How to route all network traffic for vlan through a proxy server on SRX

Question

I'm trying configure an SRX router to automatically forward all traffic through a proxy server i have in the USA. I have created a separate vlan and configured the proxy but not sure how i can route all traffic through this.

The aim of this task is create a test network which makes users appear in the location of the proxy server. (with the external ip address of the proxy)

Is this possible and how should i do this. Am i approaching this the right way?

Thanks

Does the SRX need to continue to let normal traffic flow? Why not just make the IP of the proxy server the default route? — SpacemanSpiff, Oct 27 '12 at 01:01
yeah it needs to let normal traffic flow. only need the proxy server for this one vlan — user112570, Oct 29 '12 at 10:51
Then you apply the filter below to that one VLAN, using either the HTTP/S only example or the all traffic example. — SpacemanSpiff, Oct 29 '12 at 15:04

SpacemanSpiff · Answer 1 · 2012-10-27T01:16:46.777

Here is how I usually do this on JunOS. It doesn't really matter that you're on an SRX, but keep in mind NAT rules still apply.

I recommend you do not put the proxy server on the same VLAN as the clients. It can make a nice routing loop.

set routing-options interface-routes rib-group inet IMPORT-PHY
set routing-options rib-groups IMPORT-PHY import-rib inet.0
set routing-options rib-groups IMPORT-PHY import-rib to-proxy.inet.0
set firewall family inet filter to-proxy term one from destination-port 80
set firewall family inet filter to-proxy term one from destination-port 443
set firewall family inet filter to-proxy term one then count to-proxy
set firewall family inet filter to-proxy term one then log
set firewall family inet filter to-proxy term one then routing-instance to-proxy
set firewall family inet filter to-proxy term two then count to-default-route
set firewall family inet filter to-proxy term two then log
set firewall family inet filter to-proxy term two then accept
set routing-instances to-proxy instance-type forwarding
set routing-instances to-proxy routing-options static route 0.0.0.0/0 next-hop X.X.X.X

Then, you apply that filter as a family inet filter to an interface, in your case a VLAN interface.

set interfaces vlan.0 family inet filter input to-proxy

Keep in mind, my example only traps ports 80/443 over to the proxy, if you have other applications, or you want to do this for an entire subnet, in the filter you can match on source or destination IP address or just send everything.

If you want to send ALL traffic to the proxy server from that VLAN, use these lines:

set routing-options interface-routes rib-group inet IMPORT-PHY
set routing-options rib-groups IMPORT-PHY import-rib inet.0
set routing-options rib-groups IMPORT-PHY import-rib to-proxy.inet.0
set firewall family inet filter to-proxy term one then count to-proxy
set firewall family inet filter to-proxy term one then log
set firewall family inet filter to-proxy term one then routing-instance to-proxy
set routing-instances to-proxy instance-type forwarding
set routing-instances to-proxy routing-options static route 0.0.0.0/0 next-hop X.X.X.X

How to route all network traffic for vlan through a proxy server on SRX

1 Answers1