Re: [j-nsp] Policy Based Routing
Not sure about Juniper, but on Cisco, PBR does not apply to CPU-punted packets. So, in most PBR environments you will not be able to reach interfaces routed in via PBR. PBR is often counter-intuitive to troubleshoot because it (locally) breaks most ICMP features. This may be the expected behavior or not. I cannot tell, as I don't understand the purpose of your topology.

On Mon, 23 Nov 2015 at 22:39, Cahit Eyigünlü wrote:

> Our network topology is this:
> http://forums.juniper.net/t5/image/serverpage/image-id/12913i3A1C52D8896D0604/image-size/original?v=mpbl-1=-1
> We have an MX80 router which has a connection on ae0 to our ISP.
[j-nsp] Policy Based Routing
Our network topology is this:

http://forums.juniper.net/t5/image/serverpage/image-id/12913i3A1C52D8896D0604/image-size/original?v=mpbl-1=-1

We have an MX80 router which has a connection on ae0 to our ISP:

root@mx80-core# show interfaces ae0
aggregated-ether-options {
    minimum-links 1;
    lacp {
        active;
        periodic fast;
    }
}
unit 0 {
    family inet {
        filter {
            input FWDirect;
        }
        address 10.32.35.14/30;
    }
}

[edit]
root@mx80-core# show firewall
filter FWDirect {
    term UDPFW {
        from {
            destination-address {
                185.9.159.86/32;
            }
            protocol udp;
        }
        then {
            log;
            routing-instance UDP-Routes;
        }
    }
    term TCPFW {
        from {
            destination-address {
                185.9.159.86/32;
            }
        }
        then {
            count TCPFWTR;
            log;
            routing-instance TCP-Routes;
        }
    }
    term Default {
        then accept;
    }
}

[edit]
root@mx80-core# show routing-instances
Normal-Routes {
    instance-type virtual-router;
}
TCP-Routes {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 37.123.100.122;
        }
    }
}
UDP-Routes {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 37.123.100.98;
        }
    }
}

[edit]
root@mx80-core# show protocols ospf
rib-group SPD-Route;
area 0.0.0.0 {
    interface all;
    interface ae0.0 {
        disable;
    }
}

[edit]
root@mx80-core# show routing-options rib-groups
SPD-Route {
    import-rib [ inet.0 UDP-Routes.inet.0 TCP-Routes.inet.0 ];
}

[edit]
root@mx80-core#

The router has connectivity to the routing-instance IP addresses and is logging the connections:

root@mx80-core# run ping 37.123.100.122
PING 37.123.100.122 (37.123.100.122): 56 data bytes
64 bytes from 37.123.100.122: icmp_seq=0 ttl=64 time=1.194 ms
64 bytes from 37.123.100.122: icmp_seq=1 ttl=64 time=0.956 ms
^C
--- 37.123.100.122 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.956/1.075/1.194/0.119 ms

[edit]
root@mx80-core# run ping 37.123.100.98
PING 37.123.100.98 (37.123.100.98): 56 data bytes
64 bytes from 37.123.100.98: icmp_seq=0 ttl=64 time=0.490 ms
64 bytes from 37.123.100.98: icmp_seq=1 ttl=64 time=8.739 ms
64 bytes from 37.123.100.98: icmp_seq=2 ttl=64 time=0.422 ms
^C
--- 37.123.100.98 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.422/3.217/8.739/3.905 ms

[edit]
root@mx80-core# run show firewall log
Log :
Time      Filter  Action  Interface  Protocol  Src Addr         Dest Addr
08:44:20  pfe     A       ae0.0      ICMP      212.174.232.182  185.9.159.86
08:44:19  pfe     A       ae0.0      ICMP      212.174.232.182  185.9.159.86
08:44:18  pfe     A       ae0.0      ICMP      212.174.232.182  185.9.159.86
08:44:17  pfe     A       ae0.0      ICMP      212.174.232.182  185.9.159.86
08:44:16  pfe     A       ae0.0      ICMP      212.174.232.182  185.9.159.86
08:44:15  pfe     A       ae0.0      ICMP      212.174.232.182  185.9.159.86
08:44:14  pfe     A       ae0.0      ICMP      212.174.232.182  185.9.159.86
08:44:13  pfe     A       ae0.0      ICMP      212.174.232.182  185.9.159.86
08:44:12  pfe     A       ae0.0      ICMP      212.174.232.182  185.9.159.86
08:44:11  pfe     A       ae0.0      ICMP      212.174.232.182  185.9.159.86
08:44:10  pfe     A       ae0.0      ICMP      212.174.232.182  185.9.159.86
08:44:09  pfe     A       ae0.0      ICMP      212.174.232.182  185.9.159.86

but we cannot access it from outside the network:

Request timeout for icmp_seq 14714
36 bytes from 10.32.35.14: Destination Net Unreachable
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
 4 5 00 5400 938d 0 38 01 d3ad 192.168.2.102 185.9.159.86
Request timeout for icmp_seq 14715
36 bytes from 10.32.35.14: Destination Net Unreachable
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
 4 5 00 5400 28e7 0 38 01 3e54 192.168.2.102 185.9.159.86
Request timeout for icmp_seq 14716
36 bytes from 10.32.35.14: Destination Net Unreachable
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
 4 5 00 5400 ffb1 0 38 01 6789 192.168.2.102 185.9.159.86
Request timeout for icmp_seq 14717
36 bytes from 10.32.35.14: Destination Net Unreachable
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
 4 5 00 5400 99ee 0 38 01 cd4c 192.168.2.102 185.9.159.86
Request timeout for icmp_seq 14718
36 bytes
Re: [j-nsp] Policy based routing on SRX 210
Hi Bikash,

In addition to everything, you also have to keep in mind that the SRX is a stateful device and performs a reverse route lookup when establishing a new session. Unfortunately you can't enable something like "use the interface and MAC address the packet came from" for traffic in the backward direction. Be aware of this, because in some cases of FBF the reverse route will point to a different interface than the one the first packet came through, and such an asymmetric scheme is something to be very carefully planned when you use stateful devices. If this happens, you first must have both of the interfaces in the same security zone; second, if you use NAT, it's not bad to think of which IPs the packets will have and which IPs they go to. I did not look deeply into your config, maybe it's not your case, but just keep in mind that if you send packets to ISP1 with a src-ip dedicated by ISP2, you have quite a good chance to be blocked by the uRPF check of ISP1.

--
Regards,
Pavel

___
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] Policy based routing on SRX 210
Dear all,

My PBR configuration is below. I have configured everything as suggested in Juniper's documentation. But it's not working as desired. Please help me out to sort out the issue.

ge-0/0/0 {
    unit 0 {
        description HO-LAN;
        family inet {
            address 10.139.1.1/24;
        }
    }
}
fe-0/0/5 {
    unit 0 {
        description SUBISU-INTERNET;
        family inet {
            address 10.10.10.2/29;
        }
    }
}
fe-0/0/6 {
    unit 0 {
        description ADSL;
        family inet {
            address 192.168.254.2/24;
        }
    }
}
routing-options {
    interface-routes {
        rib-group inet IMPORT-PHY;
    }
    static {
        route 0.0.0.0/0 {
            next-hop [ 10.10.10.1 1 192.168.254.1 ];
            metric 5;
        }
    }
    rib-groups {
        IMPORT-PHY {
            import-rib [ pbr_fe-0/0/5_static.inet.0 pbr_fe-0/0/6_adsl.inet.0 inet.0 ];
        }
    }
}
nat {
    source {
        rule-set trust-to-untrust {
            from zone trust;
            to zone untrust;
            rule source-nat-rule {
                match {
                    source-address 0.0.0.0/0;
                }
                then {
                    source-nat {
                        interface;
                    }
                }
            }
        }
        rule-set TRUST-TO-WIFI-NAT {
            from zone trust;
            to zone WIFI-ZONE;
            rule wifi-nat {
                match {
                    source-address 10.139.1.0/24;
                    destination-address 0.0.0.0/0;
                }
                then {
                    source-nat {
                        interface;
                    }
                }
            }
        }
    }
}
zones {
    security-zone trust {
        address-book {
            address HO-LAN 10.139.1.0/24;
        }
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            vlan.0 {
                host-inbound-traffic {
                    system-services {
                        https;
                        ping;
                        ssh;
                        all;
                    }
                }
            }
            ge-0/0/0.0 {
                host-inbound-traffic {
                    system-services {
                        https;
                        ping;
                        ssh;
                        all;
                    }
                }
            }
        }
    }
    security-zone untrust {
        host-inbound-traffic {
            system-services {
                https;
                ping;
                ssh;
                telnet;
            }
            protocols {
                all;
            }
        }
        interfaces {
            fe-0/0/5.0 {
                host-inbound-traffic {
                    system-services {
                        ping;
                        https;
                        ssh;
                        telnet;
                        ike;
                    }
                }
            }
        }
    }
    security-zone WIFI-ZONE {
        interfaces {
            fe-0/0/6.0 {
                host-inbound-traffic {
                    system-services {
                        ping;
                    }
                }
            }
        }
    }
}
policies {
    from-zone trust to-zone untrust {
        policy trust-to-untrust {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone trust to-zone WIFI-ZONE {
        policy TRUST-TO-WIFI {
            match {
                source-address HO-LAN;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
}
firewall {
    filter trust-adsl {
        term TERM1 {
            from {
                source-address {
                    10.139.1.167/32;
                }
            }
            then {
                routing-instance pbr_fe-0/0/6_adsl;
            }
        }
        term TERM2 {
            then {
                routing-instance pbr_fe-0/0/5_static;
            }
        }
    }
}
routing-instances {
    pbr_fe-0/0/5_static {
        instance-type forwarding;
        routing-options {
Re: [j-nsp] Policy based routing on SRX 210
This config is doing exactly what you configured it to do. That's how computers work. Did you want it to do something else? If so, you might want to tell us what you think it should be doing that it isn't.

On Thu, 30 Sep 2010, Bikash Bhattarai wrote:

> Dear all,
> My PBR configuration is below. I have configured everything as suggested in Juniper's documentation. But it's not working as desired. Please help me out to sort out the issue.
Re: [j-nsp] Policy based routing on SRX 210
I'm not exactly sure what you are trying to get this config to do, but at the very least you need to apply the firewall rule for the PBR to the relevant interface:

set interface x unit 0 family inet filter input trust-adsl

Joe

On Thu, Sep 30, 2010 at 5:32 AM, Bikash Bhattarai <bik...@dristi.com.np> wrote:

> Dear all,
> My PBR configuration is below. I have configured everything as suggested in Juniper's documentation. But it's not working as desired. Please help me out to sort out the issue.
Re: [j-nsp] Policy based routing on SRX 210
I want to have all the traffic default routed to 10.10.10.1, and when it comes from source address 10.139.1.167/32 it should be routed to 192.168.254.1. I have also applied the filter to the LAN interface in the inbound direction. But still all the traffic is going through 10.10.10.1 even if it originates from 10.139.1.167/32.

Regards,
Bikash

From: Joe Goldberg [mailto:joe.goldb...@falconstor.com]
Sent: Thursday, September 30, 2010 7:55 PM
To: Bikash Bhattarai
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] Policy based routing on SRX 210

> I'm not exactly sure what you are trying to get this config to do, but at the very least you need to apply the firewall rule for the PBR to the relevant interface:
> set interface x unit 0 family inet filter input trust-adsl
> Joe
Re: [j-nsp] Policy based routing on SRX 210
I'm not sure that this is the only issue, but something I just spotted under pbr_fe-0/0/6_adsl: route 0.0.0.0/24. I would have thought that if it didn't match a route in that instance, it would have been dropped. If that is the case, then something else is going wrong beforehand and the traffic isn't hitting that instance.
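As an added example (not code from the thread or from Juniper), the following Python models the filter-based-forwarding path both threads rely on: first-match filter terms, then a longest-prefix lookup in the selected instance's table. It reproduces two points raised above: the MX80 filter FWDirect sends ICMP to 185.9.159.86 into TCP-Routes because term TCPFW matches on destination only, and on the SRX a route written as 0.0.0.0/24 in pbr_fe-0/0/6_adsl matches none of the LAN's Internet-bound traffic while 0.0.0.0/0 does. The sample packets are constructed, the pbr_fe-0/0/5_static default route to 10.10.10.1 is assumed from Bikash's description, and the tables hold only the static routes as posted (the rib-group imports are not modelled).

```python
# Added example, not code from the thread or from Juniper: a small model of
# Junos filter-based forwarding.  A firewall filter is evaluated first-match; a
# term whose action is `routing-instance X` sends the packet to X's table, where
# a longest-prefix match picks the next hop.  All packets below are constructed.
from ipaddress import ip_address, ip_network


def lpm(table, dst):
    """Longest-prefix match over {prefix: next_hop}; None when nothing matches."""
    dst, best = ip_address(dst), None
    for prefix, next_hop in table.items():
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def classify(terms, pkt):
    """First-match term lookup. A term is (name, match, action); match may hold
    'src'/'dst' prefixes and 'proto'. An empty match dict matches everything."""
    for name, match, action in terms:
        if "proto" in match and pkt["proto"] != match["proto"]:
            continue
        if "dst" in match and ip_address(pkt["dst"]) not in ip_network(match["dst"]):
            continue
        if "src" in match and ip_address(pkt["src"]) not in ip_network(match["src"]):
            continue
        return name, action
    return None, "discard"  # implicit discard at the end of a Junos filter


def forward(terms, tables, pkt):
    """(term, next_hop) for a packet; next_hop is None if the chosen instance
    has no route, or the literal action when no instance is selected."""
    term, action = classify(terms, pkt)
    if action in tables:
        return term, lpm(tables[action], pkt["dst"])
    return term, action


# MX80 filter FWDirect as posted: TCPFW has no `protocol tcp`, so any non-UDP
# packet to 185.9.159.86 (the ICMP seen in the firewall log) goes to TCP-Routes.
FWDIRECT = [
    ("UDPFW", {"dst": "185.9.159.86/32", "proto": "udp"}, "UDP-Routes"),
    ("TCPFW", {"dst": "185.9.159.86/32"}, "TCP-Routes"),
    ("Default", {}, "accept"),
]
MX80_TABLES = {"TCP-Routes": {"0.0.0.0/0": "37.123.100.122"},
               "UDP-Routes": {"0.0.0.0/0": "37.123.100.98"}}

# SRX filter trust-adsl as posted; the pbr_fe-0/0/5_static default to 10.10.10.1
# is assumed from Bikash's description, and pbr_fe-0/0/6_adsl carries the
# 0.0.0.0/24 spotted on the list.  ADSL_FIXED is the intended 0.0.0.0/0.
TRUST_ADSL = [
    ("TERM1", {"src": "10.139.1.167/32"}, "pbr_fe-0/0/6_adsl"),
    ("TERM2", {}, "pbr_fe-0/0/5_static"),
]
SRX_TABLES = {"pbr_fe-0/0/5_static": {"0.0.0.0/0": "10.10.10.1"},
              "pbr_fe-0/0/6_adsl": {"0.0.0.0/24": "192.168.254.1"}}
ADSL_FIXED = {"0.0.0.0/0": "192.168.254.1"}
```

With the /24 table, TERM1 selects the ADSL instance but the lookup returns no next hop, which is the "dropped, or never reached the instance" question the last reply raises; with ADSL_FIXED the same packet resolves to 192.168.254.1.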