Re: [j-nsp] Policy Based Routing

2015-11-30 Thread Mattias Gyllenvarg
Not sure about Juniper, but on Cisco PBR does not apply to packets that are punted to
or originated by the CPU, i.e. to the router's own traffic.

So, in most PBR environments you will not be able to reach, from the router itself,
destinations that are only reachable via the PBR path. In your case FWDirect is an
input filter on ae0.0, so a "run ping" from the MX80 never passes through it and says
nothing about what the TCP-Routes/UDP-Routes tables can actually reach.
PBR is often counter-intuitive to troubleshoot because it (locally) breaks most
ICMP-based tools such as ping and traceroute.

This may or may not be the expected behaviour; I cannot tell, as I do not understand
the purpose of your topology.

mån 23 nov. 2015 kl 22:39 skrev Cahit Eyigünlü :

> Our network topology is as follows:
>
>
>
> http://forums.juniper.net/t5/image/serverpage/image-id/12913i3A1C52D8896D0604/image-size/original?v=mpbl-1=-1
> ​
>
>
>
>
> We have an MX80 router whose ae0 interface connects to our ISP:
>
>
>
> root@mx80-core# show interfaces ae0
> aggregated-ether-options {
>  minimum-links 1;
>  lacp {
>  active;
>  periodic fast;
>  }
> }
> unit 0 {
>  family inet {
>  filter {
>  input FWDirect;
>  }
>  address 10.32.35.14/30;
>  }
> }
>
>
> [edit]
> root@mx80-core# show firewall
> filter FWDirect {
> term UDPFW {
> from {
> destination-address {
> 185.9.159.86/32;
> }
> protocol udp;
> }
> then {
> log;
> routing-instance UDP-Routes;
> }
> }
> term TCPFW {
> from {
> destination-address {
> 185.9.159.86/32;
> }
> }
> then {
> count TCPFWTR;
> log;
> routing-instance TCP-Routes;
> }
> }
> term Default {
> then accept;
> }
> }
>
> [edit]
> root@mx80-core# show routing-instances
> Normal-Routes {
> instance-type virtual-router;
> }
> TCP-Routes {
> instance-type forwarding;
> routing-options {
> static {
> route 0.0.0.0/0 next-hop 37.123.100.122;
> }
> }
> }
> UDP-Routes {
> instance-type forwarding;
> routing-options {
> static {
> route 0.0.0.0/0 next-hop 37.123.100.98;
> }
> }
> }
>
> [edit]
> root@mx80-core# show protocols ospf
> rib-group SPD-Route;
> area 0.0.0.0 {
> interface all;
> interface ae0.0 {
> disable;
> }
> }
>
> [edit]
>
> root@mx80-core# show routing-options rib-groups
> SPD-Route {
> import-rib [ inet.0 UDP-Routes.inet.0 TCP-Routes.inet.0 ];
> }
>
> [edit]
> root@mx80-core#
>
>
>
> The router itself can reach the next-hop addresses used by the routing instances, and
> the filter log shows the traffic being matched:
>
>
> root@mx80-core# run ping 37.123.100.122
> PING 37.123.100.122 (37.123.100.122): 56 data bytes
> 64 bytes from 37.123.100.122: icmp_seq=0 ttl=64 time=1.194 ms
> 64 bytes from 37.123.100.122: icmp_seq=1 ttl=64 time=0.956 ms
> ^C
> --- 37.123.100.122 ping statistics ---
> 2 packets transmitted, 2 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 0.956/1.075/1.194/0.119 ms
>
> [edit]
> root@mx80-core# run ping 37.123.100.98
> PING 37.123.100.98 (37.123.100.98): 56 data bytes
> 64 bytes from 37.123.100.98: icmp_seq=0 ttl=64 time=0.490 ms
> 64 bytes from 37.123.100.98: icmp_seq=1 ttl=64 time=8.739 ms
> 64 bytes from 37.123.100.98: icmp_seq=2 ttl=64 time=0.422 ms
> ^C
> --- 37.123.100.98 ping statistics ---
> 3 packets transmitted, 3 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 0.422/3.217/8.739/3.905 ms
>
> [edit]
> root@mx80-core# run show firewall log
> Log :
> Time  FilterAction Interface ProtocolSrc Addr
>Dest Addr
> 08:44:20  pfe   A  ae0.0 ICMP212.174.232.182
> 185.9.159.86
> 08:44:19  pfe   A  ae0.0 ICMP212.174.232.182
> 185.9.159.86
> 08:44:18  pfe   A  ae0.0 ICMP212.174.232.182
> 185.9.159.86
> 08:44:17  pfe   A  ae0.0 ICMP212.174.232.182
> 185.9.159.86
> 08:44:16  pfe   A  ae0.0 ICMP212.174.232.182
> 185.9.159.86
> 08:44:15  pfe   A  ae0.0 ICMP212.174.232.182
> 185.9.159.86
> 08:44:14  pfe   A  ae0.0 ICMP212.174.232.182
> 185.9.159.86
> 08:44:13  pfe   A  ae0.0 ICMP212.174.232.182
> 185.9.159.86
> 08:44:12  pfe   A  ae0.0 ICMP212.174.232.182
> 185.9.159.86
> 08:44:11  pfe   A  ae0.0 ICMP212.174.232.182
> 185.9.159.86
> 08:44:10  pfe   A  ae0.0 ICMP212.174.232.182
> 185.9.159.86
> 08:44:09  pfe   A  ae0.0 ICMP212.174.232.182
> 185.9.159.86
>
>
>
> but 185.9.159.86 cannot be reached from outside the network; the MX80's ae0 address (10.32.35.14) answers with Destination Net Unreachable:
>
>
>
> Request timeout for icmp_seq 14714
> 36 bytes from 10.32.35.14: Destination Net Unreachable
> Vr HL TOS  Len   ID Flg  off TTL Pro  cks  Src  Dst
>  4  5  00 5400 938d   0   38  01 d3ad 

