# Junos release string recorded in this listing.
version 12.1X46-D40.2;
# Per-node configuration groups for a two-node chassis cluster. Each group sets
# only that node's host-name and the IPv4 address on fxp0 unit 0.
groups {
node0 {
system {
host-name SRX_node0;
}
interfaces {
# NOTE(review): no firewall filter is attached to fxp0 anywhere in this listing.
# The management services enabled under `system services` are presumably
# reachable on this address; confirm and restrict the management network.
fxp0 {
unit 0 {
family inet {
address 192.168.3.221/24;
}
}
}
}
}
node1 {
system {
host-name SRX_node1;
}
interfaces {
fxp0 {
unit 0 {
family inet {
address 192.168.3.222/24;
}
}
}
}
}
}
# "${node}" resolves to the local node's name, so each node inherits only its
# own group (node0 or node1) from the block above.
apply-groups "${node}";
# System-level settings: time zone, authentication, DNS, management services,
# local syslog files, configuration rollback depth and licence auto-update.
# NOTE(review): this stanza has no `ntp` statement and no remote `syslog host`,
# so as listed the logs exist only on the device and their timestamps depend on
# the local clock.
system {
time-zone GMT-5;
# Empty in this listing. Presumably the password hash was stripped before
# publication; confirm the running device has root authentication set.
root-authentication {
}
# Public resolvers.
name-server {
8.8.8.8;
8.8.4.4;
}
# Empty in this listing; the user accounts were presumably stripped as well.
login {
}
# Management-plane services. Which interfaces can reach them is decided by each
# zone's host-inbound-traffic settings.
services {
# NOTE(review): plain `ssh;` applies no hardening options here (for example
# `root-login deny`, connection or rate limits); consider adding them.
ssh;
# NOTE(review): telnet carries credentials and the session in cleartext. With
# ssh already enabled it should be removed unless something depends on it.
telnet;
# NOTE(review): xnm-clear-text is the Junos XML management service without
# encryption; prefer xnm-ssl or NETCONF over SSH if the API is needed at all.
xnm-clear-text;
web-management {
# NOTE(review): J-Web over plain HTTP on reth1.1 exposes the login in cleartext
# on the LAN; keep only the https listener.
http {
interface reth1.1;
}
# The system-generated certificate is self-signed, so clients cannot
# authenticate the device unless the certificate is pinned or replaced.
https {
system-generated-certificate;
interface reth1.1;
}
}
}
syslog {
# Rotation for the local files: 1 MB each, ten generations kept.
archive size 1m files 10;
# Emergency-level messages are written to every logged-in user's terminal.
user * {
any emergency;
}
file messages {
any error;
authorization info;
}
# NOTE(review): at severity `error` this file will presumably not record
# ordinary CLI commands; `interactive-commands any` is the usual setting when
# the file is meant to be a command audit trail.
file interactive-commands {
interactive-commands error;
}
# Screen (IDS option) hits, selected by message tag.
file screen {
any any;
match RT_SCREEN;
}
# Session create/close records, selected by message tag.
# NOTE(review): none of the security policies in this listing carries a `log`
# action, so this file may stay empty; confirm.
file traffic-log {
any any;
match RT_FLOW_SESSION;
}
}
# Keep 49 rollback configurations, all of them on flash.
max-configurations-on-flash 49;
max-configuration-rollbacks 49;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
# Chassis-cluster (HA) settings: trace logging, the number of redundant Ethernet
# interfaces and three redundancy groups.
chassis {
cluster {
# Traces every cluster event into files named "cluster" (200 KB each, five kept).
# NOTE(review): `flag all` is a debugging level; consider narrowing it once the
# cluster is stable.
traceoptions {
file cluster size 200k files 5;
flag all;
}
reth-count 2;
