SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Dual ISP with Static NAT and VPN - second ISP for office Web Browsing

    Posted 12-27-2012 14:14

    I have a question about a split ISP setup on an SRX240. I have a sync 10Mbit pipe that I host our Exchange server over, as well as a few dev/test web servers, so I have a few static NATs as well as two VPN tunnels for remote offices. I've recently added a business cable internet connection to relieve office internet browsing from consuming too much server/VPN bandwidth... and I'd like to offload just office web browsing to the cable connection.


    I'm running JUNOS 11.2R4.3. Internally, I have a layer 3 switch which routes the internal networks, so they all connect to the SRX off ge-0/0/4. The internal desktop users whose web traffic I'd like to push are on the network 10.1.20.0/24. Everything is working fine over ISP1, but I just need to push web traffic out the cable connection without messing with anything else. This is what I believe will work on my config per looking at KB 17223. It's a remote office for me and it will be a week or two before I do it... just want to get everything ready ahead of time so the changeover is quick.


    interfaces {
        ge-0/0/0 {
            unit 0 {
                description syncISP1;
                family inet {
                    address 2.2.2.2/28;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                description asyncISP2;
                family inet {
                    address 60.60.60.60/29;
                }
            }
        }
    
        ge-0/0/4 {
            unit 0 {
                family inet {
                    filter {
                        input FILTER1;
                    }
                    address 10.1.1.1/29;
                }
            }
        }
    }
    
    
    routing-options {
        interface-routes {
            rib-group inet IMPORT-PHY;
        }
        static {
            route 0.0.0.0/0 next-hop [  2.2.2.14 ];
        }
        rib-groups {
            IMPORT-PY {
                import-rib [ inet.0 routing-table-ISP1.inet.0 routing-table-ISP2.inet.0 ];
            }
        }
    }
    
    firewall {
        family inet {
            filter FILTER1 {
                term match-workstation {
                    from {
                        source-address {
                            10.1.20.0/24;
                        }
                        destination-port [ http https ];
                    }
                    then {
                        routing-instance routing-table-ISP2;
                    }
                }
                term default {
                    then {
                        routing-instance routing-table-ISP1;
                    }
                }
            }
        }
    }
    
    routing-instances {
        routing-table-ISP1 {
            instance-type forwarding;
            routing-options {
                static {
                    route 0.0.0.0/0 {
                        next-hop 2.2.2.14;
                    }
            }
            }
        }
        routing-table-ISP2 {
            instance-type forwarding;
            routing-options {
                static {
                    route 0.0.0.0/0 {
                        next-hop 60.60.60.62;
                        qualified-next-hop 2.2.2.14 {
                              preference 100;
                        }
                    }
                }
            }
        }
    }
    
    
    security {
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
            static {
                rule-set outbound {
                    from interface ge-0/0/0.0;
                    rule 2_2_2_3 {
                        match {
                            destination-address 2.2.2.3/32;
                        }
                        then {
                            static-nat prefix 172.16.2.3/32;
                        }
                    }
                    rule 2_2_2_4 {
                        match {
                            destination-address 2.2.2.4/32;
                        }
                        then {
                            static-nat prefix 172.16.2.4/32;
                        }
                    }
                }
            }
            proxy-arp {
                interface ge-0/0/0.0 {
                    address {
                        2.2.2.3/32 to 2.2.2.13/32;
                    }
                }
            }
        }
    }


  • 2.  RE: Dual ISP with Static NAT and VPN - second ISP for office Web Browsing
    Best Answer

    Posted 12-27-2012 14:24

    Yeah, Filter Based Forwarding (aka FBF) is what I'd do here. I'm not sure that you need two new routing instances though. You could have a forwarding type instance for just the new cable connection and then accept the default traffic into the global default table. FYI, you also have a typo in your rib-groups: "IMPORT-PY".


    firewall {
        family inet {
            filter FILTER1 {
                term match-workstation {
                    from {
                        source-address {
                            10.1.20.0/24;
                        }
                        destination-port [ http https ];
                    }
                    then {
                        routing-instance routing-table-ISP2;
                    }
                }
                term default {
                    then {
                        accept;
                    }
                }
            }
        }
    }



  • 3.  RE: Dual ISP with Static NAT and VPN - second ISP for office Web Browsing

    Posted 12-27-2012 15:10

    So scrap the ISP1 routing instance and just have the ISP2 routing instance? As type forward?



  • 4.  RE: Dual ISP with Static NAT and VPN - second ISP for office Web Browsing

    Posted 12-27-2012 18:53

    Agree to only use the one forwarding instance, delete the other instance, and use a bare then accept term instead in your firewall filter; otherwise all non-matching traffic would be dropped.


    GL



  • 5.  RE: Dual ISP with Static NAT and VPN - second ISP for office Web Browsing

    Posted 12-28-2012 06:49

    Yes, you don't need the instance. Just use an accept at the last term.
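The point made in the best answer (reply 2) and in reply 4, that one forwarding instance for the cable link plus a terminal accept term is enough, and that a filter without that accept term silently drops everything its explicit terms do not match, modelled in Python. This is an added example, not Juniper code and not the poster's configuration; the classes Term and Filter and the functions route_lookup and forward are a toy model made up here, while the prefix, ports, next-hops and preference value are the ones from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Term:
    """One firewall filter term: optional source prefix and destination ports, then an action."""
    name: str
    src_prefix: Optional[str] = None       # None matches any source address
    dst_ports: Tuple[int, ...] = ()        # empty tuple matches any destination port
    action: str = "accept"                 # "accept", "discard" or "routing-instance"
    instance: Optional[str] = None         # target table when action == "routing-instance"

    def matches(self, src: str, dport: int) -> bool:
        if self.src_prefix and ipaddress.ip_address(src) not in ipaddress.ip_network(self.src_prefix):
            return False
        if self.dst_ports and dport not in self.dst_ports:
            return False
        return True


class Filter:
    """Ordered terms, first match wins; a packet matching no term hits the implicit discard."""

    def __init__(self, *terms: Term):
        self.terms = terms

    def evaluate(self, src: str, dport: int) -> Tuple[str, Optional[str]]:
        for t in self.terms:
            if t.matches(src, dport):
                return (t.action, t.instance)
        return ("discard", None)           # Junos filters end in an implicit discard


# Default routes per table as (next-hop, preference); lower preference wins, which is
# what the qualified-next-hop with preference 100 in the thread relies on for fallback.
# Next-hop reachability is simplified to a set of "up" next-hops passed by the caller.
ROUTING_TABLES = {
    "inet.0":             [("2.2.2.14", 5)],
    "routing-table-ISP2": [("60.60.60.62", 5), ("2.2.2.14", 100)],
}


def route_lookup(table: str, up_nexthops: frozenset) -> Optional[str]:
    """Pick the lowest-preference usable next-hop for the default route in `table`."""
    for nexthop, _pref in sorted(ROUTING_TABLES[table], key=lambda nh: nh[1]):
        if nexthop in up_nexthops:
            return nexthop
    return None


ALL_UP = frozenset({"2.2.2.14", "60.60.60.62"})


def forward(fltr: Filter, src: str, dport: int, up_nexthops: frozenset = ALL_UP) -> Optional[str]:
    """Return the next-hop chosen for a flow, 'discard' if the filter drops it, None if no route."""
    action, instance = fltr.evaluate(src, dport)
    if action == "discard":
        return "discard"
    table = instance if action == "routing-instance" else "inet.0"
    return route_lookup(table, up_nexthops)


WORKSTATION_TERM = Term("match-workstation", src_prefix="10.1.20.0/24",
                        dst_ports=(80, 443), action="routing-instance",
                        instance="routing-table-ISP2")

# Filter as suggested in the thread: one forwarding instance plus a terminal accept,
# so non-web and non-workstation traffic falls through to inet.0 (next-hop 2.2.2.14).
ANSWER_FILTER = Filter(WORKSTATION_TERM, Term("default", action="accept"))

# Same steering term but no terminal accept: everything else is dropped by the filter.
NO_DEFAULT_FILTER = Filter(WORKSTATION_TERM)

if __name__ == "__main__":
    print("workstation https:", forward(ANSWER_FILTER, "10.1.20.5", 443))          # 60.60.60.62
    print("workstation smtp: ", forward(ANSWER_FILTER, "10.1.20.5", 25))           # 2.2.2.14
    print("server https:     ", forward(ANSWER_FILTER, "10.1.30.7", 443))          # 2.2.2.14
    print("no default term:  ", forward(NO_DEFAULT_FILTER, "10.1.30.7", 443))      # discard
    print("cable down:       ", forward(ANSWER_FILTER, "10.1.20.5", 443,
                                        frozenset({"2.2.2.14"})))                   # 2.2.2.14
```

The model skips two things the real box still needs: the forwarding instance only resolves 60.60.60.62 because the rib-group imports the interface route for ge-0/0/1 into it, and the cable-down fallback only happens when the static route's next-hop actually becomes unusable (for a directly connected next-hop, that means the interface going down), so a failed upstream with a healthy link does not trigger the qualified-next-hop.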