We've recently installed a second Internet connection, so I've somewhat successfully configured policy-based routing on the edge router, which is a Juniper J4350 running JunOS 9.5R1.8.

I followed a guide more or less exactly by example (found here: http://community.riverbed.com/rvrb/attachments/rvrb/rvrb-7/2886/1/Juniper%20PBR.pdf), and the PBR works outbound, routing traffic from specific ranges inside the LAN out through the required ISP. However, when it is enabled the filter also seems to catch other traffic: I can no longer SSH into the router on the LAN interface, and the configuration also seems to break some IPsec VPNs going through the same router.

In summary, without PBR, routing was working as expected through a single ISP with the static routes specified under routing-options.

For reference, the parts of the configuration I've added are as follows:

/* LAN-facing trunk of the edge router: unit 0 is the LAN/management subnet
   (192.168.51.13), unit 16 the Hants uplink (default gateway 10.249.16.1),
   unit 128 the DMZ and unit 150 the NetworkFlow uplink (gateway 217.20.18.49). */
ge-0/0/0 {
    vlan-tagging;
    unit 0 {
        vlan-id 1;
        family inet {
            /* PBR is an input filter, so it is evaluated for every packet arriving on
               this unit -- transit traffic and packets addressed to the router's own
               192.168.51.13 alike (management, ICMP, routing protocols; see the last
               comment on the answer). */
            filter {
                input PBR;
            }
            address 192.168.51.13/24;
        }
    }
    unit 16 {
        description Hants-ext;
        vlan-id 16;
        family inet {
            /* Flow sampling only; no filter is attached to the uplink units. */
            sampling {
                input;
                output;
            }
            address 10.249.16.126/25;
        }
    }
    unit 128 {
        description DMZ;
        vlan-id 128;
        family inet {
            address 10.249.16.129/25;
        }
    }
    unit 150 {
        description NetworkFlow;
        vlan-id 150;
        family inet {
            address 217.20.18.50/29;
        }
    }
}
/* NOTE(review): this stanza is a verbatim duplicate of the firewall { family inet { ... } }
   stanza further down, shown here without its enclosing firewall { } hierarchy. It is a
   paste fragment rather than loadable configuration; the commented copy below is the
   one to read. */
family inet {
    filter sample-in {
        term default {
            then {
                sample;
                accept;
            }
        }
    }
    filter PBR {
        term traffic_for_hants {
            from {
                source-address {
                    192.168.0.0/16;
                    172.16.0.0/16;
                    192.168.12.0/24 except;
                }
            }
            then {
                routing-instance viaHants;
            }
        }
        term traffic_for_networkflow {
            from {  
                source-address {
                    192.168.12.0/24;
                }
            }
            then {
                routing-instance viaNetworkFlow;
            }
        }
        term default {
            then accept;
        }
    }
}
routing-options {
    /* Interface (Direct/Local) routes are copied into every table listed in fbf-group,
       so each forwarding instance can resolve next-hops on ge-0/0/0.* -- the routing
       tables below confirm the Direct/Local entries in viaHants and viaNetworkFlow.
       Only interface routes are shared this way; the statics below are not, which is
       presumably why each instance repeats them. */
    interface-routes {
        rib-group inet fbf-group;
    }
    static {
        /* Internal ranges via the LAN gateways on ge-0/0/0.0; 172.16.0.0/16 and the
           default both go to the Hants uplink gateway 10.249.16.1. */
        route 192.168.0.0/16 next-hop 192.168.51.37;
        route 10.217.163.0/24 next-hop 192.168.51.37;
        route 172.19.0.0/16 next-hop 192.168.51.12;
        route 172.16.0.0/16 next-hop 10.249.16.1;
        route 0.0.0.0/0 next-hop 10.249.16.1;
    }
    rib-groups {
        /* inet.0 first, then the two forwarding-instance tables used by filter PBR. */
        fbf-group {
            import-rib [ inet.0 viaHants.inet.0 viaNetworkFlow.inet.0 ];
        }
    }
}
firewall {
    family inet {
        /* Catch-all sample-and-accept; not referenced by any interface in the
           configuration shown above. */
        filter sample-in {
            term default {
                then {
                    sample;
                    accept;
                }   
            }
        }
        /* Applied as input on ge-0/0/0.0. Every term matches on source address only,
           so the routing-instance action is taken regardless of destination -- traffic
           to the router's own address and to the IPsec peers included. */
        filter PBR {
            /* 192.168.0.0/16 contains the router's own 192.168.51.0/24 LAN, so SSH (or
               anything else) from the LAN to 192.168.51.13 is redirected into viaHants
               before it can reach the default accept term. NOTE(review): an accept term
               placed ahead of this one, matching destination-address of the router's own
               addresses and directly connected networks, keeps management and local
               traffic out of the policy route. viaHants' default route is the same
               10.249.16.1 as inet.0, so this term effectively only pins the default path. */
            term traffic_for_hants {
                from {
                    source-address {
                        192.168.0.0/16;
                        172.16.0.0/16;
                        /* Carved out of 192.168.0.0/16 so it falls through to the
                           NetworkFlow term below. */
                        192.168.12.0/24 except;
                    }
                }
                then {
                    routing-instance viaHants;
                }
            }
            /* Only 192.168.12.0/24 leaves via the second ISP (default 217.20.18.49). */
            term traffic_for_networkflow {
                from {
                    source-address {
                        192.168.12.0/24;
                    }
                }
                then {
                    routing-instance viaNetworkFlow;
                }
            }
            /* Everything else is forwarded normally from inet.0. */
            term default {
                then accept;
            }
        }
    }
    /* Another sample-and-accept catch-all; also unreferenced in the shown configuration. */
    filter all {
        term all {
            then {
                sample;
                accept;
            }
        }
    }
}
/* Two forwarding instances selected by filter PBR. Each repeats inet.0's internal static
   routes (the rib-group above shares only interface routes) and differs from inet.0 solely
   in its default route: viaHants uses the same 10.249.16.1 as inet.0, while viaNetworkFlow
   defaults to 217.20.18.49 on ge-0/0/0.150. */
routing-instances {
    viaHants {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.249.16.1;
                route 192.168.0.0/16 next-hop 192.168.51.37;
                route 10.217.163.0/24 next-hop 192.168.51.37;
                route 172.19.0.0/16 next-hop 192.168.51.12;
                route 172.16.0.0/16 next-hop 10.249.16.1;
            }
        }
    }
    viaNetworkFlow {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 217.20.18.49;
                route 192.168.0.0/16 next-hop 192.168.51.37;
                route 10.217.163.0/24 next-hop 192.168.51.37;
                route 172.19.0.0/16 next-hop 192.168.51.12;
                route 172.16.0.0/16 next-hop 10.249.16.1;
            }       
        }           
    }               
}                   

