SRX Services Gateway

do firewall filters override static routes?

‎04-25-2012 09:50 AM

Hello,

We have 2 ISP connections, of which one isn't performing as well as expected. The ISP asked me to test against their internal speedtest host. To ensure we would use the proper ISP for this test I added a static route to the config:

set routing-options static route 204.248.140.0/24 next-hop 76.10.176.12

where 176.12 is our gateway to the ISP in question.

I commit this, then test inside using MTR or traceroute to confirm all is well. But it is not: packets continue to go down our primary ISP, unless the traceroute is done on the SRX itself. In this case it takes the proper route.

I make use of firewall filters to inspect TOS tags, destination networks and ports to determine which ISP will be used.

Would these override the static routes? Does anything? (I also set up route failover using routing-options qualified-next-hop statements, which favor the primary ISP, not the ISP being tested.)

thanks,

greg

2 REPLIES

Solution accepted by topic author Greg_ (08-26-2015 01:27 AM)

Re: do firewall filters override static routes?

‎04-25-2012 06:37 PM

Hi,

It seems that you are using Filter-based Forwarding to choose between the two ISP connections. For this you might have a custom routing instance created with a route (static, probably) pointing to one of the ISPs and the same route in the default instance (inet.0) pointing to the other ISP.

Depending on your firewall filter configuration (match conditions), traffic coming in on the interface (where you have applied this firewall filter) will be redirected to one of these two routing instances for route lookup.

When you add a route like this, it will be installed in the inet.0 (default) instance:

set routing-options static route 204.248.140.0/24 next-hop 76.10.176.12

and when you do a traceroute on the SRX, because this is self traffic, it always takes the route present in inet.0.

If you do a traceroute from your internal network, it will be entering the SRX on your interface with the firewall filter applied.

So depending on the filter match, it might take the inet.0 route or the custom routing-instance route. So please check your filter definition. That should give you an idea of why it's taking a different path (firewall filter counters may help here).

Regards,
Pradeep 2xJNCIE(SEC/ENT)

Re: do firewall filters override static routes?

[ Edited ]
‎04-26-2012 09:28 AM

Thanks for the reply Pradeep,

I added this to my firewall filters and I am good.

set firewall filter FILTER1 term TEKTEST from destination-address 204.248.140.0/24
set firewall filter FILTER1 term TEKTEST then routing-instance routing-table-ISP2

My first reply was that it didn't work, but then I realized I didn't plug the gateway back in after my 'laptop direct to modem' test. 8)

more coffee!

-g
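Putting Pradeep's explanation and Greg's fix together, here is a complete filter-based forwarding configuration for an SRX with two ISPs. This is an added example, not configuration taken from the thread: the interface names, the internal subnet, the ISP1 gateway (a documentation address) and the rib-group name are assumptions; the ISP2 gateway 76.10.176.12, the test prefix 204.248.140.0/24 and the names FILTER1, TEKTEST and routing-table-ISP2 are the ones used in the posts above.

```junos
## Added example, not the thread's configuration. Assumed layout: LAN on
## ge-0/0/1.0 (192.168.1.0/24), ISP1 on ge-0/0/0.0 with gateway 203.0.113.1,
## ISP2 on ge-0/0/2.0 with the gateway 76.10.176.12 named in the thread.

## Default instance (inet.0): traffic not redirected by the filter follows this.
## A plain "set routing-options static route ..." always lands here, which is
## why Greg's original static route never affected the filtered LAN traffic.
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1

## Forwarding-type instance that holds the ISP2 route table.
set routing-instances routing-table-ISP2 instance-type forwarding
set routing-instances routing-table-ISP2 routing-options static route 0.0.0.0/0 next-hop 76.10.176.12

## Copy the SRX's directly connected (interface) routes into the ISP2 table so a
## redirected packet for a locally attached subnet is matched by the interface
## route and not sent out to ISP2 by the instance's default route.
## Rib-group name is an assumption.
set routing-options rib-groups share-to-isp2 import-rib inet.0
set routing-options rib-groups share-to-isp2 import-rib routing-table-ISP2.inet.0
set routing-options interface-routes rib-group inet share-to-isp2

## Filter-based forwarding: the ISP speedtest prefix is looked up in the ISP2
## table; everything else falls through to the final accept and uses inet.0.
## The counter is what Pradeep suggests checking to see which term matched.
set firewall filter FILTER1 term TEKTEST from destination-address 204.248.140.0/24
set firewall filter FILTER1 term TEKTEST then count to-ISP2
set firewall filter FILTER1 term TEKTEST then routing-instance routing-table-ISP2
set firewall filter FILTER1 term DEFAULT then accept

## Apply as an input filter on the LAN interface. Only transit traffic arriving
## on this interface is redirected; traffic the SRX originates itself (a
## traceroute run on the box) never passes this filter and uses inet.0.
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24
set interfaces ge-0/0/1 unit 0 family inet filter input FILTER1
```

To verify the two lookups behave differently, compare `show route 204.248.140.1` (inet.0, via ISP1) with `show route 204.248.140.1 table routing-table-ISP2.inet.0` (via 76.10.176.12), and watch `show firewall filter FILTER1` for the to-ISP2 counter incrementing while a LAN host runs its traceroute. To reproduce the LAN path from the SRX itself, run `traceroute 204.248.140.1 routing-instance routing-table-ISP2`, since self-originated traffic otherwise uses inet.0 as Pradeep describes. Two caveats: Junos appends a new term at the end of an existing filter, so if FILTER1 already ends with a terminating accept term the TEKTEST term will never be reached and must be moved up with `insert firewall filter FILTER1 term TEKTEST before term <existing-term>`; and because the SRX is zone-based, the ISP2 interface needs a security zone, a from-trust security policy and source NAT equivalent to ISP1's, or the redirected flow is dropped by policy rather than forwarded.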