
Using 2 internet links with Juniper screenos Firewalls to separate traffic (pbr) and apply traffic shaping

Scenario : you have 1 Juniper firewall, which has 2 internet connections : an expensive but reliable 4Mbit connection, and a fast, less expensive, but less reliable 20Mbit connection.

Goal : use the reliable connection for smtp traffic (1Mbit) and http traffic (3Mbit), and route all other internet traffic over the other connection

(Figure: multiple ISP)

The techniques that we’ll use to make this work are : routing, policy based routing, traffic shaping and policies

This is how it is done :

Routing

When you only have one internet connection, the default route on your firewall points to the ISP router. But now we have 2 ISP routers, so we’ll have to make a choice :

  • route all traffic to ISP router 1 by default (not recommended, because most traffic should go to ISP 2)
  • route all traffic to ISP router 2 by default (looks better, but we still need to find a solution for the smtp and http traffic)
  • use Equal Cost Multipath routing by creating 2 default routes with the same preference, and point each route to another ISP router (not recommended here, because ECMP routing is used to equally load balance internet traffic, on a session basis. We need to be very specific in what needs to be routed to ISP1 and what needs to be routed to ISP2)
  • use PBR (Policy Based Routing) => this is what we need. Using PBR, you can specify a next-hop and filter on IP addresses, ports, ToS bits, which suits our needs here

In order to use PBR, we need to

  • Create an extended access list
  • Create a match group
  • Assign the extended access list to the group
  • Create action groups to identify the next-hop router for each ISP
  • Create PBR policy
  • Enable PBR on the ingress interface
  • Apply PBR to the ingress zone and bind the policy to the zone
  • Create a policy to allow traffic

There are 2 ways to route the traffic : either you set the default route to the ISP that will carry the majority of the traffic and use an ACL to send traffic to the other ISP (preferred and easiest configuration), or do it the hard way (without default route) and separate/reroute traffic using 2 access lists.

If you want to use the easy config (default route to 2.2.2.2), then you only need to create an acl that kicks in for the smtp and http traffic. But since I want to demonstrate the possibilities of PBR, I’ll do it the hard way in this example :


## set up the access-lists
ssg5-> set vrouter trust-vr
ssg5(trust-vr)-> set access-list extended 10 dst-port 25-25 protocol tcp entry 1
ssg5(trust-vr)-> set access-list extended 10 dst-port 80-80 protocol tcp entry 2

ssg5(trust-vr)-> set access-list extended 20 dst-port 1-24 entry 1
ssg5(trust-vr)-> set access-list extended 20 dst-port 26-79 entry 2
ssg5(trust-vr)-> set access-list extended 20 dst-port 81-65535 entry 3
ssg5(trust-vr)-> set access-list extended 20 dst-port 25-25 protocol udp entry 4
ssg5(trust-vr)-> set access-list extended 20 dst-port 80-80 protocol udp entry 5

## create the match groups and assign the extended acl to the group
ssg5(trust-vr)-> set match-group name ISP4MBit
ssg5(trust-vr)-> set match-group ISP4MBit ext-acl 10 match-entry 10

ssg5(trust-vr)-> set match-group name ISP20Mbit
ssg5(trust-vr)-> set match-group ISP20Mbit ext-acl 20 match-entry 10

## create action groups and set next hop
ssg5(trust-vr)-> set action-group name toISP4MBit
ssg5(trust-vr)-> set action-group toISP4MBit next-hop 1.1.1.2 action-entry 1

ssg5(trust-vr)-> set action-group name toISP20MBit
ssg5(trust-vr)-> set action-group toISP20MBit next-hop 2.2.2.2 action-entry 1

## create pbr and bind action group with match group
ssg5(trust-vr)-> set pbr policy name separate-traffic
ssg5(trust-vr)-> set pbr policy separate-traffic match-group ISP4MBit action-group toISP4MBit 1
ssg5(trust-vr)-> set pbr policy separate-traffic match-group ISP20MBit action-group toISP20MBit 1
ssg5(trust-vr)-> exit

## enable PBR on the ingress interface (in the LAN zone !!!!)
ssg5-> set interface ethernet0/0 pbr

## enable the PBR policy on the entire zone
ssg5-> set zone LAN pbr separate-traffic

## create policy to allow traffic
ssg5-> set policy from Lan to Internet any any any nat src permit

As explained earlier, in this example we have created an access-list that covers all non-smtp and non-http traffic. Hence, there is no need for a default route on the firewall. The action-groups will ensure that all traffic goes to the correct ISP router. The drawback of this configuration is that, if you want to extend the ACL for the 4Mbit ISP, you'll need to change both ACLs, and this will increase complexity without increasing flexibility.

Again, this was just an example, in case you need to use multiple access lists and multiple entries per access list, but it is not the recommended setup.
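To check the claim above, that access-list 20 is the exact complement of access-list 10 and that no default route is therefore needed, here is an added Python model of the lookup the firewall performs for a new session (protocol and destination port, then match-group, then the action-group's next-hop). This is example code written for this post, not ScreenOS code and not the author's configuration; the ACL entries, match-group names and next-hops are copied from the commands above, while the sample flows and the decision to treat a flow matched by both ACLs as a configuration error are assumptions of the model.

```python
"""Offline model of the two-ACL policy-based-routing setup from this post.

Added example, not ScreenOS code.  It re-implements the per-session lookup
(protocol + destination port -> match-group -> action-group next-hop) so the
two access-lists can be audited: every TCP/UDP destination port must be
claimed by exactly one ACL, or the 'no default route' design leaves flows
unroutable.  ACL entries and next-hops are copied from the post; the sample
flows in __main__ are constructed."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    protocol: Optional[str]  # "tcp", "udp", or None for entries that omit 'protocol'
    lo: int                  # dst-port range, inclusive
    hi: int

    def matches(self, protocol: str, dst_port: int) -> bool:
        proto_ok = self.protocol is None or self.protocol == protocol
        return proto_ok and self.lo <= dst_port <= self.hi


# access-list extended 10 -> match-group ISP4MBit -> action-group toISP4MBit
ACL_10 = [AclEntry("tcp", 25, 25),       # entry 1: smtp
          AclEntry("tcp", 80, 80)]       # entry 2: http

# access-list extended 20 -> match-group ISP20Mbit -> action-group toISP20MBit
ACL_20 = [AclEntry(None, 1, 24),         # entry 1
          AclEntry(None, 26, 79),        # entry 2
          AclEntry(None, 81, 65535),     # entry 3
          AclEntry("udp", 25, 25),       # entry 4: smtp port, but udp
          AclEntry("udp", 80, 80)]       # entry 5: http port, but udp

# pbr policy separate-traffic: match-group -> (its ACL, its action-group next-hop)
PBR_POLICY: Dict[str, Tuple[List[AclEntry], str]] = {
    "ISP4MBit": (ACL_10, "1.1.1.2"),
    "ISP20Mbit": (ACL_20, "2.2.2.2"),
}


def matching_groups(protocol: str, dst_port: int) -> List[str]:
    """Names of every match-group whose ACL claims this flow."""
    return [name for name, (acl, _) in PBR_POLICY.items()
            if any(e.matches(protocol, dst_port) for e in acl)]


def pbr_next_hop(protocol: str, dst_port: int) -> Optional[str]:
    """Next-hop chosen for a flow, or None when no match-group matches.

    With no default route in the routing table, None means the session
    cannot be routed at all.  A flow claimed by more than one match-group is
    treated as a configuration error (assumption of this model: the post's
    design relies on the two ACLs being disjoint)."""
    groups = matching_groups(protocol, dst_port)
    if not groups:
        return None
    if len(groups) > 1:
        raise ValueError(f"{protocol}/{dst_port} matched {groups}")
    return PBR_POLICY[groups[0]][1]


def audit_acls(protocols=("tcp", "udp")) -> Dict[str, List[Tuple[str, int]]]:
    """Walk every protocol/port pair and report flows that no ACL covers
    ('unrouted') or that both ACLs cover ('ambiguous')."""
    report: Dict[str, List[Tuple[str, int]]] = {"unrouted": [], "ambiguous": []}
    for proto in protocols:
        for port in range(1, 65536):
            n = len(matching_groups(proto, port))
            if n == 0:
                report["unrouted"].append((proto, port))
            elif n > 1:
                report["ambiguous"].append((proto, port))
    return report


if __name__ == "__main__":
    # constructed sample flows
    for proto, port in [("tcp", 25), ("tcp", 80), ("tcp", 443), ("udp", 53), ("udp", 25)]:
        print(f"{proto}/{port:<5} -> {pbr_next_hop(proto, port)}")
    print(audit_acls())  # both lists empty for the post's two ACLs

    # the maintenance drawback described in the post: extend ACL 10 alone
    # (say, add tcp/443) and the audit reports that port as ambiguous,
    # because ACL 20 entry 3 still claims it
    ACL_10.append(AclEntry("tcp", 443, 443))
    print(audit_acls()["ambiguous"])
```

The audit is what makes the "hard way" safe to operate: any later edit to one access-list can be re-checked before it is pushed to the firewall. For the "easy config" (default route to 2.2.2.2 and only access-list 10), `ACL_20` would simply disappear from `PBR_POLICY` and every flow for which `pbr_next_hop` returns None would fall through to the default route instead of being dropped.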

So far so good, but the smtp and http traffic sessions will take as much bandwidth as they can. One of the requirements was to limit the amount of bandwidth that can be taken by SMTP to 1Mbit, and to limit the amount of bandwidth that can be taken by HTTP to 3Mbit.

In fact, we’ll give SMTP 512KB guaranteed, allow burst to 1Mbit, and we’ll give HTTP 2Mbit guaranteed, burst to 3Mbit. This can be done with traffic shaping :

Set up traffic shaping

Add the following 2 policies BEFORE the any any any policy that we have created above

set policy from Lan to Internet "Any" "Any" "SMTP" nat src permit traffic gbw 512 priority 0 mbw 1024
set policy from Lan to Internet "Any" "Any" "HTTP" nat src permit traffic gbw 2048 priority 0 mbw 3072

The gbw parameter indicates the guaranteed bandwidth and the mbw parameter the maximum bandwidth, both in kbps.

As soon as you create one policy with traffic shaping parameters, traffic shaping becomes active. You can globally disable traffic shaping again with "set traffic-shaping mode off".

You can view the traffic shaping statistics by looking at the policy information. Suppose the SMTP policy has id 5, then you can see all stats by executing "get policy id 5".

Set bandwidth restrictions on an interface

This option is not required for our example, but if you want to enforce interface based bandwidth restrictions, this is how it can be done :

Suppose you want to limit the amount of bandwidth on interface ethernet0/1 to 4Mbit, then use these commands :

set interface e0/1 bandwidth ingress mbw 4096
set interface e0/1 bandwidth egress mbw 4096

As you can see, you can specify different bandwidth parameters based on ingress or egress traffic flow.

What if one of your internet connections uses DHCP ?

If one of your internet connections uses DHCP, this will have an impact on the cost of the default route. You can put one of the links in another vrouter, so you can play with the PBR in your trust-vr and send traffic via the custom vrouter

http://8021q.blogspot.com/2007/09/juniper-netscreen-dual-untrust.html

Some notes

1. Cross-VR PBR :

If you have multiple VRs and you need to redirect traffic via PBR to another VR, then make sure that the action-group only contains a next-hop entry and not a next-interface entry. Especially with some older ScreenOS versions, when configuring this via the WebUI, a "next-interface null" statement may be added and the setup will not work. Check out http://kb.juniper.net/index?page=content&id=KB9404&actp=search&searchid=1231989420431 for more information (the KB also contains some information about a routing table host entry (/32) for referencing the next-hop value).

2008 – 2009, Corelan Team (corelanc0d3r). All rights reserved.


7 Responses to Using 2 internet links with Juniper screenos Firewalls to separate traffic (pbr) and apply traffic shaping

  • nike says:

    Hi!
    I have a juniper 5gt and 2 WAN connections. I want to use the above example on my juniper to direct HTTP traffic from 2 computers to my 2 ISPs.
    It is possible to do that on my 5gt?
    Can you send me a configuration example on e-mail?
    Thanks!

  • can you open a forum post for this ?
    (go to http://www.corelan.be:8800/index.php/forum/screenos-routing-staticripospfbgp-1/ and create a new topic)

    I will need more information on how the 2 wan connections are connected, so a simple drawing would be nice.

    Also, what version of screenos are you running on the 5gt ?
    thanks

  • Rayb16 says:

    what would the above config look like if I were going to use the default route? what you refer to as the ‘easy config’.

    thanks,
    ray.

    • Ray,
      You basically set the default route to the ISP that will carry the majority of the traffic, and you create just one access-list and pbr that will send some of the traffic to another gateway
      (so instead of using 2 access-lists/pbr’s, you would just need one)

      • Rayb16 says:

        I currently have 2 internet connections connected to the juniper, and have a default route set for each:
        set route 0.0.0.0/0 interface ethernet0/0 gateway 1.2.3.4 preference 20
        set route 0.0.0.0/0 interface ethernet0/1 gateway 5.6.7.8 preference 20

        I will be adding a 3rd internet connection to this juniper on ethernet0/3 that I would like to direct all web traffic to. Do I only need one default gateway statement? Eth0/0 would be considered the primary interface.

        thanks,
        Ray.

  • niessoh says:

    Hi
    If the above scenario is certainly one of the links will interfere
    1- It is so well done to combine the above weight-based interface to share the load ?
    2- Or when a link was interrupted throughout the second link to send traffic from ?
