
BGP / rib-group / virtual router instance and port 80 forwarding to proxy

05-22-2020 06:49 AM

Hello,

 

I have serious problems getting a configuration running on my Junos-based router setup. I tried some examples for port forwarding on Junos but unfortunately the routing did not change, as I am obviously missing something.

I am trying to get the following filter running:

set firewall family inet filter FBF-CACHE term t1 from source-address XXX.XXX.XXX.XXX
set firewall family inet filter FBF-CACHE term t1 from destination-address 0.0.0.0/0
set firewall family inet filter FBF-CACHE term t1 from destination-port http
set firewall family inet filter FBF-CACHE term t1 then count redirected
set firewall family inet filter FBF-CACHE term t1 then routing-instance VR-CACHE
set firewall family inet filter FBF-CACHE term default then accept

This filter forwards all port 80 (HTTP) traffic to the VR-CACHE instance:

set routing-instances VR-CACHE instance-type virtual-router
set routing-instances VR-CACHE routing-options static route 0.0.0.0/0 qualified-next-hop XXX.XXX.XXX.XXX

and interface routes

set routing-options interface-routes rib-group inet VR-CACHE
set routing-options rib-groups VR-CACHE import-rib inet.0
set routing-options rib-groups VR-CACHE import-rib FBF-CACHE.inet.0

Well, here the problem starts, as I cannot just set up a static route as the next hop because of BGP, like:

set routing-options static route 0.0.0.0/0 next-hop XXX.XXX.XXX.XXX    => internet/upstream IP

Of course, the filter must also be applied on the interface:

set interfaces xe-1/0/8 description CONNECTION-FROM-CLIENTS
set interfaces xe-1/0/0 unit 0 family inet filter input-list FBF-CACHE

Now, I have two routers, connected via BGP, between the core and the internet gateway; we have:

set routing-options autonomous-system 3225
set protocols bgp group INTERNAL-IPv4-GW type internal
set protocols bgp group INTERNAL-IPv4-GW import RR-GW-IPv4-IN
set protocols bgp group INTERNAL-IPv4-GW family inet unicast add-path send path-count 2
set protocols bgp group INTERNAL-IPv4-GW export RR-GW-IPv4-OUT
set protocols bgp group INTERNAL-IPv4-GW neighbor Y.Y.Y.Y description IGW       -------------- IGW IP address
set policy-options policy-statement RR-GW-IPv4-IN term TEC-DEFAULT-ROUTE from prefix-list DEFAULT-ROUTE
set policy-options policy-statement RR-GW-IPv4-IN term TEC-DEFAULT-ROUTE then next-hop Y.Y.Y.Y    -----------IGW IP address
set policy-options policy-statement RR-GW-IPv4-IN term TEC-DEFAULT-ROUTE then accept
set policy-options policy-statement RR-GW-IPv4-IN term EXPLICIT-REJECT then reject

 

set policy-options policy-statement RR-GW-IPv4-OUT term DEFAULT-ROUTE from prefix-list DEFAULT-ROUTE
set policy-options policy-statement RR-GW-IPv4-OUT term DEFAULT-ROUTE then reject
set policy-options policy-statement RR-GW-IPv4-OUT term RFC1918 from prefix-list-filter RFC1918 orlonger
set policy-options policy-statement RR-GW-IPv4-OUT term RFC1918 then reject 

With the currently applied policy, the VR instance is not changing anything in the routing and traffic is not redirected.

If someone could help me get the filter running on this setup, or has experience with filter policies and BGP, please help me figure out how to get the redirection running properly.

If further information is needed, I will provide it, of course.


Re: BGP / rib-group / virtual router instance and port 80 forwarding to proxy

05-22-2020 11:28 AM

Hi Raphael,

 

What is the hardware you are using and the version?

Also, what are the interfaces configured under the instance VR-CACHE?

 

Can you please attach the following output as well:

>show route instance VR-CACHE


Re: BGP / rib-group / virtual router instance and port 80 forwarding to proxy

05-22-2020 06:33 PM

Hi Raphael,

 

Good day!!

 

Using a next-hop method, you can configure HTTP redirect services and attach it to a static interface.

 

This example uses the following hardware and software components:

  • MX240, MX480, or MX960 Universal Routing Platform with a Multiservices Modular PIC Concentrator (MS-MPC) and Multiservices Modular Interfaces Card (MS-MIC) installed.

  • Junos OS Release 15.1 or later.

Please go through the below document for better understanding!!

https://www.juniper.net/documentation/en_US/junos/topics/example/http-redirect-service-next-hop-meth...

 

Please mark "Accepted Solution" if this helps.

Kudos are always appreciated

 

Thanks 

Suraj Rao


Re: BGP / rib-group / virtual router instance and port 80 forwarding to proxy

05-23-2020 10:22 PM

Hello,

 

Your VR instance name and "import-rib" instance names are different:

 


@raphael.bienias wrote:

I am trying to get following filter running:

 

set firewall family inet filter FBF-CACHE term t1 from source-address XXX.XXX.XXX.XXX
set firewall family inet filter FBF-CACHE term t1 from destination-address 0.0.0.0/0
set firewall family inet filter FBF-CACHE term t1 from destination-port http
set firewall family inet filter FBF-CACHE term t1 then count redirected
set firewall family inet filter FBF-CACHE term t1 then routing-instance VR-CACHE
set firewall family inet filter FBF-CACHE term default then accept

this filter is forwarding all port 80 (http) traffic to the VR-CACHE instance

set routing-instances VR-CACHE instance-type virtual-router
set routing-instances VR-CACHE routing-options static route 0.0.0.0/0 qualified-next-hop XXX.XXX.XXX.XXX	

and interface routes

set routing-options interface-routes rib-group inet VR-CACHE
set routing-options rib-groups VR-CACHE import-rib inet.0
set routing-options rib-groups VR-CACHE import-rib FBF-CACHE.inet.0

Please make them identical, re-test and report back

HTH

Thx

Alex

_____________________________________________________________________

Please ask Your Juniper account team about Juniper Professional Services offerings.
Juniper PS can design, test & build the network/part of the network as per Your requirements

+++++++++++++++++++++++++++++++++++++++++++++

Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !
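The mismatch Alex points at above (instance named VR-CACHE, rib-group importing into FBF-CACHE.inet.0) is the kind of thing that is easy to miss by eye in a long set-style configuration. The following Python script is an added example, not code from this thread or from Juniper: it parses set-style lines and reports references to routing instances that are never defined, rib-groups applied to interface routes whose first import-rib is not inet.0, and instances into which no interface routes are leaked (so their static next hop has nothing to resolve against). The sample configuration is constructed from the snippets in the original post; the proxy address 198.51.100.2, the function `check_fbf` and the regular expressions are this example's own.

```python
"""Consistency checks for a Junos filter-based-forwarding (FBF) setup.

Added example (not the thread's or Juniper's code). It reads set-style
configuration lines and reports the naming mismatch discussed above.
"""
import re

# Constructed sample, assembled from the snippets in the original post.
# 198.51.100.2 is a documentation-range placeholder for the proxy address.
SAMPLE_CONFIG = """\
set firewall family inet filter FBF-CACHE term t1 from destination-port http
set firewall family inet filter FBF-CACHE term t1 then routing-instance VR-CACHE
set firewall family inet filter FBF-CACHE term default then accept
set routing-instances VR-CACHE instance-type virtual-router
set routing-instances VR-CACHE routing-options static route 0.0.0.0/0 qualified-next-hop 198.51.100.2
set routing-options interface-routes rib-group inet VR-CACHE
set routing-options rib-groups VR-CACHE import-rib inet.0
set routing-options rib-groups VR-CACHE import-rib FBF-CACHE.inet.0
"""

INSTANCE_RE = re.compile(r"^set routing-instances (\S+) instance-type (\S+)$")
FILTER_RI_RE = re.compile(
    r"^set firewall (?:family inet )?filter (\S+) term (\S+) then routing-instance (\S+)$")
IMPORT_RIB_RE = re.compile(r"^set routing-options rib-groups (\S+) import-rib (\S+)$")
IFACE_RG_RE = re.compile(r"^set routing-options interface-routes rib-group (?:inet )?(\S+)$")


def table_to_instance(table):
    """Map an inet.0 table name to its routing instance; None means the master instance."""
    if table == "inet.0":
        return None
    return table[: -len(".inet.0")] if table.endswith(".inet.0") else table


def check_fbf(config):
    """Return a list of human-readable findings (an empty list means consistent)."""
    instances = {}      # instance name -> instance-type
    filter_refs = []    # (filter, term, instance) from 'then routing-instance'
    rib_groups = {}     # rib-group name -> import-rib tables in configured order
    applied = []        # rib-groups applied to the master instance's interface routes
    for raw in config.splitlines():
        line = raw.strip()
        if m := INSTANCE_RE.match(line):
            instances[m[1]] = m[2]
        elif m := FILTER_RI_RE.match(line):
            filter_refs.append((m[1], m[2], m[3]))
        elif m := IMPORT_RIB_RE.match(line):
            rib_groups.setdefault(m[1], []).append(m[2])
        elif m := IFACE_RG_RE.match(line):
            applied.append(m[1])

    findings = []
    for flt, term, ri in filter_refs:
        if ri not in instances:
            findings.append(f"filter {flt} term {term}: routing-instance {ri} is not defined")

    leaked_into = set()
    for name, tables in rib_groups.items():
        # A group applied under the master instance must list inet.0 first.
        if name in applied and tables[0] != "inet.0":
            findings.append(f"rib-group {name}: first import-rib is {tables[0]}, expected inet.0")
        for table in tables[1:]:
            inst = table_to_instance(table)
            if inst is not None and inst not in instances:
                findings.append(
                    f"rib-group {name}: imports into {table}, but routing-instance {inst} is not defined")
            elif inst is not None:
                leaked_into.add(inst)

    for name in applied:
        if name not in rib_groups:
            findings.append(f"interface-routes: rib-group {name} is not defined")

    for inst in instances:
        # Without a leaked direct route the static next hop inside the instance cannot resolve.
        if inst not in leaked_into:
            findings.append(f"routing-instance {inst}: no rib-group leaks interface routes into {inst}.inet.0")
    return findings


if __name__ == "__main__":
    for finding in check_fbf(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the sample it reports two findings, both consequences of the same typo: the rib-group feeds a table whose instance does not exist, and VR-CACHE itself receives nothing. Changing the import-rib to VR-CACHE.inet.0 clears both.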

Re: BGP / rib-group / virtual router instance and port 80 forwarding to proxy

05-25-2020 02:48 AM

Hello and thank you for the opinions,

Regarding VR-CACHE instance settings

 

VR-CACHE {
    instance-type virtual-router;
    routing-options {
        static {
            route 0.0.0.0/0 {
                qualified-next-hop XXX.XXX.XXX.XXX {    /* next-hop proxy IP */
                    metric 5;
                }
            }
        }
    }
}

That should be it, or am I missing something?

 

For all other suggested approaches, I am currently testing these and will report back to you

 


Re: BGP / rib-group / virtual router instance and port 80 forwarding to proxy

05-25-2020 06:27 AM

Hello,

 


@raphael.bienias wrote:

 

Regarding VR-CACHE instance settings

 

VR-CACHE {
    instance-type virtual-router;
    routing-options {
        static {
            route 0.0.0.0/0 {
                qualified-next-hop XXX.XXX.XXX.XXX {    /* next-hop proxy IP */
                    metric 5;
                }
            }
        }
    }
}

That should be it, or am I missing something?

This is enough for the instance itself. 

You have to add route leaking for direct routes (via rib-group or instance-import) and FW filter but please PLEASE reference the above instance name VR-CACHE consistently throughout.

HTH

Thx

Alex

Re: BGP / rib-group / virtual router instance and port 80 forwarding to proxy

05-26-2020 06:43 AM

"You have to add route leaking for direct routes (via rib-group or instance-import) and FW filter but please PLEASE reference the above instance name VR-CACHE consistently throughout."



I thought I had done that already, and the routing instance names are also correct. Here is more output from my configuration (if needed for checking). Here is the whole configuration:


set firewall filter FBF-CACHE term 1 from source-address XXX.XXX.XXX.0/24
set firewall filter FBF-CACHE term 1 from destination-address 0.0.0.0/0
set firewall filter FBF-CACHE term 1 from protocol tcp
set firewall filter FBF-CACHE term 1 from destination-port http
set firewall filter FBF-CACHE term 1 then count redirected
set firewall filter FBF-CACHE term 1 then routing-instance VR-CACHE
set firewall filter FBF-CACHE term 2 then accept
set firewall filter FBF-CACHE-REPLY term 1 from source-address 0.0.0.0/0
set firewall filter FBF-CACHE-REPLY term 1 from destination-address XXX.XXX.XXX.0/24
set firewall filter FBF-CACHE-REPLY term 1 from protocol tcp
set firewall filter FBF-CACHE-REPLY term 1 from source-port http
set firewall filter FBF-CACHE-REPLY term 1 then count redirected
set firewall filter FBF-CACHE-REPLY term 1 then routing-instance VR-CACHE
set firewall filter FBF-CACHE-REPLY term 2 then accept

set routing-options rib-groups upload-group import-rib FBF-CACHE.inet.0
set routing-options rib-groups upload-group import-rib FBF-CACHE-REPLY.inet.0
set routing-options rib-groups VR-CACHE import-rib FBF-CACHE.inet.0
set routing-options rib-groups VR-CACHE import-rib FBF-CACHE-REPLY.inet.0

set routing-instances VR-CACHE instance-type forwarding
set routing-instances VR-CACHE routing-options static route 0.0.0.0/0 next-hop "PROXY IP"

 

We have one connection towards our IGW router for internet capacity, on which we have applied the filter FBF-CACHE-REPLY.
As for the customer side, we have applied FBF-CACHE filter.

 

For me, all these settings are consistent and I do not understand why

 

set routing-options rib-groups VR-CACHE import-rib FBF-CACHE.inet.0

Please make them identical, re-test and report back.

 

What should I make identical here?


Re: BGP / rib-group / virtual router instance and port 80 forwarding to proxy

05-26-2020 08:12 AM

Hello,

 


@raphael.bienias wrote:

 

What should I make identical here?

This:

set routing-options interface-routes rib-group inet VR-CACHE-RG
set routing-options rib-groups VR-CACHE-RG import-rib inet.0
set routing-options rib-groups VR-CACHE-RG import-rib VR-CACHE.inet.0
set routing-instances VR-CACHE instance-type forwarding
set routing-instances VR-CACHE routing-options static route 0.0.0.0/0 next-hop "PROXY IP"

HTH

Thx

Alex

Re: BGP / rib-group / virtual router instance and port 80 forwarding to proxy

06-02-2020 03:21 AM

Actually, this resolved the issue that I was not receiving any traffic at all. Unfortunately, I am still not able to get a fully transparent redirection over the proxy running.

 

Requests done with proxy IP in direction internet are responded fine but when I configure the proxy to send requests to the internet with client IP, I am not getting a correct response back.

 

I thought that the settings for FBF-CACHE-REPLY, applied on the WAN traffic interface, would be sufficient, but it does not work.

The filter rule is quite similar to the FBF-CACHE rule, but in the other direction, of course.

 

set firewall family inet filter FBF-CACHE-REPLY term t1 from destination-address XXX.XXX.XXX.XXX/24
set firewall family inet filter FBF-CACHE-REPLY term t1 from source-address 0.0.0.0/0
set firewall family inet filter FBF-CACHE-REPLY term t1 from source-port http
set firewall family inet filter FBF-CACHE-REPLY term t1 then count redirected
set firewall family inet filter FBF-CACHE-REPLY term t1 then routing-instance VR-CACHE
set firewall family inet filter FBF-CACHE-REPLY term default then accept

I thought of adding a different cache instance for this; currently I am testing it.


Re: BGP / rib-group / virtual router instance and port 80 forwarding to proxy

06-17-2020 04:52 AM

I have tried most likely everything, but I am still not able to get the source port 80 traffic from the WAN redirected to the proxy, while the destination port 80 traffic on the client side is working fine.

The current configuration even splits it across different interfaces and cache instances (forwarding or virtual-router made no difference here):

 

set firewall family inet filter FBF-CACHE term t1 from source-address XXX.XXX.XXX.0/24
set firewall family inet filter FBF-CACHE term t1 from destination-address 0.0.0.0/0
set firewall family inet filter FBF-CACHE term t1 from destination-port http
set firewall family inet filter FBF-CACHE term t1 then count redirected
set firewall family inet filter FBF-CACHE term t1 then routing-instance VR-CACHE
set firewall family inet filter FBF-CACHE term default then accept

set firewall family inet filter FBF-CACHE-REPLY term t1 from source-address 0.0.0.0/0
set firewall family inet filter FBF-CACHE-REPLY term t1 from destination-address XXX.XXX.XXX.0/24
set firewall family inet filter FBF-CACHE-REPLY term t1 from source-port http
set firewall family inet filter FBF-CACHE-REPLY term t1 then count redirected
set firewall family inet filter FBF-CACHE-REPLY term t1 then routing-instance VR-CACHE-REPLY
set firewall family inet filter FBF-CACHE-REPLY term default then accept

set routing-instances VR-CACHE instance-type forwarding
set routing-instances VR-CACHE routing-options static route 0.0.0.0/0 next-hop XXX.XXX.XXX.66

set routing-instances VR-CACHE-REPLY instance-type forwarding
set routing-instances VR-CACHE-REPLY routing-options static route 0.0.0.0/0 next-hop XXX.XXX.XXX.98

set routing-options interface-routes rib-group VR-CACHE-RG
set routing-options rib-groups VR-CACHE-RG import-rib inet.0
set routing-options rib-groups VR-CACHE-RG import-rib FBF-CACHE.inet.0
set routing-options rib-groups VR-CACHE-RG import-rib VR-CACHE.inet.0
set routing-options rib-groups VR-CACHE-RG import-rib FBF-CACHE-REPLY.inet.0
set routing-options rib-groups VR-CACHE-RG import-rib VR-CACHE-REPLY.inet.0

 

If no one has a solution here, I will probably have to give up. I can also share more data if needed...


Re: BGP / rib-group / virtual router instance and port 80 forwarding to proxy

08-17-2020 06:15 AM

Unfortunately, I could still not figure out why the responses are not redirected to the proxy. I have tried a lot of things by now.

 

I can only assume that something is missing in the rib-group or the responses from the internet might have different IPs, so the filter does not match any traffic.

 

Any further opinion or hint which might lead to a solution would be highly appreciated.


Re: BGP / rib-group / virtual router instance and port 80 forwarding to proxy

08-17-2020 07:33 AM

Hello,

I think You have more specific routes to the clients in VR-CACHE-REPLY and this may be the root cause of Your woes.

Please make sure You don't leak client routes into these VRs, only direct routes for the interfaces connected to cache, this is enough for Your static 0/0 routes to be active.

HTH

Thx
Alex

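Alex's diagnosis above comes down to longest-prefix matching inside the reply instance: a static 0/0 pointing at the proxy only wins for return traffic when no more specific route to the clients sits in the same table. The Python model below is an added example, not code from this thread or from Juniper. It builds the table an FBF instance would hold (its static 0/0 plus whichever direct routes are leaked into it) and looks up a reply packet destined for a client. The addresses are constructed documentation-range values; interface xe-1/0/1 and the proxy address 198.51.100.2 are assumptions, while xe-1/0/8 and xe-1/0/0 are the interface names from the original post.

```python
"""Model of route lookup inside an FBF routing instance (added example).

Not the thread's or Juniper's code. It reproduces the failure Alex describes:
if client routes are leaked into the reply instance, they are more specific
than the static 0/0 and return traffic never reaches the proxy.
"""
import ipaddress

# Constructed topology using documentation address ranges. xe-1/0/8 and xe-1/0/0
# are named in the original post; xe-1/0/1 and the proxy address are assumed.
INTERFACE_ROUTES = [
    ("192.0.2.0/24", "xe-1/0/8"),      # client subnet
    ("198.51.100.0/30", "xe-1/0/1"),   # link to the proxy/cache
    ("203.0.113.0/30", "xe-1/0/0"),    # link towards the IGW
]
PROXY = "198.51.100.2"


def build_instance_table(interface_routes, proxy, leak_interfaces):
    """Routes an FBF instance holds: its static 0/0 to the proxy plus the
    direct routes leaked in for the interfaces listed in leak_interfaces."""
    table = [("0.0.0.0/0", f"static via {proxy}")]
    for prefix, iface in interface_routes:
        if iface in leak_interfaces:
            table.append((prefix, f"direct via {iface}"))
    return table


def lookup(table, destination):
    """Longest-prefix match over (prefix, next_hop) pairs; None if no route matches."""
    dst = ipaddress.ip_address(destination)
    best_net, best_nh = None, None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_nh = net, nh
    return best_nh


def static_default_resolvable(table, proxy):
    """The static 0/0 is only usable when the proxy address itself resolves
    to a direct route inside the instance (the reason interface routes are leaked)."""
    nh = lookup(table, proxy)
    return nh is not None and nh.startswith("direct via")


if __name__ == "__main__":
    client = "192.0.2.10"
    # Only the proxy-facing direct route leaked: replies for clients hit the 0/0.
    good = build_instance_table(INTERFACE_ROUTES, PROXY, {"xe-1/0/1"})
    # Every interface route leaked: the client /24 is more specific than 0/0.
    bad = build_instance_table(INTERFACE_ROUTES, PROXY, {"xe-1/0/1", "xe-1/0/8", "xe-1/0/0"})
    print("proxy link only leaked :", lookup(good, client))
    print("all interfaces leaked  :", lookup(bad, client))
    print("0/0 resolvable (good)  :", static_default_resolvable(good, PROXY))
```

The `bad` table is what a rib-group that copies all interface routes produces: the reply for 192.0.2.10 matches the leaked client /24 and leaves via xe-1/0/8, bypassing the proxy, even though the filter did send the packet into VR-CACHE-REPLY. The `good` table is Alex's recommendation, only the proxy-facing direct route, which is enough for the 0/0 to resolve and to carry everything else. On the router, the equivalent check is to look at the instance's own table (for example with show route table VR-CACHE-REPLY.inet.0) and confirm it holds the 0/0 and the proxy-facing direct route but no client prefixes.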

Re: BGP / rib-group / virtual router instance and port 80 forwarding to proxy

08-18-2020 03:13 AM

That is a good point and might be very likely the issue.

 

Unfortunately, I am not able to use the vLab Sandbox at the moment to check for the BGP / OSPF option to prevent client route leaking for this specific VR routing instance. Is it possible to give me an example of this from your side?


Thank you already for pointing this out.
