SRX Services Gateway

Self Routing with routing instance

‎11-14-2019 12:48 PM

Hello,

I have an SRX with two routing instances, each with a default static route to a different upstream provider. All is working well for traffic coming through the LAN interface. With an input filter I choose which routing instance to allocate traffic to.

I'm trying to accomplish the same for traffic originating from Junos, e.g. license autoupdate, config backup and others.

To do this I assigned lo0.0 a /32 IP address and applied this filter to lo0.0 in the output direction:

term 1 {
    from {
        source-address {
            10.20.6.6/32;
        }
        destination-address {
            10.0.0.0/8 except;
            192.168.0.0/16 except;
            172.20.0.0/20 except;
            0.0.0.0/0;
        }
    }
    then {
        routing-instance Upstream-WAN1;
    }
}
term 2 {
    then accept;
}

Also, a security policy and a source NAT rule are in place for this kind of traffic.

If I try a ping from the CLI:

run ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted

I guess the routing information is fine but I am missing some security policy.

Do packets originated by the SRX go through the "junos-host" zone, or do I have to define a zone with interface lo0.0?

Any help is appreciated.

Thanks.
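
To check which self-originated packets the filter in the post above would hand to Upstream-WAN1, here is an added example (not part of the original post and not Juniper code) that evaluates term 1 and term 2 offline. It assumes Junos longest-match semantics for address lists with `except`; the function names and the sample packets are constructed for illustration.

```python
import ipaddress

# Term 1 of the lo0.0 output filter from the post: (prefix, is_except).
SOURCE = [("10.20.6.6/32", False)]
DESTINATION = [
    ("10.0.0.0/8", True),
    ("192.168.0.0/16", True),
    ("172.20.0.0/20", True),
    ("0.0.0.0/0", False),
]
TERM1_ACTION = "routing-instance Upstream-WAN1"
TERM2_ACTION = "accept"


def prefix_list_matches(addr, entries):
    """Longest-match lookup: the most specific covering prefix decides,
    and an 'except' entry turns that decision into a non-match."""
    ip = ipaddress.ip_address(addr)
    best_len, best_except = -1, True
    for prefix, is_except in entries:
        net = ipaddress.ip_network(prefix)
        if ip in net and net.prefixlen > best_len:
            best_len, best_except = net.prefixlen, is_except
    return best_len >= 0 and not best_except


def evaluate(src, dst):
    """Return the action the two-term filter takes for one packet."""
    if prefix_list_matches(src, SOURCE) and prefix_list_matches(dst, DESTINATION):
        return TERM1_ACTION
    return TERM2_ACTION


# Constructed sample packets (source, destination); not taken from the thread.
SAMPLES = [
    ("10.20.6.6", "8.8.8.8"),        # public destination, loopback source
    ("10.20.6.6", "10.1.2.3"),       # excepted by 10.0.0.0/8
    ("10.20.6.6", "172.20.15.254"),  # last usable address inside 172.20.0.0/20
    ("10.20.6.6", "172.20.16.1"),    # just outside the /20
    ("10.20.6.6", "172.16.0.1"),     # private, but not covered by any except
    ("192.0.2.10", "8.8.8.8"),       # source is not the lo0.0 address
]

if __name__ == "__main__":
    for src, dst in SAMPLES:
        print(f"{src:>12} -> {dst:<15} {evaluate(src, dst)}")
```

The run shows that only 172.20.0.0 through 172.20.15.255 is exempted from the 172.x space, and that a packet whose source is not 10.20.6.6 never reaches the routing-instance action.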

 

 


Re: Self Routing with routing instance

‎11-14-2019 11:24 PM
You need to put lo0 in a security zone.
Thanks,
Suraj

Re: Self Routing with routing instance

‎11-16-2019 06:41 AM

Hello,

Do you mean the junos-host zone or a new zone?

Currently I put lo0.0 in a dedicated zone:

> show security zone

Security zone: junos-host
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 0
  Interfaces: ---> no interface

Security zone: LOOPBACK
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces: lo0.0

Best.

Re: Self Routing with routing instance

‎11-17-2019 05:31 AM

There is a KB on all the steps needed to have license updates occur from a routing instance here:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB34725

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home