{"id":1018,"date":"2008-10-19T14:30:53","date_gmt":"2008-10-19T12:30:53","guid":{"rendered":"http:\/\/www.corelan.be:8800\/index.php\/2008\/10\/19\/using-2-internet-links-with-juniper-screenos-firewalls-to-separate-traffic-and-apply-traffic-shaping\/"},"modified":"2008-10-19T14:30:53","modified_gmt":"2008-10-19T12:30:53","slug":"using-2-internet-links-with-juniper-screenos-firewalls-to-separate-traffic-and-apply-traffic-shaping","status":"publish","type":"post","link":"https:\/\/www.corelan.be\/index.php\/2008\/10\/19\/using-2-internet-links-with-juniper-screenos-firewalls-to-separate-traffic-and-apply-traffic-shaping\/","title":{"rendered":"Using 2 internet links with Juniper screenos Firewalls to separate traffic (pbr) and apply traffic shaping"},"content":{"rendered":"<p>Scenario : you have 1 Juniper firewall, which has 2 internet connections : an expensive but reliable 4Mbit connection, and a fast, less expensive, but less reliable 20Mbit connection.<\/p>\n<p>Goal : use the reliable connection for smtp traffic (1Mbit) and http traffic (3Mbit), and route all other internet traffic over the other connection<\/p>\n<p><a href=\"\/wp-content\/uploads\/2008\/10\/multipleisp.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" title=\"multiple ISP\" style=\"border-top-width: 0px; display: inline; border-left-width: 0px; border-bottom-width: 0px; border-right-width: 0px\" height=\"424\" alt=\"multiple ISP\" src=\"\/wp-content\/uploads\/2008\/10\/multipleisp-thumb.png\" width=\"556\" border=\"0\" \/><\/a> <\/p>\n<p>The techniques that we\u2019ll use to make this work are : routing, policy based routing, traffic shaping and policies<\/p>\n<p>This is how it is done :<\/p>\n<p>&#160;<\/p>\n<h3>Routing<\/h3>\n<p>When you only have one internet connection, the default route on your firewall points to the ISP router. 
But now we have 2 ISP routers, so we\u2019ll have to make a choice :<\/p>\n<ul>\n<li>route all traffic to ISP router 1 by default (not recommended, because most traffic should go to ISP 2) <\/li>\n<li>route all traffic to ISP router 2 by default (looks better, but we still need to find a solution for the smtp and http traffic) <\/li>\n<li>use Equal Cost Multipath routing by creating 2 default routes with the same preference, and point each route to another ISP router (not recommended here, because ECMP routing is used to equally load balance internet traffic, on a session basis. We need to be very specific in what needs to be routed to ISP1 and what needs to be routed to ISP2) <\/li>\n<li>use PBR (Policy Based Routing) =&gt; this is what we need. Using PBR, you can specify a next-hop and filter on IP addresses, ports, ToS bits, which suits our needs here <\/li>\n<\/ul>\n<p>&#160;<\/p>\n<p>In order to use PBR, we need to<\/p>\n<ul>\n<li>Create an extended access list <\/li>\n<li>Create a match group <\/li>\n<li>Assign the extended access list to the group <\/li>\n<li>Create action groups to identify the next-hop router for each ISP <\/li>\n<li>Create PBR policy <\/li>\n<li>Enable PBR on the ingress interface <\/li>\n<li>Apply PBR to the ingress zone and bind the policy to the zone <\/li>\n<li>Create a policy to allow traffic <\/li>\n<\/ul>\n<p>There are 2 ways to route the traffic : either you set the default route to the ISP that will carry the majority of the traffic and use an ACL to send traffic to the other ISP (preferred and easiest configuration), or do it the hard way (without default route) and separate\/reroute traffic using 2 access lists. 
