SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Policy Based Routing with 2 links

    Posted 05-20-2015 06:36

    Hi,

     

    I have a scenario where there are 2 links connected on a Juniper SRX, where 1 link is to the ISP, with IP 1.1.1.1, and the 2nd link is connected to another firewall, with IP 2.2.2.2. Traffic from the specific source 10.10.10.0/24, which is connected on the LAN, that wants to go to the internet should pass through the ISP, and traffic from source 10.10.10.0/24 that wants to reach the subnet connected on the firewall should pass through the 2nd link, i.e. 2.2.2.2. However, I had configured the routing-instance for the ISP and it seems it's working. All traffic is passed to the ISP via link 1, but the same source 10.10.10.0/24 could not reach the other firewall.

     

    Is there any solution where, with the same source subnet, traffic should pass via the ISP if the destination is the ISP, and via the 2nd link if the destination is behind the other firewall?

     

    Below is the template where all traffic is passing to ISP:

     

    bhavinv@FWI001# show firewall filter Traffic-Vodafone
    term 1 {
        from {
            source-address {
                192.168.102.220/32;
            }
        }
        then {
            routing-instance Vodafone;
        }
    }
    term 2 {
        then accept;
    }

    {primary:node0}[edit]
    bhavinv@FWI001#

    bhavinv@FWI001# show routing-options
    interface-routes {
        rib-group inet Import-Vodafone;
    }
    static {
        route 0.0.0.0/0 next-hop 172.21.1.131;
    }
    rib-groups {
        Import-Vodafone {
            import-rib [ Vodafone.inet.0 inet.0 ];
        }
    }

    bhavinv@FWI001# show routing-instances
    Vodafone {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 122.15.117.225;
            }
        }
    }

     

     

    Thanks in Advance.

     

     

     

     

     



  • 2.  RE: Policy Based Routing with 2 links

     
    Posted 05-20-2015 06:47

    Hello ,

     

    Here you can create 2 terms in the firewall filter. Since the source is the same in both cases, we can add a destination prefix match condition for the second condition, where you need to route the traffic using the 2nd link if the destination is a specific subnet.

     

    Eg :

     

    bhavinv@FWI001# show firewall filter Traffic-Vodafone
    term 1 {
        from {
            source-address {
                192.168.102.220/32;
            }
            destination-address {
                XXXXXXXXXXX;
            }
        }
        then {
            routing-instance Vodafone;
        }
    }
    term 2 {
        then accept;
    }



  • 3.  RE: Policy Based Routing with 2 links

    Posted 05-20-2015 06:49

    Thanks Jose

     

    However, in this case there is only one instance, named Vodafone, and for the internet the destination will be any 0/0; for inet.0 there is no instance.



  • 4.  RE: Policy Based Routing with 2 links

     
    Posted 05-20-2015 06:53

    Hello ,

     

    So let me get this straight :

     

    Source: 10.10.10.0/24 --> Internet  ---> Should Take  ISP1 in inet  (1.1.1.1 ) ( Vodafone) .

    Source : 10.10.10.0/24 --> Specific Subnet behind Firewall --> Have to take ISP2 in Virtual router ISP2 ( 2.2.2.2) 

     

    If my understanding is correct, the above filter will work.

    If you have configured the ISP Vodafone in VR, you can move them to INET and make the firewall connection (i.e. 2nd link) to VR and this filter will work.



  • 5.  RE: Policy Based Routing with 2 links

    Posted 05-20-2015 06:58

    Hi,

     

    Source: 10.10.10.0/24 --> Internet  ---> Should Take  ISP1 ( Vodafone.inet.0)  (1.1.1.1 )

    Source : 10.10.10.0/24 --> Specific Subnet behind Firewall --> Have to take ISP2 in Virtual router ISP2 ( 2.2.2.2)  (inet.0)

     

    So we need to create a new instance for ISP2? Name (ISP2.inet.0)

     

    Thanks 

    Bhavin V

     

     



  • 6.  RE: Policy Based Routing with 2 links

     
    Posted 05-20-2015 07:02

    Hello ,

     

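    So in that case use this:

    bhavinv@FWI001# show firewall filter Traffic-Vodafone
    /* source + specific destination: accept, so the lookup stays in inet.0 */
    term 1 {
        from {
            source-address {
                192.168.102.220/32;
            }
            destination-address {
                XXXXXXXXXXX;
            }
        }
        then {
            accept;
        }
    }
    /* same source, any other destination: forward using the Vodafone instance */
    term 2 {
        from {
            source-address {
                192.168.102.220/32;
            }
        }
        then {
            routing-instance Vodafone;
        }
    }
    /* everything else: accept, forwarded using inet.0 */
    term 3 {
        then {
            accept;
        }
    }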

     

     

    If you could have added the Vodafone ISP link to inet instead of the VR, then this would have worked with the simple filter that I have shared above.
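
The term ordering in the filter above, modelled as an added example (not part of the original posts, and not Juniper code): a short Python sketch of first-match filter evaluation that compares the filter from post 2 with the one from post 6. The destination prefix 172.16.50.0/24 is constructed, since the thread elides the real prefix as XXXXXXXXXXX, and the test destinations are constructed as well.

```python
import ipaddress

# Constructed prefix: the thread elides the real one as XXXXXXXXXXX.
FW_SUBNET = "172.16.50.0/24"
SRC = "192.168.102.220/32"  # source prefix used in the thread's filters

# Each term: (name, source prefix or None, destination prefix or None, action).
# "accept" forwards using inet.0; any other action names a routing instance.
FILTER_POST_2 = [
    ("term 1", SRC, FW_SUBNET, "Vodafone"),
    ("term 2", None, None, "accept"),
]
FILTER_POST_6 = [
    ("term 1", SRC, FW_SUBNET, "accept"),
    ("term 2", SRC, None, "Vodafone"),
    ("term 3", None, None, "accept"),
]


def _matches(prefix, address):
    """A missing match condition matches every address."""
    if prefix is None:
        return True
    return ipaddress.ip_address(address) in ipaddress.ip_network(prefix)


def evaluate(terms, src, dst):
    """Return (term name, routing table) for the first term that matches."""
    for name, src_prefix, dst_prefix, action in terms:
        if _matches(src_prefix, src) and _matches(dst_prefix, dst):
            table = "inet.0" if action == "accept" else f"{action}.inet.0"
            return name, table
    # A Junos filter discards packets that match no term.
    return "implicit discard", None


def compare(src, dst):
    """Show which table each version of the filter selects for one packet."""
    return {
        "post 2": evaluate(FILTER_POST_2, src, dst),
        "post 6": evaluate(FILTER_POST_6, src, dst),
    }


if __name__ == "__main__":
    host = "192.168.102.220"
    for dst in ("172.16.50.10", "8.8.8.8"):  # constructed destinations
        print(host, "->", dst, compare(host, dst))
```

With the post 2 filter the two flows land in the opposite tables from what the original poster asked for; the post 6 ordering keeps the firewall subnet in inet.0 and sends the rest of that source's traffic to Vodafone.inet.0.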



  • 7.  RE: Policy Based Routing with 2 links

    Posted 05-20-2015 07:26

    Thanks Sam,

     

    Will test it tomorrow morning and will check.

     

     

    Thanks

    Bhavin V



  • 8.  RE: Policy Based Routing with 2 links
    Best Answer

    Posted 05-20-2015 21:57

    Thanks Sam,

     

    It's working fine now.



  • 9.  RE: Policy Based Routing with 2 links

     
    Posted 05-20-2015 22:49

    Hello ,

     

    Thanks for the update. If the solution that was provided worked, please mark that post as the accepted solution for future reference.