# Redundancy group 1 is the one reth0 is bound to in the interfaces stanza.
# node 0 is preferred (254 against 1). Each monitored link has weight 255, so
# the loss of a single monitored link is enough to fail the group over.
redundancy-group 1 {
node 0 priority 254;
node 1 priority 1;
interface-monitor {
ge-0/0/0 weight 255;
ge-3/0/0 weight 255;
}
}
# Redundancy group 2 is the one reth1 is bound to; same priorities and weights.
redundancy-group 2 {
node 0 priority 254;
node 1 priority 1;
interface-monitor {
ge-0/0/1 weight 255;
ge-3/0/1 weight 255;
}
}
# Redundancy group 0 governs which node's Routing Engine is primary.
redundancy-group 0 {
node 0 priority 254;
node 1 priority 1;
}
}
}
# Physical members, cluster fabric links, loopback and the two redundant
# Ethernet interfaces (reth0 faces the ISPs, reth1 faces the internal VLANs).
interfaces {
# One port from each node is bound to each reth.
ge-0/0/0 {
gigether-options {
redundant-parent reth0;
}
}
ge-0/0/1 {
gigether-options {
redundant-parent reth1;
}
}
ge-3/0/0 {
gigether-options {
redundant-parent reth0;
}
}
ge-3/0/1 {
gigether-options {
redundant-parent reth1;
}
}
# Fabric links between the cluster nodes.
fab0 {
fabric-options {
member-interfaces {
ge-0/0/5;
}
}
}
fab1 {
fabric-options {
member-interfaces {
ge-3/0/5;
}
}
}
# Loopback unit that the zones stanza places in LAN1 (as lo0.1).
lo0 {
unit 1 {
description LOOPBACK-FOR-SSH;
family inet {
address 192.168.11.1/32;
}
}
}
# ISP-facing reth: two tagged units, each with the stateless filter INPUT
# applied to inbound traffic.
reth0 {
vlan-tagging;
redundant-ether-options {
redundancy-group 1;
}
unit 111 {
vlan-id 111;
family inet {
filter {
input INPUT;
}
address 1.1.1.40/24 {
primary;
preferred;
}
address 1.1.1.41/24;
}
}
unit 222 {
vlan-id 222;
family inet {
filter {
input INPUT;
}
address 2.2.2.2/30;
}
}
}
# Internal reth: no input filter on either unit, so access to the device from
# these VLANs is governed only by the zone settings.
reth1 {
vlan-tagging;
redundant-ether-options {
redundancy-group 2;
}
unit 1 {
description Common-LAN;
vlan-id 1;
family inet {
address 10.0.0.1/23;
}
}
unit 999 {
description test_net;
vlan-id 999;
family inet {
address 192.168.50.1/24;
}
}
}
# Switching-fabric links between the nodes.
swfab0 {
fabric-options {
member-interfaces {
ge-0/0/4;
}
}
}
swfab1 {
fabric-options {
member-interfaces {
ge-3/0/4;
}
}
}
}
# Main-instance routing: interface routes are shared through rib-group "inside",
# and the default route is resolved in the ISP1 routing instance.
routing-options {
interface-routes {
rib-group inet inside;
}
static {
# Hands every non-local destination to the ISP1 instance's table.
route 0.0.0.0/0 next-table ISP1.inet.0;
}
rib-groups {
inside {
# Interface routes are imported into inet.0 and into both ISP tables, so each
# table holds the connected routes shared through this group.
import-rib [ inet.0 ISP2.inet.0 ISP1.inet.0 ];
}
}
}
# Stateful firewall settings: screens, source and destination NAT, inter-zone
# policies and the zone definitions.
security {
# NOTE(review): address-book is opened here, but only `global` is closed below.
# The listing is short by one `}`, so this stanza is unbalanced as printed.
address-book {
global {
}
screen {
# Screen profile applied to the two WAN zones only.
ids-option SCREEN {
# NOTE(review): `inactive:` statements are ignored at commit. The icmp, udp and
# limit-session screens below are therefore NOT enforced; only the ip and tcp
# sections are in effect.
inactive: icmp {
ip-sweep threshold 1000000;
fragment;
large;
flood threshold 20;
ping-death;
}
ip {
bad-option;
record-route-option;
timestamp-option;
security-option;
stream-option;
source-route-option;
unknown-protocol;
tear-drop;
}
tcp {
syn-fin;
fin-no-ack;
tcp-no-flag;
syn-frag;
syn-ack-ack-proxy;
# NOTE(review): all four thresholds are set to 30. That looks low for an
# internet-facing zone and may trip on legitimate bursts; confirm against
# measured baseline traffic.
syn-flood {
alarm-threshold 30;
attack-threshold 30;
source-threshold 30;
destination-threshold 30;
timeout 10;
}
land;
winnuke;
tcp-sweep threshold 1000000;
}
inactive: udp {
flood threshold 2000;
udp-sweep threshold 1000000;
}
inactive: limit-session {
source-ip-based 100;
destination-ip-based 100;
