[j-nsp] SRx self-generated traffic

Ben Dale bdale at comlinx.com.au
Mon May 18 19:05:35 EDT 2015


On 18 May 2015, at 11:21 pm, M Abdeljawad via juniper-nsp <juniper-nsp at puck.nether.net> wrote:

> Hello
> I have three questions related to SRX self-generated traffic
> 1- How to force the SRX self-generated traffic to get out to internet through certain link (suppose I have two internet connections)?

Self-generated traffic will use inet.0 to determine the best path anywhere.  I'm not aware of any way to perform policy-based routing on self-generated traffic, as FBF is applied on ingress.

> 2- Is it possible to carry the self-generated traffic over a VPN tunnel terminated on the SRX?

Yes, however there are some caveats to this approach depending on the specific traffic you are generating.

In general though, you want to have numbered interfaces (eg: your st0.x interface has an IP address assigned to it) so that the source IP of the traffic is something sane (traffic sourced from an unnumbered tunnel interface will otherwise select the underlying interface IP address, which may be public).

Depending on what you are trying to do, you might find this useful:

set system default-address-selection

This sources all system-generated IP traffic from the loopback interface if one is defined.  Depending on which zone your loopback is in, you can then configure policies to suit.

> 3-Can we proxy the self-generated traffic to some proxy server?

In the case of traffic like syslog, DNS and software updates then yes this should be possible (for various definitions of "proxy").

Cheers,

Ben
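An added configuration fragment, not part of Ben's reply or of any Juniper documentation, showing the pieces above together: a numbered st0.0 bound to a route-based VPN, a loopback made the source of self-generated traffic via default-address-selection, the interfaces placed in zones, and a per-service source-address override. All addresses, zone names and the VPN name are assumed placeholders; IKE/IPsec proposals and gateways are omitted, so this will not commit on its own.

```junos
## Added example (not from the original message). Addresses, zone
## names and the VPN name are constructed placeholders.

## 1. Numbered tunnel interface: traffic leaving through the VPN gets
##    this private address as its source instead of the underlying
##    (possibly public) interface address.
set interfaces st0 unit 0 description "route-based VPN, numbered"
set interfaces st0 unit 0 family inet address 10.255.0.1/30

## 2. Loopback with a private address. With default-address-selection
##    it becomes the source of all system-generated IP traffic.
set interfaces lo0 unit 0 family inet address 192.168.255.1/32
set system default-address-selection

## 3. Bind the tunnel interface to the route-based VPN
##    (phase 1 / phase 2 configuration omitted here).
set security ipsec vpn vpn-to-hq bind-interface st0.0

## 4. st0.0 must belong to a zone to forward traffic; lo0.0 is placed
##    in a zone too, so zone-based configuration can reference it.
set security zones security-zone trust interfaces lo0.0
set security zones security-zone vpn interfaces st0.0

## 5. Self-generated traffic follows inet.0, so a route pointing the
##    remote management subnet into the tunnel is what steers it.
set routing-options static route 10.20.0.0/24 next-hop st0.0

## 6. Individual services can also pin their own source address,
##    independent of default-address-selection (syslog shown here).
set system syslog host 10.20.0.10 any any
set system syslog host 10.20.0.10 source-address 192.168.255.1
```

Check the result with `show route 10.20.0.10` (expect st0.0 as next hop) and, once the tunnel is up, confirm on the remote collector that messages arrive from 192.168.255.1 rather than the WAN address.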
