Re: [j-nsp] Mx Policy routing problem

2015-11-23 Thread Dave Bell
Hi Cahit,

> root@mx80-core# show interfaces ae0
> aggregated-ether-options {
>  minimum-links 1;
>  lacp {
>  active;
>  periodic fast;
>  }
> }
> unit 0 {
>  family inet {
>  filter {
>  input FWDirect;
>  }
>  address 10.32.35.14/30;
>  }
> }

> Request timeout for icmp_seq 14714
> 36 bytes from 10.32.35.14: Destination Net Unreachable
> Vr HL TOS  Len   ID Flg  off TTL Pro  cks  Src  Dst
>  4  5  00 5400 938d   0   38  01 d3ad 192.168.2.102  185.9.159.86

It looks like you are sourcing your test traffic from the address on
interface ae0. If so, that traffic never actually ingresses ae0, so the
input filter (FWDirect) is never evaluated for it.

Try testing from the device connected to ae0 (if you can).

Regards,
Dave


On 23 November 2015 at 10:08, Cahit Eyigünlü  wrote:
> Hello friends,
>
> We have an MX80 router that is connected to our ISP on ae0:
>
>
>
> root@mx80-core# show interfaces ae0
> aggregated-ether-options {
>  minimum-links 1;
>  lacp {
>  active;
>  periodic fast;
>  }
> }
> unit 0 {
>  family inet {
>  filter {
>  input FWDirect;
>  }
>  address 10.32.35.14/30;
>  }
> }
>
>
> [edit]
> root@mx80-core# show firewall
> filter FWDirect {
> term UDPFW {
> from {
> destination-address {
> 185.9.159.86/32;
> }
> protocol udp;
> }
> then {
> log;
> routing-instance UDP-Routes;
> }
> }
> term TCPFW {
> from {
> destination-address {
> 185.9.159.86/32;
> }
> }
> then {
> count TCPFWTR;
> log;
> routing-instance TCP-Routes;
> }
> }
> term Default {
> then accept;
> }
> }
>
> [edit]
> root@mx80-core# show routing-instances
> Normal-Routes {
> instance-type virtual-router;
> }
> TCP-Routes {
> instance-type forwarding;
> routing-options {
> static {
> route 0.0.0.0/0 next-hop 37.123.100.122;
> }
> }
> }
> UDP-Routes {
> instance-type forwarding;
> routing-options {
> static {
> route 0.0.0.0/0 next-hop 37.123.100.98;
> }
> }
> }
>
> [edit]
> root@mx80-core# show protocols ospf
> rib-group SPD-Route;
> area 0.0.0.0 {
> interface all;
> interface ae0.0 {
> disable;
> }
> }
>
> [edit]
>
> root@mx80-core# show routing-options rib-groups
> SPD-Route {
> import-rib [ inet.0 UDP-Routes.inet.0 TCP-Routes.inet.0 ];
> }
>
> [edit]
> root@mx80-core#
>
>
>
> The router can reach the next-hop IP addresses of the routing instances and
> is logging the connections:
>
>
> root@mx80-core# run ping 37.123.100.122
> PING 37.123.100.122 (37.123.100.122): 56 data bytes
> 64 bytes from 37.123.100.122: icmp_seq=0 ttl=64 time=1.194 ms
> 64 bytes from 37.123.100.122: icmp_seq=1 ttl=64 time=0.956 ms
> ^C
> --- 37.123.100.122 ping statistics ---
> 2 packets transmitted, 2 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 0.956/1.075/1.194/0.119 ms
>
> [edit]
> root@mx80-core# run ping 37.123.100.98
> PING 37.123.100.98 (37.123.100.98): 56 data bytes
> 64 bytes from 37.123.100.98: icmp_seq=0 ttl=64 time=0.490 ms
> 64 bytes from 37.123.100.98: icmp_seq=1 ttl=64 time=8.739 ms
> 64 bytes from 37.123.100.98: icmp_seq=2 ttl=64 time=0.422 ms
> ^C
> --- 37.123.100.98 ping statistics ---
> 3 packets transmitted, 3 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 0.422/3.217/8.739/3.905 ms
>
> [edit]
> root@mx80-core# run show firewall log
> Log :
> Time      Filter    Action Interface     Protocol        Src Addr                         Dest Addr
> 08:44:20  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
> 08:44:19  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
> 08:44:18  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
> 08:44:17  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
> 08:44:16  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
> 08:44:15  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
> 08:44:14  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
> 08:44:13  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
> 08:44:12  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
> 08:44:11  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
> 08:44:10  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
> 08:44:09  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
>
>
>
> but we 