}
}
}
nat {
source {
# One single-address pool for each public address in use.
pool ISP1-41 {
address {
1.1.1.41/32;
}
}
pool ISP2 {
address {
2.2.2.2/32;
}
}
pool ISP1-40 {
address {
1.1.1.40/32;
}
}
# Rules are evaluated in order. The three listed hosts are translated to .41
# before the broader 10.0.0.0/23 rule (which also contains them) sends the rest
# out as .40.
rule-set SOURCE-NAT-ISP1 {
from routing-instance default;
to routing-instance ISP1;
rule SOURCE-NAT-ISP1-41 {
match {
source-address [ 10.0.1.22/32 10.0.1.46/32 10.0.1.3/32 ];
}
then {
source-nat {
pool {
ISP1-41;
}
}
}
}
rule SOURCE-NAT-ISP1-40 {
match {
source-address 10.0.0.0/23;
}
then {
source-nat {
pool {
ISP1-40;
}
}
}
}
}
rule-set SOURCE-NAT-ISP2 {
from routing-instance default;
to routing-instance ISP2;
rule SOURCE-NAT-ISP2 {
match {
source-address 10.0.0.0/23;
}
then {
source-nat {
pool {
ISP2;
}
}
}
}
}
}
# Destination-NAT rule-sets are declared for each WAN zone but contain no rules
# in this listing.
destination {
rule-set DSTNAT-ISP1 {
from zone WAN-ISP1;
}
rule-set DSTNAT-ISP2 {
from zone WAN-ISP2;
}
}
}
policies {
# The six contexts below are empty, so traffic in those directions is handled
# by the default policy, which is not shown here (presumably deny; confirm).
from-zone WAN-ISP1 to-zone LAN1 {
}
from-zone WAN-ISP2 to-zone LAN1 {
}
from-zone LAN1 to-zone LAN999 {
}
from-zone LAN999 to-zone LAN1 {
}
from-zone WAN-ISP1 to-zone LAN999 {
}
from-zone WAN-ISP2 to-zone LAN999 {
}
# NOTE(review): any/any/any permit with no `log` action. Outbound traffic from
# LAN1 is unrestricted and leaves no session record; consider adding
# `log session-close` at least, and narrowing the applications.
from-zone LAN1 to-zone WAN-ISP1 {
policy PERMITALL {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone LAN1 to-zone WAN-ISP2 {
policy PERMITALL {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
# Intra-zone permit. LAN1 contains reth1.1 and lo0.1.
from-zone LAN1 to-zone LAN1 {
policy PERMITALL {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
# WAN zones: the screen profile is applied, and only ping and ssh are accepted
# for the device itself. The stateless filter INPUT on these units discards SSH
# to the three public addresses, so `ssh` here has no effect for those
# addresses; confirm which behaviour is intended and drop the unused half.
security-zone WAN-ISP1 {
screen SCREEN;
host-inbound-traffic {
system-services {
ping;
ssh;
}
}
interfaces {
reth0.111;
}
}
security-zone WAN-ISP2 {
screen SCREEN;
host-inbound-traffic {
system-services {
ping;
ssh;
}
}
interfaces {
reth0.222;
}
}
# NOTE(review): `all` services and `all` protocols make every enabled management
# service (including telnet, xnm-clear-text and http from `system services`)
# reachable from this zone. List only the services that are needed. No screen
# is applied to this zone.
security-zone LAN1 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
reth1.1;
lo0.1;
}
}
# NOTE(review): the interface in this zone is described as test_net, yet it has
# the same unrestricted access to the device as LAN1; restrict to what the test
# network needs.
security-zone LAN999 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
reth1.999;
