Re: [j-nsp] SRX FBR and destination nat
If you start by setting up traceoptions as in the excellent article referred to by Ben, you will probably find the problem easily. Then, making the RI cat a virtual-router instead of a forwarding instance (with the ISP ifl in it) and setting up proper policy will probably be a good start to getting everything working.

/Per

On 27 Jun 2014, at 1:59, Ben Dale wrote:

Hi Yuriy,

This exact configuration is documented quite thoroughly in Recipe 12 in the Day One: Juniper Ambassadors' Cookbook for Enterprise found here:
http://www.juniper.net/us/en/community/junos/training-certification/day-one/networking-technologies-series/cookbook-for-enterprise/

Credit for this particular one (and the 5 different solutions provided!) goes to Peter Klimai!

Cheers,

Ben

___
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
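A sketch of what Per's suggestion (instance cat as a virtual-router with the ISP1 logical interface inside it) could look like. This is an added illustration, not configuration from the thread, from the Day One recipe or from Juniper, and it rests on two assumptions: that a pp0 logical unit can be placed in a routing instance on this platform, and that the SRX flow engine resolves the reverse route of a session in the routing instance of the interface the first packet arrived on, so a session created by traffic entering pp0.0 gets its reply path from cat.inet.0. Interface, instance and address names are Yuriy's.

```junos
routing-instances {
    /* ISP1 moves into its own virtual router; its default route points back
       at ISP1, so replies to sessions that entered on pp0.0 leave on pp0.0 */
    cat {
        instance-type virtual-router;
        interface pp0.0;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop pp0.0;
            }
        }
    }
}
routing-options {
    /* copy the inet.0 interface routes (the LAN on ge-0/0/0.99) into
       cat.inet.0, so the DNAT'ed destination 10.121.0.101 is reachable
       from inside cat */
    interface-routes {
        rib-group inet all;
    }
    rib-groups {
        all {
            import-rib [ inet.0 cat.inet.0 ];
        }
    }
    /* LAN-initiated traffic that is not steered by the filter keeps ISP2 */
    static {
        route 0.0.0.0/0 next-hop pp0.1;
    }
}
```

The pieces from the original post stay as they are: the filter cat on ge-0/0/0.99 still steers 10.121.0.0/24 sources into cat (which now owns pp0.0), the destination NAT rule-set still matches on from interface pp0.0, and pp0.0 remains in zone untrust, since zone membership is independent of the routing instance. Before relying on it, confirm with the traceoptions Per mentions (set security flow traceoptions flag basic-datapath) that the reply wing of an inbound session now shows pp0.0 as egress.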
Re: [j-nsp] SRX FBR and destination nat (Yuriy B. Borysov)
Hi Yuriy,

Assuming you have 2 links with the SAME ISP and your ISP is doing BGP for you, the only way this would work is if your ISP is also forwarding 10.121.0.101/32 through your secondary link.

Best Regards

Sinisa Pesa | Senior Network and Security Specialist
www.bluecentral.com | an IPMG company

--

Message: 2
Date: Thu, 26 Jun 2014 16:39:06 +0300
From: "Yuriy B. Borysov"
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] SRX FBR and destination nat
Message-ID: <20140626133906.ga79...@itsinternet.net>
Content-Type: text/plain; charset=us-ascii

Hello!

I have two connections to the ISP on SRX220H (12.1X45-D15.5).

ISP1 - 1.1.1.2 on my side, 1.1.1.1 - gw (int pp0.0)
ISP2 - 2.2.2.2 on my side, 2.2.2.1 - gw (int pp0.1)

Default gateway points to pp0.1

I need to do destination nat to host in lan PC (10.121.0.101) via non
default ISP1 (int pp0.0).

First of all, configure FBR for LAN network via pp0.0:

routing-options
    interface-routes {
        rib-group inet all;
    }

    .

    rib-groups {
        all {
            import-rib [ inet.0 cat.inet.0 ];
        }

    .

    cat {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop pp0.0;
            }
        }
    }

    ..

firewall family inet filter cat
    term route-to-cat {
        from {
            source-address {
                10.121.0.0/24;
            }
        }
        then {
            routing-instance cat;
        }
    }
    term default {
        then accept;
    }

    .

interfaces ge-0/0/0.99
    description cctv;
    vlan-id 99;
    family inet {
        mtu 1500;
        filter {
            input cat;
        }
        address 10.121.0.200/24;
    }

    .

security policies from-zone cctv to-zone untrust
    policy proxmox-inet {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }

security policies from-zone untrust to-zone cctv
    policy cctv-access {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }

Everything looks OK, outgoing traffic goes via pp0.0

After that, configure dest nat:

pool cctv-rdr {
    address 10.121.0.101/32;
}

rule-set cctv-rdr {
    from interface pp0.0;
    rule cctv-rdr {
        match {
            destination-address 1.1.1.2/32;
        }
        then {
            destination-nat {
                pool {
                    cctv-rdr;
                }
            }
        }
    }
}

Traffic comes through pp0.0 but returns through pp0.1
That breaks port forward (due to uplink urpf).

Where am I wrong in my configuration?

Thanks!

--
WBR, Yuriy B. Borysov
YOKO-UANIC | YOKO-RIPE

--

End of juniper-nsp Digest, Vol 139, Issue 21
Re: [j-nsp] SRX FBR and destination nat
Hi Yuriy,

This exact configuration is documented quite thoroughly in Recipe 12 in the Day One: Juniper Ambassadors' Cookbook for Enterprise found here:
http://www.juniper.net/us/en/community/junos/training-certification/day-one/networking-technologies-series/cookbook-for-enterprise/

Credit for this particular one (and the 5 different solutions provided!) goes to Peter Klimai!

Cheers,

Ben

On 26 Jun 2014, at 11:39 pm, Yuriy B. Borysov wrote:

> Hello!
>
> I have two connections to the ISP on SRX220H (12.1X45-D15.5).
>
> ISP1 - 1.1.1.2 on my side, 1.1.1.1 - gw (int pp0.0)
> ISP2 - 2.2.2.2 on my side, 2.2.2.1 - gw (int pp0.1)
>
> Default gateway points to pp0.1
>
> I need to do destination nat to host in lan PC (10.121.0.101) via non
> default ISP1 (int pp0.0).
>
> First of all, configure FBR for LAN network via pp0.0:
>
> routing-options
>     interface-routes {
>         rib-group inet all;
>     }
>
>     .
>
>     rib-groups {
>         all {
>             import-rib [ inet.0 cat.inet.0 ];
>         }
>
>     .
>
>     cat {
>         instance-type forwarding;
>         routing-options {
>             static {
>                 route 0.0.0.0/0 next-hop pp0.0;
>             }
>         }
>     }
>
>     ..
>
> firewall family inet filter cat
>     term route-to-cat {
>         from {
>             source-address {
>                 10.121.0.0/24;
>             }
>         }
>         then {
>             routing-instance cat;
>         }
>     }
>     term default {
>         then accept;
>     }
>
>     .
>
> interfaces ge-0/0/0.99
>     description cctv;
>     vlan-id 99;
>     family inet {
>         mtu 1500;
>         filter {
>             input cat;
>         }
>         address 10.121.0.200/24;
>     }
>
>     .
>
> security policies from-zone cctv to-zone untrust
>     policy proxmox-inet {
>         match {
>             source-address any;
>             destination-address any;
>             application any;
>         }
>         then {
>             permit;
>         }
>     }
>
> security policies from-zone untrust to-zone cctv
>     policy cctv-access {
>         match {
>             source-address any;
>             destination-address any;
>             application any;
>         }
>         then {
>             permit;
>         }
>     }
>
> Everything looks OK, outgoing traffic goes via pp0.0
>
> After that, configure dest nat:
>
> pool cctv-rdr {
>     address 10.121.0.101/32;
> }
>
> rule-set cctv-rdr {
>     from interface pp0.0;
>     rule cctv-rdr {
>         match {
>             destination-address 1.1.1.2/32;
>         }
>         then {
>             destination-nat {
>                 pool {
>                     cctv-rdr;
>                 }
>             }
>         }
>     }
> }
>
> Traffic comes through pp0.0 but returns through pp0.1
> That breaks port forward (due to uplink urpf).
>
> Where am I wrong in my configuration?
>
> Thanks!
>
> --
> WBR, Yuriy B. Borysov
> YOKO-UANIC | YOKO-RIPE
Re: [j-nsp] SRX FBR and destination nat
There is (probably) a simple solution if pp0.0 is only used by inbound traffic that will be NAT-ed, and never used as backup for pp0.1 outbound. Is this the case?

/Per

Sent from my iPad, please ignore stupid spelling corrections!

> On 26 Jun 2014, at 15:39, "Yuriy B. Borysov" wrote:
>
> I need to do destination nat to host in lan PC (10.121.0.101) via non
> default ISP1 (int pp0.0).
Re: [j-nsp] Usage of older M10 Juniper
On Thu, Jun 26, 2014 at 1:56 PM, Robert Hass wrote:
> Hi
> I have an old M10 router. I would like to use it for one customer.
>
> Router has Enhanced FEB, RE600-2048 and 3 GE PE PICs.
>
> My questions:
> 1) How many full-BGP feeds can I have on this machine?
>

Personal experience puts a current full table at ~500MB. You could comfortably hold 2 tables. Possibly 3 depending on your other configurations and how far to the edge you want to go. Your CPU should be okay, but it's been a while since I've worked on anything less than RE800s. You should probably optimize your configuration to reduce CPU load as much as possible, though.

> 2) Which JunOS version can you recommend for this old buddy?
>

Whichever one has the fewest bugs and greatest stability for your required feature set. Sucky answer, but different releases provide different features and present different bugs.

> 3) How big a FIB is available for IPv4 on Enhanced FEB?
>

I don't think that Juniper publishes the FIB size for FEB-M10-E, but a previous employer had one in a lab with ~500k entries.

--tc

>
> Rob
[j-nsp] Usage of older M10 Juniper
Hi

I have an old M10 router. I would like to use it for one customer.

Router has Enhanced FEB, RE600-2048 and 3 GE PE PICs.

My questions:
1) How many full-BGP feeds can I have on this machine?
2) Which JunOS version can you recommend for this old buddy?
3) How big a FIB is available for IPv4 on Enhanced FEB?

Rob
Re: [j-nsp] SRX FBR and destination nat
I think you are hit by the flow mechanism; this would probably work in a pure routing scenario. Please verify my possible explanation with "set security flow traceoptions flag basic-datapath".

When the first packet is accepted, a flow is set up. It contains both the forward path and the reverse path; all forwarding/routing decisions are made at that point. At this time, nothing is known about the FBR setup.

When the return packet enters the FW, the filter action of setting RI to cat is probably noted in the packet meta-data, but when the flow engine then evaluates the packet, an existing flow is found, the fast-path is taken (no routing/forwarding lookup), and the exit path as determined earlier is used.

This is the reason why your setup does not work (I think).

(This is the place where I would normally suggest a fix, but I'm short on time and would like to try some Junos Cup challenges while I can. If the problem persists, please poke me.)

/Per

On 26 Jun 2014, at 15:39, Yuriy B. Borysov wrote:

Hello!

I have two connections to the ISP on SRX220H (12.1X45-D15.5).

ISP1 - 1.1.1.2 on my side, 1.1.1.1 - gw (int pp0.0)
ISP2 - 2.2.2.2 on my side, 2.2.2.1 - gw (int pp0.1)

Default gateway points to pp0.1

I need to do destination nat to host in lan PC (10.121.0.101) via non
default ISP1 (int pp0.0).

First of all, configure FBR for LAN network via pp0.0:

routing-options
    interface-routes {
        rib-group inet all;
    }

    .

    rib-groups {
        all {
            import-rib [ inet.0 cat.inet.0 ];
        }

    .

    cat {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop pp0.0;
            }
        }
    }

    ..

firewall family inet filter cat
    term route-to-cat {
        from {
            source-address {
                10.121.0.0/24;
            }
        }
        then {
            routing-instance cat;
        }
    }
    term default {
        then accept;
    }

    .

interfaces ge-0/0/0.99
    description cctv;
    vlan-id 99;
    family inet {
        mtu 1500;
        filter {
            input cat;
        }
        address 10.121.0.200/24;
    }

    .

security policies from-zone cctv to-zone untrust
    policy proxmox-inet {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }

security policies from-zone untrust to-zone cctv
    policy cctv-access {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }

Everything looks OK, outgoing traffic goes via pp0.0

After that, configure dest nat:

pool cctv-rdr {
    address 10.121.0.101/32;
}

rule-set cctv-rdr {
    from interface pp0.0;
    rule cctv-rdr {
        match {
            destination-address 1.1.1.2/32;
        }
        then {
            destination-nat {
                pool {
                    cctv-rdr;
                }
            }
        }
    }
}

Traffic comes through pp0.0 but returns through pp0.1
That breaks port forward (due to uplink urpf).

Where am I wrong in my configuration?

Thanks!

--
WBR, Yuriy B. Borysov
YOKO-UANIC | YOKO-RIPE
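Per's explanation above (session created on the first packet with both wings already resolved; later packets match the session and skip the route lookup) can be played through in a toy model. The following Python is an added illustration, not code from the thread, from Juniper or from the SRX itself; it models a session cache in a few dozen lines, reuses the thread's names (pp0.0, pp0.1, ge-0/0/0.99, instance cat, 10.121.0.0/24), uses a constructed client address 203.0.113.5, and makes one explicit modelling assumption: the reverse wing is resolved in the routing table of the interface the first packet arrived on. It runs the inbound DNAT'ed flow twice, once with pp0.0 in inet.0 (Yuriy's forwarding-instance setup) and once with pp0.0 inside cat (the virtual-router variant), and returns the interface the LAN host's reply leaves on.

```python
"""Toy model of session-based (flow) forwarding; added illustration, not
Junos/SRX code. Tables, interfaces and addresses are constructed from the
thread."""
import ipaddress

# Constructed routing tables: inet.0 defaults to pp0.1 (ISP2), cat.inet.0
# defaults to pp0.0 (ISP1); both know the LAN via the interface route.
RIB = {
    "inet.0":     {"0.0.0.0/0": "pp0.1", "10.121.0.0/24": "ge-0/0/0.99"},
    "cat.inet.0": {"0.0.0.0/0": "pp0.0", "10.121.0.0/24": "ge-0/0/0.99"},
}
LAN = ipaddress.ip_network("10.121.0.0/24")


def route_lookup(table, dst):
    """Longest-prefix match in one table; returns the egress interface."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, egress in RIB[table].items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    return best[1]


def fbr_filter(ingress_ifl, src, default_table):
    """Models 'filter cat' on ge-0/0/0.99: LAN sources are steered to cat.
    Any other interface keeps the table it belongs to."""
    if ingress_ifl == "ge-0/0/0.99" and ipaddress.ip_address(src) in LAN:
        return "cat.inet.0"
    return default_table


class FlowEngine:
    def __init__(self, ifl_table):
        self.ifl_table = ifl_table   # which routing table each interface sits in
        self.sessions = {}           # (src, dst) -> egress interface for that wing

    def forward(self, ingress_ifl, src, dst):
        key = (src, dst)
        if key in self.sessions:
            # Fast path: an existing wing matches, so neither the ingress
            # filter nor the routing table is consulted again.
            return self.sessions[key]
        # First packet: the ingress filter may override the table for the
        # forward direction. The reverse wing is resolved right now in the
        # table of the ingress interface (modelling assumption) and cached.
        ingress_table = self.ifl_table[ingress_ifl]
        fwd_egress = route_lookup(fbr_filter(ingress_ifl, src, ingress_table), dst)
        rev_egress = route_lookup(ingress_table, src)
        self.sessions[key] = fwd_egress
        self.sessions[(dst, src)] = rev_egress
        return fwd_egress


def return_path(pp0_0_table):
    """Inbound flow arriving on pp0.0 for the DNAT'ed host, then the host's
    reply from ge-0/0/0.99. Returns the interface the reply leaves on."""
    engine = FlowEngine({"pp0.0": pp0_0_table, "pp0.1": "inet.0",
                         "ge-0/0/0.99": "inet.0"})
    client, server = "203.0.113.5", "10.121.0.101"   # constructed client; post-DNAT server
    engine.forward("pp0.0", client, server)          # first packet creates both wings
    return engine.forward("ge-0/0/0.99", server, client)   # reply hits the fast path


if __name__ == "__main__":
    print("pp0.0 in inet.0 (forwarding instance):", return_path("inet.0"))
    print("pp0.0 in cat (virtual-router):        ", return_path("cat.inet.0"))
```

With pp0.0 in inet.0 the reply goes out pp0.1 even though the filter on ge-0/0/0.99 would have picked cat, which is exactly the symptom in the original post; with pp0.0 inside cat the reverse wing is resolved in cat.inet.0 and the reply leaves on pp0.0. Whether the real box behaves this way is what the basic-datapath traceoptions Per mentions would confirm.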
[j-nsp] SRX FBR and destination nat
Hello!

I have two connections to the ISP on SRX220H (12.1X45-D15.5).

ISP1 - 1.1.1.2 on my side, 1.1.1.1 - gw (int pp0.0)
ISP2 - 2.2.2.2 on my side, 2.2.2.1 - gw (int pp0.1)

Default gateway points to pp0.1

I need to do destination nat to host in lan PC (10.121.0.101) via non
default ISP1 (int pp0.0).

First of all, configure FBR for LAN network via pp0.0:

routing-options
    interface-routes {
        rib-group inet all;
    }

    .

    rib-groups {
        all {
            import-rib [ inet.0 cat.inet.0 ];
        }

    .

    cat {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop pp0.0;
            }
        }
    }

    ..

firewall family inet filter cat
    term route-to-cat {
        from {
            source-address {
                10.121.0.0/24;
            }
        }
        then {
            routing-instance cat;
        }
    }
    term default {
        then accept;
    }

    .

interfaces ge-0/0/0.99
    description cctv;
    vlan-id 99;
    family inet {
        mtu 1500;
        filter {
            input cat;
        }
        address 10.121.0.200/24;
    }

    .

security policies from-zone cctv to-zone untrust
    policy proxmox-inet {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }

security policies from-zone untrust to-zone cctv
    policy cctv-access {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }

Everything looks OK, outgoing traffic goes via pp0.0

After that, configure dest nat:

pool cctv-rdr {
    address 10.121.0.101/32;
}

rule-set cctv-rdr {
    from interface pp0.0;
    rule cctv-rdr {
        match {
            destination-address 1.1.1.2/32;
        }
        then {
            destination-nat {
                pool {
                    cctv-rdr;
                }
            }
        }
    }
}

Traffic comes through pp0.0 but returns through pp0.1
That breaks port forward (due to uplink urpf).

Where am I wrong in my configuration?

Thanks!

--
WBR, Yuriy B. Borysov
YOKO-UANIC | YOKO-RIPE