[j-nsp] Mx Policy routing problem

2015-11-23 Thread Cahit Eyigünlü
Hello friends,

We have an MX80 router that is connected to our ISP on ae0:



root@mx80-core# show interfaces ae0
aggregated-ether-options {
 minimum-links 1;
 lacp {
 active;
 periodic fast;
 }
}
unit 0 {
 family inet {
 filter {
 input FWDirect;
 }
 address 10.32.35.14/30;
 }
}


[edit]
root@mx80-core# show firewall
filter FWDirect {
term UDPFW {
from {
destination-address {
185.9.159.86/32;
}
protocol udp;
}
then {
log;
routing-instance UDP-Routes;
}
}
term TCPFW {
from {
destination-address {
185.9.159.86/32;
}
}
then {
count TCPFWTR;
log;
routing-instance TCP-Routes;
}
}
term Default {
then accept;
}
}

[edit]
root@mx80-core# show routing-instances
Normal-Routes {
instance-type virtual-router;
}
TCP-Routes {
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 next-hop 37.123.100.122;
}
}
}
UDP-Routes {
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 next-hop 37.123.100.98;
}
}
}

[edit]
root@mx80-core# show protocols ospf
rib-group SPD-Route;
area 0.0.0.0 {
interface all;
interface ae0.0 {
disable;
}
}

[edit]

root@mx80-core# show routing-options rib-groups
SPD-Route {
import-rib [ inet.0 UDP-Routes.inet.0 TCP-Routes.inet.0 ];
}

[edit]
root@mx80-core#



The router can reach the next-hop IP addresses of the routing instances and
is logging the connections:


root@mx80-core# run ping 37.123.100.122
PING 37.123.100.122 (37.123.100.122): 56 data bytes
64 bytes from 37.123.100.122: icmp_seq=0 ttl=64 time=1.194 ms
64 bytes from 37.123.100.122: icmp_seq=1 ttl=64 time=0.956 ms
^C
--- 37.123.100.122 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.956/1.075/1.194/0.119 ms

[edit]
root@mx80-core# run ping 37.123.100.98
PING 37.123.100.98 (37.123.100.98): 56 data bytes
64 bytes from 37.123.100.98: icmp_seq=0 ttl=64 time=0.490 ms
64 bytes from 37.123.100.98: icmp_seq=1 ttl=64 time=8.739 ms
64 bytes from 37.123.100.98: icmp_seq=2 ttl=64 time=0.422 ms
^C
--- 37.123.100.98 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.422/3.217/8.739/3.905 ms

[edit]
root@mx80-core# run show firewall log
Log :
Time      Filter    Action Interface     Protocol        Src Addr                         Dest Addr
08:44:20  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
08:44:19  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
08:44:18  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
08:44:17  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
08:44:16  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
08:44:15  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
08:44:14  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
08:44:13  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
08:44:12  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
08:44:11  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
08:44:10  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
08:44:09  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86



but we cannot get access from outside the network:



Request timeout for icmp_seq 14714
36 bytes from 10.32.35.14: Destination Net Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks  Src  Dst
 4  5  00 5400 938d   0   38  01 d3ad 192.168.2.102  185.9.159.86

Request timeout for icmp_seq 14715
36 bytes from 10.32.35.14: Destination Net Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks  Src  Dst
 4  5  00 5400 28e7   0   38  01 3e54 192.168.2.102  185.9.159.86

Request timeout for icmp_seq 14716
36 bytes from 10.32.35.14: Destination Net Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks  Src  Dst
 4  5  00 5400 ffb1   0   38  01 6789 192.168.2.102  185.9.159.86

Request timeout for icmp_seq 14717
36 bytes from 10.32.35.14: Destination Net Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks  Src  Dst
 4  5  00 5400 99ee   0   38  01 cd4c 192.168.2.102  185.9.159.86

Request timeout for icmp_seq 14718
36 bytes from 10.32.35.14: Destination Net Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks  Src  Dst
 4  5  00 5400 a9d1   0