SRX Services Gateway

filter-based routing.

‎10-24-2016 12:33 AM

Hello. I am trying to set up filter-based routing and can't get it working. Everything seems fine to me.

1. Applied firewall filter to interface:

show interfaces vlan unit 20
family inet {
    filter {
        input FILTER1;
    }
    address 172.17.20.1/24;
}

2. Created firewall filter:

show firewall filter FILTER1
term pod-allow {
    from {
        destination-address {
            192.168.0.0/16;
        }
    }
    then accept;
}
term mgmt-allow {
    from {
        destination-address {
            172.16.0.0/12;
        }
    }
    then accept;
}
term TERM-test {
    from {
        source-address {
            172.17.20.28/32;
        }
    }
    then {
        routing-instance rt-cifra1-test;
    }
}
term default {
    then {
        routing-instance rt-cifra1-all;
    }
}

3. Set up routing-instances:

rt-cifra1-all {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 {
                next-hop 213.167.56.133;
                qualified-next-hop 213.167.60.117 {
                    preference 100;
                }
            }
        }
    }
}
rt-cifra1-test {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 {
                next-hop 213.167.60.117;
                qualified-next-hop 213.167.56.133 {
                    preference 100;
                }
            }
        }
    }
}
rt-rcs {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 217.12.253.225;
        }
    }
}

4. Set up routing-options:

interface-routes {
    rib-group inet IMPORT-CIFRA1;
}
static {
    route 0.0.0.0/0 {
        next-hop [ 217.12.253.225 213.167.56.133 213.167.60.117 ];
        preference 20;
    }
}
rib-groups {
    IMPORT-CIFRA1 {
        import-rib [ inet.0 rt-cifra1-test.inet.0 rt-cifra1-all.inet.0 rt-rcs.inet.0 ];
    }
}

5. And source NAT:

pool cifra1-test {
    address {
        213.167.60.118/32;
    }
}
pool cifra1-all {
    address {
        213.167.56.134/32;
    }
}
rule-set rs1 {
    from zone trust;
    to zone untrust;
    rule test-cifra1 {
        match {
            source-address 172.17.20.28/32;
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat {
                pool {
                    cifra1-test;
                }
            }
        }
    }
    rule r1 {
        match {
            source-address 0.0.0.0/0;
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat {
                pool {
                    cifra1-all;
                }
            }
        }
    }
}

But traceroute shows that traffic goes through the 213.167.56.133 gateway, instead of 213.167.60.117.

Can anyone explain to me why?
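One way to check on paper what FILTER1 should do with this traffic, as an added example that is not part of the original post: a small Python model of Junos first-match term evaluation over the terms above, followed by the static-route lookup in the selected forwarding instance (a plain next-hop keeps the static default preference of 5, so a qualified-next-hop with preference 100 only takes over if the primary disappears). The term and instance tables are constructed from the configuration in the post; the evaluator itself is hypothetical, not Junos code.

```python
import ipaddress
from typing import Optional

# Constructed model of the FILTER1 terms posted above, in configured order.
# A term with no "src"/"dst" key has no match condition for that field and
# therefore matches everything, as in Junos.
FILTER1 = [
    {"name": "pod-allow",  "dst": ["192.168.0.0/16"], "action": ("accept", None)},
    {"name": "mgmt-allow", "dst": ["172.16.0.0/12"],  "action": ("accept", None)},
    {"name": "TERM-test",  "src": ["172.17.20.28/32"], "action": ("routing-instance", "rt-cifra1-test")},
    {"name": "default",    "action": ("routing-instance", "rt-cifra1-all")},
]

# Static default routes per forwarding instance as (next_hop, preference).
# The plain next-hop gets the Junos static default preference of 5; each
# qualified-next-hop carries its own preference, and the lowest value wins.
INSTANCES = {
    "rt-cifra1-test": [("213.167.60.117", 5), ("213.167.56.133", 100)],
    "rt-cifra1-all":  [("213.167.56.133", 5), ("213.167.60.117", 100)],
    "rt-rcs":         [("217.12.253.225", 5)],
}


def _matches(addr: str, prefixes: Optional[list]) -> bool:
    """A missing match condition matches any address."""
    if prefixes is None:
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)


def evaluate(src: str, dst: str):
    """Walk FILTER1 first-match, then look up the route in the chosen instance.

    Returns (term_name, routing_instance, next_hop). For an 'accept' term the
    packet stays in the default table (inet.0), so instance and next_hop are None.
    """
    for term in FILTER1:
        if _matches(src, term.get("src")) and _matches(dst, term.get("dst")):
            action, instance = term["action"]
            if action == "accept":
                return term["name"], None, None
            # Active route is the candidate with the lowest preference value.
            next_hop, _ = min(INSTANCES[instance], key=lambda nh: nh[1])
            return term["name"], instance, next_hop
    return None, None, None  # implicit discard at the end of a Junos filter
```

For the traceroute in the thread (172.17.20.28 to 8.8.8.8) the model selects TERM-test and exits via 213.167.60.117, so the observed path through 213.167.56.133 points away from the filter's term order and toward what happens after the instance is chosen.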


Re: filter-based routing.

‎10-24-2016 08:26 AM
From which 'source address' are you generating the traceroute traffic?
Regards,
A'bed AL-R.
[JNCSP-SEC JNCDA JNCIS-ENT Ingenious Champion|Sec]
https://srxtech.wordpress.com

Re: filter-based routing.

‎10-24-2016 10:10 PM

Just running the command from 172.17.20.28:

traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  gateway (172.17.20.1)  1.429 ms  1.395 ms  1.407 ms
 2  213.167.56.133 (213.167.56.133)  7.342 ms  7.353 ms  7.362 ms

Re: filter-based routing.

‎10-24-2016 10:29 PM
Please re-order the terms; command:

insert firewall filter FILTER1 term TERM-test before term mgmt-allow
Regards,
A'bed AL-R.
[JNCSP-SEC JNCDA JNCIS-ENT Ingenious Champion|Sec]
https://srxtech.wordpress.com

Re: filter-based routing.

‎10-24-2016 10:40 PM

It didn't help.


Re: filter-based routing.

‎10-26-2016 05:37 AM

Can you enable count on filter FILTER1 term TERM-test, and check if there are any accepted hits?

Here you can see how to configure it:
http://www.juniper.net/documentation/en_US/junos16.1/topics/example/firewall-filter-stateless-exampl...

I have another question for you:
Do all of [217.12.253.225 213.167.56.133 213.167.60.117] reside under the same zone, which is "untrust"?

And sorry for misleading you in the previous post, there was no need to re-order it, I just took 172.16.0.0/12 for another LAN... My bad 😐

Regards,
A'bed AL-R.
[JNCSP-SEC JNCDA JNCIS-ENT Ingenious Champion|Sec]
https://srxtech.wordpress.com

Re: filter-based routing.

‎10-26-2016 05:55 AM

I checked it with the "log" rule before, and there are accepted hits.

Oct 25 12:24:30  tco tco PFE_FW_SYSLOG_IP: FW: vlan.20      A  udp 172.17.20.28 93.158.134.3 40423 33434 (1 packets) 
Oct 25 12:24:30  tco tco PFE_FW_SYSLOG_IP: FW: vlan.20      A  udp 172.17.20.28 93.158.134.3 36985 33435 (1 packets) 

@Abed AL-R wrote:

I have another question for you:
Do all of [217.12.253.225 213.167.56.133 213.167.60.117] reside under the same zone, which is "untrust"?

They should be, as they are the ISP's IP addresses.

Is it possible that the problem is that the addresses 213.167.60.118 and 213.167.59.134 are configured on the same interface?


Re: filter-based routing.

‎10-26-2016 07:47 AM
How are 213.167.60.118 and 213.167.59.134 configured under the same interface? Are we talking here about a /21 subnet? Could you attach the configuration under the [edit interfaces] hierarchy?
Also attach the show route output.
Regards,
A'bed AL-R.
[JNCSP-SEC JNCDA JNCIS-ENT Ingenious Champion|Sec]
https://srxtech.wordpress.com

Re: filter-based routing.

‎10-26-2016 08:24 AM
Also, if it's possible, explain the topology further and how those three ISPs are connected, to get the whole picture clear for us.
Regards,
A'bed AL-R.
[JNCSP-SEC JNCDA JNCIS-ENT Ingenious Champion|Sec]
https://srxtech.wordpress.com

Re: filter-based routing.

‎10-26-2016 11:12 PM

interfaces: 

show interfaces fe-0/0/1
unit 0 {
    family inet {
        address 213.167.60.118/30;
        address 213.167.59.134/30;
    }
}

The show route output is here: http://pastebin.com/PdB4rgST (it's pretty long).

Now about the topology:

There are two ISPs, so 2 ports in the Juniper are used.

"cifra1" ISP gives us 2 IPs on the same cable.

All LANs are directly attached to the Juniper.

Solution
Accepted by topic author Nomad-71
‎10-31-2016 11:33 PM

Re: filter-based routing.

‎10-27-2016 09:45 AM

Hi,

I was trying to replicate your issue in my lab with Proxy-ARP (see attached configuration).

And it's working fine after I configured your NATed addresses.

Screenshot_3.png

Regards,
A'bed AL-R.
[JNCSP-SEC JNCDA JNCIS-ENT Ingenious Champion|Sec]
https://srxtech.wordpress.com
