ScreenOS Firewalls (NOT SRX)
Contributor
anoop82
Posts: 21
Registered: ‎05-29-2012
0
Accepted Solution

internet browsing issue

I have an SSG320M. I have 2 ISPs, ISP1 & ISP2: ISP1 for mailing & ISP2 for internet browsing.

For this scenario I configured one default route for my ISP2 and created a PBR for mail traffic on ISP1.

So I am doing internet browsing ONLY through ISP2.

Now I want internet browsing through BOTH ISPs, but mail traffic through ISP1.

So is it possible to do this? If yes, how can I do it?

Please, can anyone guide me?

Trusted Expert
sarab
Posts: 367
Registered: ‎05-12-2012
0

Re: internet browsing issue

This is possible by configuring ECMP.

In WebGUI:

Network > Routing > Virtual Router > Edit

Maximum ECMP Routes --- <Select 2>

Configure 2 default routes with equal preference and metric through both the ISPs.

However, the above solution may cause issues for "HTTPS" websites. I would recommend adding a PBR to send HTTPS (port 443) traffic through any one of the ISPs.

Contributor
anoop82
Posts: 21
Registered: ‎05-29-2012
0

Re: internet browsing issue

Hi Sarab,

Thanks for your suggestion.

Please confirm one thing: that your suggested configuration will not affect my SMTP traffic, which is going ONLY through ISP1 through PBR.

Because I don't want my SMTP traffic to pass through my ISP2.

Anoop

Trusted Expert
sarab
Posts: 367
Registered: ‎05-12-2012
0

Re: internet browsing issue

This solution won't affect SMTP traffic as you already have PBR configured for that. And PBR is the most preferred routing option.

Contributor
anoop82
Posts: 21
Registered: ‎05-29-2012
0

Re: internet browsing issue

Again, thanks Sarab.

One more question: in this scenario, how do I know which user's internet traffic is passing through which ISP?

Can I have command over this through the DNS of my ISP? I mean, suppose I put ISP1 DNS on PC1, then its internet traffic goes through ISP1, and when I put ISP2 DNS on PC2, then its internet traffic goes through ISP2.

Please advise.

And how can I block any website through the SSG320M?

Trusted Expert
sarab
Posts: 367
Registered: ‎05-12-2012
0

Re: internet browsing issue

You can't configure a traffic rule for particular users to force them through any ISP. That will be round robin and decided by the firewall. You can block websites with the URL filtering option. However, for that you need to buy a license from Juniper.

Contributor
anoop82
Posts: 21
Registered: ‎05-29-2012
0

Re: internet browsing issue

Hi Sarab,

I have configured ECMP as advised by you, but when I give the ISP2 DNS IP to a user, internet browsing works fine, and when I give the ISP1 DNS IP to a user, internet browsing becomes very slow, OR sometimes users are not able to open any website.

PLEASE advise where the issue is.

Trusted Expert
sarab
Posts: 367
Registered: ‎05-12-2012
0

Re: internet browsing issue

It could be possible that ISP1's DNS server is not responding to the DNS queries when they originate from ISP2's IP on the firewall (ECMP will send requests on a round robin basis). Try configuring global DNS, i.e. 4.2.2.2, and I hope this should resolve the issue.

Contributor
anoop82
Posts: 21
Registered: ‎05-29-2012
0

Re: internet browsing issue

I am not able to ping ISP1 DNS from the Juniper firewall but am able to ping ISP2 DNS. Traceroute to ISP1 DNS is also not successful. Below is my DNS configuration:

DNS > Host > dns1 - 202.X.50.4 src int. Eth0/2 ----- (it's my ISP1 DNS)
dns2 - 202.X.230.5 src int. Eth0/3 ----- (it's my ISP2 DNS)

Is there any issue?

You advised configuring global DNS. Please suggest how to configure it.

Trusted Expert
sarab
Posts: 367
Registered: ‎05-12-2012
0

Re: internet browsing issue

To configure global DNS, just use 4.2.2.2 as the DNS IP in the PC configuration instead of the ISPs' DNS IP.
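
The following sketch is an added example, not part of any post in this thread and not Juniper code: it models the behaviour the replies describe (PBR takes precedence, everything else alternates across the two default routes) to show why SMTP stays on ISP1, why a server can see one PC arrive from two source addresses, and why an ISP1 resolver may answer only some queries. The egress addresses, the class and function names, and the resolver's drop rule are assumptions.

```python
"""Constructed model of the routing behaviour described in this thread."""
from itertools import cycle

# Assumed documentation addresses standing in for each ISP's NAT egress IP.
EGRESS_IP = {"ISP1": "192.0.2.10", "ISP2": "198.51.100.10"}


class Firewall:
    """PBR is consulted first; unmatched sessions use ECMP round robin."""

    def __init__(self, pbr_rules, ecmp_links=("ISP1", "ISP2")):
        self.pbr_rules = dict(pbr_rules)  # {destination port: ISP name}
        self._ecmp = cycle(ecmp_links)    # two equal-cost default routes

    def route(self, dst_port):
        """Return the ISP that carries one new session to dst_port."""
        if dst_port in self.pbr_rules:
            return self.pbr_rules[dst_port]
        return next(self._ecmp)


def source_ips_seen(fw, dst_port, sessions=4):
    """NAT source IPs a remote server sees over several sessions from one PC."""
    return {EGRESS_IP[fw.route(dst_port)] for _ in range(sessions)}


def dns_success(fw, resolver_isp, queries=4):
    """Assumption: the ISP resolver drops queries not sourced from its own network."""
    return [fw.route(53) == resolver_isp for _ in range(queries)]


def compare():
    """Contrast SMTP-only PBR with PBR that also pins HTTPS (port 443)."""
    smtp_only = Firewall({25: "ISP1"})
    with_https = Firewall({25: "ISP1", 443: "ISP2"})
    return {
        "smtp": source_ips_seen(smtp_only, 25),
        "https_ecmp": source_ips_seen(smtp_only, 443),
        "https_pinned": source_ips_seen(with_https, 443),
        "isp1_dns_ecmp": dns_success(Firewall({25: "ISP1"}), "ISP1"),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:14} {result}")
```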