Routing tables:

inet.0: 13 destinations, 13 routes (13 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 5d 02:52:09
                    > to 10.249.16.1 via ge-0/0/0.16
10.217.163.0/24    *[Static/5] 5d 02:52:09
                    > to 192.168.51.37 via ge-0/0/0.0
10.249.16.0/25     *[Direct/0] 38w2d 11:16:31
                    > via ge-0/0/0.16
10.249.16.126/32   *[Local/0] 38w2d 11:17:33
                      Local via ge-0/0/0.16
10.249.16.128/25   *[Direct/0] 38w2d 11:16:31
                    > via ge-0/0/0.128
10.249.16.129/32   *[Local/0] 38w2d 11:17:33
                      Local via ge-0/0/0.128
172.16.0.0/16      *[Static/5] 5d 02:52:09
                    > to 10.249.16.1 via ge-0/0/0.16
172.19.0.0/16      *[Static/5] 5d 02:52:09
                    > to 192.168.51.12 via ge-0/0/0.0
192.168.0.0/16     *[Static/5] 5d 02:52:09
                    > to 192.168.51.37 via ge-0/0/0.0
192.168.51.0/24    *[Direct/0] 38w2d 11:16:31
                    > via ge-0/0/0.0
192.168.51.13/32   *[Local/0] 38w2d 11:17:33
                      Local via ge-0/0/0.0
217.20.18.48/29    *[Direct/0] 1w5d 23:06:44
                    > via ge-0/0/0.150
217.20.18.50/32    *[Local/0] 1w5d 23:06:44
                      Local via ge-0/0/0.150

viaHants.inet.0: 13 destinations, 13 routes (13 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 6d 08:47:33
                    > to 10.249.16.1 via ge-0/0/0.16
10.217.163.0/24    *[Static/5] 5d 20:07:57
                    > to 192.168.51.37 via ge-0/0/0.0
10.249.16.0/25     *[Direct/0] 5d 03:17:39
                    > via ge-0/0/0.16
10.249.16.126/32   *[Local/0] 20:39:33
                      Local via ge-0/0/0.16
10.249.16.128/25   *[Direct/0] 5d 03:17:39
                    > via ge-0/0/0.128
10.249.16.129/32   *[Local/0] 20:39:33
                      Local via ge-0/0/0.128
172.16.0.0/16      *[Static/5] 5d 20:07:57
                    > to 10.249.16.1 via ge-0/0/0.16
172.19.0.0/16      *[Static/5] 5d 20:07:57
                    > to 192.168.51.12 via ge-0/0/0.0
192.168.0.0/16     *[Static/5] 5d 20:07:57
                    > to 192.168.51.37 via ge-0/0/0.0
192.168.51.0/24    *[Direct/0] 5d 03:17:39
                    > via ge-0/0/0.0
192.168.51.13/32   *[Local/0] 20:39:33
                      Local via ge-0/0/0.0
217.20.18.48/29    *[Direct/0] 5d 03:17:39
                    > via ge-0/0/0.150
217.20.18.50/32    *[Local/0] 20:39:33
                      Local via ge-0/0/0.150