<\/p>\n<p>If you want to use the easy config (default route to 2.2.2.2), then you only need to create an acl that kicks in for the smtp and http traffic.&#160; But since I want to demonstrate the possibilities of PBR, I\u2019ll do it the hard way in this example :<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">\n\n## set up the access-lists\nssg5-<span style=\"color: #0000ff\">&gt;<\/span> set vrouter trust-vr\nssg5(trust-vr)-<span style=\"color: #0000ff\">&gt;<\/span> set access-list extended 10 dst-port 25-25 protocol tcp entry 1\nssg5(trust-vr)-<span style=\"color: #0000ff\">&gt;<\/span> set access-list extended 10 dst-port 80-80 protocol tcp entry 2\n\nssg5(trust-vr)-<span style=\"color: #0000ff\">&gt;<\/span> set access-list extended 20 dst-port 1-24 entry 1\nssg5(trust-vr)-<span style=\"color: #0000ff\">&gt;<\/span> set access-list extended 20 dst-port 26-79 entry 2\nssg5(trust-vr)-<span style=\"color: #0000ff\">&gt;<\/span> set access-list extended 20 dst-port 81-65535 entry 3\nssg5(trust-vr)-<span style=\"color: #0000ff\">&gt;<\/span> set access-list extended 20 dst-port 25-25 protocol udp entry 4\nssg5(trust-vr)-<span style=\"color: #0000ff\">&gt;<\/span> set access-list extended 20 dst-port 80-80 protocol udp entry 5\n\n## create the match groups and assign the extended acl to the group\nssg5(trust-vr)-<span style=\"color: #0000ff\">&gt;<\/span> set match-group name ISP4MBit\nssg5(trust-vr)-<span style=\"color: #0000ff\">&gt;<\/span> set match-group ISP4MBit ext-acl 10 match-entry 10\n\nssg5(trust-vr)-<span style=\"color: #0000ff\">&gt;<\/span> set match-group name ISP20Mbit\nssg5(trust-vr)-<span style=\"color: 
&gt;<\/span> set match-group">
#0000ff\">&gt;<\/span> set match-group ISP20Mbit ext-acl 20 match-entry 10\n\n## create action groups and set next hop\nssg5(trust-vr)-<span style=\"color: #0000ff\">&gt;<\/span> set action-group name toISP4MBit\nssg5(trust-vr)-<span style=\"color: #0000ff\">&gt;<\/span> set action-group toISP4MBit next-hop 1.1.1.2 action-entry 1\n\nssg5(trust-vr)-<span style=\"color: #0000ff\">&gt;<\/span> set action-group name toISP20MBit\nssg5(trust-vr)-<span style=\"color: #0000ff\">&gt;<\/span> set action-group toISP20MBit next-hop 2.2.2.2 action-entry 1\n\n## create pbr and bind action group with match group\nssg5(trust-vr)-<span style=\"color: #0000ff\">&gt;<\/span> set pbr policy name separate-traffic\nssg5(trust-vr)-<span style=\"color: #0000ff\">&gt;<\/span> set pbr policy separate-traffic match-group ISP4MBit action-group toISP4MBit 1\nssg5(trust-vr)-<span style=\"color: #0000ff\">&gt;<\/span> set pbr policy separate-traffic match-group ISP20Mbit action-group toISP20MBit 2\nssg5(trust-vr)-<span style=\"color: #0000ff\">&gt;<\/span> exit\n\n## enable PBR on the ingress interface (in the LAN zone !!!!)\nssg5-<span style=\"color: #0000ff\">&gt;<\/span> set interface ethernet0\/0 pbr\n\n## enable the PBR policy on the entire zone\nssg5-<span style=\"color: #0000ff\">&gt;<\/span> set zone LAN pbr separate-traffic\n\n## create policy to allow traffic\nssg5-<span style=\"color: #0000ff\">&gt;<\/span> set policy from Lan to Internet any any any nat src permit\n<\/pre>\n<\/div>\n<p>&#160;<\/p>\n<p>As explained earlier, in this example we have created an access-list that will cover all non-smtp and non-http traffic. Hence, there is no need for a default route on the firewall. 
