[j-nsp] filter based forwarding of self-generated traffic

Daniel Hagerty hag at smartleaf.com
Thu Dec 7 10:14:17 EST 2017


[ Please pardon any duplication, it looks like my first post attempt
was scrubbed. ]

    I have built up a lab to test a configuration where I'd like an
srx240 to route some of its self-generated traffic to a secondary ISP via
filter based forwarding.  I'm utterly failing at this.

    I can trivially get the config to work as I want for other hosts
being forwarded by the srx, but not the srx's own traffic.  srx
traffic that meets filter forwarding criteria always receives
"Operation not permitted" error messages, as if there's a default
reject somewhere that I haven't found.

    Can anybody tell me what I'm missing here?  I've tried fiddling
many ways and have yet to figure it out.  The seemingly relevant bits
of config are below.  Thanks in advance.

version 12.3X48-D50.6;
/* Lab snapshot: the intent is to have the SRX's own packets sourced from */
/* 10.50.1.2 (ge-0/0/2) leave via the second ISP by filter-based forwarding */
/* (FBF), while transit hosts behind ge-0/0/0 already work. */
security {
    /* Every zone pair below is any/any permit, including internet->inside */
    /* and internet->junos-host, so no policy can be the cause of the drop; */
    /* it also means these pairs carry no restriction at all in this lab. */
    policies {
        from-zone internet to-zone internet {
            policy sure {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone internet to-zone inside {
            policy sure {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone inside to-zone internet {
            policy sure {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* junos-host pairs cover the SRX's self-generated traffic in both */
        /* directions toward each zone. */
        from-zone junos-host to-zone internet {
            policy sure {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone internet to-zone junos-host {
            policy sure {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone inside to-zone junos-host {
            policy sure {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone junos-host to-zone inside {
            policy sure {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        /* Both ISP-facing interfaces sit in one zone; system-services all */
        /* accepts every host-inbound management service from the ISP side. */
        security-zone internet {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
                ge-0/0/2.0;
            }
        }
        security-zone inside {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        description "Faux Internal";
        unit 0 {
            family inet {
                /* Deactivated in this snapshot; presumably this input filter */
                /* is the transit-host FBF case the post says already works. */
                inactive: filter {
                    input forward;
                }
                address 192.168.1.1/24;
            }
        }
    }
    ge-0/0/1 {
        description "Faux isp1 ethernet";
        unit 0 {
            family inet {
                address 172.22.1.2/24;
            }
        }
    }
    ge-0/0/2 {
        description "Faux isp2 ethernet";
        unit 0 {
            family inet {
                /* Unconditional accept on the isp2 egress; it only rules out */
                /* an output filter on this interface as the source of drops. */
                filter {
                    output accept;
                }
                address 10.50.1.2/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                /* This is where FBF for self-generated traffic is attempted: */
                /* the same filter, but as an OUTPUT filter on lo0. */
                /* NOTE(review): FBF is normally applied on input filters; */
                /* whether an lo0 output filter can honor routing-instance for */
                /* locally sourced packets on this release is what to verify. */
                /* A drop at this point would surface to the local application */
                /* as the "Operation not permitted" error described in the post. */
                filter {
                    output forward;
                }
                address 10.127.1.2/32;
            }
        }
    }
}
routing-options {
    /* Interface (direct) routes are leaked from inet.0 into isp2.inet.0 so */
    /* the secondary table can resolve its own next-hop. */
    interface-routes {
        rib-group inet interface-routes;
    }
    static {
        route 0.0.0.0/0 next-hop 172.22.1.1;
    }
    rib-groups {
        interface-routes {
            import-rib [ inet.0 isp2.inet.0 ];
        }
    }
}
firewall {
    filter forward {
        term t1 {
            from {
                /* Matches only packets the SRX sources from its ge-0/0/2 */
                /* address; everything else falls through to t2. */
                source-address {
                    10.50.1.2/32;
                }
            }
            then {
                count isp2;
                log;
                /* NOTE(review): the target instance is "isp2", but the only */
                /* routing instance defined below is "cc" (the rib-group also */
                /* imports into isp2.inet.0). If this is not just a rename */
                /* made while pasting, the redirect has no matching instance. */
                routing-instance isp2;
            }
        }
        /* Catch-all: a filter's implicit final action is discard, so t2 is */
        /* what keeps all other traffic flowing through the normal table. */
        term t2 {
            then {
                count isp1;
                log;
                accept;
            }
        }
    }
    filter accept {
        term t1 {
            then accept;
        }
    }
}
routing-instances {
    /* virtual-router with its own default toward the isp2 gateway; no */
    /* interface is placed in it here (ge-0/0/2 stays in the master */
    /* instance), so reachability to 10.50.1.1 relies on the leaked */
    /* interface route. NOTE(review): name does not match the "isp2" */
    /* referenced by the filter and rib-group above. */
    cc {
        instance-type virtual-router;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.50.1.1;
            }
        }
    }
}