}
}
}
}
# Stateless filter referenced as `input INPUT` on reth0 units 111 and 222.
# Terms are evaluated top to bottom.
firewall {
family inet {
filter INPUT {
# Silently drops TCP traffic to the ssh port when it is addressed to one of the
# three public addresses.
# NOTE(review): there is no `count`, `log` or `syslog` action, so blocked
# attempts leave no record. Only these three destinations are matched; SSH to
# any other local address arriving on these units falls through to DEFAULT.
term SSH_DENY {
from {
destination-address {
1.1.1.40/32;
1.1.1.41/32;
2.2.2.2/32;
}
protocol tcp;
destination-port ssh;
}
then {
discard;
}
}
# Everything else is accepted, so the filter works as a deny-list and all
# remaining enforcement is left to the zones and policies.
term DEFAULT {
then accept;
}
}
}
}
# One virtual router per uplink. Each owns its reth0 unit, shares interface
# routes through rib-group "inside" and has its own default route.
routing-instances {
ISP1 {
instance-type virtual-router;
interface reth0.111;
routing-options {
interface-routes {
rib-group inet inside;
}
static {
# NOTE(review): 2.2.2.254 is not inside either connected uplink subnet in this
# listing (1.1.1.0/24 on reth0.111, 2.2.2.0/30 on reth0.222). This is probably
# an artefact of address sanitisation; confirm the real next hop.
route 0.0.0.0/0 next-hop 2.2.2.254;
}
}
}
ISP2 {
instance-type virtual-router;
interface reth0.222;
routing-options {
interface-routes {
rib-group inet inside;
}
static {
route 0.0.0.0/0 next-hop 2.2.2.1;
}
}
}
}
# Uplink health checking: RPM sends ICMP probes through ISP1, and ip-monitoring
# installs a replacement default route when the probe policy matches.
services {
rpm {
probe ISP {
# Each test sends 10 pings 5 s apart, repeats every 30 s, and fails after 10
# successive losses. Both tests are sourced from 1.1.1.40 in instance ISP1.
# NOTE(review): failover depends on ICMP reachability of two third-party hosts;
# loss or filtering towards them can move traffic even while the uplink is healthy.
test PINGTEST-GOOGLE {
probe-type icmp-ping;
target address 8.8.8.8;
probe-count 10;
probe-interval 5;
test-interval 30;
source-address 1.1.1.40;
routing-instance ISP1;
thresholds {
successive-loss 10;
}
}
test PINGTEST-YANDEX {
probe-type icmp-ping;
target address 77.88.8.1;
probe-count 10;
probe-interval 5;
test-interval 30;
source-address 1.1.1.40;
routing-instance ISP1;
thresholds {
successive-loss 10;
}
}
}
}
ip-monitoring {
policy ISP {
match {
rpm-probe ISP;
}
then {
# On a match, a default route via 2.2.2.1 (the ISP2 instance's next hop) is
# installed in instance ISP1.
preferred-route {
routing-instances ISP1 {
route 0.0.0.0/0 {
next-hop 2.2.2.1;
}
}
}
}
}
}
}
# Second configuration listing: same release and the same per-node groups as the
# first listing.
version 12.1X46-D40.2;
# Per-node configuration groups for a two-node chassis cluster. Each group sets
# only that node's host-name and the IPv4 address on fxp0 unit 0.
groups {
node0 {
system {
host-name SRX_node0;
}
interfaces {
# NOTE(review): no firewall filter is attached to fxp0 anywhere in this listing.
# The management services enabled under `system services` are presumably
# reachable on this address; confirm and restrict the management network.
fxp0 {
unit 0 {
family inet {
address 192.168.3.221/24;
}
}
}
}
}
node1 {
system {
host-name SRX_node1;
}
interfaces {
fxp0 {
unit 0 {
family inet {
address 192.168.3.222/24;
}
}
}
}
}
}
# "${node}" resolves to the local node's name, so each node inherits only its
# own group (node0 or node1) from the block above.
apply-groups "${node}";
# System-level settings: time zone, authentication, DNS, one local user,
# management services, local syslog files, rollback depth, licence auto-update
# and NTP.
# NOTE(review): there is no remote `syslog host`, so as listed the logs exist
# only on the device.
system {
time-zone GMT-5;
root-authentication {
# Empty string in this listing. Presumably the hash was blanked before
# publication; confirm the running device has a real root password set.
encrypted-password "";
}
# Public resolvers.
name-server {
8.8.8.8;
8.8.4.4;
