ScreenOS Firewalls (NOT SRX)
Blogs
Discussion Forums
Programs & Events
turn on suggestions Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Reply
Topic Options
anoop82
Contributor
anoop82
Posts: 21
Registered: ‎05-29-2012
0
Accepted Solution

internet browsing issue

Options

‎06-07-2012 11:31 AM

I have ssg320m..i have 2 ISP.. ISP 1 & ISP2.. ISP1 for mailing & ISP2 for internet browsing..

For this scenario i configured one default route for my ISP2 & create PBR for mail traffic on ISP1..

So i am doing internet browsing ONLY through ISP2..

 

Now i want internet browsing through BOTH ISP's.. but mail traffice through ISP1..

 

So is it possible to do the same.. if yes then how can i do the this..

 

Pls anyone guide me..

 

 

Message 1 of 20 (787 Views)
 
Reply
Recognized Expert Recognized Expert
Recognized Expert
sarab
Posts: 266
Registered: ‎05-12-2012
0

Re: internet browsing issue

Options

‎06-07-2012 10:32 PM

This is possible by configuring ECMP.

 

In WebGUI:

 

Network > Routing > Virtual Router > Edit

 

Maximum ECMP Routes --- <Select 2>

 

Configure 2 default routes with equal pref and Metric through both the ISPs.

 

However the above solution may cause issues for "Https" websites. I would recommend adding a PBR to send HTTPs (port 443) traffic  through any one of the ISPs.

Message 2 of 20 (768 Views)
 
Reply
anoop82
Contributor
anoop82
Posts: 21
Registered: ‎05-29-2012
0

Re: internet browsing issue

Options

‎06-08-2012 10:38 AM

Hi Sarab..

 

Thanks for your suggestion..

 

Pls confirm one thing.. that your suggested configuration will not effect my SMTP traffice which is going through ONLY ISP1 through PBR....

 

becouse i dont want  my smtp traffice pass through my ISP2...

 

 

Anoop

Message 3 of 20 (757 Views)
 
Reply
Recognized Expert Recognized Expert
Recognized Expert
sarab
Posts: 266
Registered: ‎05-12-2012
0

Re: internet browsing issue

Options

‎06-08-2012 08:38 PM

This solution wont affect SMTP traffic as u already got PBR configured for that. And PBR is the most preferred routing option
Message 4 of 20 (750 Views)
 
Reply
anoop82
Contributor
anoop82
Posts: 21
Registered: ‎05-29-2012
0

Re: internet browsing issue

Options

‎06-09-2012 02:42 AM

Again thanks Sarab..

 

One more question..In this senario how do i know that which user's internet traffic passing through which ISP..

Can i do command over this through DNS of my ISP..means suppose when i put ISP1 DNS on PC1 then its internet traffic go through ISP1 and when i put ISP2 DNS on PC2 then its internet traffice go through ISP2..

 

Please advice..

 

And how can i block any website through SSG320M..

Message 5 of 20 (743 Views)
 
Reply
Recognized Expert Recognized Expert
Recognized Expert
sarab
Posts: 266
Registered: ‎05-12-2012
0

Re: internet browsing issue

Options

‎06-09-2012 09:06 AM

You cant Configure traffic rule for particular users to force them through any ISP. That will be round robin and decided by firewall. You can block website by URL filtering option. However for that u need to buy a license from juniper.
Message 6 of 20 (738 Views)
 
Reply
anoop82
Contributor
anoop82
Posts: 21
Registered: ‎05-29-2012
0

Re: internet browsing issue

Options

‎06-14-2012 11:17 AM

Hi Sarab,

 

I have configured ECMP as adviced by you but when i am giving ISP2 DNS IP to user then internet browsing working fine & when i am giving ISP1 DNS IP to user then internet browsing becomes very slow...OR some times users are not able to open any website..

 

PLEASE advice where is the issue..

 

 

 

Message 7 of 20 (709 Views)
 
Reply
Recognized Expert Recognized Expert
Recognized Expert
sarab
Posts: 266
Registered: ‎05-12-2012
0

Re: internet browsing issue

Options

‎06-14-2012 10:01 PM

It could be possible that ISP1's DNS server is not responding to the DNS queries when they are originated from ISP2's IP on the firewall (ECMP will send requests on round robin basis). Try configuring global DNS i.e 4.2.2.2 and I hope this should resolve the issue.
Message 8 of 20 (704 Views)
 
Reply
anoop82
Contributor
anoop82
Posts: 21
Registered: ‎05-29-2012
0

Re: internet browsing issue

Options

‎06-14-2012 10:31 PM

I am not able to ping ISP1 DNS form juniper firewall but able to ping ISP2 DNS..Trace route of ISP1 DNS is also not successful..... below is my DNS configuratin

 

DNS .> Host > dns1  -  202.X.50.4   src int. Eth0/2  -----(ITs my ISP1 DNS)

                           dns2  -  202.X.230.5  src int. Sth0/3 -----(its my ISp2 DNS)

 

Is there any issue..

 

You advice to configure global DNS... pls suggest how to configure the same...

 

Message 9 of 20 (703 Views)
 
Reply
Recognized Expert Recognized Expert
Recognized Expert
sarab
Posts: 266
Registered: ‎05-12-2012
0

Re: internet browsing issue

Options

‎06-14-2012 10:40 PM

To configure global DNS , just use 4.2.2.2 as DNS IP in the PC configuration instead of ISPs DNS IP.
Message 10 of 20 (702 Views)
 
Reply
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.