SRX

last person joined: 4 days ago 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

  • 1.  filter-based routing.

    Posted 10-24-2016 00:33

    Hello. I ma trying to set up filter based routing and cant get it working. Everything seems fine to me.

    1. Applied firewall filter to interface:

    show interfaces vlan unit 20 
family inet {
    filter {
        input FILTER1;
    }
    address 172.17.20.1/24;
}

    2. Created firewall filter:

    how firewall filter FILTER1 
term pod-allow {
    from {
        destination-address {
            192.168.0.0/16;
        }
    }
    then accept;
}
term mgmt-allow {
    from {
        destination-address {
            172.16.0.0/12;
        }
    }
    then accept;
}
term TERM-test {
    from {
        source-address {
            172.17.20.28/32;
        }
    }
    then {                              
        routing-instance rt-cifra1-test;
    }                                   
}                                       
term default {                          
    then {                              
        routing-instance rt-cifra1-all; 
    }                                   
}

    3. Set up routing-instances:

    rt-cifra1-all {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 {
                next-hop 213.167.56.133;
                qualified-next-hop 213.167.60.117 {
                    preference 100;
                }
            }
        }
    }
}
rt-cifra1-test {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 {
                next-hop 213.167.60.117;
                qualified-next-hop 213.167.56.133 {
                    preference 100;
                }
            }                           
        }                               
    }                                   
}                                       
rt-rcs {                                
    instance-type forwarding;           
    routing-options {                   
        static {                        
            route 0.0.0.0/0 next-hop 217.12.253.225;
        }                               
    }                                   
}

    4. set up routing-options:

    interface-routes {
    rib-group inet IMPORT-CIFRA1;
}
static {
    route 0.0.0.0/0 {
        next-hop [ 217.12.253.225 213.167.56.133 213.167.60.117 ];
        preference 20;
    }
}                                       
rib-groups {                            
    IMPORT-CIFRA1 {                     
        import-rib [ inet.0 rt-cifra1-test.inet.0 rt-cifra1-all.inet.0 rt-rcs.inet.0 ];
    }                                   
}

    5. and source nat:

    pool cifra1-test { 
   address { 
       213.167.60.118/32; 
   } 
} 
pool cifra1-all { 
   address { 
       213.167.56.134/32; 
   } 
} 
rule-set rs1 { 
   from zone trust; 
   to zone untrust;                                                        
   rule test-cifra1 {              
       match {                          
           source-address 172.17.20.28/32; 
           destination-address 0.0.0.0/0; 
       }                                
       then {                           
           source-nat {                 
               pool {                   
                   cifra1-test;    
               }                        
           }                            
       }                                
   }                                    
   rule r1 {                            
       match {                          
           source-address 0.0.0.0/0;    
           destination-address 0.0.0.0/0; 
       }                                
       then {                           
           source-nat {                 
               pool {                   
                   cifra1-all ;            
               }                        
           }                            
       }                                
   }                                    
}

            But traceroute shows that traffic goes trought  213.167.56.133  gateway, insted of  213.167.60.117

    Can anyone explain to me why?


    #SRX
    #filter-basedrouting


  • 2.  RE: filter-based routing.

    Posted 10-24-2016 08:26
    From which 'source address' you're generating the traceroute traffic ?


  • 3.  RE: filter-based routing.

    Posted 10-24-2016 22:10

    Just running command from 172.17.20.28

    traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  gateway (172.17.20.1)  1.429 ms  1.395 ms  1.407 ms
 2  213.167.56.133 (213.167.56.133)  7.342 ms  7.353 ms  7.362 ms


  • 4.  RE: filter-based routing.

    Posted 10-24-2016 22:29
    Please re-order the terms; command:

    insert firewall filter FILTER1 term TERM-test before term mgmt-allow


  • 5.  RE: filter-based routing.

    Posted 10-24-2016 22:40

    It didn't help.



  • 6.  RE: filter-based routing.

    Posted 10-26-2016 05:38

    Can you enable count on filter FILTER1 TERM-test , and check if there is any accepted hits ?

    Here you can see how to configure it:
    http://www.juniper.net/documentation/en_US/junos16.1/topics/example/firewall-filter-stateless-example-count-accepted-and-rejected-packets.html

    I have another question for you:
    Is all the [217.12.253.225 213.167.56.133 213.167.60.117] resides under the same zone which is "untrust" ?

     

    And sorry for missleading you in the previous post , there was no nead to re-order it , I just the 172.16.0.0/12 another LAN .. My bad 😐

     



  • 7.  RE: filter-based routing.

    Posted 10-26-2016 05:56

    I cheked it with "log" rule before and there is accepted hits.

    Oct 25 12:24:30  tco tco PFE_FW_SYSLOG_IP: FW: vlan.20      A  udp 172.17.20.28 93.158.134.3 40423 33434 (1 packets) 
Oct 25 12:24:30  tco tco PFE_FW_SYSLOG_IP: FW: vlan.20      A  udp 172.17.20.28 93.158.134.3 36985 33435 (1 packets)
    @Abed AL-R wrote:

    I have another question for you:
    Is all the [217.12.253.225 213.167.56.133 213.167.60.117] resides under the same zone which is "untrust" ?

     

    They should be, as it ISP's IP adresses

    Is it possible that problem is address 213.167.60.118  and 213.167.59.134 are configured on the same interface?

     



  • 8.  RE: filter-based routing.

    Posted 10-26-2016 07:48
    How 213.167.60.118 and 213.167.59.134 are configured under the same interface ? are we talking here in subnet /21 ? could you attach configuration under [edit interfaces] hierarchy ?
    Also attach the show route output


  • 9.  RE: filter-based routing.

    Posted 10-26-2016 08:24
    Also and if its possible , explain further more the topology and how those three ISPs is connected to get all the picture clear for us .


  • 10.  RE: filter-based routing.

    Posted 10-26-2016 23:12

    interfaces: 

    show interfaces fe-0/0/1  
unit 0 {
    family inet {
        address 213.167.60.118/30;
        address 213.167.59.134/30;
    }
}

    I'll attach show route is here http://pastebin.com/PdB4rgST it's pretty long

    Now about topology:

    There is two isp, so 2 ports in juniper is used.

    "cifra1" isp gives us 2 IPs on the same cable

    all LANs directly attached to juniper.

     

     

     



  • 11.  RE: filter-based routing.
    Best Answer

    Posted 10-27-2016 09:45
      |   view attached

    Hi,

     

    I was trying to replicate your issue in my lab whithin Proxy-ARP (see attached configuration)

    And it's working fine after I configured your NATed addresses

     

    Screenshot_3.png

     

    Attachment(s)

    txt
    test_routing_instances_jnet.txt   6 KB 1 version