Juniper SRX300 Dual Wan Failover Config

As I had a tough time finding any helpful working config online and had to piece one together from many sources, I'm posting the result here in case it helps someone in need.
This works on an SRX300 running Junos 15.x (the config below is from 15.1X49-D45).
Connection Overview
Two ISPs connected to the Juniper: ge-0/0/0 is ISP1 and ge-0/0/1 is ISP2.
A single LAN on ge-0/0/5 (LAN1).
In this config, RPM probes check for ping responses through both WAN interfaces, and ip-monitoring switches the default route in the routing tables based on the probe results.

Since I started from scratch by deleting the entire config, a few basic bits such as logging are not in it; you can easily enable them from the web interface or add them to the config.
You can download the config as a text file here: SRX 300 Dual Wan Failover Setup Config


## Last changed: 2016-09-01 17:55:19 UTC
version 15.1X49-D45;
system {
    root-authentication {
        encrypted-password "$5$7Fr4yWai$ZsEpHHbyYA7Tqxf7aro8D7UoCxGLIMrtNDfmkysTiI.";
    }
    name-server {
        8.8.4.4;
        8.8.8.8;
    }
    services {
        web-management {
            http {
                interface [ ge-0/0/0.0 ge-0/0/1.0 ge-0/0/5.0 ];
            }
        }
        dhcp {
            pool 192.168.1.0/24 {
                address-range low 192.168.1.10 high 192.168.1.250;
                router {
                    192.168.1.254;
                }
            }
        }
    }
}
services {
    rpm {
        probe probe-isp1 {
            test test-isp1 {
                probe-type icmp-ping;
                target address 8.8.8.8;
                probe-count 3;
                probe-interval 15;
                test-interval 10;
                thresholds {
                    successive-loss 3;
                    total-loss 3;
                }
                destination-interface ge-0/0/0.0;
                next-hop 10.0.5.1;
            }
        }
        probe probe-isp2 {
            test test-isp2 {
                probe-type icmp-ping;
                target address 8.8.8.8;
                probe-count 3;
                probe-interval 15;
                test-interval 10;
                thresholds {
                    successive-loss 3;
                    total-loss 5;
                }
                destination-interface ge-0/0/1.0;
                next-hop 172.16.13.1;
            }
        }
    }
    ip-monitoring {
        policy track-isp1 {
            match {
                rpm-probe probe-isp1;
            }
            then {
                preferred-route {
                    routing-instances ISP1 {
                        route 0.0.0.0/0 {
                            next-hop 172.16.13.1;
                        }
                    }
                }
            }
        }
        policy track-isp2 {
            match {
                rpm-probe probe-isp2;
            }
            then {
                preferred-route {
                    routing-instances ISP2 {
                        route 0.0.0.0/0 {
                            next-hop 10.0.5.1;
                        }
                    }
                }
            }
        }
    }
}
security {
    nat {
        source {
            rule-set rs1 {
                from zone LAN;
                to zone Internet1;
                rule r1 {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set rs2 {
                from zone LAN;
                to zone Internet2;
                rule r2 {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone LAN to-zone Internet1 {
            policy All_LAN_Internet1 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone LAN to-zone Internet2 {
            policy All_LAN_Internet2 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone LAN {
            host-inbound-traffic {
                system-services {
                    dhcp;
                    http;
                    https;
                    ping;
                    ssh;
                }
            }
            interfaces {
                ge-0/0/5.0;
                ge-0/0/4.0;
                ge-0/0/3.0;
            }
        }
        security-zone Internet1 {
            host-inbound-traffic {
                system-services {
                    ping;
                    https;
                    ssh;
                    http;
                    dhcp;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone Internet2 {
            host-inbound-traffic {
                system-services {
                    dhcp;
                    http;
                    https;
                    ping;
                    ssh;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        description ISP1;
        unit 0 {
            family inet {
                address 10.0.5.10/24;
            }
        }
    }
    ge-0/0/1 {
        description ISP2;
        unit 0 {
            family inet {
                address 172.16.13.230/24;
            }
        }
    }
    ge-0/0/3 {
        description LAN3;
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
    ge-0/0/4 {
        description LAN2;
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
    ge-0/0/5 {
        description LAN1;
        unit 0 {
            family inet {
                address 192.168.1.254/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-table ISP1.inet.0;
    }
    rib-groups {
        ISP1-to-ISP2 {
            import-rib [ ISP1.inet.0 ISP2.inet.0 ];
        }
        ISP2-to-ISP1 {
            import-rib [ ISP2.inet.0 ISP1.inet.0 ];
        }
    }
}
routing-instances {
    ISP1 {
        instance-type virtual-router;
        interface ge-0/0/0.0;
        routing-options {
            interface-routes {
                rib-group inet ISP1-to-ISP2;
            }
            static {
                route 0.0.0.0/0 next-hop 10.0.5.1;
            }
        }
    }
    ISP2 {
        instance-type virtual-router;
        interface ge-0/0/1.0;
        routing-options {
            interface-routes {
                rib-group inet ISP2-to-ISP1;
            }
            static {
                route 0.0.0.0/0 next-hop 172.16.13.1;
            }
        }
    }
}
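One thing worth tightening before putting this config on a live link is the management exposure: both Internet zones accept http, https, ssh and dhcp from the ISP side, and the plain-HTTP web interface listens on ge-0/0/0.0 and ge-0/0/1.0 as well as on the LAN. The set-format snippet below is an added example, not part of the original config, that closes this down while leaving the failover pieces (RPM, ip-monitoring, NAT, policies) untouched. It assumes the WAN addresses stay static as above, so the Internet zones need no DHCP, and that management is only done from the LAN on ge-0/0/5.0.

```junos
## Added hardening, not part of the original config. Assumes static WAN
## addresses (no DHCP needed from the ISPs) and LAN-only management.

## As configured above, both ISP-facing zones accept management traffic
## from the internet and plain-HTTP web management listens on the WAN ports:
##   security zones security-zone Internet1 host-inbound-traffic system-services [ ping https ssh http dhcp ]
##   security zones security-zone Internet2 host-inbound-traffic system-services [ dhcp http https ping ssh ]
##   system services web-management http interface [ ge-0/0/0.0 ge-0/0/1.0 ge-0/0/5.0 ]

## Hardened: strip every host-inbound service from the Internet zones except
## ping (kept for troubleshooting), and serve the web UI over HTTPS on the LAN only.
delete security zones security-zone Internet1 host-inbound-traffic
delete security zones security-zone Internet2 host-inbound-traffic
set security zones security-zone Internet1 host-inbound-traffic system-services ping
set security zones security-zone Internet2 host-inbound-traffic system-services ping
delete system services web-management http
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/5.0

## The LAN zone keeps its management services, so nothing changes for the
## failover. Review the diff and validate before committing:
show security zones | compare
show system services web-management | compare
commit check
```

After this, the only thing the ISPs can reach on the box is ICMP echo; everything else from the Internet zones is dropped by the host-inbound default, and the LAN-to-Internet policies and interface NAT keep working as before.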
2 thoughts on “Juniper SRX300 Dual Wan Failover Config”

  1. Interesting. I just purchased two SRX300s to both help me study for my JNCIS & to be part of a personal lab. I am still fairly new to networking & I've never configured a router like this to route out to the internet.

    I'm really happy I came across this; it gives me a starting point for setting up NAT routing. Though if I can get your advice, would it be a good idea to have my SRX devices routed out to the internet? I'm getting a strong impression that that might actually be a horrible idea in the long run.