}
login {
# Single local account with the super-user class (full privileges).
# NOTE(review): the name "me" is presumably a placeholder. Use named
# per-person accounts, ideally authenticated centrally, so actions can be
# attributed.
user me {
uid 2000;
class super-user;
authentication {
# Blanked in this listing, like the root hash above.
encrypted-password "";
}
}
}
# Management-plane services. Which interfaces can reach them is decided by each
# zone's host-inbound-traffic settings.
services {
# NOTE(review): plain `ssh;` applies no hardening options here (for example
# `root-login deny`, connection or rate limits); consider adding them.
ssh;
# NOTE(review): telnet carries credentials and the session in cleartext. With
# ssh already enabled it should be removed unless something depends on it.
telnet;
# NOTE(review): xnm-clear-text is the Junos XML management service without
# encryption; prefer xnm-ssl or NETCONF over SSH if the API is needed at all.
xnm-clear-text;
web-management {
# NOTE(review): J-Web over plain HTTP on reth1.1 exposes the login in cleartext
# on the LAN; keep only the https listener.
http {
interface reth1.1;
}
# The system-generated certificate is self-signed, so clients cannot
# authenticate the device unless the certificate is pinned or replaced.
https {
system-generated-certificate;
interface reth1.1;
}
}
}
syslog {
# Rotation for the local files: 1 MB each, ten generations kept.
archive size 1m files 10;
# Emergency-level messages are written to every logged-in user's terminal.
user * {
any emergency;
}
file messages {
any error;
authorization info;
}
# NOTE(review): at severity `error` this file will presumably not record
# ordinary CLI commands; `interactive-commands any` is the usual setting when
# the file is meant to be a command audit trail.
file interactive-commands {
interactive-commands error;
}
# Screen (IDS option) hits, selected by message tag.
file screen {
any any;
match RT_SCREEN;
}
# Session create/close records, selected by message tag.
# NOTE(review): none of the security policies in this listing carries a `log`
# action, so this file may stay empty; confirm.
file traffic-log {
any any;
match RT_FLOW_SESSION;
}
}
# Keep 49 rollback configurations, all of them on flash.
max-configurations-on-flash 49;
max-configuration-rollbacks 49;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
# NOTE(review): the server is configured without an authentication key.
# 10.10.1.10 is also outside every directly connected subnet in this listing,
# so it would be reached through the default route; confirm the path and
# consider NTP authentication.
ntp {
server 10.10.1.10;
}
}
# Chassis-cluster (HA) settings: trace logging, the number of redundant Ethernet
# interfaces and three redundancy groups.
chassis {
cluster {
# Traces every cluster event into files named "cluster" (200 KB each, five kept).
# NOTE(review): `flag all` is a debugging level; consider narrowing it once the
# cluster is stable.
traceoptions {
file cluster size 200k files 5;
flag all;
}
reth-count 2;
# Redundancy group 1 is the one reth0 is bound to in the interfaces stanza.
# node 0 is preferred (254 against 1). Each monitored link has weight 255, so
# the loss of a single monitored link is enough to fail the group over.
redundancy-group 1 {
node 0 priority 254;
node 1 priority 1;
interface-monitor {
ge-0/0/0 weight 255;
ge-3/0/0 weight 255;
}
}
# Redundancy group 2 is the one reth1 is bound to; same priorities and weights.
redundancy-group 2 {
node 0 priority 254;
node 1 priority 1;
interface-monitor {
ge-0/0/1 weight 255;
ge-3/0/1 weight 255;
}
}
# Redundancy group 0 governs which node's Routing Engine is primary.
redundancy-group 0 {
node 0 priority 254;
node 1 priority 1;
}
}
}
# Physical members, cluster fabric links, loopback and the two redundant
# Ethernet interfaces (reth0 faces the ISPs, reth1 faces the internal VLANs).
interfaces {
# One port from each node is bound to each reth.
ge-0/0/0 {
gigether-options {
redundant-parent reth0;
}
}
ge-0/0/1 {
gigether-options {
redundant-parent reth1;
}
}
ge-3/0/0 {
gigether-options {
redundant-parent reth0;
}
}
ge-3/0/1 {
gigether-options {
redundant-parent reth1;
}
}
# Fabric links between the cluster nodes.
fab0 {
fabric-options {
member-interfaces {
ge-0/0/5;
}
}
}
fab1 {
fabric-options {
member-interfaces {
ge-3/0/5;
}
}
}
# Loopback unit that the zones stanza places in LAN1 (as lo0.1).
lo0 {
unit 1 {
description LOOPBACK-FOR-SSH;
family inet {
address 192.168.11.1/32;
