SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

SRX240 dual ISP

  • 1.  SRX240 dual ISP

    Posted 07-14-2015 11:38

    Hello,

     

    I'm trying to set up my new ISP (2.2.2.2) connection on a different interface than my current ISP (1.1.1.1).

    I put my new ISP (2.2.2.2) on interface ge0/0/3, assigned it to zone untrust2, added a route for my PC only to point to that new ISP, and created a new policy for all this.

    When I try to ping my new gateway or any other IP on the internet, I do not get any successful response, but I do see in my log that it goes to the correct policy and route.

    Do you have any idea what I am missing here?

     

    Thank you !



  • 2.  RE: SRX240 dual ISP
    Best Answer

     
    Posted 07-14-2015 18:04

    Hello,

    What you are trying to achieve is to have a machine in your LAN take the secondary ISP, while the rest of them take the primary ISP. If this is your requirement, then we need to have filter-based forwarding.

    For more details, please check the following KB: http://kb.juniper.net/InfoCenter/index?page=content&id=KB17223&smlogin=true



  • 3.  RE: SRX240 dual ISP

    Posted 07-15-2015 06:17

    I like your solution. I read the article, and this is what I want to do.

    I have an SRX240, and I'm using a VLAN for my internal network. My LAN is connected on multiple interfaces and my two ISPs on two different interfaces.

    Not sure how to implement this in my network.

    Can you guide me in the right direction?

     

    Thank you !



  • 4.  RE: SRX240 dual ISP

     
    Posted 07-15-2015 08:12

    Hello,

    It's very simple. So you have a VLAN in your LAN segment with multiple interfaces in the SRX as part of it, and 2 ISPs connecting to the SRX on 2 different interfaces.

    So you can filter based on a firewall filter and then forward traffic based on your requirement. Please let us know how you need to split the traffic between the 2 ISPs: based on subnet or protocol?



  • 5.  RE: SRX240 dual ISP

    Posted 07-25-2016 06:22

    Hi Joses,

     

    How about a case where you have 3 WAN interfaces: 2 for internet and one for VPN tunneling to branch offices?

    For the internet links, users are split between both links and would also want to fail over in case of failure in any one of the internet links.

     

    Sam



  • 6.  RE: SRX240 dual ISP

    Posted 07-25-2016 14:51

    Are your 3 WAN interfaces all on separate ISPs?

    Basically, I would create a virtual router routing instance for each ISP with their own default route.

    set routing-instances NAME instance-type virtual-router

    These will each have their own routing table so they can have independent default routes. You place the matching ISP interface here by adding the interface to this virtual router instance. If you then have a LAN segment dedicated to this ISP, you simply add its interface to this same virtual router. Now all is self-contained and this LAN uses the ISP that it shares.

    For the VPN, you can have the tunnel interface where the decrypted traffic egresses in a different virtual router from the WAN gateway interface. So this gives you the flexibility to have the IPsec come up on one virtual router while the back-end traffic is in another if needed.

    Failover can be had by layering on IP monitoring to change routes when criteria fail.

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB25052&smlogin=true&actp=search

    In this situation you will also need to have the alternate route to the other virtual router in order to use the other ISP. For this you can use rib groups to leak routes between the two virtual routers or set up a tunnel interface internal to the SRX between the two routers. Or physically connect two ports on the SRX where one is in each virtual router.



  • 7.  RE: SRX240 dual ISP

    Posted 07-15-2015 05:26

    If the intention is to have one LAN use ISP1 and a second LAN use ISP2, then the simplest solution is to create a virtual router using routing instances.

    With a new routing instance you can put the second LAN and ISP in their own router that will be isolated from the root system and have their own NAT and security policy rules.

    The filter-based forwarding process is required if you need to split a LAN's traffic between two ISPs, where some traffic goes to ISP1 and the rest to ISP2 via the criteria you set up in FBF.



  • 8.  RE: SRX240 dual ISP

    Posted 07-25-2016 03:29

    Hi Steve,

     

    Could you elaborate more, maybe with a simple example?

    Would really appreciate it.

     

    Sam



  • 9.  RE: SRX240 dual ISP

    Posted 07-25-2016 15:21
    Unfortunately, the internal network is flat. Certain IPs go through ISP 2 while the rest go through ISP 1.

    Seeing it's a flat LAN, can I associate IPs to the VRs instead of interfaces?

    And since there's only one LAN interface, how do I separate traffic going to internet links and VPN links without creating a black hole?

    Sam


  • 10.  RE: SRX240 dual ISP

    Posted 07-26-2016 02:59

    No, you associate interfaces or sub-interfaces with the VR. So if the IPs were in ranges that could be associated with a subnet on an interface, then yes.

     

    Otherwise you need to use the filter based forwarding method.

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB17223
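
    The filter-based forwarding approach recommended in this thread, sketched as an added Junos configuration; it is not taken from any post or from the KB article. The LAN interface vlan.0, zone trust, host 192.168.1.50, ISP2 gateway 203.0.113.1 and every instance, filter, rule and address-book name are constructed assumptions; the interface (written ge0/0/3 in the question) and zone untrust2 come from the first post.

```junos
# Constructed example: one LAN host leaves via the second ISP, all other
# LAN traffic keeps following the default route in inet.0.

# 1. Forwarding-type instance that holds only the ISP2 default route.
set routing-instances ISP2-FBF instance-type forwarding
set routing-instances ISP2-FBF routing-options static route 0.0.0.0/0 next-hop 203.0.113.1

# 2. Copy the directly connected (interface) routes into the instance so
#    the next hop behind ge-0/0/3 can be resolved from its table.
set routing-options rib-groups FBF-RIBS import-rib [ inet.0 ISP2-FBF.inet.0 ]
set routing-options interface-routes rib-group inet FBF-RIBS

# 3. Filter term: packets from the chosen host are looked up in ISP2-FBF.
set firewall family inet filter LAN-FBF term host-to-isp2 from source-address 192.168.1.50/32
set firewall family inet filter LAN-FBF term host-to-isp2 then routing-instance ISP2-FBF

# 4. Final accept term. Without it the filter's implicit discard drops
#    every other packet arriving from the LAN.
set firewall family inet filter LAN-FBF term everything-else then accept

# 5. Apply the filter inbound on the LAN interface (assumed to be vlan.0).
set interfaces vlan unit 0 family inet filter input LAN-FBF

# 6. FBF only picks the route. The flow still needs a zone, a security
#    policy and source NAT towards ISP2, scoped to the one host.
set security zones security-zone untrust2 interfaces ge-0/0/3.0
set security address-book global address fbf-host 192.168.1.50/32
set security policies from-zone trust to-zone untrust2 policy lan-to-isp2 match source-address fbf-host
set security policies from-zone trust to-zone untrust2 policy lan-to-isp2 match destination-address any
set security policies from-zone trust to-zone untrust2 policy lan-to-isp2 match application any
set security policies from-zone trust to-zone untrust2 policy lan-to-isp2 then permit
set security nat source rule-set trust-to-untrust2 from zone trust
set security nat source rule-set trust-to-untrust2 to zone untrust2
set security nat source rule-set trust-to-untrust2 rule isp2-nat match source-address 192.168.1.50/32
set security nat source rule-set trust-to-untrust2 rule isp2-nat then source-nat interface
```

    After commit, `show route table ISP2-FBF.inet.0` should list the default route plus the connected routes, and `show security flow session source-prefix 192.168.1.50` should show the host's sessions leaving through ge-0/0/3.0.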



  • 11.  RE: SRX240 dual ISP

    Posted 07-26-2016 16:26

    Hi Steve,

     

    See the diagram and config of what I'm working on.

    It's still not working.

    Kindly help review.

     

    Sam

    Attachment: SAMP.txt (16 KB)


  • 12.  RE: SRX240 dual ISP

     
    Posted 07-27-2016 09:45

    Hi, 

     

    You may need to add the tunnel interfaces under the RT-VPNTUNNELS instance and change the instance-type to virtual-router assuming the tunnel interfaces are up.

     

    Cheers,

    Ashvin