Clik here to view.
I already puslished a blog post concerning policy-based routing on a Juniper firewall within the same virtual router (VR). For some reasons, I was not able to configure PBR correctly when using multiple VRs. Now it works. Image may be NSFW.
Clik here to view.
So, here are the required steps:
(This document from Juniper explains it all. I just made a few screenshots.)
My lab looks like that:
Image may be NSFW.
Clik here to view.
The steps are quite similar to the PBR guide without multiple VRs. However, the “action group” must be set WITHOUT a “next-interface”. This CANNOT be done through the WebGUI, because it ALWAYS sets the “next-interface”, even if the checkmark is not checked! You MUST use the CLI such as this:
set vrouter trust-vr action-group name Action-Surf-DSL set vrouter trust-vr action-group Action-Surf-DSL next-hop 10.49.254.1 action-entry 1
After this, the WebGUI correctly shows this entry without the next-interface. There is a “Note” on the Juniper page that exactly describes this for early ScreenOS 5.3/5.4 versions. However, in my current 6.3.0.r19 version, this is still the case. Furthermore, instead of the self-referenced host route I am using a default route (0.0.0.0/0) to the next-hop value, since it actually is my default router. With this default route, the PBR on the trust-vr works even without this so called self-referenced host route inside the untrust-vr. (Of course, there might be scenarios in which the next-hop value is not the default router. In these situations, you must configure this self-referenced host route.)
Here we go. Refer to the descriptions under the screenshots for more details:
Image may be NSFW.Clik here to view.
Image may be NSFW.Clik here to view.
Image may be NSFW.Clik here to view.
Image may be NSFW.Clik here to view.
Image may be NSFW.Clik here to view.
Image may be NSFW.Clik here to view.
Image may be NSFW.Clik here to view.
Image may be NSFW.Clik here to view.
Image may be NSFW.Clik here to view.
The complete CLI commands (without policies/NAT) are the following:
set vrouter "untrust-vr" set route 0.0.0.0/0 interface ethernet0/3 gateway 10.49.254.1 permanent exit set vrouter "trust-vr" set access-list extended 1 src-ip 192.168.110.0/24 dst-ip 0.0.0.0/0 dst-port 80-80 protocol tcp entry 1 set access-list extended 1 src-ip 192.168.110.0/24 dst-ip 0.0.0.0/0 dst-port 443-443 protocol tcp entry 2 set access-list extended 1 src-ip 192.168.110.0/24 dst-port 30001-30005 protocol tcp entry 3 set access-list extended 1 src-ip 192.168.110.0/24 dst-port 33002-33002 protocol tcp entry 4 set match-group name Match-Surf-DSL set match-group Match-Surf-DSL ext-acl 1 match-entry 1 set action-group name Action-Surf-DSL set action-group Action-Surf-DSL next-hop 10.49.254.1 action-entry 1 set pbr policy name Policy-Surf-DSL set pbr policy Policy-Surf-DSL match-group Match-Surf-DSL action-group Action-Surf-DSL 1 exit set interface ethernet0/5.10 pbr Policy-Surf-DSL
FIN.