How to configure Filter Based Forwarding on SRX for a typical dual-ISP scenario

  [KB17223]


Summary:

Junos has a feature called Filter Based Forwarding (FBF) for routing different kinds of traffic out of different interfaces.

This article shows a configuration example of FBF in a typical dual-ISP scenario.

Symptoms:

The following example shows how to configure FBF for a common scenario. In this scenario, hosts on an internal LAN connect to the internet using two different ISPs. FBF can be used to select which traffic will be sent to which ISP. This can be used to provide load balancing and redundancy.

Solution:

Example configuration:

To implement this scenario an input firewall filter is configured on the internal LAN interface (ge-0/0/0.0 in this case). The filter directs incoming traffic into one of two forwarding routing instances (routing tables). One instance has a preferred default route towards ISP1 with a backup default route towards ISP2; in the other instance the preferences are reversed.

When one of the ISP interfaces goes down, its static default route is withdrawn from both instances and all new sessions go through the interface that is still up. Note that a static route with a directly connected next hop only disappears when the local link itself goes down; a failure further inside the ISP leaves the route in place, so production deployments normally track the path with RPM probes and ip-monitoring, which this example does not show.
In this example the traffic is source NATed to the outgoing interface IP address. This makes sure that the response from the server on the Internet comes back on the same interface, so no asymmetric traffic exists (asymmetric flows are not supported in a flow-based configuration).

The example filter sends packets with destination ports 22, 3389 or 8080 towards ISP2 and everything else to ISP1. Other match criteria, such as source or destination IP addresses, can be used instead.

interfaces {                           
    ge-0/0/0 {
        unit 0 {
            description Internal_LAN;
            family inet {
                filter {
                    input FILTER1;
                }
                address 172.30.72.253/23;
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            description ISP1;
            family inet {
                address 10.1.1.1/24;
            }
        }
    }
    fe-0/0/3 {
        unit 0 {
            description ISP2;
            family inet {
                address 10.2.2.1/24;   
            }
        }
    }
}


##### The rib group imports the directly connected (interface) routes into inet.0 and into both forwarding instances, so the static next hops in those instances can be resolved. The static default route in inet.0 is used for traffic originated by the SRX itself.

routing-options {
    interface-routes {
        rib-group inet IMPORT-PHY;
    }
    static {
        route 0.0.0.0/0 next-hop [ 10.1.1.2 10.2.2.2 ];
    }
    rib-groups {
        IMPORT-PHY {
            import-rib [ inet.0 routing-table-ISP1.inet.0 routing-table-ISP2.inet.0 ];
        }
    }
}


##### This is the filter that decides which traffic is sent to which ISP

firewall {
    filter FILTER1 {
        term mgmtallow {
            # Keeps traffic destined to the SRX itself (and the local LAN prefix) out of the
            # FBF tables, so management/host-inbound traffic keeps working.
            from {
                destination-address 172.30.72.253/23;
            }
            then {
                accept;
            }
        }
        term TERM1 {
            from {
                destination-port [ 22 3389 8080 ];
            }
            then {
                routing-instance routing-table-ISP2;
            }
        }
        term default {
            then {
                routing-instance routing-table-ISP1;
            }
        }
    }
}

routing-instances {
    routing-table-ISP1 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 {
                    next-hop 10.1.1.2;
                    qualified-next-hop 10.2.2.2 {
                        preference 100;
                    }
                }
            }
        }
    }
    routing-table-ISP2 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 {
                    next-hop 10.2.2.2;
                    qualified-next-hop 10.1.1.2 {
                        preference 100;
                    }                  
                }
            }
        }
    }
}


In addition, the necessary security policies and NAT rules need to be in place as well. Here is an example; the any/any permit policy and "system-services all" on the trust zone are for illustration only and should be restricted in production:

security {
    nat {
        source {
            rule-set OUTGOING {
                from zone trust;
                to zone untrust;
                rule rule1 {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }

    zones {
        security-zone trust {
            tcp-rst;
            host-inbound-traffic {
                system-services {      
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                fe-0/0/2.0;
                fe-0/0/3.0;
            }
        }
    }

    policies {
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}


Verifying the configuration:

Before sending test traffic, confirm with "show route table routing-table-ISP1.inet.0" and "show route table routing-table-ISP2.inet.0" that each instance holds the default route with both next hops plus the imported interface routes. Then two kinds of traffic are sent from an internal host and the resulting sessions are checked to confirm they leave the expected way. Traffic with destination port 22, 3389 or 8080 should go out via ISP2 (fe-0/0/3.0); everything else via ISP1 (fe-0/0/2.0). In each session the reply ("Out") wing is addressed to the egress interface IP, which confirms that interface source NAT was applied.

  • An internal host (172.30.73.129) opens an SSH (port 22) session to 4.4.4.4 (an internet IP address).

The resulting security flow session created in SRX:

root@srx210> show security flow session destination-port 22
Session ID: 4336, Policy name: default-permit/5, Timeout: 1784
  In: 172.30.73.129/45893 --> 4.4.4.4/22;tcp, If: ge-0/0/0.0
  Out: 4.4.4.4/22 --> 10.2.2.1/7523;tcp, If: fe-0/0/3.0

===> Correct: the session leaves via fe-0/0/3.0 (ISP2) and is NATed to 10.2.2.1.

  • An internal host (172.30.73.129) opens a telnet (port 23) session to 4.4.4.4 (an internet IP address).

The resulting security flow session created in SRX:

root@srx210> show security flow session destination-port 23
Session ID: 4380, Policy name: default-permit/5, Timeout: 1768
  In: 172.30.73.129/36448 --> 4.4.4.4/23;tcp, If: ge-0/0/0.0
  Out: 4.4.4.4/23 --> 10.1.1.1/8481;tcp, If: fe-0/0/2.0

===> Correct: the session leaves via fe-0/0/2.0 (ISP1) and is NATed to 10.1.1.1.
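The checks above can also be done mechanically. The Python script below is an added example and is not part of this KB article: it models the decisions the configuration makes (FILTER1 evaluated top-down, the preferred and backup default route in each forwarding instance, source NAT to the egress interface address) and parses "show security flow session" entries to confirm that the egress interface and the NAT source address are what the filter and routing instance require. The two session entries are the ones from this page; the third entry and the link_up dictionary that models an ISP interface being down are constructed assumptions.

```python
"""Added example (not from the Juniper KB): model the FBF decision on this page
and check 'show security flow session' entries against it."""
import ipaddress
import re

# Values below are taken from the configuration on this page.
LAN = ipaddress.ip_network("172.30.72.0/23")

# next hop -> (egress interface, interface address used for source NAT)
NEXT_HOPS = {
    "10.1.1.2": ("fe-0/0/2.0", "10.1.1.1"),  # ISP1
    "10.2.2.2": ("fe-0/0/3.0", "10.2.2.1"),  # ISP2
}

# Default route of each forwarding instance as (next hop, preference);
# lowest preference wins, the qualified-next-hop with preference 100 is the backup.
INSTANCES = {
    "routing-table-ISP1": [("10.1.1.2", 5), ("10.2.2.2", 100)],
    "routing-table-ISP2": [("10.2.2.2", 5), ("10.1.1.2", 100)],
}

FBF_PORTS = {22, 3389, 8080}  # term TERM1 of FILTER1


def select_instance(dst_ip, dst_port):
    """Evaluate FILTER1 top-down, first match wins. Returns the forwarding
    instance name, or None when term mgmtallow accepts the packet (destination
    inside the LAN prefix, handled by the normal inet.0 / host-inbound path)."""
    if ipaddress.ip_address(dst_ip) in LAN:
        return None                    # term mgmtallow: accept
    if dst_port in FBF_PORTS:
        return "routing-table-ISP2"    # term TERM1
    return "routing-table-ISP1"        # term default


def select_egress(instance, link_up=None):
    """Best usable default route in the instance. link_up (assumed model of
    interface state) maps interface name -> bool; unlisted interfaces are up.
    Returns (egress interface, NAT source address), or None if nothing is usable."""
    link_up = link_up or {}
    for nh, _pref in sorted(INSTANCES[instance], key=lambda e: e[1]):
        ifc, addr = NEXT_HOPS[nh]
        if link_up.get(ifc, True):
            return ifc, addr
    return None


SESSION_RE = re.compile(
    r"In:\s+(?P<src>[\d.]+)/(?P<sport>\d+)\s+-->\s+(?P<dst>[\d.]+)/(?P<dport>\d+);\w+,\s+If:\s+(?P<in_if>\S+)\s+"
    r"Out:\s+(?P<rsrc>[\d.]+)/(?P<rsport>\d+)\s+-->\s+(?P<nat>[\d.]+)/\d+;\w+,\s+If:\s+(?P<out_if>\S+)"
)


def check_session(session_text, link_up=None):
    """Compare one flow session entry with the expected FBF result.
    Returns a list of findings; empty means the session is consistent with
    the filter, the routing instance and interface source NAT."""
    m = SESSION_RE.search(session_text)
    if not m:
        return ["could not parse session wings"]
    instance = select_instance(m["dst"], int(m["dport"]))
    if instance is None:
        return []                      # host-inbound traffic, not subject to FBF
    expected = select_egress(instance, link_up)
    if expected is None:
        return ["no usable next hop in " + instance]
    egress_if, nat_addr = expected
    findings = []
    if m["out_if"] != egress_if:
        findings.append(f"port {m['dport']} left via {m['out_if']}, expected {egress_if} ({instance})")
    if m["nat"] != nat_addr:
        findings.append(f"reply wing targets {m['nat']}, expected interface address {nat_addr}")
    if m["rsrc"] != m["dst"]:
        findings.append("reply wing source does not match forward destination")
    return findings


# Session entries copied from the verification section of this page.
SESSION_SSH = """Session ID: 4336, Policy name: default-permit/5, Timeout: 1784
  In: 172.30.73.129/45893 --> 4.4.4.4/22;tcp, If: ge-0/0/0.0
  Out: 4.4.4.4/22 --> 10.2.2.1/7523;tcp, If: fe-0/0/3.0
"""
SESSION_TELNET = """Session ID: 4380, Policy name: default-permit/5, Timeout: 1768
  In: 172.30.73.129/36448 --> 4.4.4.4/23;tcp, If: ge-0/0/0.0
  Out: 4.4.4.4/23 --> 10.1.1.1/8481;tcp, If: fe-0/0/2.0
"""
# Constructed (not from the page): a port-22 session that left via ISP1 instead of ISP2.
SESSION_BAD = """Session ID: 1, Policy name: default-permit/5, Timeout: 1800
  In: 172.30.73.129/40000 --> 4.4.4.4/22;tcp, If: ge-0/0/0.0
  Out: 4.4.4.4/22 --> 10.1.1.1/50000;tcp, If: fe-0/0/2.0
"""

if __name__ == "__main__":
    for name, text in [("ssh", SESSION_SSH), ("telnet", SESSION_TELNET), ("bad", SESSION_BAD)]:
        print(name, check_session(text) or "Correct")
    # With ISP2 down the 'bad' session is exactly what failover should produce.
    print("bad, ISP2 down:", check_session(SESSION_BAD, {"fe-0/0/3.0": False}) or "Correct")
```

With all links up the two sessions from the page produce no findings and the constructed one produces two (wrong egress interface and wrong NAT source). Passing link_up={"fe-0/0/3.0": False} models ISP2 being down, in which case a port-22 session leaving via fe-0/0/2.0 with source 10.1.1.1 is the expected failover result and produces no findings.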