Routing

SRX - Using firewall filters to configure static routes for different interfaces

11-28-2018 02:39 AM

We have a functioning Juniper configuration with 3 WAN ports and a local LAN. The WAN ports (filtered through a parent router) host various incoming services such as RDP, SMTP & HTTPS. The router currently has a static route configured as below:


routing-options {
    static {
        route 0.0.0.0/0 next-hop 192.168.0.5;
    }
}

We have recently been trying to add a VPN to a new WAN port with an internet-facing IP. In order for the VPN to work we need to use a different static route. We have proved it works by changing the above static route. This allows the VPN to work but causes all other services to fail (as would be expected).

To get around this we have tried creating 2 firewall rules, each with their own static route, as below:


firewall {
    filter main-filter {
        term 0 {
            from {
                source-address {
                    0.0.0.0/0;
                }
            }
            then {
                routing-instance def-rinst;
            }
        }
    }
    filter vpn-filter {
        term 0 {
            from {
                source-address {
                    0.0.0.0/0;
                }
            }
            then {
                routing-instance vpn-rinst;
            }
        }
    }
}
routing-instances {
    def-rinst {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 192.168.0.5;
            }
        }
    }
    vpn-rinst {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop <<external-vpn-ip>>;
            }
        }
    }
}

We have then attached the filters to the appropriate WAN ports as below:

ge-0/0/0 {
    unit 0 {
        family inet {
            filter {
                input main-filter;
            }
            address 192.168.0.12/24;
        }
    }
}
fe-0/0/5 {
    unit 0 {
        family inet {
            filter {
                input vpn-filter;
            }
            address <<external-vpn-ip>>;
        }
    }
}

Unfortunately, when this config is applied none of the services (inc. VPN) work. We have verified that the filters are working by adding a count. It seems like neither of the static routes is being applied to the routing table.


Info about the router: Juniper SRX210b, version 12.1X46-D55.3, BIOS version 1.7


Any guidance would be greatly appreciated!
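For reference, the standard Junos filter-based-forwarding (FBF) layout is shown below as an added example; it is not the original poster's configuration and not a quote from Juniper's documentation. Two things differ from the posted config. First, a forwarding-type routing instance has its own table (vpn-rinst.inet.0) that starts out containing only the routes configured inside it, so its static default route has no directly connected route through which to resolve the next hop; a rib-group under routing-options interface-routes copies the direct and local routes from inet.0 into that table. Second, the routing-instance action applies to the packet the filter matches, i.e. traffic arriving on the interface the filter is attached to, so a filter that steers outbound LAN traffic belongs on the LAN (ingress) interface rather than on the WAN port the traffic should leave by. Assumptions in the example: ge-0/0/1 is the LAN interface with a constructed subnet 10.0.0.0/24, the host 10.0.0.50 is the one that must leave via the VPN gateway, the rib-group name fbf-rg and filter name lan-fbf are arbitrary, and <<external-vpn-ip>> is the placeholder the post already uses. Only one forwarding instance is needed, because traffic the filter accepts without a routing-instance action is forwarded by inet.0 and keeps the existing default route.

```junos
/* Added example of Junos filter-based forwarding; not the poster's config. */
/* Assumed: ge-0/0/1 = LAN (10.0.0.0/24, constructed), 10.0.0.50 = host  */
/* to steer via the VPN gateway, fbf-rg and lan-fbf = arbitrary names.     */
routing-options {
    /* Copy direct and local routes into vpn-rinst.inet.0 so that the   */
    /* static next hop configured there can be resolved. Without this */
    /* the table holds only the 0.0.0.0/0 route and nothing resolves.  */
    interface-routes {
        rib-group inet fbf-rg;
    }
    rib-groups {
        fbf-rg {
            import-rib [ inet.0 vpn-rinst.inet.0 ];
        }
    }
    /* Unchanged default for everything that is not steered. */
    static {
        route 0.0.0.0/0 next-hop 192.168.0.5;
    }
}
routing-instances {
    vpn-rinst {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop <<external-vpn-ip>>;
            }
        }
    }
}
firewall {
    filter lan-fbf {
        /* Only the selected source is steered; every other packet is  */
        /* accepted into inet.0 and follows the normal default route.  */
        term to-vpn {
            from {
                source-address {
                    10.0.0.50/32;
                }
            }
            then {
                count to-vpn;
                routing-instance vpn-rinst;
            }
        }
        term default {
            then accept;
        }
    }
}
interfaces {
    /* The filter sits on the ingress side of the traffic it steers. */
    ge-0/0/1 {
        unit 0 {
            family inet {
                filter {
                    input lan-fbf;
                }
                address 10.0.0.1/24;
            }
        }
    }
}
```

After committing, `show route table vpn-rinst.inet.0` should list the 0.0.0.0/0 static route together with the direct and local routes copied in by the rib-group; if only the default appears, the rib-group is not applied. `show firewall filter lan-fbf` shows whether the to-vpn counter is incrementing. On an SRX the FBF choice only selects the forwarding table; the flow module still evaluates security policy from the LAN zone to the zone that holds the VPN-side interface, so a permit policy for that zone pair is needed, and the reply traffic arriving on the VPN interface is matched to the existing session rather than routed afresh.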