[j-nsp] Policy Based Routing

2015-11-23 Thread Cahit Eyigünlü
Our network topology is as follows:


http://forums.juniper.net/t5/image/serverpage/image-id/12913i3A1C52D8896D0604/image-size/original?v=mpbl-1=-1




We have an MX80 router whose ae0 interface connects to our ISP:



root@mx80-core# show interfaces ae0
/* ae0: LACP bundle towards the ISP. minimum-links 1 keeps the bundle up with a single member link. */
aggregated-ether-options {
 minimum-links 1;
 lacp {
 active;
 periodic fast;
 }
}
unit 0 {
 family inet {
 /* FWDirect is an INPUT filter: it only sees packets arriving from the ISP on ae0.0.
    Locally generated traffic ("run ping" from the router) never passes through it. */
 filter {
 input FWDirect;
 }
 /* ISP-facing /30. This is the source of the "Destination Net Unreachable" seen in the
    failing ping from outside, i.e. the unreachable is generated by the MX80 itself,
    not by an upstream hop. */
 address 10.32.35.14/30;
 }
}


[edit]
root@mx80-core# show firewall
/* Filter-based forwarding (FBF) for the single host 185.9.159.86: the matching term decides
   which routing table performs the lookup. Terms are evaluated top-down; first match wins. */
filter FWDirect {
/* UDP to the host -> UDP-Routes (default route via 37.123.100.98). */
term UDPFW {
from {
destination-address {
185.9.159.86/32;
}
protocol udp;
}
then {
/* No "count" here, unlike TCPFW; a counter makes it easy to see whether UDP ever matches. */
log;
routing-instance UDP-Routes;
}
}
/* NOTE(review): there is no "protocol tcp" match, so this term catches ALL remaining traffic
   to the host - ICMP included. The ICMP entries from 212.174.232.182 in "show firewall log"
   are therefore being sent into TCP-Routes rather than forwarded normally. Add
   "protocol tcp;" if only TCP is meant to take this path. */
term TCPFW {
from {
destination-address {
185.9.159.86/32;
}
}
then {
count TCPFWTR;
log;
routing-instance TCP-Routes;
}
}
/* Everything else: normal lookup in inet.0. */
term Default {
then accept;
}
}

