I have a question about a split ISP setup on an SRX240. I have a sync 10Mbit pipe that I host our exchange server over, as well as a few dev/test web servers, so I have a few static NATs as well as two VPN tunnels for remote offices. I've recently added a business cable internet connection to relieve office internet browsing from consuming too much server/VPN bandwidth... and I'd like to offload just office web browsing to the cable connection.
I'm running JUNOS 11.2R4.3. Internally, I have a layer 3 switch which routes the internal networks, so they all connect to the SRX off ge-0/0/4. The internal desktop users whose web traffic I'd like to push out are on the network 10.1.20.0/24. Everything is working fine over ISP1, but I just need to push web traffic out the cable connection without messing with anything else. This is what I believe will work on my config, based on KB 17223. It's a remote office for me and it will be a week or two before I can do it... I just want to get everything ready ahead of time so the changeover is quick.
interfaces {
    /* ISP1: the synchronous link. It carries the Exchange server, the
       dev/test web servers (static NAT below) and the VPN tunnels. */
    ge-0/0/0 {
        unit 0 {
            description syncISP1;
            family inet {
                address 2.2.2.2/28;
            }
        }
    }
    /* ISP2: the business cable link, meant only for office web browsing
       that FILTER1 steers into routing-table-ISP2.
       NOTE(review): the security zone of this interface is not in this
       excerpt; it must sit in a zone that the source NAT rule-set and a
       security policy cover, otherwise sessions cannot egress it. */
    ge-0/0/1 {
        unit 0 {
            description asyncISP2;
            family inet {
                address 60.60.60.60/29;
            }
        }
    }
    /* Inside link to the layer 3 switch. FILTER1 is an input filter here,
       so it evaluates every packet the switch sends toward the SRX. */
    ge-0/0/4 {
        unit 0 {
            family inet {
                filter {
                    input FILTER1;
                }
                address 10.1.1.1/29;
            }
        }
    }
}
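routing-options {
    /* Leak the direct/local routes of every interface into both forwarding
       instances so that a packet FILTER1 steers into them can still resolve
       the ISP next-hops and the locally attached networks. */
    interface-routes {
        rib-group inet IMPORT-PHY;
    }
    static {
        /* Default route for inet.0, used by traffic FILTER1 does not
           redirect into a forwarding instance. */
        route 0.0.0.0/0 next-hop [ 2.2.2.14 ];
    }
    rib-groups {
        /* The name here must match the reference under interface-routes.
           The original text referenced IMPORT-PHY but defined IMPORT-PY,
           which is expected to fail the commit check because the referenced
           rib-group does not exist. */
        IMPORT-PHY {
            import-rib [ inet.0 routing-table-ISP1.inet.0 routing-table-ISP2.inet.0 ];
        }
    }
}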
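firewall {
    family inet {
        /* FILTER1 is applied as an input filter on ge-0/0/4, so every packet
           arriving from the internal networks passes through it. Term order
           matters: the first matching term wins. */
        filter FILTER1 {
            /* Traffic to internal and remote-office destinations must stay
               in inet.0. The forwarding instances only hold a default route
               plus the rib-group-imported interface routes, so anything
               steered into them that is bound for another internal subnet
               or a VPN peer network would be sent to the ISP instead.
               The prefixes below are placeholders (RFC1918 ranges that
               cover the 10.x and 172.16.x networks seen in this config);
               replace them with the real internal and VPN subnets. */
            term keep-internal {
                from {
                    destination-address {
                        10.0.0.0/8;
                        172.16.0.0/12;
                        192.168.0.0/16;
                    }
                }
                then accept;
            }
            /* Office workstations: web traffic goes out the cable link. */
            term match-workstation {
                from {
                    source-address {
                        10.1.20.0/24;
                    }
                    /* Scope the port match to protocols that carry ports;
                       without this the destination-port bytes are compared
                       on packets of other protocols as well. */
                    protocol [ tcp udp ];
                    destination-port [ http https ];
                }
                then {
                    routing-instance routing-table-ISP2;
                }
            }
            /* Everything else keeps using the synchronous ISP1 link. */
            term default {
                then {
                    routing-instance routing-table-ISP1;
                }
            }
        }
    }
}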
routing-instances {
    /* Both forwarding instances carry only a default route plus the interface
       routes imported through the rib-group; routes to other internal subnets
       or to VPN peer networks are not present in them. */
    routing-table-ISP1 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 {
                    next-hop 2.2.2.14;
                }
            }
        }
    }
    routing-table-ISP2 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 {
                    /* Primary: cable gateway. */
                    next-hop 60.60.60.62;
                    /* Backup: ISP1 gateway, used only while the primary
                       next-hop is unusable.
                       NOTE(review): a static next-hop is withdrawn only when
                       the interface it resolves over goes down; a cable modem
                       commonly keeps the Ethernet link up while its upstream
                       is dead, so this fallback will not trigger without
                       link-state monitoring (e.g. RPM with ip-monitoring). */
                    qualified-next-hop 2.2.2.14 {
                        preference 100;
                    }
                }
            }
        }
    }
}
security {
nat {
    /* Interface-based source NAT for all traffic from zone trust to zone
       untrust. The translated address is that of whichever interface the
       session egresses, so it serves both ISP links as long as the cable
       interface is also in the untrust zone.
       NOTE(review): zones are not in this excerpt. If ge-0/0/1 sits in a
       different zone, a second rule-set (from trust to that zone) is needed;
       otherwise sessions steered to ISP2 leave with 10.x source addresses. */
    source {
        rule-set trust-to-untrust {
            from zone trust;
            to zone untrust;
            rule source-nat-rule {
                match {
                    source-address 0.0.0.0/0;
                }
                then {
                    source-nat {
                        interface;
                    }
                }
            }
        }
    }
    /* 1:1 static NAT for the published servers, keyed on traffic arriving
       via the ISP1 interface. Static NAT is bidirectional, so these hosts'
       own outbound traffic is translated to the public address as well. */
    static {
        rule-set outbound {
            from interface ge-0/0/0.0;
            rule 2_2_2_3 {
                match {
                    destination-address 2.2.2.3/32;
                }
                then {
                    static-nat prefix 172.16.2.3/32;
                }
            }
            rule 2_2_2_4 {
                match {
                    destination-address 2.2.2.4/32;
                }
                then {
                    static-nat prefix 172.16.2.4/32;
                }
            }
        }
    }
}
proxy-arp {
    /* The SRX answers ARP on the ISP1 segment for the public addresses used
       by static NAT (the range covers .3 through .13 of the /28, i.e. the
       usable addresses apart from the SRX at .2 and the gateway at .14), so
       the ISP gateway can deliver inbound traffic for them. */
    interface ge-0/0/0.0 {
        address {
            2.2.2.3/32 to 2.2.2.13/32;
        }
    }
}
}