Hi, I am trying to configure a transparent proxy with an SRX240 and SQUID. The SRX240 is my GW and I want to forward traffic to the SQUID server using PBR, but it's not working. Here's my related config.
LAN testing station [security zone LAN] - 192.168.1.98
SQUID proxy [security zone DMZ] - 192.168.200.22
I've configured a firewall filter and placed it as input on the SRX LAN GW interface:
# run show configuration firewall family inet filter SQUID
term 1 {
    from {
        source-address {
            192.168.1.98/32;
        }
        destination-address {
            0.0.0.0/0;
        }
        protocol tcp;
        destination-port [ 80 443 ];
    }
    then {
        log;
        routing-instance SQUID-VRF;
    }
}
term 2 {
    then accept;
}
# run show configuration interfaces reth5
description LAN;
redundant-ether-options {
    redundancy-group 5;
    minimum-links 1;
}
unit 0 {
    family inet {
        filter {
            input SQUID;
        }
        sampling {
            input;
            output;
        }
        address 192.168.1.1/24;
    }
}
I've configured the VRF and routing-options:
# run show configuration routing-instances
SQUID-VRF {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 192.168.200.22;
        }
    }
}

rib-groups {
    IMPORT-PHY {
        import-rib [ inet.0 SQUID-VRF.inet.0 ];
    }
}
and here's my security policy between the zones:
# run show security policies from-zone LAN to-zone DMZ policy-name allow-web
node0:
--------------------------------------------------------------------------
From zone: LAN, To zone: DMZ
  Policy: allow-web, State: enabled, Index: 100, Scope Policy: 0, Sequence number: 15
    Source addresses: any
    Destination addresses: squid
    Applications: junos-http, junos-https
    Action: permit, log
When I initiate HTTP or HTTPS traffic from my testing station, no traffic arrives at the SQUID server:
[root@squid ~]# tcpdump -ni eno16780032 not port 22 | grep -i 192.168.1.98
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno16780032, link-type EN10MB (Ethernet), capture size 65535 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
[root@squid ~]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 95 packets, 5100 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       192.168.0.0/23       0.0.0.0/0            tcp dpt:443 to:192.168.200.22:3129
    0     0 DNAT       tcp  --  *      *       192.168.0.0/23       0.0.0.0/0            tcp dpt:80 to:192.168.200.22:3128
The firewall filter matches the traffic, but it looks like it's not routed properly:
# run show firewall log interface reth5
Log :
Time      Filter    Action Interface     Protocol  Src Addr          Dest Addr
21:22:59  pfe       A      reth5.0       TCP       192.168.1.98      2.21.74.91
21:22:59  pfe       A      reth5.0       TCP       192.168.1.98      35.167.151.38
21:22:59  pfe       A      reth5.0       TCP       192.168.1.98      172.217.23.206
21:22:59  pfe       A      reth5.0       TCP       192.168.1.98      54.229.224.146
21:22:58  pfe       A      reth5.0       TCP       192.168.1.98      35.167.184.4
21:22:58  pfe       A      reth5.0       TCP       192.168.1.98      2.21.74.91
21:22:58  pfe       A      reth5.0       TCP       192.168.1.98      2.21.74.105
and here's my routing table:
inet.0: 24 destinations, 25 routes (24 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 19w1d 10:40:40
                    > to x.x.x.x via reth1.0
x.x.x.x/29         *[Direct/0] 19w1d 10:40:40
                    > via reth1.0
                    [Direct/0] 19w1d 10:29:15
                    > via reth1.0
x.x.x.x/32         *[Local/0] 19w1d 11:26:02
                      Local via reth1.0
x.x.x.x/32         *[Local/0] 19w1d 10:29:15
                      Local via reth1.0
192.168.1.0/24     *[Direct/0] 19w1d 10:23:37
                    > via reth5.0
192.168.1.1/32     *[Local/0] 35w3d 23:02:46
192.168.200.0/24   *[Direct/0] 19w1d 10:24:53
                    > via reth6.0
192.168.200.1/32   *[Local/0] 35w3d 23:02:46

SQUID-VRF.inet.0: 18 destinations, 19 routes (18 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:29:07
                    > to 192.168.200.22 via reth6.0
x.x.x.x/29         *[Direct/0] 00:29:07
                    > via reth1.0
                    [Direct/0] 00:29:07
                    > via reth1.0
x.x.x.x/32         *[Local/0] 00:29:07
                      Local via reth1.0
x.x.x.x/32         *[Local/0] 00:29:07
                      Local via reth1.0
192.168.1.0/24     *[Direct/0] 00:29:07
                    > via reth5.0
192.168.1.1/32     *[Local/0] 00:29:07
                      Local via reth5.0
192.168.200.1/32   *[Local/0] 00:29:07
Thank you for your advice. If you need more details, please let me know.
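Added example, not from the original post or from Juniper: a small Python check that parses `show route` output in the layout above and reports, for one routing table, whether the default route points at the proxy, which interface it egresses on, and whether a Direct route covering the proxy's address is present in that same table (the thing the rib-group import of interface routes is meant to provide). The sample text is constructed from the two tables in the post (redacted x.x.x.x rows dropped, and the post's listing is itself incomplete); `parse_tables` and `check_fbf` are names chosen here.

```python
import ipaddress
import re

# Constructed sample re-typed from the post's two tables (redacted x.x.x.x rows dropped).
SAMPLE = """inet.0: 24 destinations, 25 routes (24 active, 0 holddown, 0 hidden)
192.168.1.0/24     *[Direct/0] 19w1d 10:23:37
                    > via reth5.0
192.168.200.0/24   *[Direct/0] 19w1d 10:24:53
                    > via reth6.0

SQUID-VRF.inet.0: 18 destinations, 19 routes (18 active, 0 holddown, 0 hidden)
0.0.0.0/0          *[Static/5] 00:29:07
                    > to 192.168.200.22 via reth6.0
192.168.1.0/24     *[Direct/0] 00:29:07
                    > via reth5.0
192.168.1.1/32     *[Local/0] 00:29:07
                      Local via reth5.0
192.168.200.1/32   *[Local/0] 00:29:07
"""

TABLE_RE = re.compile(r"^(\S+):\s+\d+ destinations", re.M)
ROUTE_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+/\d+)\s+\*\[(\w+)/\d+\]", re.M)
NH_RE = re.compile(r"^\s+(?:>\s+)?(?:to\s+(\S+)\s+)?(?:Local\s+)?via\s+(\S+)", re.M)


def parse_tables(text):
    """{table: {prefix: {"proto", "nexthop", "via"}}} from 'show route' text."""
    tables = {}
    chunks = TABLE_RE.split(text)  # ['', name1, body1, name2, body2, ...]
    for name, body in zip(chunks[1::2], chunks[2::2]):
        routes, hits = {}, list(ROUTE_RE.finditer(body))
        for m, nxt in zip(hits, hits[1:] + [None]):
            # look for the next-hop line only between this prefix and the next one
            nh = NH_RE.search(body[m.end():nxt.start() if nxt else len(body)])
            routes[m.group(1)] = {"proto": m.group(2),
                                  "nexthop": nh.group(1) if nh else None,
                                  "via": nh.group(2) if nh else None}
        tables[name] = routes
    return tables


def check_fbf(text, instance, proxy_ip):
    """Default route to the proxy? Direct route covering the proxy in this table?"""
    routes = parse_tables(text).get(instance, {})
    default = routes.get("0.0.0.0/0", {})
    ip = ipaddress.ip_address(proxy_ip)
    covering = [p for p, r in routes.items() if r["proto"] == "Direct"
                and ip in ipaddress.ip_network(p, strict=False)]
    return {"default_to_proxy": default.get("nexthop") == proxy_ip,
            "egress": default.get("via"),
            "connected_route": covering[0] if covering else None}
```

Run it against the full `show route` output rather than the excerpt, since a route absent from a trimmed paste says nothing about the live table.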