[edit]
root@mx80-core# show routing-instances
/* NOTE(review): Normal-Routes is not referenced by any filter term or interface in the
   configuration shown; it looks unused. */
Normal-Routes {
instance-type virtual-router;
}
/* FBF table for term TCPFW. Only a default route is configured, and its next-hop must be
   resolvable inside TCP-Routes.inet.0. The rib-group SPD-Route is attached under
   "protocols ospf" only, so OSPF routes are copied here but directly connected (interface)
   routes are not. If 37.123.100.122 sits on a directly connected subnet, this table has no
   route to it unless "routing-options interface-routes rib-group inet ..." is configured
   somewhere not shown; an unresolvable default leaves the policy-routed packets without a
   route, which is consistent with the "Destination Net Unreachable" returned by 10.32.35.14.
   Verify with "show route table TCP-Routes.inet.0". */
TCP-Routes {
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 next-hop 37.123.100.122;
}
}
}
/* Same structure for term UDPFW; the same next-hop resolution caveat applies to 37.123.100.98. */
UDP-Routes {
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 next-hop 37.123.100.98;
}
}
}

[edit]
root@mx80-core# show protocols ospf
/* SPD-Route copies OSPF-learned routes into inet.0, UDP-Routes.inet.0 and TCP-Routes.inet.0.
   This shares OSPF routes only; interface (direct) routes are not covered by this statement. */
rib-group SPD-Route;
area 0.0.0.0 {
/* NOTE(review): "interface all" enables OSPF on every interface except those disabled below,
   and no authentication is configured in this stanza. Listing interfaces explicitly (and
   authenticating them) avoids a newly added interface silently forming adjacencies. */
interface all;
/* OSPF is switched off towards the ISP link. */
interface ae0.0 {
disable;
}
}

[edit]

root@mx80-core# show routing-options rib-groups
/* Attached only under "protocols ospf" above. Nothing in the configuration shown shares
   interface (direct) routes into the two FBF tables; that would need
   "routing-options interface-routes rib-group inet <group>". */
SPD-Route {
import-rib [ inet.0 UDP-Routes.inet.0 TCP-Routes.inet.0 ];
}

[edit]
root@mx80-core#



The router itself can reach the next-hop addresses used by the routing instances, and
the filter log shows the traffic being matched:


root@mx80-core# run ping 37.123.100.122
PING 37.123.100.122 (37.123.100.122): 56 data bytes
64 bytes from 37.123.100.122: icmp_seq=0 ttl=64 time=1.194 ms
64 bytes from 37.123.100.122: icmp_seq=1 ttl=64 time=0.956 ms
^C
--- 37.123.100.122 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.956/1.075/1.194/0.119 ms

[edit]
root@mx80-core# run ping 37.123.100.98
PING 37.123.100.98 (37.123.100.98): 56 data bytes
64 bytes from 37.123.100.98: icmp_seq=0 ttl=64 time=0.490 ms
64 bytes from 37.123.100.98: icmp_seq=1 ttl=64 time=8.739 ms
64 bytes from 37.123.100.98: icmp_seq=2 ttl=64 time=0.422 ms
^C
--- 37.123.100.98 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.422/3.217/8.739/3.905 ms

[edit]
root@mx80-core# run show firewall log
Log :
Time  FilterAction Interface ProtocolSrc Addr   
  Dest Addr
08:44:20  pfe   A  ae0.0 ICMP212.174.232.182
  185.9.159.86
08:44:19  pfe   A  ae0.0 ICMP212.174.232.182
  185.9.159.86
08:44:18  pfe   A  ae0.0 ICMP212.174.232.182
  185.9.159.86
08:44:17  pfe   A  ae0.0 ICMP212.174.232.182
  185.9.159.86
08:44:16  pfe   A  ae0.0 ICMP212.174.232.182
  185.9.159.86
08:44:15  pfe   A  ae0.0 ICMP212.174.232.182
  185.9.159.86
08:44:14  pfe   A  ae0.0 ICMP212.174.232.182
  185.9.159.86
08:44:13  pfe   A  ae0.0 ICMP212.174.232.182
  185.9.159.86
08:44:12  pfe   A  ae0.0 ICMP212.174.232.182
  185.9.159.86
08:44:11  pfe   A  ae0.0 ICMP212.174.232.182
  185.9.159.86
08:44:10  pfe   A  ae0.0 ICMP212.174.232.182
  185.9.159.86
08:44:09  pfe   A  ae0.0 ICMP212.174.232.182
  185.9.159.86



but 185.9.159.86 cannot be reached from outside the network; the MX80's ae0 address (10.32.35.14) answers with Destination Net Unreachable:



