SRX Services Gateway

SRX FBF single ISP

‎08-04-2015 10:27 AM

Hi all, I'm having difficulties configuring PBR or FBF on my SRX. Firstly, I need to do some kind of HTTP redirection to an ads server on the internet before users start browsing, and based on the sample FBF configs that I read, most of them show a dual ISP sample config, but what I want to do is on a single ISP. First, once a user opens a browser, the SRX will redirect to the ads server, and when the user closes the advertising page, they can go to the internet as usual through normal ISP traffic, and if the redirection to the ads server fails then traffic will go to the default route. If anyone knows a sample configuration similar to this or anyone can help me with the FBF config, please help.

My config, which is not working:


admin# show | display set
set version 12.1R1.9
set system name-server 8.8.8.8
set system services web-management http interface vlan.0
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
set system services dhcp router 192.168.2.1
set system services dhcp pool 192.168.2.0/24 address-range low 192.168.2.2
set system services dhcp pool 192.168.2.0/24 address-range high 192.168.2.254
set system services dhcp propagate-settings fe-0/0/0.0
set interfaces fe-0/0/0 unit 0 family inet filter input filt-in-fbf
set interfaces fe-0/0/0 unit 0 family inet address 192.168.1.90/24
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces vlan unit 0 family inet address 192.168.2.1/24
set routing-options interface-routes rib-group inet fbf-group
set routing-options static route 0.0.0.0/0 next-hop 192.168.1.1
set routing-options rib-groups fbf-group import-rib inet.0
set routing-options rib-groups fbf-group import-rib sp1-route-table.inet.0
set routing-options rib-groups fbf-group import-rib sp2-route-table.inet.0
set routing-options rib-groups fbf-group import-rib fbf.inet.0
set protocols stp
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services tftp
set firewall family inet filter filt-in-fbf term 10 from source-address 192.168.2.0/24
set firewall family inet filter filt-in-fbf term 10 from destination-address 103.8.27.221/32
set firewall family inet filter filt-in-fbf term 10 then routing-instance fbf
set firewall family inet filter filt-in-fbf term 20 then accept
set routing-instances fbf instance-type forwarding
set routing-instances fbf routing-options static route 0.0.0.0/0 next-hop 192.168.1.1
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0

7 REPLIES

Re: SRX FBF single ISP

‎08-04-2015 07:20 PM

Hello ,

First of all, policy-based routing is used for directing the traffic to individual ISPs or next hops based on the source/destination/protocol.

But as per my understanding, you need to redirect all your web traffic to an HTTP ad server which resides on the internet. And for normal traffic also we need to go to the internet.

So to be precise, for both conditions we have the same next hop (correct me if I am wrong). So it's not our job or the SRX's job to do this redirect; it should be the job of the device which has the normal internet and the ad server in different zones/interfaces.

Normally how the design will be is, we will have the HTTP redirect server in some DMZ zone on the SRX and the normal ISP in untrust, so that we can do HTTP redirect to the ad server in the DMZ and then normal traffic via the ISP. Our situation is that both internet traffic and the ad server traffic have to be routed to the same next hop or ISP. Even though we get an opportunity to distinguish the traffic in the SRX, how can we route the traffic to the ad server with the same next hop?

It's the job of the next-hop device or the device connecting the ad server to do this.

This is kind of a network design issue, to be frank.

So in general, we are just a passthrough and FBF is not an option here.

If any information that I understood is incorrect, please correct me.


Thanks,
Sam

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too .....
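As an added example (not from the thread, Juniper, or the posters), a small Python checker for the two problems visible in the posted set-format config and in the reply above: the rib-group imports tables for routing-instances that are never defined (sp1-route-table, sp2-route-table), and the fbf instance's default route has the same next hop as inet.0, so the filter-based forwarding changes nothing. The sample lines are copied from the config above; the check names and messages are the example's own.

```python
import re

# Constructed sample: the FBF-relevant lines copied from the config posted above.
SAMPLE_CONFIG = """\
set routing-options static route 0.0.0.0/0 next-hop 192.168.1.1
set routing-options rib-groups fbf-group import-rib inet.0
set routing-options rib-groups fbf-group import-rib sp1-route-table.inet.0
set routing-options rib-groups fbf-group import-rib sp2-route-table.inet.0
set routing-options rib-groups fbf-group import-rib fbf.inet.0
set firewall family inet filter filt-in-fbf term 10 then routing-instance fbf
set routing-instances fbf instance-type forwarding
set routing-instances fbf routing-options static route 0.0.0.0/0 next-hop 192.168.1.1
"""

RE_INSTANCE = re.compile(r"^set routing-instances (\S+) instance-type \S+$")
RE_IMPORT = re.compile(r"^set routing-options rib-groups (\S+) import-rib (\S+)$")
RE_TARGET = re.compile(r"^set firewall family inet filter \S+ term \S+ then routing-instance (\S+)$")
RE_GLOBAL_DEFAULT = re.compile(r"^set routing-options static route 0\.0\.0\.0/0 next-hop (\S+)$")
RE_INSTANCE_DEFAULT = re.compile(
    r"^set routing-instances (\S+) routing-options static route 0\.0\.0\.0/0 next-hop (\S+)$")


def check_fbf(config: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing was spotted."""
    instances, imports, targets, defaults = set(), [], [], {}
    for line in config.splitlines():
        line = line.strip()
        if m := RE_INSTANCE.match(line):
            instances.add(m.group(1))
        elif m := RE_IMPORT.match(line):
            imports.append((m.group(1), m.group(2)))
        elif m := RE_TARGET.match(line):
            targets.append(m.group(1))
        elif m := RE_GLOBAL_DEFAULT.match(line):
            defaults["inet.0"] = m.group(1)
        elif m := RE_INSTANCE_DEFAULT.match(line):
            defaults[m.group(1)] = m.group(2)
    findings = []
    for group, table in imports:
        inst = table.split(".")[0]  # "fbf.inet.0" -> "fbf"; "inet.0" is the global table
        if table != "inet.0" and inst not in instances:
            findings.append(f"rib-group {group} imports {table} but routing-instance {inst} is not defined")
    for inst in targets:
        if inst not in instances:
            findings.append(f"filter sends traffic to routing-instance {inst}, which is not defined")
        elif defaults.get(inst) is not None and defaults[inst] == defaults.get("inet.0"):
            findings.append(f"routing-instance {inst} and inet.0 share default next-hop {defaults[inst]}: "
                            "FBF changes nothing for this traffic")
    return findings
```

Run `check_fbf(SAMPLE_CONFIG)` to get the three findings for the posted config; feeding it the full `show | display set` output works the same way, since non-matching lines are ignored.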

Re: SRX FBF single ISP

‎08-04-2015 09:30 PM

Hi Joses,

Thank you for your reply. Actually we are going to deploy wireless solutions using WLC100 & WLA532. Once a user is connected to wifi and authenticated, perhaps the WLC will do this job to redirect the HTTP instead of the SRX, but I'm trying to do it for both wired & wireless users. Based on your explanation, the SRX cannot redirect HTTP traffic to the ads server.


Re: SRX FBF single ISP

‎08-04-2015 09:52 PM

Hello ,

Your understanding is correct; we cannot achieve this since the ad server and the normal internet traffic have the same next hop, so we cannot redirect them or send them specifically to a host (the ad server).

The only workaround that I see here is that, if the destination is the internet with port 80, then we can do destination NAT to that ad server IP, but here we are changing the destination, so it should be the ad server taking care of the routing part to the internet, and the return traffic has to be through the ad server. Else the return packet will fail.


Thanks,
Sam


Re: SRX FBF single ISP

‎08-04-2015 11:28 PM

[Attachment: GlobalAd General Architecture n Flow.jpg]

Hi,

Basically this is the actual diagram; I hope you can understand. Right now I'm using proxy settings in the Chrome web browser and pointing to that server 103.8.27.221 port 31289. When I open any HTTP website only, it will show an advertising box on top of the page. The thing is, I want to configure this on the SRX instead of the web browser, and I also want to configure failover capabilities and to monitor it. Is there any solution in configuration that I can apply?


Re: SRX FBF single ISP

‎08-04-2015 11:34 PM

Hello ,

I hope you are looking for something like:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB21046

Please check this and let us know if this is the one you are looking for.


Thanks,
Sam


Re: SRX FBF single ISP

‎08-05-2015 04:48 AM

Hi Sam,

Sort of, but the server is on the public internet, not on the local network/DMZ. Is it possible to use this as a sample? The ICAP server is used to extend transparent proxy servers.

 

rgds,

Hisyam


Re: SRX FBF single ISP

‎08-05-2015 10:29 PM

Hello ,

We can try that, but again as I said, since the server is on the public internet, redirection will not be possible. Instead, we can change the destination IP of the port 80 traffic to the server IP and direct it towards the server. But now it will be the server's job to redirect the traffic back to us. If that part can be taken care of, then I guess we have some hope.


Thanks,
Sam