The action-groups will ensure that all traffic goes to the correct ISP routers.&#160; The drawback of this configuration is that, if you want to extend the ACL for the 4Mbit ISP, then you\u2019ll need to change both ACLs, and this will increase complexity without increasing flexibility.<\/p>\n<p>Again, this was just an example, in case you need to use multiple access lists and multiple entries per access list, but it is not the recommended setup.<\/p>\n<p>&#160;<\/p>\n<p>So far so good, but the smtp and http traffic sessions will take as much bandwidth as they can. One of the requirements was to limit the amount of bandwidth that can be taken by SMTP to 1Mbit, and to limit the amount of bandwidth that can be taken by HTTP to 3Mbit.<\/p>\n<p>In fact, we\u2019ll give SMTP 512KB guaranteed, allow burst to 1Mbit, and we\u2019ll give HTTP 2Mbit guaranteed, burst to 3Mbit.&#160; This can be done with traffic shaping :<\/p>\n<p>&#160;<\/p>\n<h3>Set up traffic shaping<\/h3>\n<p>Add the following 2 policies BEFORE the any any any policy that we have created above<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">set policy from Lan to Internet &quot;Any&quot; &quot;Any&quot; &quot;SMTP&quot; nat src permit traffic gbw 512 priority 0 mbw 1024\nset policy from Lan to Internet &quot;Any&quot; &quot;Any&quot; &quot;HTTP&quot; nat src permit traffic gbw 2048 priority 0 mbw 3072<\/pre>\n<\/div>\n<p>The gbw parameter indicates the guaranteed bandwidth, the mbw parameter refers to the maximum bandwidth<\/p>\n<p>As soon as you create one policy with traffic shaping parameters, traffic shaping becomes active.&#160; You can 
globally disable traffic shaping again by using \u201cset traffic-shaping mode off\u201d<\/p>\n<p>You can view the traffic shaping statistics by looking at the policy information.&#160; Suppose the SMTP policy has id 5, then you can see all stats by executing the following command :&#160; \u201cget policy id 5\u201d<\/p>\n<p>&#160;<\/p>\n<h3>Set bandwidth restrictions on an interface<\/h3>\n<p>This option is not required for our example, but if you want to enforce interface based bandwidth restrictions, this is how it can be done :<\/p>\n<p>Suppose you want to limit the amount of bandwidth on interface ethernet0\/1 to 4Mbit, then use these commands :<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">set interface e0\/1 bandwidth ingress mbw 4096\nset interface e0\/1 bandwidth egress mbw 4096<\/pre>\n<\/div>\n<p>As you can see, you can specify different bandwidth parameters based on ingress or egress traffic flow.<\/p>\n<p>&#160;<\/p>\n<h3>What if one of your internet connections uses DHCP ?<\/h3>\n<p>If one of your internet connections uses DHCP, this will have an impact on the cost of the default route. You can put one of the links in another vrouter, so you can play with the PBR in your trust-vr and send traffic via the custom vrouter<\/p>\n<p><a title=\"http:\/\/8021q.blogspot.com\/2007\/09\/juniper-netscreen-dual-untrust.html\" href=\"http:\/\/8021q.blogspot.com\/2007\/09\/juniper-netscreen-dual-untrust.html\">http:\/\/8021q.blogspot.com\/2007\/09\/juniper-netscreen-dual-untrust.html<\/a><\/p>\n<p>&#160;<\/p>\n<h3>Some notes<\/h3>\n<h4>1. 
Cross-VR PBR :<\/h4>\n<p>If you have multiple VRs and you need to redirect traffic via PBR to another VR, then make sure that the action-group only contains a next-hop entry and not a next-interface entry. Especially with some older ScreenOS versions, when configuring this via the WebGui, the \u201cnext-interface null\u201d statement may be added and the setup would not work.&#160; Check out <a title=\"http:\/\/kb.juniper.net\/index?page=content&amp;id=KB9404&amp;actp=search&amp;searchid=1231989420431\" href=\"http:\/\/kb.juniper.net\/index?page=content&amp;id=KB9404&amp;actp=search&amp;searchid=1231989420431\">http:\/\/kb.juniper.net\/index?page=content&amp;id=KB9404&amp;actp=search&amp;searchid=1231989420431<\/a> for more information. (The KB also contains some information about a routing table host entry (\/32) for referencing the next-hop value.)<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Scenario : you have 1 Juniper firewall, which has 2 internet connections : an expensive but reliable 4Mbit connection, and a fast, less expensive, but less reliable 20Mbit connection. 
