BGP / rib-group / virtual router instance and port 80 forwarding to proxy

a week ago

Hello,

 

I am having serious problems getting a configuration running on my Junos OS based router setup. I tried some examples for port forwarding on Junos, but unfortunately the routing did not change, as I am obviously missing something.

 

I am trying to get the following filter running:

 

set firewall family inet filter FBF-CACHE term t1 from source-address XXX.XXX.XXX.XXX
set firewall family inet filter FBF-CACHE term t1 from destination-address 0.0.0.0/0
set firewall family inet filter FBF-CACHE term t1 from destination-port http
set firewall family inet filter FBF-CACHE term t1 then count redirected
set firewall family inet filter FBF-CACHE term t1 then routing-instance VR-CACHE
set firewall family inet filter FBF-CACHE term default then accept

this filter is forwarding all port 80 (http) traffic to the VR-CACHE instance

set routing-instances VR-CACHE instance-type virtual-router
set routing-instances VR-CACHE routing-options static route 0.0.0.0/0 qualified-next-hop XXX.XXX.XXX.XXX	

and interface routes

set routing-options interface-routes rib-group inet VR-CACHE
set routing-options rib-groups VR-CACHE import-rib inet.0
set routing-options rib-groups VR-CACHE import-rib FBF-CACHE.inet.0

Well, here the problem starts, as I cannot just set up a static route as next hop because of the BGP, like

set routing-options static route 0.0.0.0/0 next-hop XXX.XXX.XXX.XXX		=> internet/upstream IP

Of course, the filter must also be applied on the interface

set interfaces xe-1/0/8 description CONNECTION-FROM-CLIENTS
set interfaces xe-1/0/0 unit 0 family inet filter input-list FBF-CACHE

Now, I have two routers connected via BGP; between core and internet gateway, we have

set routing-options autonomous-system 3225
set protocols bgp group INTERNAL-IPv4-GW type internal
set protocols bgp group INTERNAL-IPv4-GW import RR-GW-IPv4-IN
set protocols bgp group INTERNAL-IPv4-GW family inet unicast add-path send path-count 2
set protocols bgp group INTERNAL-IPv4-GW export RR-GW-IPv4-OUT
set protocols bgp group INTERNAL-IPv4-GW neighbor Y.Y.Y.Y description IGW       -------------- IGW IP address
set policy-options policy-statement RR-GW-IPv4-IN term TEC-DEFAULT-ROUTE from prefix-list DEFAULT-ROUTE
set policy-options policy-statement RR-GW-IPv4-IN term TEC-DEFAULT-ROUTE then next-hop Y.Y.Y.Y    -----------IGW IP address
set policy-options policy-statement RR-GW-IPv4-IN term TEC-DEFAULT-ROUTE then accept
set policy-options policy-statement RR-GW-IPv4-IN term EXPLICIT-REJECT then reject

 

set policy-options policy-statement RR-GW-IPv4-OUT term DEFAULT-ROUTE from prefix-list DEFAULT-ROUTE
set policy-options policy-statement RR-GW-IPv4-OUT term DEFAULT-ROUTE then reject
set policy-options policy-statement RR-GW-IPv4-OUT term RFC1918 from prefix-list-filter RFC1918 orlonger
set policy-options policy-statement RR-GW-IPv4-OUT term RFC1918 then reject 

With the currently applied policy, the VR instance is not changing anything in routing and traffic is not redirected.

If someone could help to get the filter running on this setup or has experience with filter policies and BGP, please help me to figure out how to get the redirection running properly.


If further information is needed, I will provide it of course.

Re: BGP / rib-group / virtual router instance and port 80 forwarding to proxy

a week ago

Hi Raphael,

 

What is the hardware you are using and the version?

Also, what are the interfaces configured under the instance VR-CACHE?

 

Can you please attach the following output as well:

>show route instance VR-CACHE

Re: BGP / rib-group / virtual router instance and port 80 forwarding to proxy

a week ago

Hi Raphael,

 

Good day!!

 

Using a next-hop method, you can configure HTTP redirect services and attach it to a static interface.

 

This example uses the following hardware and software components:

  • MX240, MX480, or MX960 Universal Routing Platform with a Multiservices Modular PIC Concentrator (MS-MPC) and Multiservices Modular Interfaces Card (MS-MIC) installed.

  • Junos OS Release 15.1 or later.

Please go through the below document for better understanding!!

https://www.juniper.net/documentation/en_US/junos/topics/example/http-redirect-service-next-hop-meth...

 


 

Thanks 

Suraj Rao

Re: BGP / rib-group / virtual router instance and port 80 forwarding to proxy

a week ago

Hello,

 

Your VR instance name and "import-rib" instance names are different:

 


@raphael.bienias wrote:

I am trying to get the following filter running:

 

set firewall family inet filter FBF-CACHE term t1 from source-address XXX.XXX.XXX.XXX
set firewall family inet filter FBF-CACHE term t1 from destination-address 0.0.0.0/0
set firewall family inet filter FBF-CACHE term t1 from destination-port http
set firewall family inet filter FBF-CACHE term t1 then count redirected
set firewall family inet filter FBF-CACHE term t1 then routing-instance VR-CACHE
set firewall family inet filter FBF-CACHE term default then accept

this filter is forwarding all port 80 (http) traffic to the VR-CACHE instance

set routing-instances VR-CACHE instance-type virtual-router
set routing-instances VR-CACHE routing-options static route 0.0.0.0/0 qualified-next-hop XXX.XXX.XXX.XXX	

and interface routes

set routing-options interface-routes rib-group inet VR-CACHE
set routing-options rib-groups VR-CACHE import-rib inet.0
set routing-options rib-groups VR-CACHE import-rib FBF-CACHE.inet.0

 


 

Please make them identical, re-test and report back

HTH

Thx

Alex

_____________________________________________________________________

Please ask Your Juniper account team about Juniper Professional Services offerings.
Juniper PS can design, test & build the network/part of the network as per Your requirements

+++++++++++++++++++++++++++++++++++++++++++++

Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !
Re: BGP / rib-group / virtual router instance and port 80 forwarding to proxy

Monday

Hello and thank you for the opinions,

Regarding VR-CACHE instance settings

 

VR-CACHE {
    instance-type virtual-router;
    routing-options {
        static {
            route 0.0.0.0/0 {
                qualified-next-hop XXX.XXX.XXX.XXX {			=> next-hop proxy IP
                    metric 5;
                }
            }
        }
    }
}

That should be it, or am I missing something?

 

For all other suggested approaches, I am currently testing these and will report back to you.

 

Re: BGP / rib-group / virtual router instance and port 80 forwarding to proxy

Monday

Hello,

 


@raphael.bienias wrote:

 

Regarding VR-CACHE instance settings

 

VR-CACHE {
    instance-type virtual-router;
    routing-options {
        static {
            route 0.0.0.0/0 {
                qualified-next-hop XXX.XXX.XXX.XXX {			=> next-hop proxy IP
                    metric 5;
                }
            }
        }
    }
}

That should be it, or am I missing something?

 

 


 

This is enough for the instance itself. 

You have to add route leaking for direct routes (via rib-group or instance-import) and FW filter but please PLEASE reference the above instance name VR-CACHE consistently throughout.

HTH

Thx

Alex

 

 

 

 

Re: BGP / rib-group / virtual router instance and port 80 forwarding to proxy

Tuesday

"You have to add route leaking for direct routes (via rib-group or instance-import) and FW filter but please PLEASE reference the above instance name VR-CACHE consistently throughout."



I thought I had done that already and the routing instance names are also correct. Here is more output from my configuration (if needed for checking). Here for the whole configuration.


set firewall filter FBF-CACHE term 1 from source-address XXX.XXX.XXX.0/24
set firewall filter FBF-CACHE term 1 from destination-address 0.0.0.0/0
set firewall filter FBF-CACHE term 1 from protocol tcp
set firewall filter FBF-CACHE term 1 from destination-port http
set firewall filter FBF-CACHE term 1 then count redirected
set firewall filter FBF-CACHE term 1 then routing-instance VR-CACHE
set firewall filter FBF-CACHE term 2 then accept

set firewall filter FBF-CACHE-REPLY term 1 from source-address 0.0.0.0/0
set firewall filter FBF-CACHE-REPLY term 1 from destination-address XXX.XXX.XXX.0/24
set firewall filter FBF-CACHE-REPLY term 1 from protocol tcp
set firewall filter FBF-CACHE-REPLY term 1 from source-port http
set firewall filter FBF-CACHE-REPLY term 1 then count redirected
set firewall filter FBF-CACHE-REPLY term 1 then routing-instance VR-CACHE
set firewall filter FBF-CACHE-REPLY term 2 then accept

 

set routing-options rib-groups upload-group import-rib FBF-CACHE.inet.0
set routing-options rib-groups upload-group import-rib FBF-CACHE-REPLY.inet.0
set routing-options rib-groups VR-CACHE import-rib FBF-CACHE.inet.0
set routing-options rib-groups VR-CACHE import-rib FBF-CACHE-REPLY.inet.0

 

set routing-instances VR-CACHE instance-type forwarding
set routing-instances VR-CACHE routing-options static route 0.0.0.0/0 next-hop "PROXY IP"

 

We have one connection towards our IGW router for internet capacity, on which we have applied the filter FBF-CACHE-REPLY.
As for the customer side, we have applied FBF-CACHE filter.

 

For me, all these settings are consistent and I do not understand why

 

set routing-options rib-groups VR-CACHE import-rib FBF-CACHE.inet.0

Please make them identical, re-test and report back.

 

What should I make identical here?

Re: BGP / rib-group / virtual router instance and port 80 forwarding to proxy

Tuesday

Hello,

 


@raphael.bienias wrote:

 

What should I make identical here?


 

 

This

 

 

set routing-options interface-routes rib-group inet VR-CACHE-RG
set routing-options rib-groups VR-CACHE-RG import-rib inet.0
set routing-options rib-groups VR-CACHE-RG import-rib VR-CACHE.inet.0
set routing-instances VR-CACHE instance-type forwarding
set routing-instances VR-CACHE routing-options static route 0.0.0.0/0 next-hop "PROXY IP"

 

 

HTH

Thx

Alex

 

 

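The naming mismatch this thread turns on (rib-group import-rib entries that name the firewall filter rather than the routing instance) can be checked mechanically before commit. The script below is an added example, not part of any post above and not Juniper tooling: the lint function and its three checks are illustrative assumptions, and the sample input is constructed from the set lines posted in the thread.

```python
import re

# Constructed input: BEFORE is the rib-group part of the poster's last configuration,
# AFTER is the form given in the final reply.
BEFORE = """\
set firewall filter FBF-CACHE term 1 then routing-instance VR-CACHE
set routing-options rib-groups VR-CACHE import-rib FBF-CACHE.inet.0
set routing-options rib-groups VR-CACHE import-rib FBF-CACHE-REPLY.inet.0
set routing-instances VR-CACHE instance-type forwarding
"""
AFTER = """\
set firewall filter FBF-CACHE term 1 then routing-instance VR-CACHE
set routing-options interface-routes rib-group inet VR-CACHE-RG
set routing-options rib-groups VR-CACHE-RG import-rib inet.0
set routing-options rib-groups VR-CACHE-RG import-rib VR-CACHE.inet.0
set routing-instances VR-CACHE instance-type forwarding
"""

INSTANCE = re.compile(r"set routing-instances (\S+) ")
IMPORT_RIB = re.compile(r"set routing-options rib-groups (\S+) import-rib (\S+)")
FILTER_RI = re.compile(r"set firewall (?:family inet )?filter (\S+) term \S+ then routing-instance (\S+)")
APPLIED = re.compile(r"set routing-options interface-routes rib-group inet (\S+)")

def lint(config):
    """Return a list of name-consistency findings for Junos 'set' lines."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    instances = {m.group(1) for l in lines if (m := INSTANCE.match(l))}
    applied = {m.group(1) for l in lines if (m := APPLIED.match(l))}
    findings, groups = [], set()
    for l in lines:
        if m := IMPORT_RIB.match(l):
            group, table = m.groups()
            groups.add(group)
            # <instance>.inet.0 must belong to a configured instance; inet.0 is the main table.
            if table.endswith(".inet.0") and table[:-len(".inet.0")] not in instances:
                findings.append(f"rib-group {group}: import-rib {table} matches no routing-instance")
        elif m := FILTER_RI.match(l):
            if m.group(2) not in instances:
                findings.append(f"filter {m.group(1)}: routing-instance {m.group(2)} is not defined")
    for group in sorted(groups - applied):
        findings.append(f"rib-group {group} is not applied under interface-routes")
    return findings

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, lint(cfg) or "consistent")
```

The third check only looks for the interface-routes application used in this thread; a rib-group applied elsewhere in a configuration would need its own pattern.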