[j-nsp] SRX FBR and destination nat

Per Westerlund p1 at westerlund.se
Thu Jun 26 15:51:31 EDT 2014


I think you are hit by the flow mechanism; this would probably work in a 
pure routing scenario.

Please verify my possible explanation with "set security flow 
traceoptions flag basic-datapath".

When the first packet is accepted, a flow is set up. It contains both 
the forward path and the reverse path, all forwarding/routing decisions 
are made at that point. At this time, nothing is known about the FBR 
setup.

When the return packet enters the FW, the filter action of setting RI to 
cat is probably noted in the packet meta-data, but when the flow engine 
then evaluates the packet, an existing flow is found, the fast-path is 
taken (no routing/forwarding lookup), and the exit path as determined 
earlier is used.

This is the reason why your setup does not work (I think).

(This is the place where I would normally suggest a fix, but I'm short 
on time and would like to try some Junos Cup challenges while I can. If 
the problem persists, please poke me.)

/Per

On 26 Jun 2014, at 15:39, Yuriy B. Borysov wrote:

> Hello!
>
> I have two connections to the ISP on SRX220H (12.1X45-D15.5).
>
> ISP1 - 1.1.1.2 on my side, 1.1.1.1 - gw (int pp0.0)
> ISP2 - 2.2.2.2 on my side, 2.2.2.1 - gw (int pp0.1)
>
> Default gateway points to pp0.1
>
> I need to do destination NAT to a host in the LAN (PC 10.121.0.101) via the
> non-default ISP1 (int pp0.0).
>
> First of all, configure FBR for LAN network via pp0.0:
>
> routing-options
> interface-routes {
>   rib-group inet all;
>   }
>
> .....
>
> rib-groups {
>   all {
>       import-rib [ inet.0 cat.inet.0 ];
>   }
> }
>
> .....
>
> cat {
>   instance-type forwarding;
>   routing-options {
>       static {
>           route 0.0.0.0/0 next-hop pp0.0;
>       }
>   }
> }
>
> ......
>
> firewall family inet filter cat
> term route-to-cat {
>   from {
>       source-address {
>           10.121.0.0/24;
>       }
>   }
>   then {
>       routing-instance cat;
>   }
> }
> term default {
>   then accept;
> }
>
> .....
>
> interfaces ge-0/0/0.99
> description cctv;
> vlan-id 99;
> family inet {
>   mtu 1500;
>   filter {
>       input cat;
>   }
>   address 10.121.0.200/24;
> }
>
> .....
>
> security policies from-zone cctv to-zone untrust
> policy proxmox-inet {
>   match {
>       source-address any;
>       destination-address any;
>       application any;
>   }
>   then {
>       permit;
>   }
> }
>
> security policies from-zone untrust to-zone cctv
> policy cctv-access {
>   match {
>       source-address any;
>       destination-address any;
>       application any;
>   }
>   then {
>       permit;
>   }
> }
>
>
> Everything looks OK; outgoing traffic goes via pp0.0.
>
> After that, configure dest nat:
>
> pool cctv-rdr {
>   address 10.121.0.101/32;
> }
>
> rule-set cctv-rdr {
>   from interface pp0.0;
>   rule cctv-rdr {
>       match {
>           destination-address 1.1.1.2/32;
>       }
>       then {
>           destination-nat {
>               pool {
>                   cctv-rdr;
>               }
>           }
>       }
>   }
> }
>
>
> Traffic comes through pp0.0 but returns through pp0.1.
> That breaks the port forward (due to uplink uRPF).
>
> Where am I wrong in my configuration?
>
> Thanks!
>
>
> --
> WBR, Yuriy B. Borysov
> YOKO-UANIC | YOKO-RIPE
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
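The following is an added illustration, not code from either poster and not a description of Junos internals: a small Python model of the session-based forwarding behaviour Per describes, using the routing tables and the destination NAT rule reconstructed from Yuriy's quoted configuration. The client address 203.0.113.5 is constructed, and routing the reverse wing from inet.0 at session setup is an assumption that encodes Per's hypothesis ("nothing is known about the FBR setup" when the flow is created). The model contrasts the stateful flow path with a pure per-packet routing lookup, which is the difference Per points to.

```python
"""Simplified model of a stateful flow engine versus per-packet (stateless) routing
with a filter-based routing (FBR) input filter on the LAN interface.

Assumption (illustrative only): the reverse wing of a session is routed from the
first packet's context, i.e. inet.0, because the FBR filter on ge-0/0/0.99 has
not been seen yet. This mirrors the explanation in the thread, not Junos code.
"""
import ipaddress
from dataclasses import dataclass

# Reconstructed from the quoted config: inet.0 defaults to ISP2 (pp0.1), the
# forwarding instance cat.inet.0 defaults to ISP1 (pp0.0); interface routes are
# shared into both tables via the rib-group.
ROUTING_TABLES = {
    "inet.0": {"0.0.0.0/0": "pp0.1", "10.121.0.0/24": "ge-0/0/0.99"},
    "cat.inet.0": {"0.0.0.0/0": "pp0.0", "10.121.0.0/24": "ge-0/0/0.99"},
}
# Destination NAT rule-set from the thread: 1.1.1.2 arriving on pp0.0 -> 10.121.0.101
DNAT_RULES = {("pp0.0", "1.1.1.2"): "10.121.0.101"}


def route_lookup(table: str, dst: str) -> str:
    """Longest-prefix match in one routing table; returns the egress interface."""
    addr = ipaddress.ip_address(dst)
    best = max(
        (ipaddress.ip_network(p) for p in ROUTING_TABLES[table]),
        key=lambda n: n.prefixlen if addr in n else -1,
    )
    return ROUTING_TABLES[table][str(best)]


def ingress_table(in_if: str, src: str) -> str:
    """Input filter 'cat' on ge-0/0/0.99: LAN sources are routed in instance cat."""
    lan = ipaddress.ip_network("10.121.0.0/24")
    if in_if == "ge-0/0/0.99" and ipaddress.ip_address(src) in lan:
        return "cat.inet.0"
    return "inet.0"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_if: str


@dataclass
class Session:
    fwd_out: str   # egress for the client -> server direction
    rev_out: str   # egress for the server -> client direction, fixed at setup
    nat_dst: str   # translated destination (the LAN host)


class FlowEngine:
    """Stateful model: the first packet makes all routing decisions, later
    packets of the same flow reuse them (fast path, no route lookup)."""

    def __init__(self) -> None:
        self.sessions: dict[tuple[str, str], Session] = {}

    def forward(self, pkt: Packet) -> tuple[str, str]:
        """Return (path taken, egress interface) for one packet."""
        # Fast path, forward direction: keyed on the original (pre-NAT) destination.
        if (pkt.src, pkt.dst) in self.sessions:
            return "fast-path", self.sessions[(pkt.src, pkt.dst)].fwd_out
        # Fast path, reverse direction: the reply from the NATed LAN host.
        for (c_src, _c_dst), s in self.sessions.items():
            if pkt.src == s.nat_dst and pkt.dst == c_src:
                return "fast-path", s.rev_out
        # Slow path: first packet. Apply DNAT and route both directions now.
        nat_dst = DNAT_RULES.get((pkt.in_if, pkt.dst), pkt.dst)
        fwd_out = route_lookup(ingress_table(pkt.in_if, pkt.src), nat_dst)
        # Assumption from the thread: the reverse wing is decided here, from inet.0,
        # because the FBR filter on the LAN interface has not been consulted.
        rev_out = route_lookup("inet.0", pkt.src)
        self.sessions[(pkt.src, pkt.dst)] = Session(fwd_out, rev_out, nat_dst)
        return "slow-path", fwd_out


def stateless_forward(pkt: Packet) -> str:
    """Pure per-packet routing: every packet gets its own filter + route lookup."""
    return route_lookup(ingress_table(pkt.in_if, pkt.src), pkt.dst)


def demo() -> dict[str, str]:
    """Inbound connection via ISP1, then the LAN host's reply, under both models."""
    eng = FlowEngine()
    inbound = Packet("203.0.113.5", "1.1.1.2", "pp0.0")            # constructed client
    reply = Packet("10.121.0.101", "203.0.113.5", "ge-0/0/0.99")   # host answers
    _, fwd = eng.forward(inbound)
    _, rev = eng.forward(reply)
    return {"inbound": fwd, "flow_reply": rev, "stateless_reply": stateless_forward(reply)}


if __name__ == "__main__":
    print(demo())
```

In the flow model the reply leaves via pp0.1 even though the `cat` filter matches it on ingress, which is the asymmetric return Yuriy observes; under per-packet routing the same reply would take cat.inet.0 and exit via pp0.0. Confirming which of these the real box does is what the suggested `basic-datapath` traceoptions are for.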