Goal : use the reliable connection for smtp traffic (1Mbit) and http traffic (3Mbit), and route all other internet traffic over the other connection The techniques &hellip; <a href=\"https:\/\/www.corelan.be\/index.php\/2008\/10\/19\/using-2-internet-links-with-juniper-screenos-firewalls-to-separate-traffic-and-apply-traffic-shaping\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> \"Using 2 internet links with Juniper screenos Firewalls to separate traffic (pbr) and apply traffic shaping\"<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[554,164,127],"tags":[3735,1408],"class_list":["post-1018","post","type-post","status-publish","format-standard","hentry","category-juniper","category-networking","category-security","tag-juniper-netscreen-screenos","tag-routing"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Using 2 internet links with Juniper screenos Firewalls to separate traffic (pbr) and apply traffic shaping - Corelan | Exploit Development &amp; Vulnerability Research<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" 
href=\"https:\/\/www.corelan.be\/index.php\/2008\/10\/19\/using-2-internet-links-with-juniper-screenos-firewalls-to-separate-traffic-and-apply-traffic-shaping\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Using 2 internet links with Juniper screenos Firewalls to separate traffic (pbr) and apply traffic shaping - Corelan | Exploit Development &amp; Vulnerability Research\" \/>\n<meta property=\"og:description\" content=\"Scenario : you have 1 Juniper firewall, which has 2 internet connections : an expensive but reliable 4Mbit connection, and a fast, less expensive, but less reliable 20Mbit connection. Goal : use the reliable connection for smtp traffic (1Mbit) and http traffic (3Mbit), and route all other internet traffic over the other connection The techniques &hellip; Continue reading &quot;Using 2 internet links with Juniper screenos Firewalls to separate traffic (pbr) and apply traffic shaping&quot;\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.corelan.be\/index.php\/2008\/10\/19\/using-2-internet-links-with-juniper-screenos-firewalls-to-separate-traffic-and-apply-traffic-shaping\/\" \/>\n<meta property=\"og:site_name\" content=\"Corelan | Exploit Development &amp; Vulnerability Research\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/corelanconsulting\" \/>\n<meta property=\"article:published_time\" content=\"2008-10-19T12:30:53+00:00\" \/>\n<meta name=\"author\" content=\"corelanc0d3r\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@corelanc0d3r\" \/>\n<meta name=\"twitter:site\" content=\"@corelanc0d3r\" \/>\n<script type=\"application\/ld+json\" 
class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"TechArticle\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2008\\\/10\\\/19\\\/using-2-internet-links-with-juniper-screenos-firewalls-to-separate-traffic-and-apply-traffic-shaping\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2008\\\/10\\\/19\\\/using-2-internet-links-with-juniper-screenos-firewalls-to-separate-traffic-and-apply-traffic-shaping\\\/\"},\"author\":{\"name\":\"corelanc0d3r\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/person\\\/3be5542b9b0a0787893db83a5ad68e8f\"},\"headline\":\"Using 2 internet links with Juniper screenos Firewalls to separate traffic (pbr) and apply traffic shaping\",\"datePublished\":\"2008-10-19T12:30:53+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2008\\\/10\\\/19\\\/using-2-internet-links-with-juniper-screenos-firewalls-to-separate-traffic-and-apply-traffic-shaping\\\/\"},\"wordCount\":930,\"publisher\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\"},\"keywords\":[\"juniper netscreen screenos\",\"routing\"],\"articleSection\":[\"Juniper\",\"Networking\",\"Security\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2008\\\/10\\\/19\\\/using-2-internet-links-with-juniper-screenos-firewalls-to-separate-traffic-and-apply-traffic-shaping\\\/\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2008\\\/10\\\/19\\\/using-2-internet-links-with-juniper-screenos-firewalls-to-separate-traffic-and-apply-traffic-shaping\\\/\",\"name\":\"Using 2 internet links with Juniper screenos Firewalls to separate traffic (pbr) and apply traffic shaping - Corelan | Exploit Development &amp; Vulnerability 
Research\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#website\"},\"datePublished\":\"2008-10-19T12:30:53+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2008\\\/10\\\/19\\\/using-2-internet-links-with-juniper-screenos-firewalls-to-separate-traffic-and-apply-traffic-shaping\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2008\\\/10\\\/19\\\/using-2-internet-links-with-juniper-screenos-firewalls-to-separate-traffic-and-apply-traffic-shaping\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2008\\\/10\\\/19\\\/using-2-internet-links-with-juniper-screenos-firewalls-to-separate-traffic-and-apply-traffic-shaping\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.corelan.be\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Using 2 internet links with Juniper screenos Firewalls to separate traffic (pbr) and apply traffic shaping\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#website\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/\",\"name\":\"Corelan CyberSecurity Research\",\"description\":\"Corelan publishes in-depth tutorials on exploit development, Windows exploitation, vulnerability research, heap internals, reverse engineering and security tooling used by professionals worldwide.\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.corelan.be\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\",\"name\":\"Corelan CyberSecurity 
Research\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/corelanlogo2_small-20.png\",\"contentUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/corelanlogo2_small-20.png\",\"width\":200,\"height\":200,\"caption\":\"Corelan CyberSecurity Research\"},\"image\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/corelanconsulting\",\"https:\\\/\\\/x.com\\\/corelanc0d3r\",\"https:\\\/\\\/x.com\\\/corelanconsulting\",\"https:\\\/\\\/instagram.com\\\/corelanconsult\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/person\\\/3be5542b9b0a0787893db83a5ad68e8f\",\"name\":\"corelanc0d3r\",\"pronouns\":\"he\\\/him\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"caption\":\"corelanc0d3r\"},\"description\":\"Peter Van Eeckhoutte is the founder of Corelan and a globally recognized expert in exploit development and vulnerability research. With over two decades in IT security, he built Corelan into a respected platform for deep technical research, hands-on training, and knowledge sharing. 