viaNetworkFlow.inet.0: 13 destinations, 13 routes (13 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 6d 08:47:33
                    > to 217.20.18.49 via ge-0/0/0.150
10.217.163.0/24    *[Static/5] 5d 20:07:57
                    > to 192.168.51.37 via ge-0/0/0.0
10.249.16.0/25     *[Direct/0] 5d 03:17:39
                    > via ge-0/0/0.16
10.249.16.126/32   *[Local/0] 20:39:33
                      Local via ge-0/0/0.16
10.249.16.128/25   *[Direct/0] 5d 03:17:39
                    > via ge-0/0/0.128
10.249.16.129/32   *[Local/0] 20:39:33
                      Local via ge-0/0/0.128
172.16.0.0/16      *[Static/5] 5d 20:07:57
                    > to 10.249.16.1 via ge-0/0/0.16
172.19.0.0/16      *[Static/5] 5d 20:07:57
                    > to 192.168.51.12 via ge-0/0/0.0
192.168.0.0/16     *[Static/5] 5d 20:07:57
                    > to 192.168.51.37 via ge-0/0/0.0
192.168.51.0/24    *[Direct/0] 5d 03:17:39
                    > via ge-0/0/0.0
192.168.51.13/32   *[Local/0] 20:39:33
                      Local via ge-0/0/0.0
217.20.18.48/29    *[Direct/0] 5d 03:17:39
                    > via ge-0/0/0.150
217.20.18.50/32    *[Local/0] 20:39:33
                      Local via ge-0/0/0.150
That's damn nice work! Since you only really need to use a different default gateway, I would change things up a little with your firewall filters by adding destination-address 0.0.0.0/0 under the from stanza of each term. That way it only gets applied when the destination is the outbound ISP. Still, that shouldn't affect accessing the management interface. I also typically add a section that imports all connected routes, but I think what you have here is doing that. Can you post the routing tables?

Here are some examples I did, where I set up a policy route to redirect traffic to an internal web filtering box.

/* Prefix lists consumed by filter web-redirect below: sources that bypass the redirect
   and internal destinations that must never be steered to the web filter. */
policy-options {
    /* Declared empty here; presumably its term matches nothing until prefixes are
       added -- confirm against the live configuration. */
    prefix-list web-redirect-src-exclusions;
    prefix-list web-redirect-dst-exclusions {
        10.254.0.0/16;
        10.254.1.10/32;
        10.254.1.11/32;
        10.254.1.12/32;
        10.254.128.10/32;
        10.254.128.11/32;
        10.254.128.12/32;
    }
}
/* Example policy route: HTTP/HTTPS traffic is steered to an internal web filter, except
   traffic from the excluded sources or to the excluded internal destinations. Term order
   provides the exclusions -- the two accept terms are evaluated before web-redirect. */
firewall {
        family inet {
            filter web-redirect {
                /* Sources that must bypass the redirect are accepted first. */
                term srx-exclusions {
                    from {
                        source-prefix-list {
                            web-redirect-src-exclusions;
                        }                   
                    }
                    then accept;
                }
                /* Internal destinations are accepted before any redirect can apply. */
                term dst-exclusions {
                    from {
                        destination-prefix-list {
                            web-redirect-dst-exclusions;
                        }
                    }
                    then accept;
                }
                /* destination-address 0.0.0.0/0 matches every destination, so the
                   effective selector here is destination-port; the exclusions come
                   from the two terms above. */
                term web-redirect {
                    from {
                        destination-address {
                            0.0.0.0/0;
                        }
                        destination-port [ http https ];
                    }
                    then {
                        routing-instance web-redirect;
                    }
                }
                /* Everything else is forwarded normally. */
                term default {
                    then accept;
                }
            }
        }
    }
    /* Forwarding instance whose only route sends the matched HTTP/HTTPS traffic to the
       web filter at 10.1.1.5. The connected-route import the answer mentions is not part
       of this excerpt. */
    routing-instances {
        web-redirect {
            instance-type forwarding;
            routing-options {
                static {
                    route 0.0.0.0/0 next-hop 10.1.1.5;
                }
            }
        }
    }
  • you might also consider only matching the ports you want, using the destination-port matching on the from side as well. – SpacemanSpiff Oct 11 '11 at 13:02
  • Edited the question to include the routing tables which look right to me. I'm guessing if the routes in the routing instances are merged into the inet0 routing table I don't need to duplicate routes there which are also in the global routing table (routing-options static xx)? – James Yale Oct 12 '11 at 09:21
  • I think the technique you used for the routing tables is similar to mine, the connected routes are available in each, so that's not it. I think the problem lies in your firewall filters and the order you're matching things. – SpacemanSpiff Oct 12 '11 at 13:07
  • There were a few other problems with my config but this answer got to the bottom of why the management traffic wasn't making it to the router, thanks! – James Yale Dec 08 '11 at 12:32
  • Remember management traffic, routing protocols, ICMP, all go to the control plane. – SpacemanSpiff Dec 08 '11 at 14:28