SRX Services Gateway

FBF does not work when replying to the remote request

05-13-2011 08:26 PM

Hi,

I got a hot potato below, please help me.

Scenario description (just to be on the safe side, I have hidden the real WAN addresses):

SRX3400 at the exit of the campus network, running JUNOS 10.4R3.4

lan:  ge-0/0/3.0 - 1.1.1.1/24

isp-1: ge-0/0/6.0 - 2.2.2.2/28

isp-2: ge-0/0/10.0 - 3.3.3.3/30

client PC: 4.4.4.4

server: 1.1.1.2/24 (1.1.1.2/24 is a WAN address, which is routable on the internet, so no NAT configuration is needed)

I set the default route to 3.3.3.1 (isp-2 gateway), and set some detailed routes (including 4.4.4.0/24) to 2.2.2.1:

set routing-options static route 0.0.0.0/0 next-hop 3.3.3.1

set routing-options static route 4.4.4.0/24 next-hop 2.2.2.1

The server's IP address belongs to isp-2, and there's an FBF for the server to access the internet with next-hop 3.3.3.1.

config:

interfaces {
    ge-0/0/3 {
        unit 0 {
            family inet {
                filter {
                    input filter_from_DMZ;
                }
                address 1.1.1.1/24;
            }
        }
    }
    ge-0/0/6 {
        unit 0 {
            family inet {
                address 2.2.2.2/28;
            }
        }
    }
    ge-0/0/10 {
        speed 1g;
        link-mode full-duplex;
        unit 0 {
            family inet {
                address 3.3.3.3/30;
            }
        }
    }
}
routing-options {
    interface-routes {
        rib-group inet src_rib;
    }
    static {
        route 0.0.0.0/0 next-hop 3.3.3.1;
        route 4.4.4.0/24 next-hop 2.2.2.1;
    }
    rib-groups {
        src_rib {
            import-rib [ inet.0 NextHop_1.inet.0 ];
        }
    }
}
routing-instances {
    NextHop_1 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 3.3.3.1;
            }
        }
    }
}
firewall {
    filter filter_from_DMZ {
        term 1 {
            from {
                source-address {
                    1.1.1.2/28;
                }
                destination-address {
                    0.0.0.0/0;
                }
            }
            then {
                routing-instance NextHop_1;
            }
        }
        term 2 {
            then accept;
        }
    }
}

Issue description:

client pings the server:

1. When the client's IP belongs to isp-2, the default route is matched and the ping succeeds.

2. When the client's IP belongs to isp-1, the detailed route is matched and the ping fails, with this debug info:

May 13 15:29:27 18:25:30.843417:CID-00:FPC-06:PIC-00:THREAD_ID-30:RT:  route lookup: dest-ip 4.4.4.4 orig ifp ge-0/0/10.0 output_ifp ge-0/0/6.0 orig-zone 8 out-zone 10 vsd 0
May 13 15:29:27 18:25:30.843456:CID-00:FPC-06:PIC-00:THREAD_ID-30:RT:Reject route in make_nsp_ready_no_resolve. zone mismatch

Analysis:

It seems that the FBF doesn't work when the session is initiated from the remote client; it checks the inet.0 routing table for forwarding, so if the remote client's IP belongs to isp-2, it matches the default route and access succeeds; if not, it matches the detailed route and goes outbound via ge-0/0/6, which is rejected by the SRX due to zone mismatch, so access fails.

But FBF works when the session is initiated from the local server; I can find the route in NextHop_1.inet.0 as below:

zhd# run show route table NextHop_1.inet.0

NextHop_1.inet.0: 33 destinations, 33 routes (33 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 03:47:18
                    > to 2.2.2.1 via ge-0/0/10.0
1.1.1.0/24       *[Direct/0] 2d 02:59:13
                    > via ge-0/0/3.0
... ...

Much appreciated!

Thanks

darkyboy
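The zone mismatch in the post can be reproduced with a small model of the session-setup lookup. This is an added Python example, not code from the post or from Junos: it loads the poster's inet.0 routes and interfaces, does a longest-prefix match for the client address, and applies the same ingress-zone versus egress-zone check the debug line reports. The zone names and the 5.5.5.5 client address are constructed assumptions.

```python
import ipaddress

# Constructed model of the poster's SRX, not Junos code: inet.0 routes as
# (prefix, next-hop, egress ifl), plus the interface-to-zone mapping. The zone
# names are assumptions; the post only shows the numeric zone ids 8 and 10.
INET0 = [
    ("0.0.0.0/0", "3.3.3.1", "ge-0/0/10.0"),   # default route via isp-2
    ("4.4.4.0/24", "2.2.2.1", "ge-0/0/6.0"),   # detailed route via isp-1
    ("1.1.1.0/24", None, "ge-0/0/3.0"),        # direct: server LAN
    ("2.2.2.0/28", None, "ge-0/0/6.0"),        # direct: isp-1 link
    ("3.3.3.0/30", None, "ge-0/0/10.0"),       # direct: isp-2 link
]
ZONE_OF = {"ge-0/0/3.0": "dmz", "ge-0/0/6.0": "isp1", "ge-0/0/10.0": "isp2"}


def route_lookup(dest, table=INET0):
    """Longest-prefix match in the given table.
    Returns (prefix, next_hop, egress_ifl), or None if nothing matches."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, nh, ifl in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, ifl)
    return None if best is None else (str(best[0]), best[1], best[2])


def reverse_path_check(client_ip, ingress_ifl):
    """Session setup for a flow that arrived on ingress_ifl: look up the
    client address in inet.0 (the FBF filter on ge-0/0/3.0 is not consulted,
    because the first packet did not enter there) and require the reply's
    egress zone to equal the ingress zone, as the 'zone mismatch' debug shows."""
    prefix, _, egress_ifl = route_lookup(client_ip)
    in_zone, out_zone = ZONE_OF[ingress_ifl], ZONE_OF[egress_ifl]
    if in_zone != out_zone:
        return "reject", (f"dest-ip {client_ip} matched {prefix}: orig ifp {ingress_ifl} "
                          f"({in_zone}) output_ifp {egress_ifl} ({out_zone}), zone mismatch")
    return "accept", f"dest-ip {client_ip} matched {prefix} via {egress_ifl}, same zone"


if __name__ == "__main__":
    # The server 1.1.1.2 sits in isp-2 address space, so both clients' first
    # packets arrive on ge-0/0/10.0. 5.5.5.5 is a constructed isp-2 client.
    for client in ("4.4.4.4", "5.5.5.5"):
        print(client, *reverse_path_check(client, "ge-0/0/10.0"))
```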


Re: FBF does not work when replying to the remote request

05-15-2011 05:32 AM

Man Sad


Re: FBF does not work when replying to the remote request

05-15-2011 01:05 PM

Why not include 4.4.4.0/24 in the FBF? It'll solve your problem...
config:
interfaces {
    ge-0/0/3 {
        unit 0 {
            family inet {
                filter {
                    input filter_from_DMZ;
                }
                address 1.1.1.1/24;
            }
        }
    }
    ge-0/0/6 {
        unit 0 {
            family inet {
                address 2.2.2.2/28;
            }
        }
    }
    ge-0/0/10 {
        speed 1g;
        link-mode full-duplex;
        unit 0 {
            family inet {
                address 3.3.3.3/30;
            }
        }
    }
}
routing-options {
    interface-routes {
        rib-group inet src_rib;
    }
    static {
        route 0.0.0.0/0 next-hop 3.3.3.1;
        route 4.4.4.0/24 next-hop 2.2.2.1;
    }
    rib-groups {
        src_rib {
            import-rib [ inet.0 NextHop_1.inet.0 NextHop_2.inet.0 ];
        }
    }
}
routing-instances {
    NextHop_1 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 3.3.3.1;
            }
        }
    }
    NextHop_2 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 2.2.2.1;
            }
        }
    }
}
firewall {
    filter filter_from_DMZ {
        term 1 {
            from {
                source-address {
                    1.1.1.2/28;
                }
                destination-address {
                    4.4.4.0/24;
                }
            }
            then {
                routing-instance NextHop_2;
            }
        }
        term 2 {
            from {
                source-address {
                    1.1.1.2/28;
                }
                destination-address {
                    0.0.0.0/0;
                }
            }
            then {
                routing-instance NextHop_1;
            }
        }
        term 3 {
            then accept;
        }
    }
}


Regards,
Dumitru Papana