ScreenOS Firewalls (NOT SRX)
Blogs
Discussion Forums
Programs & Events
turn on suggestions Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Reply
Topic Options
clintmiller
Contributor
clintmiller
Posts: 12
Registered: ‎05-19-2009
0

Choosing a default (unknown) route based on a packet's source-ip

Options

‎09-17-2009 07:57 AM

Hi,

 

Let's say I have 2 networks connected to my SSG140:

 

 

  • 192.168.11.0/24 
  • 192.168.12.0/24
 
I want to send traffic from the .11.0/24 subnet with an unknown destination out interface eth0/2 via gateway 1.1.1.1. As you can imagine, I currently do this by setting the default gateway in the route table. The configuration change I want to make should result in sending traffic from the .12.0/24 subnet with an unknown destination out another interface, say eth0/3 via gateway 2.2.2.2.
 
Can this be accomplished by source-based routing? I originally thought that I could do so, but from my reading about SBR in the docs and the ScreenOS cookbook, SBR will take precedence over destination based routing (good), but if it only chooses a route based on a packet's source IP, how will the SSG route traffic in .12.0/24 to .11.0/24 (i.e., the packet source IP prefix will match the route in the SBR table and flow out eth0/3 via gateway 2.2.2.2 before if ever has a chance to actually get routed to the right place.).
 
Can anyone provide some insight on how to set this up?
 
Thanks!
 
Clint 

 

Message 1 of 5 (8,416 Views)
 
Reply
Super Contributor
Super Contributor
Cesar
Posts: 141
Registered: ‎11-18-2008
0

Re: Choosing a default (unknown) route based on a packet's source-ip

Options

‎09-17-2009 09:44 AM

My suggestion is to use another SBR from .12.0/24 to .11.0/24
Message 2 of 5 (8,377 Views)
 
Reply
clintmiller
Contributor
clintmiller
Posts: 12
Registered: ‎05-19-2009
0

Re: Choosing a default (unknown) route based on a packet's source-ip

Options

‎09-17-2009 10:40 AM

I don't understand: if SBR only uses the packet's source-IP to select a route, how do I express that only packets with a source-IP of .12.0/24 AND an unknown destination flow out a certain interface with a next-hop gateway.
Message 3 of 5 (8,371 Views)
 
Reply
AndyT
Contributor
AndyT
Posts: 52
Registered: ‎11-21-2008
0

Re: Choosing a default (unknown) route based on a packet's source-ip

Options

‎09-22-2009 11:25 AM

would be worth investigating whether you can achieve this using different virtual routers?
Message 4 of 5 (8,292 Views)
 
Reply
Distinguished Expert
Distinguished Expert
muttbarker
Posts: 1,946
Registered: ‎01-29-2008
0

Re: Choosing a default (unknown) route based on a packet's source-ip

Options

‎09-22-2009 05:25 PM

While it is true that source based is normally higher in preference that can be changed. So what about specifying a destination based route for the 11.0 to 12.0 traffic (and vice versa) and giving the destination route table a higher preference. Then that table will be checked first for the "local routes" and then the source based route table will be checked for the egress routes?

 

 

Kevin Barker
JNCIP-SEC
JNCIS-ENT, FWV, SSL
JNCIA-ER, EX, IDP, UAC, WX
Juniper Networks Certified Instructor
Juniper Networks Ambassador

Juniper Elite Reseller
J-Partner Service Specialist - Implementation

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
Message 5 of 5 (8,280 Views)
 
Reply
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.