Juniper MX. How to send client traffic to a NAT server

Suppose there is no default route on a Juniper MX, the existing one is not suitable, or client traffic needs to be sent to different NAT servers. In this article I will describe how to do this by steering selected traffic into a separate routing instance with firewall filters.

First, we create a separate logical interface in its own VLAN facing the NAT server and assign an IP address to it and to the NAT server. Once the virtual-router routing instance is created below, this interface is used only to communicate with the NAT server. For example:

interfaces ae0 unit 501 vlan-id 501 family inet address 10.0.55.3/24

Since I need to send traffic from several static IP addresses in the management network, as well as traffic from client networks, I created two filters, specifying “interface-specific” up front so that the same filter can be applied to several interfaces:

edit firewall family inet filter MANAGEMENT-TO-NAT
set interface-specific
set term LOCAL from source-prefix-list my-prefixes
set term LOCAL from source-prefix-list RFC1918
set term LOCAL from destination-prefix-list my-prefixes
set term LOCAL from destination-prefix-list RFC1918
set term LOCAL then accept
set term NAT from source-prefix-list MANAGEMENT-IP-TO-NAT
set term NAT then routing-instance NAT-RI
set term DEFAULT then accept

Second filter for clients:

edit firewall family inet filter GREY-TO-NAT
set interface-specific
set term LOCAL from source-prefix-list my-prefixes
set term LOCAL from source-prefix-list RFC1918
set term LOCAL from destination-prefix-list my-prefixes
set term LOCAL from destination-prefix-list RFC1918
set term LOCAL then accept
set term NAT from source-prefix-list NAT-PL
set term NAT then routing-instance NAT-RI
set term DEFAULT then accept

I made a common routing instance (10.0.55.1, the NAT server, is its default gateway; 172.16.0.0/12 and 10.0.0.0/21 are the internal networks whose traffic is sent to NAT, and inside the instance they are pointed back at inet.0 so that traffic towards them is still looked up in the main table):

set routing-instances NAT-RI instance-type virtual-router
set routing-instances NAT-RI interface ae0.501
set routing-instances NAT-RI routing-options static route 0.0.0.0/0 next-hop 10.0.55.1
set routing-instances NAT-RI routing-options static route 172.16.0.0/12 next-table inet.0
set routing-instances NAT-RI routing-options static route 10.0.0.0/21 next-table inet.0

Let’s create the necessary prefix lists:

edit policy-options
set prefix-list MANAGEMENT-IP-TO-NAT 10.0.4.2/32
set prefix-list MANAGEMENT-IP-TO-NAT 10.0.0.22/32
set prefix-list NAT-PL 172.16.0.0/12
set prefix-list my-prefixes x.x.x.0/23
set prefix-list RFC1918 10.0.0.0/21
set prefix-list RFC1918 10.0.55.0/24
set prefix-list RFC1918 172.16.0.0/12

For reference, the full RFC1918 ranges are the following (in the list above I narrowed them to the subnets actually used on the network):

set prefix-list RFC1918 10.0.0.0/8
set prefix-list RFC1918 172.16.0.0/12
set prefix-list RFC1918 192.168.0.0/16
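Because the LOCAL term sits before the NAT term, traffic between internal networks is accepted in inet.0 and never hairpinned through the NAT server, while only sources from MANAGEMENT-IP-TO-NAT or NAT-PL with an external destination are moved to NAT-RI. The following Python script is an added example (not Junos code and not from the original article): it parses the prefix lists and both filters above as `set` statements and re-implements Junos `family inet` filter semantics as I understand them (terms evaluated in configuration order, first match wins, several prefix lists under one match kind are ORed, source and destination conditions are ANDed, implicit discard after the last term), so the table a given flow lands in can be checked offline before committing. The public range x.x.x.0/23 is replaced by the documentation prefix 203.0.113.0/24 as a placeholder.

```python
"""Offline model of the filter-based-forwarding decision for this article's
filters.  Added example, not Junos code: re-implements first-match term
evaluation so the routing table a flow is looked up in can be checked."""
import ipaddress
from collections import defaultdict

# Constructed sample: the prefix lists and both filters from the article as
# 'set' statements.  x.x.x.0/23 is replaced by the documentation prefix
# 203.0.113.0/24 as a placeholder for the public ("white") range.
SET_CONFIG = """
set policy-options prefix-list MANAGEMENT-IP-TO-NAT 10.0.4.2/32
set policy-options prefix-list MANAGEMENT-IP-TO-NAT 10.0.0.22/32
set policy-options prefix-list NAT-PL 172.16.0.0/12
set policy-options prefix-list my-prefixes 203.0.113.0/24
set policy-options prefix-list RFC1918 10.0.0.0/21
set policy-options prefix-list RFC1918 10.0.55.0/24
set policy-options prefix-list RFC1918 172.16.0.0/12
set firewall family inet filter MANAGEMENT-TO-NAT term LOCAL from source-prefix-list my-prefixes
set firewall family inet filter MANAGEMENT-TO-NAT term LOCAL from source-prefix-list RFC1918
set firewall family inet filter MANAGEMENT-TO-NAT term LOCAL from destination-prefix-list my-prefixes
set firewall family inet filter MANAGEMENT-TO-NAT term LOCAL from destination-prefix-list RFC1918
set firewall family inet filter MANAGEMENT-TO-NAT term LOCAL then accept
set firewall family inet filter MANAGEMENT-TO-NAT term NAT from source-prefix-list MANAGEMENT-IP-TO-NAT
set firewall family inet filter MANAGEMENT-TO-NAT term NAT then routing-instance NAT-RI
set firewall family inet filter MANAGEMENT-TO-NAT term DEFAULT then accept
set firewall family inet filter GREY-TO-NAT term LOCAL from source-prefix-list my-prefixes
set firewall family inet filter GREY-TO-NAT term LOCAL from source-prefix-list RFC1918
set firewall family inet filter GREY-TO-NAT term LOCAL from destination-prefix-list my-prefixes
set firewall family inet filter GREY-TO-NAT term LOCAL from destination-prefix-list RFC1918
set firewall family inet filter GREY-TO-NAT term LOCAL then accept
set firewall family inet filter GREY-TO-NAT term NAT from source-prefix-list NAT-PL
set firewall family inet filter GREY-TO-NAT term NAT then routing-instance NAT-RI
set firewall family inet filter GREY-TO-NAT term DEFAULT then accept
"""


def parse_set_config(text):
    """Return (prefix_lists, filters); filters[name] maps term -> body and
    dict insertion order preserves the term order of the configuration."""
    prefix_lists = defaultdict(list)
    filters = defaultdict(dict)
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:3] == ["set", "policy-options", "prefix-list"]:
            prefix_lists[tok[3]].append(ipaddress.ip_network(tok[4]))
        elif tok[:5] == ["set", "firewall", "family", "inet", "filter"]:
            name, term = tok[5], tok[7]  # tok[6] is the keyword 'term'
            body = filters[name].setdefault(term, {"from": defaultdict(list), "then": None})
            if tok[8] == "from":
                body["from"][tok[9]].append(tok[10])  # match kind -> prefix-list names
            elif tok[8] == "then":
                body["then"] = tuple(tok[9:])
    return prefix_lists, filters


def _in_any(addr, list_names, prefix_lists):
    """True if addr falls in any prefix of any named list (lists are ORed)."""
    return any(addr in net for name in list_names for net in prefix_lists[name])


def evaluate(filter_name, src, dst, prefix_lists, filters):
    """Return (term, action) of the first term matching the src/dst pair."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for term, body in filters[filter_name].items():
        conds = body["from"]
        matched = True  # a term without 'from' matches everything
        if "source-prefix-list" in conds:
            matched = matched and _in_any(src, conds["source-prefix-list"], prefix_lists)
        if "destination-prefix-list" in conds:
            matched = matched and _in_any(dst, conds["destination-prefix-list"], prefix_lists)
        if matched:
            return term, body["then"]
    return None, ("discard",)  # implicit discard at the end of a Junos filter


def lookup_table(filter_name, src, dst, config=SET_CONFIG):
    """Name the routing table the flow is looked up in after the input filter."""
    prefix_lists, filters = parse_set_config(config)
    _, action = evaluate(filter_name, src, dst, prefix_lists, filters)
    if action[0] == "routing-instance":
        return action[1] + ".inet.0"
    if action[0] == "accept":
        return "inet.0"
    return "discard"


if __name__ == "__main__":
    flows = [  # constructed sample flows; 198.51.100.7 stands for an Internet host
        ("MANAGEMENT-TO-NAT", "10.0.4.2", "198.51.100.7"),
        ("MANAGEMENT-TO-NAT", "10.0.4.2", "10.0.55.1"),
        ("MANAGEMENT-TO-NAT", "10.0.4.9", "198.51.100.7"),
        ("GREY-TO-NAT", "172.16.5.5", "198.51.100.7"),
        ("GREY-TO-NAT", "172.16.5.5", "10.0.4.1"),
        ("GREY-TO-NAT", "192.168.1.1", "198.51.100.7"),
    ]
    for flt, s, d in flows:
        print(f"{flt:18} {s:>12} -> {d:<14} {lookup_table(flt, s, d)}")
```

Running it shows that only a listed management host or a 172.16.0.0/12 client talking to an external address ends up in NAT-RI.inet.0; the same hosts talking to internal or management addresses stay in inet.0, and a 192.168.1.1 source, which is in neither the trimmed RFC1918 list nor NAT-PL, falls through to DEFAULT. Swapping the LOCAL and NAT terms in SET_CONFIG and re-running is a quick way to see why the order matters.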

Assuming ae0.211 looks like this:

edit interfaces ae0
set unit 211 vlan-id 211
set unit 211 family inet address 10.0.4.1/24

Now, to send traffic from the static IP addresses in the management VLAN to the NAT-RI routing instance (the NAT-RI.inet.0 table), apply the filter as an input filter on the management interfaces:

set interfaces ae0 unit 211 family inet filter input-list MANAGEMENT-TO-NAT
set interfaces ae0 unit 212 family inet filter input-list MANAGEMENT-TO-NAT

To do the same for the client network, apply the filter in the dynamic DHCP profile (the higher the precedence value, the lower the filter's priority):

edit dynamic-profiles DHCP-IP-Demux interfaces demux0 unit "$junos-interface-unit" family inet
set filter input GREY-TO-NAT precedence 150
set filter output GREY-TO-NAT-OUT precedence 150

The GREY-TO-NAT-OUT filter can be omitted, or created empty so that it can be filled in later without re-authorizing subscribers; for example, it could later be used for traffic mirroring.

Since subscribers are already bound to the existing dynamic DHCP profile, the MX will not let you change it while it is in use, so we create a second dynamic DHCP profile and apply the filter there:

show DHCP-IP-Demux2 | display set
set dynamic-profiles DHCP-IP-Demux2 interfaces demux0 unit "$junos-interface-unit" no-traps
set dynamic-profiles DHCP-IP-Demux2 interfaces demux0 unit "$junos-interface-unit" proxy-arp restricted
set dynamic-profiles DHCP-IP-Demux2 interfaces demux0 unit "$junos-interface-unit" demux-options underlying-interface "$junos-underlying-interface"
set dynamic-profiles DHCP-IP-Demux2 interfaces demux0 unit "$junos-interface-unit" family inet mac-validate strict
set dynamic-profiles DHCP-IP-Demux2 interfaces demux0 unit "$junos-interface-unit" family inet rpf-check fail-filter RPF-ALLOW-DHCP
set dynamic-profiles DHCP-IP-Demux2 interfaces demux0 unit "$junos-interface-unit" family inet demux-source $junos-subscriber-ip-address
set dynamic-profiles DHCP-IP-Demux2 interfaces demux0 unit "$junos-interface-unit" family inet filter input GREY-TO-NAT
set dynamic-profiles DHCP-IP-Demux2 interfaces demux0 unit "$junos-interface-unit" family inet filter input precedence 150
set dynamic-profiles DHCP-IP-Demux2 interfaces demux0 unit "$junos-interface-unit" family inet unnumbered-address lo0.0
set dynamic-profiles DHCP-IP-Demux2 interfaces demux0 unit "$junos-interface-unit" family inet unnumbered-address preferred-source-address 10.10.0.3

Then switch the DHCP local server to the new profile:

edit system services dhcp-local-server group all
set dynamic-profile DHCP-IP-Demux2

Now all clients have to be re-authorized for the new dynamic DHCP profile to take effect:

clear dhcp server binding all

Alternatively, enable dynamic-profile versioning: new client authorizations get the new profile, while existing clients keep working with the old profile until they re-authorize, which can take months:

set system dynamic-profile-options versioning

Another option is to apply the filter to all traffic on the device via forwarding-options (in that case interface-specific can be removed from the filter and clients need not be re-authorized), but I prefer the DHCP profile approach so as not to maintain one large general filter:

set forwarding-options family inet filter input IXNFO.COM

Let's add a static route in the main table for the public (“white”) network that is used for NAT:

set routing-options static route x.x.x.128/25 next-hop x.x.x.11

Let’s look at the routes in the NAT-RI.inet.0 table:

run show route table NAT-RI.inet.0

Naturally, the NAT server must have return routes to the internal networks via the MX; on the NAT server I also added a blackhole route for the white NAT network:

route add -net 10.0.0.0/21 gw 10.0.55.3
route add -net 172.16.0.0/12 gw 10.0.55.3
ip route add blackhole x.x.x.128/25
