SRX

Hi,

i am a newbie to Junos OS. I am trying to setup my SRX100H2 for the following setup :

-  I have 4 VLANs and 4 ADSL WAN connections

- the 4 WAN connections have their own Box

- i would like each VLAN to access the Internet from a spcific WAN:

VLAN1 ---> WAN1

VLAN2 ---> WAN2

VLAN3 ---> WAN3

etc...

The difficulty is that all my WAN are actualy behind a NAT managed by the box provided from the ISP and all of them have the same private IP 192.168.1.254.

Is there a way to do this with the SRX100H2?

Regards,

Rony 

Hello ,

You can try creating 3 Virtual router and make each VLAN with WAN in seperate Virtual router so that the routing will not be interfeared and you can create different NAT rules for them .

VR-1

VLAn1----> WAN1

VR-2

VLAN-2---> WAN2

VR-3

VLAN3--> WAN3

Hello ,

Reference Virtual router : http://kb.juniper.net/InfoCenter/index?page=content&id=KB16453

Hi joses,

thank you for your solution which seems to fit exactly what i need to do. Do i need to create any specific routing rules ? do you know if any of this is actually configurable using the web interface ?

Thx.

Hello ,

So in this case the routing will be different for all the 3 Virtual router . They should not be interfeared since that will cause issue , due to same private network .

So routing have to be different .

Its better to do Via CLi since configuration using J-Web KBs are very rare

Joses,

what do you mean by routing has to be different ? My VLANs have each different IP subnet, what i still can't figure out is how to tell each vlan to route through the specific WAN interface since all 4 interfaces are on the same subnet. I have already setup my VR and created a security zone for each.

Thx

Hello ,

even I am a bit confused here . So just to clear out , let me explain and correct me if I am wrong . You have 3 VLAN Say "A,B,C "  and 3  WAN  " ISP1 , ISP2, ISP3 "  .

You have connected 2 VLANS to trust interface  "T1 , T2 ,T3 "  and connect 3 WAN interface to W1, W2, W3 .

My setup will be  

VR-1  ( T1  and W1  ) interfaces , default gateway will be ISP1

VR-2  ( T2  and W2 ) Interfaces  ,  default gateway will be ISP2

VR-3  ( T3  and W3 ) Interfaces  ,  default gateway will be ISP3 .

Now I see from your update that WAN IPs are behind a NAT box with private IP . I did not get that part , is it that all the 3 WAN IPs point to same private IP or something different .

Dear Joses,

that is exactly my setup. Concerning the last part of your post:

SRX WAN1 (IP 192.168.1.2) ------------------BOX1 (192.168.1.254)--------------INTERNET (IP DYNAMIC)

SRX WAN2 (IP 192.168.1.2) ------------------BOX2 (192.168.1.254)--------------INTERNET (IP DYNAMIC)

SRX WAN3 (IP 192.168.1.2) ------------------BOX3 (192.168.1.254)--------------INTERNET (IP DYNAMIC)

Each WAN has a different ADSL BOX but these are configured by the ISP with identical configuration for Internal Network.

If i add each vlan and corresponding wan interface in their respective VR and keep the default route 0.0.0.0 gateway 192.168.1.2 will it work for all the VR ?

Best Regards,

Hello ,

It cannot get anymore confusing than this .... Just joking . If you give the default gateway as 192.168.1.2 in each routing instance , it may take care of only routing part , but NAT and policies are global and it can get conflicts . Also I just wanted to know on what basis are we spliting the VLANs to take those 3 WAN links ?  Are the VLAN segregated by Subnets or any other distinguishing factor ?

The VLANs are each on a different subnet.

Regarding the NAT part:

if my VLANs are in zone called TRUST and my WANs are in zone UNTRUST, a simple source NAT will do the job ? I am goiing to try this config and will let you know.

This setup is used to give users access to WIFI but the requirement was to have 4 SSID and each SSID will use it is own box.

THX

Hello ,

Simple source NAT will do the job , provided we need to use 3 different NAT pools for the 3 VLANs for a clean configuration plus to avoid NAT pool exhausion . 

Please test the same and let us know .

Dear Joses,

i tried to setup each routing instance ...but it is not working. I attached my conf below if you can take a look at it and tell me what am i missing.

Only the first one WAN - VLAN association is working. The 3 other vlan's they can't route to the 192.168.1.254 address (which is their respective ADSL BOX address).

THX

Rony

Attachment(s)

GATEWAY1.txt   13 KB 1 version

Hello ,

Can you share the output of  :

>show route 4.2.2.2 .

>show route  <individual vlan host IPs >

Hi,

i am not in front of the device ritght now but yesterday i managed to print "show route" . Please find the result attached.

Regards.

Attachment(s)

show route.txt   2 KB 1 version

Hello ,

As per the routing table also the routes from each VLAN are routed to their corresponding WAN :

collatpro-vr.inet.0

0.0.0.0/0          *[Static/5] 00:28:10
                    > to 192.168.1.254 via fe-0/0/0.0

phals-vr.inet.0

0.0.0.0/0          *[Static/5] 00:19:29
                    > to 192.168.1.254 via fe-0/0/2.0

vibrant-vr.inet.0

0.0.0.0/0          *[Static/5] 00:14:55
                    > to 192.168.1.254 via fe-0/0/3.0

So now we need to check the flow related where its not working . So kindly run the non working traffic and collect the flow information :

> show security flow session source-prifix <source-ip> destination-prifix <dest-ip > .

If you cannot find the flow , then we need to enable flow traceoption and check the exact flow and where its getting dropped .

http://kb.juniper.net/InfoCenter/index?page=content&id=KB16233

Joses,

please find attached the result .

Thx

Attachment(s)

show security flow.txt   12 KB 1 version

hello ,

So as per the session details I see the packet leaving the SRX with correct interface , but nothing is coming back from 192.168.1.254 .

192.168.1.254/53 --> 192.168.5.2/63316;udp, If: fe-0/0/3.0, Pkts: 0, Bytes: 0  <<<<<.

Dear Joses,

just to let you know that everything is working now. It was the NAT and FW policy that were not correctly setup.

Thanks again.

Rony