We've recently installed a second Internet connection, so I've somewhat successfully configured policy-based routing on the edge router, which is a Juniper J4350 running JunOS 9.5R1.8.
I followed a guide more or less exactly by example (found here: http://community.riverbed.com/rvrb/attachments/rvrb/rvrb-7/2886/1/Juniper%20PBR.pdf) and the PBR routing works outbound, routing traffic from specific ranges inside the LAN out of an ISP as required. However, when enabled, the filter also seems to catch other traffic: I can't SSH into the router any longer on the LAN interface, and the configuration also seems to break some IPsec VPNs going through the same router.
In summary: without PBR, routing was working as expected through a single ISP with the static routes specified under routing-options.
For reference, the parts of the configuration I've put in are as follows:
ge-0/0/0 {
    vlan-tagging;
    unit 0 {
        vlan-id 1;
        family inet {
            filter {
                input PBR;
            }
            address 192.168.51.13/24;
        }
    }
    unit 16 {
        description Hants-ext;
        vlan-id 16;
        family inet {
            sampling {
                input;
                output;
            }
            address 10.249.16.126/25;
        }
    }
    unit 128 {
        description DMZ;
        vlan-id 128;
        family inet {
            address 10.249.16.129/25;
        }
    }
    unit 150 {
        description NetworkFlow;
        vlan-id 150;
        family inet {
            address 217.20.18.50/29;
        }
    }
}
family inet {
    filter sample-in {
        term default {
            then {
                sample;
                accept;
            }
        }
    }
    filter PBR {
        term traffic_for_hants {
            from {
                source-address {
                    192.168.0.0/16;
                    172.16.0.0/16;
                    192.168.12.0/24 except;
                }
            }
            then {
                routing-instance viaHants;
            }
        }
        term traffic_for_networkflow {
            from {
                source-address {
                    192.168.12.0/24;
                }
            }
            then {
                routing-instance viaNetworkFlow;
            }
        }
        term default {
            then accept;
        }
    }
}
routing-options {
    interface-routes {
        rib-group inet fbf-group;
    }
    static {
        route 192.168.0.0/16 next-hop 192.168.51.37;
        route 10.217.163.0/24 next-hop 192.168.51.37;
        route 172.19.0.0/16 next-hop 192.168.51.12;
        route 172.16.0.0/16 next-hop 10.249.16.1;
        route 0.0.0.0/0 next-hop 10.249.16.1;
    }
    rib-groups {
        fbf-group {
            import-rib [ inet.0 viaHants.inet.0 viaNetworkFlow.inet.0 ];
        }
    }
}
firewall {
    family inet {
        filter sample-in {
            term default {
                then {
                    sample;
                    accept;
                }
            }
        }
        filter PBR {
            term traffic_for_hants {
                from {
                    source-address {
                        192.168.0.0/16;
                        172.16.0.0/16;
                        192.168.12.0/24 except;
                    }
                }
                then {
                    routing-instance viaHants;
                }
            }
            term traffic_for_networkflow {
                from {
                    source-address {
                        192.168.12.0/24;
                    }
                }
                then {
                    routing-instance viaNetworkFlow;
                }
            }
            term default {
                then accept;
            }
        }
    }
    filter all {
        term all {
            then {
                sample;
                accept;
            }
        }
    }
}
routing-instances {
    viaHants {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.249.16.1;
                route 192.168.0.0/16 next-hop 192.168.51.37;
                route 10.217.163.0/24 next-hop 192.168.51.37;
                route 172.19.0.0/16 next-hop 192.168.51.12;
                route 172.16.0.0/16 next-hop 10.249.16.1;
            }
        }
    }
    viaNetworkFlow {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 217.20.18.49;
                route 192.168.0.0/16 next-hop 192.168.51.37;
                route 10.217.163.0/24 next-hop 192.168.51.37;
                route 172.19.0.0/16 next-hop 192.168.51.12;
                route 172.16.0.0/16 next-hop 10.249.16.1;
            }
        }
    }
}
Routing tables:
inet.0: 13 destinations, 13 routes (13 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 5d 02:52:09
                    > to 10.249.16.1 via ge-0/0/0.16
10.217.163.0/24    *[Static/5] 5d 02:52:09
                    > to 192.168.51.37 via ge-0/0/0.0
10.249.16.0/25     *[Direct/0] 38w2d 11:16:31
                    > via ge-0/0/0.16
10.249.16.126/32   *[Local/0] 38w2d 11:17:33
                      Local via ge-0/0/0.16
10.249.16.128/25   *[Direct/0] 38w2d 11:16:31
                    > via ge-0/0/0.128
10.249.16.129/32   *[Local/0] 38w2d 11:17:33
                      Local via ge-0/0/0.128
172.16.0.0/16      *[Static/5] 5d 02:52:09
                    > to 10.249.16.1 via ge-0/0/0.16
172.19.0.0/16      *[Static/5] 5d 02:52:09
                    > to 192.168.51.12 via ge-0/0/0.0
192.168.0.0/16     *[Static/5] 5d 02:52:09
                    > to 192.168.51.37 via ge-0/0/0.0
192.168.51.0/24    *[Direct/0] 38w2d 11:16:31
                    > via ge-0/0/0.0
192.168.51.13/32   *[Local/0] 38w2d 11:17:33
                      Local via ge-0/0/0.0
217.20.18.48/29    *[Direct/0] 1w5d 23:06:44
                    > via ge-0/0/0.150
217.20.18.50/32    *[Local/0] 1w5d 23:06:44
                      Local via ge-0/0/0.150

viaHants.inet.0: 13 destinations, 13 routes (13 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 6d 08:47:33
                    > to 10.249.16.1 via ge-0/0/0.16
10.217.163.0/24    *[Static/5] 5d 20:07:57
                    > to 192.168.51.37 via ge-0/0/0.0
10.249.16.0/25     *[Direct/0] 5d 03:17:39
                    > via ge-0/0/0.16
10.249.16.126/32   *[Local/0] 20:39:33
                      Local via ge-0/0/0.16
10.249.16.128/25   *[Direct/0] 5d 03:17:39
                    > via ge-0/0/0.128
10.249.16.129/32   *[Local/0] 20:39:33
                      Local via ge-0/0/0.128
172.16.0.0/16      *[Static/5] 5d 20:07:57
                    > to 10.249.16.1 via ge-0/0/0.16
172.19.0.0/16      *[Static/5] 5d 20:07:57
                    > to 192.168.51.12 via ge-0/0/0.0
192.168.0.0/16     *[Static/5] 5d 20:07:57
                    > to 192.168.51.37 via ge-0/0/0.0
192.168.51.0/24    *[Direct/0] 5d 03:17:39
                    > via ge-0/0/0.0
192.168.51.13/32   *[Local/0] 20:39:33
                      Local via ge-0/0/0.0
217.20.18.48/29    *[Direct/0] 5d 03:17:39
                    > via ge-0/0/0.150
217.20.18.50/32    *[Local/0] 20:39:33
                      Local via ge-0/0/0.150

viaNetworkFlow.inet.0: 13 destinations, 13 routes (13 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 6d 08:47:33
                    > to 217.20.18.49 via ge-0/0/0.150
10.217.163.0/24    *[Static/5] 5d 20:07:57
                    > to 192.168.51.37 via ge-0/0/0.0
10.249.16.0/25     *[Direct/0] 5d 03:17:39
                    > via ge-0/0/0.16
10.249.16.126/32   *[Local/0] 20:39:33
                      Local via ge-0/0/0.16
10.249.16.128/25   *[Direct/0] 5d 03:17:39
                    > via ge-0/0/0.128
10.249.16.129/32   *[Local/0] 20:39:33
                      Local via ge-0/0/0.128
172.16.0.0/16      *[Static/5] 5d 20:07:57
                    > to 10.249.16.1 via ge-0/0/0.16
172.19.0.0/16      *[Static/5] 5d 20:07:57
                    > to 192.168.51.12 via ge-0/0/0.0
192.168.0.0/16     *[Static/5] 5d 20:07:57
                    > to 192.168.51.37 via ge-0/0/0.0
192.168.51.0/24    *[Direct/0] 5d 03:17:39
                    > via ge-0/0/0.0
192.168.51.13/32   *[Local/0] 20:39:33
                      Local via ge-0/0/0.0
217.20.18.48/29    *[Direct/0] 5d 03:17:39
                    > via ge-0/0/0.150
217.20.18.50/32    *[Local/0] 20:39:33
                      Local via ge-0/0/0.150
That's damn nice work! Since you only really need to use a different default gateway, I would change things up a little with your firewall filters by adding the destination address 0.0.0.0/0 under the from stanza for each term. That way it only gets applied when the destination is to the outbound ISP. Still, that shouldn't affect accessing the management interface. I also typically add a section that imports all connected routes, but I think what you have here is doing that. Can you post the routing tables?
Here are some examples I did, where I set up a policy route to redirect traffic to an internal web filtering box.
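One defensive arrangement of the PBR filter, added here as an example and not taken from the question or the answer above: a first term accepts traffic destined for the router's own LAN address and for the internal and DMZ prefixes already present in the question's configuration, so only traffic to other destinations reaches the terms that divert into a forwarding instance. The term name keep_local and the count names are assumptions; the prefixes are the ones from the question.

```junos
firewall {
    family inet {
        filter PBR {
            /* added example term: router-bound and internal traffic stays in inet.0 */
            term keep_local {
                from {
                    destination-address {
                        192.168.51.13/32;
                        192.168.0.0/16;
                        172.19.0.0/16;
                        10.217.163.0/24;
                        10.249.16.128/25;
                    }
                }
                then {
                    count pbr-keep-local;
                    accept;
                }
            }
            term traffic_for_hants {
                from {
                    source-address {
                        192.168.0.0/16;
                        172.16.0.0/16;
                        192.168.12.0/24 except;
                    }
                }
                then {
                    count pbr-hants;
                    routing-instance viaHants;
                }
            }
            term traffic_for_networkflow {
                from {
                    source-address {
                        192.168.12.0/24;
                    }
                }
                then {
                    count pbr-networkflow;
                    routing-instance viaNetworkFlow;
                }
            }
            term default {
                then accept;
            }
        }
    }
}
```

After committing, "show firewall filter PBR" lists the per-term counters, which shows whether an SSH session to 192.168.51.13 or a given VPN flow is being matched by keep_local or still falling into one of the routing-instance terms.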