Request timeout for icmp_seq 14714
36 bytes from 10.32.35.14: Destination Net Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks  Src  Dst
 4  5  00 5400 938d   0   38  01 d3ad 192.168.2.102  185.9.159.86

Request timeout for icmp_seq 14715
36 bytes from 10.32.35.14: Destination Net Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks  Src  Dst
 4  5  00 5400 28e7   0   38  01 3e54 192.168.2.102  185.9.159.86

Request timeout for icmp_seq 14716
36 bytes from 10.32.35.14: Destination Net Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks  Src  Dst
 4  5  00 5400 ffb1   0   38  01 6789 192.168.2.102  185.9.159.86

Request timeout for icmp_seq 14717
36 bytes from 10.32.35.14: Destination Net Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks  Src  Dst
 4  5  00 5400 99ee   0   38  01 cd4c 192.168.2.102  185.9.159.86

Request timeout for icmp_seq 14718
36 bytes 

Re: [j-nsp] Policy based routing on SRX 210

2010-10-01 Thread Pavel Lunin
Hi Bikash,

In addition to everything else, you also have to keep in mind that the SRX is a
stateful device and performs a reverse route lookup when establishing a new session.
Unfortunately there is no option along the lines of "send the return traffic back out the
interface and to the MAC address the first packet came from".

Be aware of this, because in some FBF cases the reverse route will point to a
different interface than the one the first packet came through, and such an
asymmetric scheme is something to be planned very carefully when you use
stateful devices.

If this happens you first must have both interfaces in the same security zone; second,
if you use NAT, it is worth thinking about which source IPs the packets will carry and
which ISP they go to. I did not look deeply into your config, maybe it's not your case,
but keep in mind that if you send packets to ISP1 with a source IP assigned by ISP2,
there is a good chance they will be dropped by ISP1's uRPF check.

--
Regards,
Pavel


[j-nsp] Policy based routing on SRX 210

2010-09-30 Thread Bikash Bhattarai
Dear all,

 

My PBR configuration is below. I have configured everything as suggested in
Juniper's documentation, but it's not working as desired. Please help me
sort out the issue.

 

 

ge-0/0/0 {

unit 0 {

description HO-LAN;

family inet {

address 10.139.1.1/24;





   

fe-0/0/5 {

unit 0 {

description SUBISU-INTERNET;

family inet {

address 10.10.10.2/29;

   

 

fe-0/0/6 {

unit 0 {

description ADSL;

family inet {

address 192.168.254.2/24;



 

  

  

routing-options {

interface-routes {

rib-group inet IMPORT-PHY;

}

static {

route 0.0.0.0/0 {

next-hop [ 10.10.10.1 1 192.168.254.1 ];

metric 5;

 

}

rib-groups {

IMPORT-PHY {

import-rib [ pbr_fe-0/0/5_static.inet.0 pbr_fe-0/0/6_adsl.inet.0
inet.0 ];

   

nat {

source {

rule-set trust-to-untrust {

from zone trust;

to zone untrust;

rule source-nat-rule {

match {

source-address 0.0.0.0/0;

}

then {

source-nat {

interface;

  

  

rule-set TRUST-TO-WIFI-NAT {

from zone trust;

to zone WIFI-ZONE;

rule wifi-nat {

match {

source-address 10.139.1.0/24;

destination-address 0.0.0.0/0;

}

then {

source-nat {

interface;

  

   

  

   

zones {

security-zone trust {

address-book {

address HO-LAN 10.139.1.0/24;

   

}

host-inbound-traffic {

system-services {

all;

}

protocols {

   all;

}

}

interfaces {

vlan.0 {

host-inbound-traffic {

system-services {

https;

ping;

ssh;

all;

}

}

}

ge-0/0/0.0 {

host-inbound-traffic {

system-services {

https;

ping;

ssh;

all;

}

}

}

}

}

security-zone untrust {

/* NOTE(review): zone-wide host-inbound-traffic for the ISP-facing "untrust" zone.
   Every interface placed in this zone accepts these management services from the
   Internet, and telnet is cleartext. Prefer ssh only (plus ping if really needed) and
   restrict sources with a loopback filter; "protocols all" also accepts any routing
   protocol from the ISP side. */
host-inbound-traffic {

system-services {

https;

ping;

ssh;

telnet;

}

protocols {

all;

}   

}

interfaces {

fe-0/0/5.0 {

host-inbound-traffic {

system-services {

ping;

https;

ssh;

telnet;

ike;