Known for his influential exploit development tutorials, tools, and real-world training, Peter combines a strong research mindset with a passion for education\u2014helping security professionals understand not just how exploits work, but why.\",\"sameAs\":[\"https:\\\/\\\/www.corelan-training.com\",\"https:\\\/\\\/instagram.com\\\/corelanc0d3r\",\"https:\\\/\\\/www.linkedin.com\\\/in\\\/petervaneeckhoutte\\\/\",\"https:\\\/\\\/x.com\\\/corelanc0d3r\"],\"url\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/author\\\/admin0\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Using 2 internet links with Juniper screenos Firewalls to separate traffic (pbr) and apply traffic shaping - Corelan | Exploit Development &amp; Vulnerability Research","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.corelan.be\/index.php\/2008\/10\/19\/using-2-internet-links-with-juniper-screenos-firewalls-to-separate-traffic-and-apply-traffic-shaping\/","og_locale":"en_US","og_type":"article","og_title":"Using 2 internet links with Juniper screenos Firewalls to separate traffic (pbr) and apply traffic shaping - Corelan | Exploit Development &amp; Vulnerability Research","og_description":"Scenario : you have 1 Juniper firewall, which has 2 internet connections : an expensive but reliable 4Mbit connection, and a fast, less expensive, but less reliable 20Mbit connection. 
Goal : use the reliable connection for smtp traffic (1Mbit) and http traffic (3Mbit), and route all other internet traffic over the other connection The techniques &hellip; Continue reading \"Using 2 internet links with Juniper screenos Firewalls to separate traffic (pbr) and apply traffic shaping\"","og_url":"https:\/\/www.corelan.be\/index.php\/2008\/10\/19\/using-2-internet-links-with-juniper-screenos-firewalls-to-separate-traffic-and-apply-traffic-shaping\/","og_site_name":"Corelan | Exploit Development &amp; Vulnerability Research","article_publisher":"https:\/\/www.facebook.com\/corelanconsulting","article_published_time":"2008-10-19T12:30:53+00:00","author":"corelanc0d3r","twitter_card":"summary_large_image","twitter_creator":"@corelanc0d3r","twitter_site":"@corelanc0d3r","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"TechArticle","@id":"https:\/\/www.corelan.be\/index.php\/2008\/10\/19\/using-2-internet-links-with-juniper-screenos-firewalls-to-separate-traffic-and-apply-traffic-shaping\/#article","isPartOf":{"@id":"https:\/\/www.corelan.be\/index.php\/2008\/10\/19\/using-2-internet-links-with-juniper-screenos-firewalls-to-separate-traffic-and-apply-traffic-shaping\/"},"author":{"name":"corelanc0d3r","@id":"https:\/\/www.corelan.be\/#\/schema\/person\/3be5542b9b0a0787893db83a5ad68e8f"},"headline":"Using 2 internet links with Juniper screenos Firewalls to separate traffic (pbr) and apply traffic shaping","datePublished":"2008-10-19T12:30:53+00:00","mainEntityOfPage":{"@id":"https:\/\/www.corelan.be\/index.php\/2008\/10\/19\/using-2-internet-links-with-juniper-screenos-firewalls-to-separate-traffic-and-apply-traffic-shaping\/"},"wordCount":930,"publisher":{"@id":"https:\/\/www.corelan.be\/#organization"},"keywords":["juniper netscreen 
