I want to have all the traffic default-routed to 10.10.10.1, and when it comes
from source address 10.139.1.167/32 it should be routed to 192.168.254.1. I
have also applied the filter to the LAN interface in the inbound direction. But still
all the traffic is going through 10.10.10.1 even if it originates from
10.139.1.167/32.

Regards,

Bikash 

From: Joe Goldberg [mailto:joe.goldb...@falconstor.com] 
Sent: Thursday, September 30, 2010 7:55 PM
To: Bikash Bhattarai
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] Policy based routing on SRX 210

I'm not exactly sure what you are trying to get this config to do, but at the 
very least you need to apply the firewall rule for the PBR to the relevant 
interface, 

set interface x unit 0 family inet filter input trust-adsl 

Joe

On Thu, Sep 30, 2010 at 5:32 AM, Bikash Bhattarai <bik...@dristi.com.np> wrote:

Dear all,

My PBR configuration is below. I have configured everything as suggested in
Juniper's documentation, but it's not working as desired. Please help me out
to sort out the issue.

interfaces {
   ge-0/0/0 {
       unit 0 {
           description HO-LAN;
           family inet {
               address 10.139.1.1/24;
           }
       }
   }
   fe-0/0/5 {
       unit 0 {
           description SUBISU-INTERNET;
           family inet {
               address 10.10.10.2/29;
           }
       }
   }
   fe-0/0/6 {
       unit 0 {
           description ADSL;
           family inet {
               address 192.168.254.2/24;
           }
       }
   }
}
routing-options {
   interface-routes {
       rib-group inet IMPORT-PHY;
   }
   static {
       route 0.0.0.0/0 {
           next-hop [ 10.10.10.1 1 192.168.254.1 ];
           metric 5;
       }
   }
   rib-groups {
       IMPORT-PHY {
           import-rib [ pbr_fe-0/0/5_static.inet.0 pbr_fe-0/0/6_adsl.inet.0 inet.0 ];
       }
   }
}
security {
   nat {
       source {
           rule-set trust-to-untrust {
               from zone trust;
               to zone untrust;
               rule source-nat-rule {
                   match {
                       source-address 0.0.0.0/0;
                   }
                   then {
                       source-nat {
                           interface;
                       }
                   }
               }
           }
           rule-set TRUST-TO-WIFI-NAT {
               from zone trust;
               to zone WIFI-ZONE;
               rule wifi-nat {
                   match {
                       source-address 10.139.1.0/24;
                       destination-address 0.0.0.0/0;
                   }
                   then {
                       source-nat {
                           interface;
                       }
                   }
               }
           }
       }
   }
   zones {
       security-zone trust {
           address-book {
               address HO-LAN 10.139.1.0/24;
           }
           host-inbound-traffic {
               system-services {
                   all;
               }
               protocols {
                   all;
               }
           }
           interfaces {
               vlan.0 {
                   host-inbound-traffic {
                       system-services {
                           https;
                           ping;
                           ssh;
                           all;
                       }
                   }
               }
               ge-0/0/0.0 {
                   host-inbound-traffic {
                       system-services {
                           https;
                           ping;
                           ssh;
                           all;
                       }
                   }
               }
           }
       }
       security-zone untrust {
           host-inbound-traffic {
               system-services {
                   https;
                   ping;
                   ssh;
                   telnet;
               }
               protocols {
                   all;
               }
           }
           interfaces {
               fe-0/0/5.0 {
                   host-inbound-traffic {
                       system-services {
                           ping;
                           https;
                           ssh;
                           telnet;
                           ike;
                       }
                   }
               }
           }
       }
       security-zone WIFI-ZONE {
           interfaces {
               fe-0/0/6.0 {
                   host-inbound-traffic {
                       system-services {
                           ping;
                       }
                   }
               }
           }
       }
   }
   policies {
       from-zone trust to-zone untrust {
           policy trust-to-untrust {
               match {
                   source-address any;
                   destination-address any;
                   application any;
               }
               then {
                   permit;
               }
           }
       }
       from-zone trust to-zone WIFI-ZONE {
           policy TRUST-TO-WIFI {
               match {
                   source-address HO-LAN;
                   destination-address any;
                   application any;
               }
               then {
                   permit;
               }
           }
       }
   }
}
firewall {
   filter trust-adsl {
       term TERM1 {
           from {
               source-address {
                   10.139.1.167/32;
               }
           }
           then {
               routing-instance pbr_fe-0/0/6_adsl;
           }
       }
       term TERM2 {
           then {
               routing-instance pbr_fe-0/0/5_static;
           }
       }
   }
}
routing-instances {
   pbr_fe-0/0/5_static {
       instance-type forwarding;
       routing-options {
           static {
               route 0.0.0.0/0 {
                   next-hop 10.10.10.2;
                   qualified-next-hop 192.168.254.1;
                   metric 100;
               }
           }
       }
   }
   pbr_fe-0/0/6_adsl {
       instance-type forwarding;
       routing-options {
           static {
               route 0.0.0.0/24 {
                   qualified-next-hop 192.168.1.1;
                   qualified-next-hop 10.10.10.1 {
                       metric 100;
                   }
               }
           }
       }
   }
}

Regards,

Bikash Bhattarai

Technical Manager

Dristi Tech Pvt. Ltd.

skype: bkbhattarai

mob:+977-9851039710

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
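
An added audit script, not from the thread or from Juniper: it parses a Junos-style curly-brace configuration into nested dicts and flags the two filter-based-forwarding defects this thread turns on, a firewall filter with routing-instance actions that is applied to no interface (Joe's point), and a filter that names a routing-instance which does not exist. The config text inside it is a constructed sample that reuses the thread's names; it is not the real configuration, and a real audit would read the config from a file.

```python
import re
# Constructed sample reusing the thread's names (not the real config).
SAMPLE = """
interfaces { ge-0/0/0 { unit 0 { family inet { address 10.139.1.1/24; } } } }
firewall {
    filter trust-adsl {
        term TERM1 { from { source-address { 10.139.1.167/32; } } then { routing-instance pbr_fe-0/0/6_adsl; } }
        term TERM2 { then { routing-instance pbr_fe-0/0/5_static; } }
    }
}
routing-instances { pbr_fe-0/0/5_static { instance-type forwarding; } }
"""
TOKEN = re.compile(r"[{};]|[^\s{};]+")

def parse(text):
    """Parse Junos curly-brace text into nested dicts; a leaf statement maps to {}."""
    root, stack, words = {}, [], []
    for tok in TOKEN.findall(text):
        scope = stack[-1] if stack else root
        if tok == "{":
            stack.append(scope.setdefault(" ".join(words), {})); words = []
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            scope[" ".join(words)] = {}; words = []
        else:
            words.append(tok)
    return root

def applied_filters(cfg):
    """Filter names attached to a unit via 'family inet { filter { input X; } }'."""
    names = set()
    for iface in cfg.get("interfaces", {}).values():
        for unit in iface.values():
            for stmt in unit.get("family inet", {}).get("filter", {}):
                names.add(stmt.split()[-1])      # "input trust-adsl" -> "trust-adsl"
    return names

def audit(cfg):
    """Return the filter-based-forwarding problems found in a parsed config."""
    problems, applied, instances = [], applied_filters(cfg), cfg.get("routing-instances", {})
    for fkey, terms in cfg.get("firewall", {}).items():
        fname = fkey.split()[-1]                 # "filter trust-adsl" -> "trust-adsl"
        targets = [s.split()[-1] for term in terms.values()
                   for s in term.get("then", {}) if s.startswith("routing-instance ")]
        if targets and fname not in applied:
            problems.append(f"filter {fname} is applied to no interface, so its terms never run")
        problems += [f"filter {fname} steers to missing routing-instance {ri}"
                     for ri in targets if ri not in instances]
    return problems
```

Running `audit(parse(SAMPLE))` reports both defects; adding `filter { input trust-adsl; }` under `family inet` of ge-0/0/0 unit 0 and defining the missing instance makes the report empty.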