DMZ;
        vlan-id 128;
        family inet {
            address 10.249.16.129/25;
        }
    }
    /* Second ISP uplink. 217.20.18.49 on this subnet is the viaNetworkFlow
       default next hop. */
    unit 150 {
        description NetworkFlow;
        vlan-id 150;
        family inet {
            address 217.20.18.50/29;
        }
    }
}
/* NOTE(review): this `family inet` stanza appears at the top level of the
   posted excerpt, which is not a configuration hierarchy of its own; its
   contents are identical to `firewall { family inet { ... } }` further down,
   so it is presumably a paste artifact of the post rather than committed
   configuration -- confirm against the device's `show configuration firewall`.
   The operational annotations are on the firewall stanza below. */
family inet {
    filter sample-in {
        term default {
            then {
                sample;
                accept;
            }
        }
    }
    filter PBR {
        term traffic_for_hants {
            from {
                source-address {
                    192.168.0.0/16;
                    172.16.0.0/16;
                    192.168.12.0/24 except;
                }
            }
            then {
                routing-instance viaHants;
            }
        }
        term traffic_for_networkflow {
            from {
                source-address {
                    192.168.12.0/24;
                }
            }
            then {
                routing-instance viaNetworkFlow;
            }
        }
        term default {
            then accept;
        }
    }
}
/* Main routing table (inet.0) and the rib-group that feeds the two
   forwarding instances. */
routing-options {
    /* Interface routes are installed into every table listed in fbf-group,
       so viaHants.inet.0 and viaNetworkFlow.inet.0 can resolve next hops that
       sit on connected subnets (192.168.51.x, 10.249.16.1, 217.20.18.49). */
    interface-routes {
        rib-group inet fbf-group;
    }
    static {
        /* Internal ranges reached through routers on the LAN segment. */
        route 192.168.0.0/16 next-hop 192.168.51.37;
        route 10.217.163.0/24 next-hop 192.168.51.37;
        route 172.19.0.0/16 next-hop 192.168.51.12;
        /* 172.16.0.0/16 and the default both leave via the Hants uplink. The
           same five routes are repeated in both forwarding instances; only
           the default differs in viaNetworkFlow. */
        route 172.16.0.0/16 next-hop 10.249.16.1;
        route 0.0.0.0/0 next-hop 10.249.16.1;
    }
    rib-groups {
        fbf-group {
            import-rib [ inet.0 viaHants.inet.0 viaNetworkFlow.inet.0 ];
        }
    }
}
/* Packet filters. In the posted excerpt only PBR is attached to an interface
   (ge-0/0/0 unit 0, input); sample-in and all are defined but not referenced
   anywhere shown. */
firewall {
    family inet {
        filter sample-in {
            term default {
                then {
                    sample;
                    accept;
                }
            }
        }
        /* Filter-based forwarding. Applied as an input filter on the LAN unit,
           so it runs on every packet arriving from the LAN before the route
           lookup, and the routing-instance action chooses which table that
           lookup uses. No term exempts traffic addressed to the router itself
           (192.168.51.13) or to its connected subnet, so LAN-sourced
           management traffic such as SSH -- whose source 192.168.51.x lies
           inside 192.168.0.0/16 -- is also pushed into viaHants.inet.0. The
           usual remedy is a first term, before traffic_for_hants, along the
           lines of
             term local { from { destination-address { 192.168.51.0/24; } } then accept; }
           so that traffic for the router and its LAN stays in inet.0 -- verify
           against the observed SSH symptom. Similarly, any destination that
           inet.0 reaches through a route not reproduced in viaHants.inet.0
           (that table holds only five statics plus the fbf-group interface
           routes) instead follows viaHants' 0.0.0.0/0 to 10.249.16.1, which
           could be what breaks the IPsec VPNs -- TODO confirm which routes the
           VPN traffic depends on. */
        filter PBR {
            /* Private sources other than 192.168.12.0/24 are forwarded using
               viaHants.inet.0. */
            term traffic_for_hants {
                from {
                    source-address {
                        192.168.0.0/16;
                        172.16.0.0/16;
                        192.168.12.0/24 except;
                    }
                }
                then {
                    routing-instance viaHants;
                }
            }
            /* 192.168.12.0/24 is forwarded using viaNetworkFlow.inet.0. */
            term traffic_for_networkflow {
                from {
                    source-address {
                        192.168.12.0/24;
                    }
                }
                then {
                    routing-instance viaNetworkFlow;
                }
            }
            /* Everything else (e.g. 10.x or non-private sources) is forwarded
               normally using inet.0. */
            term default {
                then accept;
            }
        }
    }
    /* Defined directly under firewall rather than under family inet (JunOS
       treats a filter with no family as inet). Not attached to any interface
       in the posted excerpt. */
    filter all {
        term all {
            then {
                sample;
                accept;
            }
        }
    }
}
routing-instances {
/* Forwarding table used by PBR term traffic_for_hants. Its five statics are
   the same as inet.0's, so for those prefixes the forwarding result does not
   change; the practical difference is that any route present in inet.0 but
   not listed here (nor supplied by fbf-group's interface routes) is invisible
   to matched traffic, which then takes the default via the Hants uplink. */
viaHants {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 10.249.16.1;
            /* LAN-side next hops; resolved through the interface routes that
               fbf-group imports from ge-0/0/0 unit 0. */
            route 192.168.0.0/16 next-hop 192.168.51.37;
            route 10.217.163.0/24 next-hop 192.168.51.37;
            route 172.19.0.0/16 next-hop 192.168.51.12;
            route 172.16.0.0/16 next-hop 10.249.16.1;
        }
    }
}
/* Forwarding table used by PBR term traffic_for_networkflow (sources in
   192.168.12.0/24). Identical to viaHants except that the default route
   points at the second ISP (217.20.18.49, reached via ge-0/0/0 unit 150). */
viaNetworkFlow {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 217.20.18.49;
            /* Same internal statics as inet.0 and viaHants; the 172.16.0.0/16
               route still exits via the Hants uplink even from this table. */
            route 192.168.0.0/16 next-hop 192.168.51.37;
            route 10.217.163.0/24 next-hop 192.168.51.37;
            route 172.19.0.0/16 next-hop 192.168.51.12;
            route 172.16.0.0/16 next-hop 10.249.16.1;
        }
    }
}