[j-nsp] filter-based forwarding... struggling
Olivier Benghozi
olivier.benghozi at wifirst.fr
Sat Feb 15 21:30:18 EST 2014
You have to add:
set firewall filter FLEET-NAT term else-nat then accept
By the way, in 12.2R2 and later you can also drop all this rib-group + forwarding-instance stuff and just replace "then routing-instance nat-vrf" with "then next-ip 10.1.0.51" in your firewall filter, as in a Cisco-style PBR config.
regards,
Olivier
On 15 Feb 2014 at 01:41, ryanL <ryan.landry at gmail.com> wrote:
> hi. this should be dead simple, but it isn't and my google-fu is sucking.
>
> all i want to do on my ex4500 is punt traffic to a next hop. simple
> policy-based routing in cisco-speak. apparently you need a routing-instance
> to do so. fine. we'll try it.
>
> so here we go. i'm basically saying if the destination isn't other fleet
> machines in 10/8, or the source isn't any of my public ip, throw it at my
> proxy/nat box that lives at 10.1.0.51, which is learned via bgp (exabgp).
> for now, i'm testing this only on one machine - 10.1.12.2, as referenced in
> the firewall filter.
>
> // config //
>
> routing-instances {
>     nat-vrf {
>         instance-type forwarding;
>         routing-options {
>             static {
>                 route 0.0.0.0/0 next-hop 10.1.0.51;
>             }
>         }
>     }
> }
> routing-options {
>     interface-routes {
>         rib-group inet fbf-group;
>     }
>     rib-groups {
>         fbf-group {
>             import-rib [ inet.0 nat-vrf.inet.0 ];
>         }
>     }
> }
> protocols {
>     bgp {
>         group NAT-VIP {
>             family inet {
>                 unicast {
>                     rib-group fbf-group;
>                 }
>             }
>         }
>     }
> }
>
> interfaces {
>     vlan {
>         unit 112 {
>             family inet {
>                 filter {
>                     input FLEET-NAT;
>                 }
>             }
>         }
>     }
> }
>
> firewall {
>     filter FLEET-NAT {
>         term pass-1 {
>             from {
>                 source-address {
>                     <snip>;
>                 }
>             }
>             then accept;
>         }
>         term pass-2 {
>             from {
>                 destination-address {
>                     10.0.0.0/8;
>                 }
>             }
>             then accept;
>         }
>         term else-nat {
>             from {
>                 source-address {
>                     10.1.12.2/32;
>                 }
>             }
>             then {
>                 log;
>                 routing-instance nat-vrf;
>             }
>         }
>     }
> }
> // end //
>
> the routing instance nat-vrf sees the route to 10.1.0.51:
>
> # show route table nat-vrf 10.1.0.51
>
> nat-vrf.inet.0: 61 destinations, 62 routes (61 active, 0 holddown, 0 hidden)
> + = Active Route, - = Last Active, * = Both
>
> 10.1.0.51/32 *[BGP/170] 00:36:53, localpref 500
> AS path: I, validation-state: unverified
>> to 10.1.5.11 via vlan.105
>
> and we have a recursed route to the 10.1.5.11 next hop.
>
> # show route table nat-vrf 10.1.5.11
>
> nat-vrf.inet.0: 61 destinations, 62 routes (61 active, 0 holddown, 0 hidden)
> + = Active Route, - = Last Active, * = Both
>
> 10.1.5.0/24 *[Direct/0] 00:41:46
>> via vlan.105
>
> forwarding table looks ok, i think:
>
> # show route forwarding-table table nat-vrf destination 10.1.0.51
> Routing table: nat-vrf.inet
> Internet:
> Destination Type RtRef Next hop Type Index NhRef Netif
> 10.1.0.51/32 user 0 indr 131083 5
> 10.1.5.11 ucst 1639 4 vlan.105
>
> # show route forwarding-table table nat-vrf destination 10.1.5.11
> Routing table: nat-vrf.inet
> Internet:
> Destination Type RtRef Next hop Type Index NhRef Netif
> 10.1.5.0/24 user 0 rtbl 1 29
>
> i think the thing missing here is that nat-vrf doesn't have a mac address
> next-hop for 10.1.5.11/32, much like inet.0 does:
>
> # show route forwarding-table destination 10.1.5.11
> Routing table: default.inet
> Internet:
> Destination Type RtRef Next hop Type Index NhRef Netif
> 10.1.5.11/32 dest 1 0:25:90:19:93:ca ucst 1639 4 vlan.105
>
> so, when tcpdumping on 10.1.5.11, i see no packets come in from a fleet
> machine as i'd expect.
>
> the firewall log shows my curl attempts to google, so i know i'm making it
> into the else-nat term properly.
>
> # show firewall log
> Log :
> Time Filter Action Interface Protocol Src Addr Dest Addr
> 23:55:55 pfe A xe-0/0/12.0 TCP 10.1.12.2 74.125.228.230
> 23:55:54 pfe A xe-0/0/12.0 TCP 10.1.12.2 74.125.228.230
>
> i'm a bit stumped from this point forward. i entirely admit that i don't
> necessarily understand some of the knobs to turn with this setup. i did at
> least try changing the routing-instance from "forwarding" to
> "virtual-router".
>
> not quite sure how to get nat-vrf to actually do the f part. do i have to
> share arp across instances somehow as well?
>
> appreciate any pointers!
>
> ryan
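A small lint check for the condition the reply points at (a filter term that hands packets to a routing instance, or to a next-ip, without an explicit accept), added here as an example and not code from either poster. It reads the filter in "show configuration | display set" form; the sample config is constructed to mirror the thread's filter, with a placeholder source prefix where the original was snipped, and it treats next-ip the same way as routing-instance on the assumption that the advice to add accept applies to both forms.

```python
import re
from collections import defaultdict

# Constructed sample in "display set" form, mirroring the filter from the
# thread. The else-nat term redirects to nat-vrf but never accepts.
# 198.51.100.0/24 is a placeholder for the snipped public source prefix.
SAMPLE_CONFIG = """
set firewall filter FLEET-NAT term pass-1 from source-address 198.51.100.0/24
set firewall filter FLEET-NAT term pass-1 then accept
set firewall filter FLEET-NAT term pass-2 from destination-address 10.0.0.0/8
set firewall filter FLEET-NAT term pass-2 then accept
set firewall filter FLEET-NAT term else-nat from source-address 10.1.12.2/32
set firewall filter FLEET-NAT term else-nat then log
set firewall filter FLEET-NAT term else-nat then routing-instance nat-vrf
"""

# Matches the "then" actions of a term; "family inet" is optional because
# "display set" may or may not include it depending on how it was configured.
TERM_RE = re.compile(
    r"^set firewall (?:family \S+ )?filter (?P<filter>\S+) "
    r"term (?P<term>\S+) then (?P<action>.+)$"
)
# Actions that redirect the packet (assumption: both need an explicit accept).
REDIRECT_ACTIONS = ("routing-instance ", "next-ip ", "next-ip6 ")
TERMINATING = ("accept", "discard", "reject")

def parse_term_actions(config):
    """Map (filter, term) -> list of 'then' actions, in configuration order."""
    actions = defaultdict(list)
    for line in config.splitlines():
        m = TERM_RE.match(line.strip())
        if m:
            actions[(m["filter"], m["term"])].append(m["action"].strip())
    return actions

def find_redirect_terms_without_accept(config):
    """Return (filter, term) pairs that redirect traffic but never accept it."""
    findings = []
    for key, acts in parse_term_actions(config).items():
        redirects = any(a.startswith(REDIRECT_ACTIONS) for a in acts)
        terminates = any(a.split()[0] in TERMINATING for a in acts)
        if redirects and not terminates:
            findings.append(key)
    return findings

if __name__ == "__main__":
    # Print the set command that would close each gap found.
    for flt, term in find_redirect_terms_without_accept(SAMPLE_CONFIG):
        print(f"set firewall filter {flt} term {term} then accept")
```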