Junos OS


Ask questions and share experiences about Junos OS.
  • 1.  Firewall filter for PBR breaks management access, possibly some other traffic

    Posted 10-11-2011 00:46

    Hi,

    We've recently installed a second Internet connection, so I've somewhat successfully configured policy based routing on the edge router, which is a Juniper J4350 running JunOS 9.5R1.8. I followed a guide more or less exactly by example (found here: http://community.riverbed.com/rvrb/attachments/rvrb/rvrb-7/2886/1/Juniper%20PBR.pdf), and the PBR routing works outbound, routing traffic from specific ranges inside the LAN out of an ISP as required. However, when enabled, the filter also seems to catch other traffic: I can't SSH into the router any longer on the LAN interface (ge-0/0/0.1), and the configuration also seems to break some IPSEC VPNs going through the same router.

    In summary, without PBR, routing was working as expected through a single ISP with the static routes specified under routing-options.

    Could anyone suggest where I'm going wrong with this filter please? 🙂 Thanks!

    For reference, the parts of the configuration I've put in are as follows:

    ge-0/0/0 {
        vlan-tagging;
        unit 0 {
            vlan-id 1;
            family inet {
                filter {
                    input PBR;
                }
                address 192.168.51.13/24;
            }
        }
        unit 16 {
            description Hants-ext;
            vlan-id 16;
            family inet {
                sampling {
                    input;
                    output;
                }
                address 10.249.16.126/25;
            }
        }
        unit 128 {
            description DMZ;
            vlan-id 128;
            family inet {
                address 10.249.16.129/25;
            }
        }
        unit 150 {
            description NetworkFlow;
            vlan-id 150;
            family inet {
                address 217.20.18.50/29;
            }
        }
    }
    routing-options {
        interface-routes {
            rib-group inet fbf-group;
        }
        static {
            route 192.168.0.0/16 next-hop 192.168.51.37;
            route 10.217.163.0/24 next-hop 192.168.51.37;
            route 172.19.0.0/16 next-hop 192.168.51.12;
            route 172.16.0.0/16 next-hop 10.249.16.1;
            route 0.0.0.0/0 next-hop 10.249.16.1;
        }
        rib-groups {
            fbf-group {
                import-rib [ inet.0 viaHants.inet.0 viaNetworkFlow.inet.0 ];
            }
        }
    }
    firewall {
        family inet {
            filter sample-in {
                term default {
                    then {
                        sample;
                        accept;
                    }   
                }
            }
            filter PBR {
                term traffic_for_hants {
                    from {
                        source-address {
                            192.168.0.0/16;
                            172.16.0.0/16;
                            192.168.12.0/24 except;
                        }
                    }
                    then {
                        routing-instance viaHants;
                    }
                }
                term traffic_for_networkflow {
                    from {
                        source-address {
                            192.168.12.0/24;
                        }
                    }
                    then {
                        routing-instance viaNetworkFlow;
                    }
                }
                term default {
                    then accept;
                }
            }
        }
        filter all {
            term all {
                then {
                    sample;
                    accept;
                }
            }
        }
    }
    routing-instances {
        viaHants {
            instance-type forwarding;
            routing-options {
                static {
                    route 0.0.0.0/0 next-hop 10.249.16.1;
                    route 192.168.0.0/16 next-hop 192.168.51.37;
                    route 10.217.163.0/24 next-hop 192.168.51.37;
                    route 172.19.0.0/16 next-hop 192.168.51.12;
                    route 172.16.0.0/16 next-hop 10.249.16.1;
                }
            }
        }
        viaNetworkFlow {
            instance-type forwarding;
            routing-options {
                static {
                    route 0.0.0.0/0 next-hop 217.20.18.49;
                    route 192.168.0.0/16 next-hop 192.168.51.37;
                    route 10.217.163.0/24 next-hop 192.168.51.37;
                    route 172.19.0.0/16 next-hop 192.168.51.12;
                    route 172.16.0.0/16 next-hop 10.249.16.1;
                }
            }
        }
    }


  • 2.  RE: Firewall filter for PBR breaks management access, possibly some other traffic

    Posted 10-11-2011 11:30

    Hello,

    First of all, you don't have ge-0/0/0.1 configured. I assume ge-0/0/0.0 is the interface in question.

    Secondly, you did not mention from what source address(es) your management traffic is sent towards your J4350, and I am no clairvoyant.

    I could only make a wild guess that it may be sourced from 172.16/16 or 192.168/16 address blocks.

    If that's the case, please add an explicit term on top of your PBR firewall filter to accept your management traffic, something like this:

    set firewall family inet filter PBR term mgmt from source-address <specific mgmt subnet>
    set firewall family inet filter PBR term mgmt then accept
    insert firewall family inet filter PBR term mgmt before term traffic_for_hants

     HTH

    Rgds

    Alex



  • 3.  RE: Firewall filter for PBR breaks management access, possibly some other traffic

    Posted 10-12-2011 01:38

    Thanks for the reply. Quite right, I meant ge-0/0/0.0.

    As for the filter to accept management traffic, I can see how that would work, but if I add the exception for my management traffic, can I still control which gateway that traffic goes out of?

    E.g., the management subnet is 192.168.51.0/24 and it is currently being filtered and routed via the 'viaHants' routing instance. If I add a specific term to catch it with the accept statement (so the management traffic gets to the router), I can't also add a 'then routing-instance [whatever]' to send it to a specific gateway?



  • 4.  RE: Firewall filter for PBR breaks management access, possibly some other traffic

    Posted 10-12-2011 02:23

    Hello there,

    If you are SSH-ing _to_ the router from 192.168.51/24 subnet, why do you want SSH traffic to go to viaHants routing instance? It won't give you any more security or better QoS treatment.

    Or do I completely misunderstand the term "management traffic"? Is it traffic to be terminated by the router or traffic to be forwarded through the router to somewhere else? 

    Rgds

    Alex 



  • 5.  RE: Firewall filter for PBR breaks management access, possibly some other traffic

    Posted 10-12-2011 03:29

    Generally, SSH management traffic (i.e., traffic to configure the router) will come from 192.168.51.0/24; however, other SSH traffic will also come from that subnet and will need to go out of the default route, so terminating all SSH traffic at the router won't be appropriate.

    Is the correct solution to build the exception term in the filter to match based on the destination address of the router's management interface and the protocol?



  • 6.  RE: Firewall filter for PBR breaks management access, possibly some other traffic
    Best Answer

    Posted 10-12-2011 03:47

    @jamesyale wrote:

    Generally, SSH management traffic (i.e., traffic to configure the router) will come from 192.168.51.0/24; however, other SSH traffic will also come from that subnet and will need to go out of the default route, so terminating all SSH traffic at the router won't be appropriate.

    Is the correct solution to build the exception term in the filter to match based on the destination address of the router's management interface and the protocol?


    Yes, that would be the correct solution: to have a very tight and specific 1st term (or several tight and specific terms: 1st, 2nd, 3rd etc., but they all have to precede the FBF terms) in your PBR filter to explicitly accept traffic destined _to_ the router itself. Once such traffic is accepted, it is no longer processed by other PBR filter terms.

    HTH

    Rgds

    Alex 
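    The fix described in this answer, as an added example that is not from the original thread: one tight term that accepts SSH destined to the router's own LAN address, inserted ahead of the FBF terms so router-terminated management traffic is never handed to a forwarding instance. It assumes 192.168.51.13 (the ge-0/0/0.0 address in the original post) is the address being managed; the term and counter names are chosen here, and lines beginning with # are annotations.

    ```junos
    # Configuration mode: add one tight term that matches only SSH to the router itself.
    set firewall family inet filter PBR term mgmt-to-router from destination-address 192.168.51.13/32
    set firewall family inet filter PBR term mgmt-to-router from protocol tcp
    set firewall family inet filter PBR term mgmt-to-router from destination-port ssh
    set firewall family inet filter PBR term mgmt-to-router then count mgmt-to-router
    set firewall family inet filter PBR term mgmt-to-router then accept

    # Terms are evaluated in order and the first match wins, so the exception
    # must precede every term whose action is "routing-instance".
    insert firewall family inet filter PBR term mgmt-to-router before term traffic_for_hants

    # Resulting term order (check with: show firewall family inet filter PBR)
    #   mgmt-to-router          -> accept (terminates on the router, not steered)
    #   traffic_for_hants       -> routing-instance viaHants
    #   traffic_for_networkflow -> routing-instance viaNetworkFlow
    #   default                 -> accept

    # Commit with an automatic rollback in case the change still locks you out;
    # re-test SSH from 192.168.51.0/24 within the window, then make it permanent.
    commit confirmed 5
    commit

    # Operational mode: the counter should increase with each management session.
    show firewall filter PBR
    ```

    SSH from 192.168.51.0/24 to any other destination does not match the /32 destination address, so it still falls through to the FBF terms and is steered as before.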



  • 7.  RE: Firewall filter for PBR breaks management access, possibly some other traffic

    Posted 10-12-2011 05:38

    Excellent, thanks for the answer. I will schedule the time to make the changes; I think I understand how it's working properly now, so I should have more luck this time!