screenos","routing"],"articleSection":["Juniper","Networking","Security"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.corelan.be\/index.php\/2008\/10\/19\/using-2-internet-links-with-juniper-screenos-firewalls-to-separate-traffic-and-apply-traffic-shaping\/","url":"https:\/\/www.corelan.be\/index.php\/2008\/10\/19\/using-2-internet-links-with-juniper-screenos-firewalls-to-separate-traffic-and-apply-traffic-shaping\/","name":"Using 2 internet links with Juniper screenos Firewalls to separate traffic (pbr) and apply traffic shaping - Corelan | Exploit Development &amp; Vulnerability Research","isPartOf":{"@id":"https:\/\/www.corelan.be\/#website"},"datePublished":"2008-10-19T12:30:53+00:00","breadcrumb":{"@id":"https:\/\/www.corelan.be\/index.php\/2008\/10\/19\/using-2-internet-links-with-juniper-screenos-firewalls-to-separate-traffic-and-apply-traffic-shaping\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.corelan.be\/index.php\/2008\/10\/19\/using-2-internet-links-with-juniper-screenos-firewalls-to-separate-traffic-and-apply-traffic-shaping\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.corelan.be\/index.php\/2008\/10\/19\/using-2-internet-links-with-juniper-screenos-firewalls-to-separate-traffic-and-apply-traffic-shaping\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.corelan.be\/"},{"@type":"ListItem","position":2,"name":"Using 2 internet links with Juniper screenos Firewalls to separate traffic (pbr) and apply traffic shaping"}]},{"@type":"WebSite","@id":"https:\/\/www.corelan.be\/#website","url":"https:\/\/www.corelan.be\/","name":"Corelan CyberSecurity Research","description":"Corelan publishes in-depth tutorials on exploit development, Windows exploitation, vulnerability research, heap internals, reverse engineering and security tooling used by professionals 
worldwide.","publisher":{"@id":"https:\/\/www.corelan.be\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.corelan.be\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.corelan.be\/#organization","name":"Corelan CyberSecurity Research","url":"https:\/\/www.corelan.be\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.corelan.be\/#\/schema\/logo\/image\/","url":"https:\/\/www.corelan.be\/wp-content\/uploads\/2026\/03\/corelanlogo2_small-20.png","contentUrl":"https:\/\/www.corelan.be\/wp-content\/uploads\/2026\/03\/corelanlogo2_small-20.png","width":200,"height":200,"caption":"Corelan CyberSecurity Research"},"image":{"@id":"https:\/\/www.corelan.be\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/corelanconsulting","https:\/\/x.com\/corelanc0d3r","https:\/\/x.com\/corelanconsulting","https:\/\/instagram.com\/corelanconsult"]},{"@type":"Person","@id":"https:\/\/www.corelan.be\/#\/schema\/person\/3be5542b9b0a0787893db83a5ad68e8f","name":"corelanc0d3r","pronouns":"he\/him","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","url":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","caption":"corelanc0d3r"},"description":"Peter Van Eeckhoutte is the founder of Corelan and a globally recognized expert in exploit development and vulnerability research. 
With over two decades in IT security, he built Corelan into a respected platform for deep technical research, hands-on training, and knowledge sharing. Known for his influential exploit development tutorials, tools, and real-world training, Peter combines a strong research mindset with a passion for education\u2014helping security professionals understand not just how exploits work, but why.","sameAs":["https:\/\/www.corelan-training.com","https:\/\/instagram.com\/corelanc0d3r","https:\/\/www.linkedin.com\/in\/petervaneeckhoutte\/","https:\/\/x.com\/corelanc0d3r"],"url":"https:\/\/www.corelan.be\/index.php\/author\/admin0\/"}]}},"views":26700,"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts\/1018","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/comments?post=1018"}],"version-history":[{"count":0,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts\/1018\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/media?parent=1018"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/categories?post=1018"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/tags?post=1018"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}