   

   

security-zone WIFI-ZONE {

interfaces {

fe-0/0/6.0 {

host-inbound-traffic {

system-services {

ping;

 



policies {

from-zone trust to-zone untrust {

policy trust-to-untrust {

match {

source-address any;

destination-address any;

application any;

}

then {

permit;

}

   

  





   

 

   

 

 

 

from-zone trust to-zone WIFI-ZONE {

policy TRUST-TO-WIFI {

match {

source-address HO-LAN;

destination-address any;

application any;

}

then {

permit;



 

  

   

 

 

}

firewall {

filter trust-adsl {

term TERM1 {

from {

source-address {

10.139.1.167/32;

}

}

then {

routing-instance pbr_fe-0/0/6_adsl;

}

}

term TERM2 {

then {

routing-instance 

Re: [j-nsp] Policy based routing on SRX 210

2010-09-30 Thread Brandon Ross
This config is doing exactly what you configured it to do.  That's how 
computers work.  Did you want it to do something else?  If so, you might 
want to tell us what you think it should be doing that it isn't.


On Thu, 30 Sep 2010, Bikash Bhattarai wrote:


Dear all,



My PBR configuration is below. I have configured everything as suggested in
juniper's documentation. But it's not working as desired. Please help me out
to sort out the issue.





   ge-0/0/0 {

   unit 0 {

   description HO-LAN;

   family inet {

   address 10.139.1.1/24;







   fe-0/0/5 {

   unit 0 {

   description SUBISU-INTERNET;

   family inet {

   address 10.10.10.2/29;





   fe-0/0/6 {

   unit 0 {

   description ADSL;

   family inet {

   address 192.168.254.2/24;









routing-options {

   interface-routes {

   rib-group inet IMPORT-PHY;

   }

   static {

   route 0.0.0.0/0 {

   next-hop [ 10.10.10.1 1 192.168.254.1 ];

   metric 5;



   }

   rib-groups {

   IMPORT-PHY {

   import-rib [ pbr_fe-0/0/5_static.inet.0 pbr_fe-0/0/6_adsl.inet.0
inet.0 ];



   nat {

   source {

   rule-set trust-to-untrust {

   from zone trust;

   to zone untrust;

   rule source-nat-rule {

   match {

   source-address 0.0.0.0/0;

   }

   then {

   source-nat {

   interface;





   rule-set TRUST-TO-WIFI-NAT {

   from zone trust;

   to zone WIFI-ZONE;

   rule wifi-nat {

   match {

   source-address 10.139.1.0/24;

   destination-address 0.0.0.0/0;

   }

   then {

   source-nat {

   interface;









   zones {

   security-zone trust {

   address-book {

   address HO-LAN 10.139.1.0/24;



   }

   host-inbound-traffic {

   system-services {

   all;

   }

   protocols {

  all;

   }

   }

   interfaces {

   vlan.0 {

   host-inbound-traffic {

   system-services {

   https;

   ping;

   ssh;

   all;

   }

   }

   }

   ge-0/0/0.0 {

   host-inbound-traffic {

   system-services {

   https;

   ping;

   ssh;

   all;

   }

   }

   }

   }

   }

   security-zone untrust {

   host-inbound-traffic {

   system-services {

   https;

   ping;

   ssh;

   telnet;

   }

   protocols {

   all;

   }

   }

   interfaces {

   fe-0/0/5.0 {

   host-inbound-traffic {

   system-services {

   ping;

   https;

   ssh;

   telnet;

   ike;







   security-zone WIFI-ZONE {

   interfaces {

   fe-0/0/6.0 {

   host-inbound-traffic {

   system-services {

   ping;





   policies {

   from-zone trust to-zone untrust {

   policy trust-to-untrust {

   match {

   source-address any;

   destination-address any;

   application any;

   }

   then {

   permit;

   }





















   from-zone trust to-zone WIFI-ZONE {

   policy TRUST-TO-WIFI {

   match {

   source-address HO-LAN;

   destination-address any;

   application any;

   }

   then {

   permit;













}

firewall {

   /* Filter-based forwarding for the LAN. To take effect it has to be applied as
      "family inet filter input" on the interface the traffic enters; it then decides
      which routing table performs the lookup for each packet. */
   filter trust-adsl {

