Routing

Ask questions and share experiences about ACX Series, CTP Series, MX Series, PTX Series, SSR Series, JRR Series, and all things routing, including portfolios and protocols.
  • 1.  Redirect HTTP traffic to proxy server at router (J4350)

    Posted 09-11-2012 07:13

    Hi,

     

    I'm trying to avoid having to replace gateways on some wifi hotspot networks with transparent proxies by routing via our regular routing infrastructure, filtering off the HTTP traffic and pushing it through a proxy. I figure it's more scalable (as there are lots of these hotspot networks) to do this at the router than create loads of extra transparent proxy/router boxes to maintain.

     

    Problem is I can't get it to work. Here is the (abridged) configuration I've got so far. This is the interface to which everything gets routed from the core switch:

    ge-0/0/0 {
        vlan-tagging;
        unit 0 {
            description Management;
            vlan-id 1;
            family inet {
                filter {
                    input 4_incoming;
                    output 4_outbound_traffic;
                }
                inactive: sampling {
                    input;
                    output;
                }
                address 192.168.51.13/24;
            }
        }
    }

    This is the firewall filter to grab the HTTP:

    jim@j4350# show firewall family inet filter 4_incoming 
    term 4_routeViaTransparentProxy {
        from {
            source-address {
                192.168.98.0/23;
            }
            destination-address {
                0.0.0.0/0;
            }
            destination-port http;
        }
        then {
            count redirected;
            routing-instance TransparentProxyVR;
        }
    }
    term default {
        then accept;
    }

    The routing instance (added an interface on the same network as the proxy to try and troubleshoot, didn't help):

    jim@j4350# show routing-instances TransparentProxyVR 
    interface ge-0/0/0.545;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 192.168.45.147;
        }
        instance-import Wildern_non-inet-routes;
    }

    I'm not seeing any traffic from my hosts on the hotspot network (192.168.98.0/23) at all - am I missing something here, or is there a better way to achieve this? Thanks!


  • 2.  RE: Redirect HTTP traffic to proxy server at router (J4350)
    Best Answer

    Posted 09-11-2012 10:49

    Hi,

     

    You can use instance-type virtual-router under the routing-instance.

    Also, you are supposed to put both interfaces under two different zones. You checked the security policy between these zones.

    If this does not help you, uploading the configuration file might assist also.

     

    Regards,

    Mohamed Elhariry



  • 3.  RE: Redirect HTTP traffic to proxy server at router (J4350)

    Posted 09-12-2012 04:09

    Thanks for the reply, I actually tried a virtual router instance type before but must have removed it during my testing. I've also tried the virtual router with and without an interface on the same subnet as the target proxy server. 

     

    Using the current configuration, no client traffic reaches the proxy server.

     

    Current full configuration attached. 



  • 4.  RE: Redirect HTTP traffic to proxy server at router (J4350)

    Posted 09-12-2012 04:35

    Hi,

     

    I couldn't find any security zone for interface ge-0/0/0.545.

     

    I think you may need to put this interface under a zone and ensure that there is a security policy allowing traffic from the management zone to this zone.

     

    Regards,

    Mohamed Elhariry



  • 5.  RE: Redirect HTTP traffic to proxy server at router (J4350)

    Posted 09-20-2012 08:31



  • 6.  RE: Redirect HTTP traffic to proxy server at router (J4350)

    Posted 09-20-2012 09:23

    Hi,

     

    I am glad it worked for you 🙂

    Regarding your request, we could try, but keep me updated with the result.

    I am expecting this route (192.168.0.0/16) is under WildernVR, so you can try the below:

    # set routing-options static route 192.168.0.0/16 next-table WildernVR.inet.0

    So now you will find the route in the normal routing table (inet.0).

    It might also need a reverse route under the VR to reach back to 192.168.98.0/23.

    If so, use a similar route like:

     

    # set routing-instances WildernVR routing-options static route 192.168.98.0/23 next-table inet.0

     

    Regards,

     

    Mohamed Elhariry

     

    JNCIE-M/T # 1059, CCNP & CCIP

     




  • 7.  RE: Redirect HTTP traffic to proxy server at router (J4350)

    Posted 09-20-2012 09:53

    That's right, 192.168.45.147 is accessible via the WildernVR.

     

    Since posting that I actually modified my configuration with:

     

     

    set routing-options instance-import Wildern_non-inet-routes

     

    Which has added the 192.168.0.0/16 route to the inet.0 table and as a result, started SNMP working again which is nice. 

     

    Assume this is equivalent to the next-table you posted?

     

    I tried taking out that configuration and adding in everything you suggested, but unfortunately nothing reaches the proxy - does the instance-type for the TransparentProxyVR still need to be virtual-router?

     

    I've attached the current config, currently no traffic is reaching the proxy. 

     

    Thanks for your help so far!



  • 8.  RE: Redirect HTTP traffic to proxy server at router (J4350)

    Posted 09-18-2012 19:25

    I believe that you should use a forwarding type of instance, and there is no need to include the interface in the routing-instance; see the below example:

    routing-instances {
        TransparentProxyVR {
            instance-type forwarding;
            routing-options {
                static {
                    route 0.0.0.0/0 next-hop 192.168.45.147;
                }
            }
        }
    }
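
Added example, not part of the thread and not any poster's configuration: the forwarding-instance suggestion from the last reply written out as a complete filter-based forwarding setup. It assumes the interface on the proxy's subnet is in the master instance, and the rib-group name `proxy-fbf` is hypothetical. The rib-group copies connected routes into `TransparentProxyVR.inet.0` so the static next hop 192.168.45.147 can resolve there, and `protocol tcp` is added so the port match applies only to TCP.

```junos
/* Added example; the rib-group name "proxy-fbf" is hypothetical. */
routing-options {
    interface-routes {
        rib-group inet proxy-fbf;
    }
    rib-groups {
        proxy-fbf {
            /* Primary table first, then the forwarding instance's table. */
            import-rib [ inet.0 TransparentProxyVR.inet.0 ];
        }
    }
}
routing-instances {
    TransparentProxyVR {
        /* Forwarding instances take no interface statement. */
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 192.168.45.147;
            }
        }
    }
}
firewall {
    family inet {
        filter 4_incoming {
            term 4_routeViaTransparentProxy {
                from {
                    source-address {
                        192.168.98.0/23;
                    }
                    /* Without this, the port match is not limited to TCP. */
                    protocol tcp;
                    destination-port http;
                }
                then {
                    count redirected;
                    routing-instance TransparentProxyVR;
                }
            }
            term default {
                then accept;
            }
        }
    }
}
```

If the proxy subnet's interface belongs to another instance (the thread mentions WildernVR), the `interface-routes` statement goes under that instance's `routing-options` and that instance's table is listed first in `import-rib`. The `redirected` counter on the filter shows whether client packets are matching the term at all.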