SRX Services Gateway
Contributor
Posts: 14
Registered: ‎03-28-2014
Accepted Solution

PBR between zones

Hi, I am trying to configure a transparent proxy with an SRX240 and SQUID. The SRX240 is my GW and I want to forward traffic to the SQUID server using PBR, but it's not working. Here's my related config.

 

LAN testing station [security zone LAN] - 192.168.1.98
SQUID proxy         [security zone DMZ] - 192.168.200.22

 

I've configured a firewall filter and placed it as input on the SRX LAN GW interface.

 

# run show configuration firewall family inet filter SQUID
term 1 {
    from {
        source-address {
            192.168.1.98/32;
        }
        destination-address {
            0.0.0.0/0;
        }
        protocol tcp;
        destination-port [ 80 443 ];
    }
    then {
        log;
        routing-instance SQUID-VRF;
    }
}
term 2 {
    then accept;
}
# run show configuration interfaces reth5     
description LAN;
redundant-ether-options {
    redundancy-group 5;
    minimum-links 1;
}
unit 0 {
    family inet {
        filter {
            input SQUID;
        }
        sampling {
            input;
            output;
        }
        address 192.168.1.1/24;
    }
}

I've configured the VRF and routing-options.

 

# run show configuration routing-instances 
SQUID-VRF {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 192.168.200.22;
        }
    }
}
rib-groups {
    IMPORT-PHY {
        import-rib [ inet.0 SQUID-VRF.inet.0 ];
    }
}

And here's my security policy between zones.

 

# run show security policies from-zone LAN to-zone DMZ policy-name allow-web   
node0:
--------------------------------------------------------------------------
From zone: LAN, To zone: DMZ
  Policy: allow-web, State: enabled, Index: 100, Scope Policy: 0, Sequence number: 15
    Source addresses: any
    Destination addresses: squid
    Applications: junos-http, junos-https
    Action: permit, log

When I initiate HTTP or HTTPS traffic from my testing station, no traffic arrives at the SQUID server.

 

[root@squid ~]# tcpdump -ni eno16780032 not port 22 | grep -i 192.168.1.98
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno16780032, link-type EN10MB (Ethernet), capture size 65535 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
[root@squid ~]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 95 packets, 5100 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  *      *       192.168.0.0/23       0.0.0.0/0            tcp dpt:443 to:192.168.200.22:3129
    0     0 DNAT       tcp  --  *      *       192.168.0.0/23       0.0.0.0/0            tcp dpt:80 to:192.168.200.22:3128

The firewall filter matches the traffic, but it looks like it's not routed properly.

# run show firewall log interface reth5 
Log :
Time      Filter    Action Interface     Protocol        Src Addr                         Dest Addr
21:22:59  pfe       A      reth5.0       TCP             192.168.1.98                     2.21.74.91
21:22:59  pfe       A      reth5.0       TCP             192.168.1.98                     35.167.151.38
21:22:59  pfe       A      reth5.0       TCP             192.168.1.98                     172.217.23.206
21:22:59  pfe       A      reth5.0       TCP             192.168.1.98                     54.229.224.146
21:22:58  pfe       A      reth5.0       TCP             192.168.1.98                     35.167.184.4
21:22:58  pfe       A      reth5.0       TCP             192.168.1.98                     2.21.74.91
21:22:58  pfe       A      reth5.0       TCP             192.168.1.98                     2.21.74.105

And here's my routing table.

inet.0: 24 destinations, 25 routes (24 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 19w1d 10:40:40
                    > to x.x.x.x via reth1.0
x.x.x.x/29         *[Direct/0] 19w1d 10:40:40
                    > via reth1.0
                    [Direct/0] 19w1d 10:29:15
                    > via reth1.0
x.x.x.x/32         *[Local/0] 19w1d 11:26:02
                      Local via reth1.0
x.x.x.x/32         *[Local/0] 19w1d 10:29:15
                      Local via reth1.0
192.168.1.0/24     *[Direct/0] 19w1d 10:23:37
                    > via reth5.0
192.168.1.1/32     *[Local/0] 35w3d 23:02:46

192.168.200.0/24   *[Direct/0] 19w1d 10:24:53
                    > via reth6.0       
192.168.200.1/32   *[Local/0] 35w3d 23:02:46



SQUID-VRF.inet.0: 18 destinations, 19 routes (18 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:29:07
                    > to 192.168.200.22 via reth6.0
x.x.x.x/29         *[Direct/0] 00:29:07
                    > via reth1.0
                    [Direct/0] 00:29:07
                    > via reth1.0
x.x.x.x/32         *[Local/0] 00:29:07
                      Local via reth1.0
x.x.x.x/32         *[Local/0] 00:29:07
                      Local via reth1.0

192.168.1.0/24     *[Direct/0] 00:29:07
                    > via reth5.0
192.168.1.1/32     *[Local/0] 00:29:07
                      Local via reth5.0
192.168.200.1/32   *[Local/0] 00:29:07

Thank you for your advice. If you need more detail, please let me know.

Distinguished Expert
Posts: 5,028
Registered: ‎03-30-2009

Re: PBR between zones

Do you have the routing-options > interface-routes configured?

routing-options {
    interface-routes {
        rib-group inet IMPORT-PHY;
    }
}
Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV
JNCDA JNCDS-DC JNCDS-SEC
JNCIS-SP
ACE PanOS 6 ACE PanOS 7
http://puluka.com/home
Contributor
Posts: 14
Registered: ‎03-28-2014

Re: PBR between zones

Yes, I do.

> show configuration routing-options 
interface-routes {
    rib-group inet IMPORT-PHY;
}
static {
    route 10.253.253.0/24 next-hop 172.31.0.6;
    route 172.22.0.0/16 next-hop 172.31.0.6;
    route 0.0.0.0/0 next-hop x.x.x.x;
    route 192.168.168.0/23 next-hop 192.168.200.11;
    route 192.168.0.0/24 next-hop st0.1;
    route 192.168.201.0/24 next-hop st0.1;
    route 192.168.170.0/24 next-hop 192.168.200.11;
}
rib-groups {
    IMPORT-PHY {
        import-rib [ inet.0 SQUID-VRF.inet.0 ];
    }
}
Distinguished Expert
Posts: 5,028
Registered: ‎03-30-2009

Re: PBR between zones

This policy will not apply to your original traffic.

# run show security policies from-zone LAN to-zone DMZ policy-name allow-web   
node0:
--------------------------------------------------------------------------
From zone: LAN, To zone: DMZ
  Policy: allow-web, State: enabled, Index: 100, Scope Policy: 0, Sequence number: 15
    Source addresses: any
    Destination addresses: squid
    Applications: junos-http, junos-https
    Action: permit, log

The policy that will be applied will be for the destination address in the original packet, to the reth1.0 interface zone.

The policy should be to this zone and for "any" destination.

0.0.0.0/0          *[Static/5] 19w1d 10:40:40
                    > to x.x.x.x via reth1.0

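To make the reply's point concrete, here is an added model (not from the thread or from Junos) of the two lookups involved: filter-based forwarding picks the next hop from SQUID-VRF, while the zone/policy lookup is made on the packet's original destination in inet.0. The zone name "untrust" for reth1.0 is an assumption; the thread never names that zone.

```python
# Added example (not part of the thread): a small model of the SRX behaviour
# described in the reply. FBF selects the next hop from SQUID-VRF, but the
# security policy is matched on the ORIGINAL destination via inet.0, so the
# LAN->DMZ policy with destination "squid" never sees the web flow.
from ipaddress import ip_address, ip_network

# Routes condensed from the thread's tables (the x.x.x.x prefixes are left out).
INET0 = {"0.0.0.0/0": "reth1.0", "192.168.1.0/24": "reth5.0", "192.168.200.0/24": "reth6.0"}
SQUID_VRF = {"0.0.0.0/0": "reth6.0", "192.168.1.0/24": "reth5.0"}
# Interface-to-zone mapping; "untrust" for reth1.0 is an assumed name.
ZONE_OF_IFACE = {"reth1.0": "untrust", "reth5.0": "LAN", "reth6.0": "DMZ"}
SQUID = "192.168.200.22"

# The thread's policy and the change the reply suggests (zone of reth1.0, any destination).
ALLOW_WEB_ORIGINAL = {"from": "LAN", "to": "DMZ", "dst": {SQUID}}
ALLOW_WEB_FIXED = {"from": "LAN", "to": "untrust", "dst": "any"}


def lookup(table, dst):
    """Longest-prefix match in a route table; returns the egress interface."""
    addr = ip_address(dst)
    best = max((ip_network(p) for p in table if addr in ip_network(p)),
               key=lambda n: n.prefixlen)
    return table[str(best)]


def fbf_next_hop(src, dst, dport):
    """Term 1 of filter SQUID: the LAN test host to tcp/80,443 is sent to SQUID-VRF.
    Returns (next_hop or None, egress interface)."""
    if src == "192.168.1.98" and dport in (80, 443):
        return SQUID, lookup(SQUID_VRF, dst)
    return None, lookup(INET0, dst)


def policy_matches(policy, src, dst):
    """Zone lookup on the original src/dst via inet.0, then zone-pair and destination match."""
    from_zone = ZONE_OF_IFACE[lookup(INET0, src)]
    to_zone = ZONE_OF_IFACE[lookup(INET0, dst)]
    dst_ok = policy["dst"] == "any" or dst in policy["dst"]
    return policy["from"] == from_zone and policy["to"] == to_zone and dst_ok


if __name__ == "__main__":
    flow = ("192.168.1.98", "2.21.74.91", 443)  # from the thread's firewall log
    print("FBF next hop / egress:", fbf_next_hop(*flow))
    print("allow-web (LAN->DMZ, dst squid) matches:", policy_matches(ALLOW_WEB_ORIGINAL, *flow[:2]))
    print("allow-web (LAN->untrust, dst any) matches:", policy_matches(ALLOW_WEB_FIXED, *flow[:2]))
```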