}
}
}
# ISP-facing reth: two tagged units, each with the stateless filter INPUT
# applied to inbound traffic.
reth0 {
vlan-tagging;
redundant-ether-options {
redundancy-group 1;
}
unit 111 {
description ISP1;
vlan-id 111;
family inet {
filter {
input INPUT;
}
# NOTE(review): the `;` before `{` on the next line is not valid syntax; it
# looks like a paste or edit slip. The statement was presumably meant to read
# `address 1.1.1.40/24 {`. Fix it before loading this configuration.
address 1.1.1.40/24;{
preferred;
}
address 1.1.1.41/24;
}
}
unit 222 {
description ISP2;
vlan-id 222;
family inet {
filter {
input INPUT;
}
address 2.2.2.2/30;
}
}
}
# Internal reth: no input filter on either unit, so access to the device from
# these VLANs is governed only by the zone settings.
reth1 {
vlan-tagging;
redundant-ether-options {
redundancy-group 2;
}
unit 1 {
description Common-LAN;
vlan-id 1;
family inet {
address 10.1.0.1/23;
}
}
unit 999 {
description test_net;
vlan-id 999;
family inet {
address 192.168.50.1/24;
}
}
}
# Switching-fabric links between the nodes.
swfab0 {
fabric-options {
member-interfaces {
ge-0/0/4;
}
}
}
swfab1 {
fabric-options {
member-interfaces {
ge-3/0/4;
}
}
}
}
# Single routing table in this listing: one static default route through the
# ISP1 gateway, with metric 50. The ip-monitoring policy under `services` can
# install a preferred default route via 2.2.2.1.
routing-options {
static {
route 0.0.0.0/0 {
next-hop 1.1.1.254;
metric 50;
}
}
}
# Stateful firewall settings: screens, source and destination NAT, inter-zone
# policies and the zone definitions. Both uplinks share one WAN zone here.
security {
screen {
# Screen profile applied to the WAN zone only.
ids-option SCREEN {
# NOTE(review): `inactive:` statements are ignored at commit. The icmp, udp and
# limit-session screens below are therefore NOT enforced; only the ip and tcp
# sections are in effect.
inactive: icmp {
ip-sweep threshold 1000000;
fragment;
large;
flood threshold 20;
ping-death;
}
ip {
bad-option;
record-route-option;
timestamp-option;
security-option;
stream-option;
source-route-option;
unknown-protocol;
tear-drop;
}
tcp {
syn-fin;
fin-no-ack;
tcp-no-flag;
syn-frag;
syn-ack-ack-proxy;
# NOTE(review): all four thresholds are set to 30. That looks low for an
# internet-facing zone and may trip on legitimate bursts; confirm against
# measured baseline traffic.
syn-flood {
alarm-threshold 30;
attack-threshold 30;
source-threshold 30;
destination-threshold 30;
timeout 10;
}
land;
winnuke;
tcp-sweep threshold 1000000;
}
inactive: udp {
flood threshold 2000;
udp-sweep threshold 1000000;
}
inactive: limit-session {
source-ip-based 100;
destination-ip-based 100;
}
}
}
nat {
source {
# One single-address pool for each public address in use.
pool ISP1-41 {
address {
1.1.1.41/32;
}
}
pool ISP2 {
address {
2.2.2.2/32;
}
}
pool ISP1-40 {
address {
1.1.1.40/32;
}
}
# Rule-sets are selected by the egress interface. Rules are evaluated in order:
# the single listed host is translated to .41 before the broader 10.1.0.0/23
# rule (which also contains it) sends the rest out as .40.
rule-set SOURCE-NAT-ISP1 {
from zone LAN1;
to interface reth0.111;
rule SOURCE-NAT-ISP1-41 {
match {
source-address [ 10.1.1.22/32 ];
}
then {
source-nat {
pool {
ISP1-41;
}
}
}
}
rule SOURCE-NAT-ISP1-40 {
match {
source-address 10.1.0.0/23;
}
then {
source-nat {
pool {
ISP1-40;
}
}
}
}
}
rule-set SOURCE-NAT-ISP2 {
from zone LAN1;
to interface reth0.222;
rule SOURCE-NAT-ISP2 {
match {
source-address 10.1.0.0/23;
}
then {
source-nat {
pool {
ISP2;
}
}
}
}
}
}
destination {
rule-set DSTNAT {
from zone WAN;
# The dotted line below is the author's elision, not Junos syntax. The real
# destination-NAT rules are not shown and cannot be reviewed from this listing.
.........
