FBF is not working

eng_gannaeng_ganna Registered Users Posts: 3 ■□□□□□□□□□
Hi all,
below is my FBF configuration on Juniper srx 240

vlan {
unit 0 {
description Internal_LAN;
family inet {
filter {
input FILTER1;
}
address 172.20.1.1/16;
}
}
}
}
routing-options {
interface-routes {
rib-group inet IMPORT-PHY;
}
static {
route 0.0.0.0/0 next-hop [ a.a.a.57 b.b.b.25 c.c.c.65 d.d.d.73 e.e.e.1 ];
route a.a.a.57/32 next-hop a.a.a.58;
}
rib-groups {
IMPORT-PHY {
import-rib [ inet.0 routing-table-ISP1.inet.0 routing-table-ISP2.inet.0 routing-table-ISP3.inet.0 routing-table-ISP4.inet.0 routing-table-ISP5.inet.0 ];
}
}
}
protocols {
isis {
rib-group inet IMPORT-PHY;
interface all;
}
}
security {
nat {
source {
rule-set interface-nat {
from zone trust;
to zone untrust;
rule rule1 {
match {
source-address 0.0.0.0/0;
destination-address 0.0.0.0/0;
}
then {
source-nat interface;
}
}
}
}
}
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
queue-size 2000;
timeout 20;
}
land;
}
}
}
zones {
security-zone trust {
tcp-rst;
host-inbound-traffic {
system-services {
any-service;
}
protocols {
all;
}
}
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
http;
https;
ssh;
telnet;
dhcp;
ping;
}
}
}
vlan.0 {
host-inbound-traffic {
system-services {
any-service;
}
}
}
ge-0/0/1.0;
ge-0/0/2.0;
ge-0/0/3.0;
}
}
security-zone untrust {

screen untrust-screen;
interfaces {
ge-0/0/4.0 {
host-inbound-traffic {
system-services {
dhcp;
}
}
}
ge-0/0/5.0 {
host-inbound-traffic {
system-services {
dhcp;
}
}
}
ge-0/0/6.0;
ge-0/0/7.0 {
host-inbound-traffic {
system-services {
dhcp;
}
}
}
ge-0/0/8.0 {
host-inbound-traffic {
system-services {
dhcp;
}
}
}
}
}
}
policies {
from-zone trust to-zone trust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone untrust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone trust {
policy default-deny {
match {
source-address any;
destination-address any;
application [ junos-http junos-http-ext junos-https ];
}
then {
permit;
}
}
}
}
utm {
feature-profile {
anti-virus {
type kaspersky-lab-engine;
}
}
utm-policy UTM-Policy {
anti-virus {
http-profile junos-av-defaults;
}
traffic-options {
sessions-per-client {
over-limit log-and-permit;
}
}
}
}
}
firewall {
filter FILTER1 {
term TERM1 {
from {
source-address {
172.20.1.4/32;
172.20.1.3/32;
10.1.1.51/32;
}
}
then {
routing-instance routing-table-ISP1;
}
}
term TERM3 {
from {
source-address {
172.20.1.5/32;
172.20.1.6/32;
172.20.1.7/32;
172.20.1.8/32;
}
}
then {
routing-instance routing-table-ISP2;
}
}
term TERM2 {
from {
source-address {
172.20.1.9/32;
}
}
then {
routing-instance routing-table-ISP3;
}
}
term TERM4 {
from {
source-address {
172.20.1.10/32;
172.20.1.11/32;
172.20.1.12/32;
}
}
then {
routing-instance routing-table-ISP4;
}
}
term TERM5 {
from {
source-address {
172.20.1.13/32;
172.20.1.14/32;
172.20.1.15/32;
}
}
then {
routing-instance routing-table-ISP5;
}
}
term TERM6 {
from {
source-address {
172.20.1.16/32;
172.20.1.17/32;
}
}
then {
routing-instance routing-table-ISP6;
}
}
term deny {
from {
source-address {
10.0.0.0/8;
192.168.0.0/16;
}
}
then {
reject network-unreachable;
}
}
term Default {
then accept;
}
}
}
routing-instances {
"routing-table-ISP1 " {
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 {
next-hop a.a.a.57;
preference 100;
}
}
}
}
routing-table-ISP2 {
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 {
next-hop b.b.b.25;
preference 100;
}
}
}
}
routing-table-ISP3 {
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 {
next-hop e.e.e.1;
preference 100;
}
}
}
}
routing-table-ISP4 {
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 {
next-hop c.c.c.65;
preference 100;
}
}
}
}
routing-table-ISP5 {
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 {
next-hop d.d.d.73;
preference 100;
}
}
}
}
}
vlans {
vlan-trust {
vlan-id 3;
l3-interface vlan.0;
}
}

the summary of above configuration is that ge-0/0/1-->ge-0/0/3 is in internal lan (trusted zone) and logical interface vlan.0 is layer3 interface (172.20.1.1/16)
and interfaces ge-0/0/4-->ge0/0/8 is in untrusted zone
and each port in untrusted zone is connected to router from diffrent isp
so I did filter based forwarding (FILTER1)and applied it on interface vlan.o
but it didnot work
The ping to vlan.0 didnot work from source addresses in filter (ex. 172.20.1.4)
but it is ok from diffrent IP in the same range
Finally: I put my gateway in my internal host , Juniper srx vlan.0 172.20.1.1
and based on the source address it redirect me to one of ISP's
But I cannot see my router juniper from addresses inside the filter and of course browsing isnot work
PLEASE HELP ME

Comments

  • mayhem87mayhem87 Member Posts: 73 ■■□□□□□□□□
    do you have your interfaces in vlan 3? i notice that the RVI is for vlan 3 yet don't see where the interfaces were also placed into vlan 3. Still new to Juniper so maybe I missed it?
  • eng_gannaeng_ganna Registered Users Posts: 3 ■□□□□□□□□□
    I put ge-0/0/1, ge-0/0/2,ge-0/0/3 in vlan-trust from the beginning but the problem that internet browsing isnot working from the client that have IP 172.20.1.4 and gateway 172.20.1.1 although it see the network but cannot ping to gateway (juniper)
    and cannot browse the internet, it is firewall problem but I donot know it
  • mayhem87mayhem87 Member Posts: 73 ■■□□□□□□□□
    so 172.20.1.3/32 is able to do everything just fine? Is the traffic from these 2 ip's coming in from the same port?
  • eng_gannaeng_ganna Registered Users Posts: 3 ■□□□□□□□□□
    hi every one,
    I could access the internet through Juniper but there is another problem, it is all traffic go through one ISP although that I made filter terms that load balance traffic depend on source and apply it on vlan-trust zone
    also static route in routing option has static route to 0.0.0.0/0 network with next hop a.a.a.57 and preference 5
    and qualified next hop d.d.d.73 with the same preference
    but the Juniper 172.20.1.1 forward all traffic from any source to one ISP only although of applying FBF
    help me please
    thanks
Sign In or Register to comment.