SRX

  • 1.  Filter Based Forwarding

    Posted 07-04-2013 02:41

    I was hoping someone could help me with a filter based forwarding issue I've been having.
     
    I have a site that has an ADSL connection which is used for incoming smtp traffic. They have just put in a fibre connection which they want to use for Internet traffic. We want to keep the ADSL for incoming mail because the fibre plan they are on doesn't allow for a static IP address.
     
    I have created a source based routing filter by following this article, http://kb.juniper.net/InfoCenter/index?page=content&id=KB23300, which uses a firewall filter to route all traffic from the mail server out the ADSL interface and everything else out the fibre. This seems to work but the problem is with inbound connections.
     
    If I externally telnet to port 25 when routing is set to use ADSL only, I get the email banner of the mail server. If I enable the routing filter (and make only traffic from the mail server go out the ADSL interface) and telnet to port 25 I don't get the banner (just a blinking cursor). This causes external email to stop working. It seems like the port is open but the data is not returning correctly (almost like it's going in on the ADSL and out on the fibre).

    A traceroute from the email server confirms that traffic is going out the ADSL interface. Any ideas?

    interfaces {
        vlan {
            unit 0 {
                family inet {
                    filter {
                        input ADSL-Filter;
                    }
                    address 192.168.254.254/24;
                }
            }
        }
    }
    firewall {
        family inet {
            filter ADSL-Filter {
                term 0 {
                    from {
                        source-address {
                            192.168.254.1/32;
                        }
                    }
                    then {
                        routing-instance ADSL-Router;
                    }
                }
                term 1 {
                    then accept;
                }
            }
        }
        filter accept {
            term 0 {
                then accept;
            }
        }
    }
    routing-instances {
        ADSL-Router {
            instance-type forwarding;
            routing-options {
                static {
                    route 0.0.0.0/0 next-hop at-1/0/0.0;
                }
            }
        }
    }
    routing-options {
        interface-routes {
            rib-group inet ADSL-Router;
        }
        static {
            route 0.0.0.0/0 next-hop 192.168.32.254;
        }
        rib-groups {
            ADSL-Router {
                import-rib [ inet.0 ADSL-Router.inet.0 ];
            }
        }
    }

  • 2.  RE: Filter Based Forwarding

    Posted 07-04-2013 05:16

    Can you post the output of "show security flow session destination-prefix 192.168.254.1/32" after you attempt to connect?



  • 3.  RE: Filter Based Forwarding

    Posted 07-04-2013 15:00

    Hi dfex

     

    The command "show security flow session destination-prefix 192.168.254.1/32" didn't display any sessions so I ran the command to show destination-port 25 which showed some information.

     

    I fired a telnet to port 25 with routing set to use the at-1/0/0.0 interface and then changed the routing to go out the fibre on fe-0/0/1.0 and issued a telnet again. The results are displayed below:

     

    root@srx-110> show security flow session destination-port 25
    Session ID: 11544, Policy name: SMTP-OWA/6, Timeout: 1586, Valid
    In: 114.134.165.186/2195 --> 219.88.101.197/25;tcp, If: at-1/0/0.0, Pkts: 3, Bytes: 128
    Out: 192.168.254.1/25 --> 114.134.165.186/2195;tcp, If: vlan.0, Pkts: 2, Bytes: 204

     

    Session ID: 12428, Policy name: SMTP-OWA/6, Timeout: 1798, Valid
    In: 114.134.165.186/2018 --> 219.88.101.197/25;tcp, If: fe-0/0/1.0, Pkts: 2, Bytes: 88
    Out: 192.168.254.1/25 --> 114.134.165.186/2018;tcp, If: vlan.0, Pkts: 2, Bytes: 204
    Total sessions: 2


  • 4.  RE: Filter Based Forwarding

    Posted 07-04-2013 15:52

    Hi drenz,

     

    My bad - destination-prefix should have been the NAT address 219.88.101.197

     

    Looking at your output raises a few more questions though:

     

    From the second session, it looks like your fibre interface is plugged in to fe-0/0/1.0?

     

    What I don't quite follow though is how traffic destined for 114.134.165.186 is coming IN on this interface, especially if it has a dynamic address.  Are you using a routing protocol or something else to steer it this way from the internet side?



  • 5.  RE: Filter Based Forwarding

    Posted 07-04-2013 18:20

    Yes, the fibre is coming in via fe-0/0/1.0. The ISP provided a router with a LAN interface that I plugged into the SRX. Thinking about it now I could have probably bypassed the router and plugged straight into the SRX.



  • 6.  RE: Filter Based Forwarding

    Posted 07-04-2013 20:48

    What address is on the interface facing the fibre provider?



  • 7.  RE: Filter Based Forwarding

    Posted 07-05-2013 02:44

    192.168.32.254



  • 8.  RE: Filter Based Forwarding

    Posted 07-07-2013 17:32

    So you are using destination NAT and proxy-arp?



  • 9.  RE: Filter Based Forwarding

    Posted 07-07-2013 19:17

    I'm using destination NAT but not proxy-arp.



  • 10.  RE: Filter Based Forwarding

    Posted 07-13-2013 16:01

    Do you think configuring proxy-arp will help?

     

    What if instead of filtering traffic by IP address, I filter it by application service i.e. all smtp goes out the ADSL interface?



  • 11.  RE: Filter Based Forwarding
    Best Answer

    Posted 07-16-2013 22:41

    So anyway for those that are interested, I got it working in the end. I think it's a much more elegant solution as well. Instead of making all traffic from one server go out the ADSL interface I made all traffic go out the fibre interface except traffic destined to go out on port 25.

     

    firewall {
        family inet {
            filter ADSL-Filter {
                term 0 {
                    from {
                        destination-port-except 25;
                    }
                    then {
                        routing-instance ADSL-Router;
                    }
                }
                term 1 {
                    then accept;
                }
            }
        }
    }
    routing-instances {
        ADSL-Router {
            instance-type forwarding;
            routing-options {
                static {
                    route 0.0.0.0/0 next-hop 192.168.32.254;
                }
            }
        }
    }
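As an added illustration (not code from the thread or from Juniper), the following Python parses the "show security flow session" output quoted above, then applies a first-match model of the two ADSL-Filter versions (the original source-address term and the final destination-port-except term) to every packet that enters vlan.0, the only interface the input filter is attached to. Session 90001 is a constructed outbound SMTP session added to show where the two filters disagree; the script models only the filter-term match, not the SRX's stateful session handling.

```python
import ipaddress
import re

# Constructed sample: the two sessions quoted in the thread plus one made-up outbound SMTP session (ID 90001).
SESSION_OUTPUT = """\
Session ID: 11544, Policy name: SMTP-OWA/6, Timeout: 1586, Valid
In: 114.134.165.186/2195 --> 219.88.101.197/25;tcp, If: at-1/0/0.0, Pkts: 3, Bytes: 128
Out: 192.168.254.1/25 --> 114.134.165.186/2195;tcp, If: vlan.0, Pkts: 2, Bytes: 204
Session ID: 12428, Policy name: SMTP-OWA/6, Timeout: 1798, Valid
In: 114.134.165.186/2018 --> 219.88.101.197/25;tcp, If: fe-0/0/1.0, Pkts: 2, Bytes: 88
Out: 192.168.254.1/25 --> 114.134.165.186/2018;tcp, If: vlan.0, Pkts: 2, Bytes: 204
Session ID: 90001, Policy name: trust-to-untrust/1, Timeout: 1800, Valid
In: 192.168.254.1/40000 --> 203.0.113.25/25;tcp, If: vlan.0, Pkts: 1, Bytes: 64
Out: 203.0.113.25/25 --> 219.88.101.197/40000;tcp, If: fe-0/0/1.0, Pkts: 0, Bytes: 0
"""
WING = re.compile(r"^(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), If: ([^,\s]+)")

# The two ADSL-Filter versions from the thread as (match, table) terms; {} is 'then accept' -> inet.0.
FILTER_BY_SOURCE = [({"source-address": "192.168.254.1/32"}, "ADSL-Router"), ({}, "inet.0")]
FILTER_BY_PORT = [({"destination-port-except": 25}, "ADSL-Router"), ({}, "inet.0")]

def parse_wings(text):
    """One dict per In/Out wing of 'show security flow session' output."""
    wings, sid = [], None
    for line in text.splitlines():
        if line.startswith("Session ID:"):
            sid = int(line.split(",")[0].split(":")[1])
        m = WING.match(line)
        if m:
            d, src, sport, dst, dport, proto, ifc = m.groups()
            wings.append({"session": sid, "dir": d, "src": src, "sport": int(sport),
                          "dst": dst, "dport": int(dport), "proto": proto, "if": ifc})
    return wings

def select_instance(terms, pkt):
    """First-match evaluation of the filter terms; returns the routing table the packet is sent to."""
    for match, instance in terms:
        ok = True
        if "source-address" in match:
            ok &= ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(match["source-address"])
        if "destination-port-except" in match:
            ok &= pkt["dport"] != match["destination-port-except"]
        if ok:
            return instance
    return "discard"  # the implicit final term of a Junos filter discards

def decisions(terms, text=SESSION_OUTPUT):
    """Map (session, direction) -> table for every wing entering vlan.0, where the input filter applies."""
    return {(w["session"], w["dir"]): select_instance(terms, w)
            for w in parse_wings(text) if w["if"] == "vlan.0"}
```

Under the original filter every packet from 192.168.254.1 lands in ADSL-Router, while under the final filter only packets with destination port 25 fall through to inet.0; note that in the final configuration the instance named ADSL-Router actually points at 192.168.32.254, the fibre side.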