   /* Only host 10.139.1.167 is sent via the ADSL table. */
   term TERM1 {

   from {

   source-address {

   10.139.1.167/32;

   }

   }

   then {

   routing-instance pbr_fe-0/0/6_adsl;

   }

   }

   /* NOTE(review): TERM2 has no "from" clause, so every other packet entering the
      interface - including traffic to the SRX itself and to other directly connected
      subnets - is looked up in pbr_fe-0/0/5_static. That table must therefore carry
      the interface routes (IMPORT-PHY is meant to import them; Juniper's FBF examples
      list the primary table inet.0 first in import-rib, here it is last - verify with
      "show route table pbr_fe-0/0/5_static.inet.0"). If only the /32 needs special
      treatment, a plain "then accept;" here leaves everything else on inet.0. */
   term TERM2 {

   then {

   routing-instance pbr_fe-0/0/5_static;

   }

   }

   }

}

routing-instances {

   pbr_fe-0/0/5_static {

   instance-type forwarding;

   routing-options {

  

Re: [j-nsp] Policy based routing on SRX 210

2010-09-30 Thread Joe Goldberg
I'm not exactly sure what you are trying to get this config to do, but at
the very least you need to apply the firewall filter used for the PBR as an
input filter on the interface the traffic enters (the LAN side here),

set interface x unit 0 family inet filter input trust-adsl

Joe



On Thu, Sep 30, 2010 at 5:32 AM, Bikash Bhattarai bik...@dristi.com.np wrote:

 Dear all,



 My PBR configuration is below. I have configured everything as suggested in
 juniper's documentation. But it's not working as desired. Please help me
 out
 to sort out the issue.





ge-0/0/0 {

unit 0 {

description HO-LAN;

family inet {

address 10.139.1.1/24;







fe-0/0/5 {

unit 0 {

description SUBISU-INTERNET;

family inet {

address 10.10.10.2/29;





fe-0/0/6 {

unit 0 {

description ADSL;

family inet {

address 192.168.254.2/24;









 routing-options {

interface-routes {

rib-group inet IMPORT-PHY;

}

static {

route 0.0.0.0/0 {

next-hop [ 10.10.10.1 1 192.168.254.1 ];

metric 5;



}

rib-groups {

IMPORT-PHY {

import-rib [ pbr_fe-0/0/5_static.inet.0 pbr_fe-0/0/6_adsl.inet.0
 inet.0 ];



nat {

source {

rule-set trust-to-untrust {

from zone trust;

to zone untrust;

rule source-nat-rule {

match {

source-address 0.0.0.0/0;

}

then {

source-nat {

interface;





rule-set TRUST-TO-WIFI-NAT {

from zone trust;

to zone WIFI-ZONE;

rule wifi-nat {

match {

source-address 10.139.1.0/24;

destination-address 0.0.0.0/0;

}

then {

source-nat {

interface;









zones {

security-zone trust {

address-book {

address HO-LAN 10.139.1.0/24;



}

host-inbound-traffic {

system-services {

all;

}

protocols {

   all;

}

}

interfaces {

vlan.0 {

host-inbound-traffic {

system-services {

https;

ping;

ssh;

all;

}

}

}

ge-0/0/0.0 {

host-inbound-traffic {

system-services {

https;

ping;

ssh;

all;

}

}

}

}

}

security-zone untrust {

host-inbound-traffic {

system-services {

https;

ping;

ssh;

telnet;

}

protocols {

all;

}

}

interfaces {

fe-0/0/5.0 {

host-inbound-traffic {

system-services {

ping;

https;

ssh;

telnet;

ike;







security-zone WIFI-ZONE {

interfaces {

fe-0/0/6.0 {

host-inbound-traffic {

system-services {

ping;





policies {

from-zone trust to-zone untrust {

policy trust-to-untrust {

match {

source-address any;

destination-address any;

application any;

}

then {

permit;

}





















from-zone trust to-zone WIFI-ZONE {

policy TRUST-TO-WIFI {

match {

source-address HO-LAN;

destination-address any;

application any;

}

then {

permit;













 }

 firewall {

filter trust-adsl {

term TERM1 {

from {

source-address {

10.139.1.167/32;

}

}

then {

routing-instance pbr_fe-0/0/6_adsl;

}

}

term TERM2 {


Re: [j-nsp] Policy based routing on SRX 210

2010-09-30 Thread Bikash Bhattarai
I want all traffic routed to 10.10.10.1 by default, but traffic from source address
10.139.1.167/32 should be routed to 192.168.254.1. I have also applied the filter to
the LAN interface in the input direction. But still all traffic goes through
10.10.10.1, even when it originates from 10.139.1.167/32.