}
}
}
policies {
from-zone WAN to-zone LAN1 {
# Elided by the author. The inbound policies that pair with the DSTNAT rules
# are not shown; this is the direction that most needs review.
.........
}
# The three contexts below are empty, so traffic in those directions is handled
# by the default policy, which is not shown here (presumably deny; confirm).
from-zone LAN1 to-zone LAN999 {
}
from-zone LAN999 to-zone LAN1 {
}
from-zone WAN to-zone LAN999 {
}
# NOTE(review): any/any/any permit with no `log` action. Outbound traffic from
# LAN1 is unrestricted and leaves no session record; consider adding
# `log session-close` at least, and narrowing the applications.
from-zone LAN1 to-zone WAN {
policy PERMITALL {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
# Intra-zone permit. LAN1 contains reth1.1 and lo0.1.
from-zone LAN1 to-zone LAN1 {
policy PERMITALL {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
# Single WAN zone holding both uplinks: the screen profile is applied, and only
# ping and ssh are accepted for the device itself. The stateless filter INPUT
# on these units discards SSH to the three public addresses, so `ssh` here has
# no effect for those addresses; confirm which behaviour is intended and drop
# the unused half.
security-zone WAN {
screen SCREEN;
host-inbound-traffic {
system-services {
ping;
ssh;
}
}
interfaces {
reth0.111;
reth0.222;
}
}
# NOTE(review): `all` services and `all` protocols make every enabled management
# service (including telnet, xnm-clear-text and http from `system services`)
# reachable from this zone. List only the services that are needed. No screen
# is applied to this zone.
security-zone LAN1 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
reth1.1;
lo0.1;
}
}
# NOTE(review): the interface in this zone is described as test_net, yet it has
# the same unrestricted access to the device as LAN1; restrict to what the test
# network needs.
security-zone LAN999 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
reth1.999;
}
}
}
}
# Stateless filter referenced as `input INPUT` on reth0 units 111 and 222.
# Terms are evaluated top to bottom.
firewall {
family inet {
filter INPUT {
# Silently drops TCP traffic to the ssh port when it is addressed to one of the
# three public addresses.
# NOTE(review): there is no `count`, `log` or `syslog` action, so blocked
# attempts leave no record. Only these three destinations are matched; SSH to
# any other local address arriving on these units falls through to DEFAULT.
term SSH_DENY {
from {
destination-address {
1.1.1.40/32;
1.1.1.41/32;
2.2.2.2/32;
}
protocol tcp;
destination-port ssh;
}
then {
discard;
}
}
# Everything else is accepted, so the filter works as a deny-list and all
# remaining enforcement is left to the zones and policies.
term DEFAULT {
then accept;
}
}
}
}
# Uplink health checking: RPM sends ICMP probes out of reth0.111 via 1.1.1.254,
# and ip-monitoring installs a replacement default route when the probe policy
# matches.
services {
rpm {
probe ISP {
# Each test sends 10 pings 5 s apart, repeats every 30 s, and fails after 10
# successive losses. Pinning destination-interface and next-hop keeps the
# probes on the ISP1 path.
# NOTE(review): failover depends on ICMP reachability of two third-party hosts;
# loss or filtering towards them can move traffic even while the uplink is healthy.
test PINGTEST-GOOGLE {
probe-type icmp-ping;
target address 8.8.8.8;
probe-count 10;
probe-interval 5;
test-interval 30;
thresholds {
successive-loss 10;
}
destination-interface reth0.111;
next-hop 1.1.1.254;
}
test PINGTEST-YANDEX {
probe-type icmp-ping;
target address 77.88.8.1;
probe-count 10;
probe-interval 5;
test-interval 30;
thresholds {
successive-loss 10;
}
destination-interface reth0.111;
next-hop 1.1.1.254;
}
}
}
ip-monitoring {
policy ISP {
match {
rpm-probe ISP;
}
then {
# On a match, a default route via 2.2.2.1 (a host on reth0.222's /30) is
# installed as the preferred route.
preferred-route {
route 0.0.0.0/0 {
next-hop 2.2.2.1;
}
}
}
}
}
}
Добавил server_name в сервер 127.0.0.1:8080