SRX Services Gateway

Route Traffic for Port 80 over GRE

08-18-2015 09:27 PM

Hi all, I need to configure multiple branch offices to send all web traffic over a GRE tunnel for web filtering. I understand the basics of a GRE tunnel, and generically putting it in a zone, etc. What I am wondering is the best way to select that port 80 traffic.

Is it best practice to put the GRE interface into a routing-instance, similar to this example: KB24592?

E.g., after creating the GRE interface and putting it in the untrust zone:

{primary:node1}[edit security policies from-zone trust to-zone untrust]
policy WEB-inspection {
    match {
        source-address Entire_Office_net;
        destination-address any;
        application junos-http;
    }
    then {
        permit;
    }
}

Create the following:

{primary:node1}[edit firewall]
filter WEB-inspection {
    term mgmt-allow {
        from {
            destination-address {
                10.50.1.10/24;
            }
        }
        then accept;
    }
    term INSPECT {
        from {
            destination-port 80;
        }
        then {
            routing-instance WEB-inspection;
        }
    }
    term default {
        then {
            routing-instance default;
        }
    }
}

{primary:node1}[edit routing-instances]
root@SRX2-Corp# show
WEB-inspection {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop gr-0/0/0.0;
        }
    }
}

Am I on the right track, am I missing something, or is there another way to skin this cat?

Thank you in advance.

-rm
Re: Route Traffic for Port 80 over GRE

08-18-2015 09:58 PM

Hi,

Yep, you are on the right track. You are using the routing instance to do selective forwarding, FBF (filter-based forwarding).

http://kb.juniper.net/InfoCenter/index?page=content&id=KB17223

You will also need to do a RIB copy; I am not sure if you have that in the configuration or not. Take a look at the FBF KB, and if you have trouble, come back.

Tim

Re: Route Traffic for Port 80 over GRE

08-19-2015 08:28 AM

Right, so to confirm, I think I'd do something like this:

(thanks in advance)

gr-0/0/0 {
    unit 0 {
        tunnel {
            source W.A.N.IP;
            destination X.X.X.X;
        }
        family inet;
    }
}

reth2 {
    redundant-ether-options {
        redundancy-group 1;
    }
    unit 0 {
        family inet {
            filter {
                input WEB-inspection;
            }
            address 10.50.1.10/24;
        }
    }
}

[edit security policies from-zone trust to-zone untrust]

policy WEB-inspection {
    match {
        source-address Entire_Office;
        destination-address any;
        application junos-http;
    }
    then {
        permit;
    }
}

rib-groups {
    tables {
        import-rib [ inet.0 ISP2.inet.0 ISP1.inet.0 WEB-inspection.inet.0 ];
    }
}

[edit routing-instances]

WEB-inspection {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop gr-0/0/0.0;
        }
    }
}

filter WEB-inspection {
    term mgmt-allow {
        from {
            destination-address {
                10.50.1.10/32;
            }
        }
        then accept;
    }
    term INSPECT {
        from {
            protocol 6;
            destination-port [ 80 443 ];
        }
        then {
            routing-instance WEB-inspection;
        }
    }
    term default {
        then {
            routing-instance default;
        }
    }
}
-rm

Re: Route Traffic for Port 80 over GRE

08-19-2015 01:53 PM

Remove ISP2.inet.0 and ISP1.inet.0 as you are not defining those tables, you just need the WEB-inspection one.

Also apply the rib group to the interface-routes:

routing-options {
    interface-routes {
        rib-group inet tables;
    }
}

Tim

Re: Route Traffic for Port 80 over GRE

08-19-2015 05:59 PM

The only thing is that those two tables are already there, for a different reason. That shouldn't conflict, should it?

-rm
Re: Route Traffic for Port 80 over GRE

Solution (accepted by topic author RyGuy1860, 08-26-2015 01:27 AM)

08-19-2015 07:37 PM

The interface routes in inet.0 will be copied to all the tables. I do not see it causing a problem but I can't confirm as I do not have visibility of the other configuration items.

Tim
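The forwarding decision the thread's configuration produces, as an added Python model (example code, not from the thread and not Junos): the filter terms are evaluated first-match, the selected table does a longest-prefix lookup, and the rib-group copy of interface routes is what keeps port-80 traffic to a directly connected LAN host out of the tunnel. The packet destinations and the next-hop name "ISP-next-hop" are constructed placeholders.

```python
import ipaddress
# Constructed model of the thread's filter-based-forwarding setup (example code,
# not Junos). Terms are evaluated first-match; 'table' is the routing table the
# term's 'then' hands the packet to for its route lookup.
TERMS = [
    {"name": "mgmt-allow", "dst": "10.50.1.10/32", "table": "inet.0"},
    {"name": "INSPECT", "proto": 6, "dports": {80, 443}, "table": "WEB-inspection.inet.0"},
    {"name": "default", "table": "inet.0"},
]
# Routes as (prefix, next-hop, kind); "ISP-next-hop" is a constructed placeholder.
INET0 = [("0.0.0.0/0", "ISP-next-hop", "static"), ("10.50.1.0/24", "reth2.0", "direct")]
WEB_INSPECTION = [("0.0.0.0/0", "gr-0/0/0.0", "static")]
def term_matches(term, pkt):
    ok_dst = "dst" not in term or ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(term["dst"])
    ok_proto = "proto" not in term or pkt["proto"] == term["proto"]
    return ok_dst and ok_proto and ("dports" not in term or pkt["dport"] in term["dports"])

def select_table(pkt):
    """First matching term wins; a packet matching no term hits the implicit discard."""
    for term in TERMS:
        if term_matches(term, pkt):
            return term["name"], term["table"]
    return "implicit-discard", None

def lookup(table, dst):
    """Longest-prefix match over (prefix, next-hop, kind) entries."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, nh, _ in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

def rib_group_copy(src, dst):
    """Model 'interface-routes { rib-group inet tables; }': inet.0's direct routes are copied."""
    return dst + [r for r in src if r[2] == "direct"]

def forward(pkt, tables):
    term, name = select_table(pkt)
    return term, (lookup(tables[name], pkt["dst"]) if name else None)

def demo(with_rib_group):
    """Decisions for constructed packets, with or without the interface-route copy."""
    web = rib_group_copy(INET0, WEB_INSPECTION) if with_rib_group else WEB_INSPECTION
    tables = {"inet.0": INET0, "WEB-inspection.inet.0": web}
    pkts = {"http_internet": {"dst": "198.51.100.20", "proto": 6, "dport": 80},
            "https_to_fw_mgmt": {"dst": "10.50.1.10", "proto": 6, "dport": 443},
            "http_to_lan_host": {"dst": "10.50.1.50", "proto": 6, "dport": 80},
            "udp_80": {"dst": "198.51.100.20", "proto": 17, "dport": 80}}
    return {k: forward(p, tables) for k, p in pkts.items()}
```

Without the rib group, `demo(False)` sends the LAN-host port 80 flow into gr-0/0/0.0 because WEB-inspection.inet.0 only holds the default route; with it, `demo(True)` resolves that flow to reth2.0.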

Re: Route Traffic for Port 80 over GRE

08-20-2015 06:57 AM

Right. I follow. Thanks all for the verification.

-rm