 

 

Regards,

Bikash 

 

From: Joe Goldberg [mailto:joe.goldb...@falconstor.com] 
Sent: बिहीवार, सेप्टेम्बर 30, 2010 7:55 PM
To: Bikash Bhattarai
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] Policy based routing on SRX 210

 

I'm not exactly sure what you are trying to get this config to do, but at the 
very least you need to apply the firewall rule for the PBR to the relevant 
interface, 

 

set interface x unit 0 family inet filter input trust-adsl 

 

Joe



 

On Thu, Sep 30, 2010 at 5:32 AM, Bikash Bhattarai bik...@dristi.com.np wrote:

Dear all,



My PBR configuration is below. I have configured everything as suggested in
juniper's documentation. But it's not working as desired. Please help me out
to sort out the issue.





   ge-0/0/0 {

   unit 0 {

   description HO-LAN;

   family inet {

   address 10.139.1.1/24;







   fe-0/0/5 {

   unit 0 {

   description SUBISU-INTERNET;

   family inet {

   address 10.10.10.2/29;





   fe-0/0/6 {

   unit 0 {

   description ADSL;

   family inet {

   address 192.168.254.2/24;









routing-options {

   interface-routes {

   rib-group inet IMPORT-PHY;

   }

   static {

   route 0.0.0.0/0 {

   next-hop [ 10.10.10.1 1 192.168.254.1 ];

   metric 5;



   }

   rib-groups {

   IMPORT-PHY {

   import-rib [ pbr_fe-0/0/5_static.inet.0 pbr_fe-0/0/6_adsl.inet.0
inet.0 ];



   nat {

   source {

   rule-set trust-to-untrust {

   from zone trust;

   to zone untrust;

   rule source-nat-rule {

   match {

   source-address 0.0.0.0/0;

   }

   then {

   source-nat {

   interface;





   rule-set TRUST-TO-WIFI-NAT {

   from zone trust;

   to zone WIFI-ZONE;

   rule wifi-nat {

   match {

   source-address 10.139.1.0/24;

   destination-address 0.0.0.0/0;

   }

   then {

   source-nat {

   interface;









   zones {

   security-zone trust {

   address-book {

   address HO-LAN 10.139.1.0/24;



   }

   host-inbound-traffic {

   system-services {

   all;

   }

   protocols {

  all;

   }

   }

   interfaces {

   vlan.0 {

   host-inbound-traffic {

   system-services {

   https;

   ping;

   ssh;

   all;

   }

   }

   }

   ge-0/0/0.0 {

   host-inbound-traffic {

   system-services {

   https;

   ping;

   ssh;

   all;

   }

   }

   }

   }

   }

   security-zone untrust {

   host-inbound-traffic {

   system-services {

   https;

   ping;

   ssh;

   telnet;

   }

   protocols {

   all;

   }

   }

   interfaces {

   fe-0/0/5.0 {

   host-inbound-traffic {

   system-services {

   ping;

   https;

   ssh;

   telnet;

   ike;







   security-zone WIFI-ZONE {

   interfaces {

   fe-0/0/6.0 {

   host-inbound-traffic {

   system-services {

   ping;





   policies {

   from-zone trust to-zone untrust {

   policy trust-to-untrust {

   match {

   source-address any;

   destination-address any;

   application any;

   }

   then {

   permit;

   }





















   from-zone trust to-zone WIFI-ZONE {

   policy TRUST-TO-WIFI {

   match {

   source-address HO-LAN;

   destination-address

Re: [j-nsp] Policy based routing on SRX 210

2010-09-30 Thread Heath Jones
I'm not sure that this is the only issue, but something I just spotted
under pbr_fe-0/0/6_adsl:
route 0.0.0.0/24

(that is a /24, not the 0.0.0.0/0 default route you presumably intended.)
I would have thought that if a packet did not match any route in that instance it
would be dropped. If that is the case, then something else is going wrong beforehand
and the traffic isn't hitting that instance at all.