Juniper SRX: load-balancing based on source-ip

In a poor man's multi-homing setup, you may have a firewall with two ISP connections, each with its own IP space. This makes load-balancing a bit tricky: you can't simply do per-session load balancing, because that makes a client's public IP address change at random. For some applications that is not a problem, but many lock a user session to a specific IP. A common example is banking websites: as soon as the IP address changes, the user's session is terminated.
An easy workaround would be to disable load-balancing for HTTP and HTTPS sessions, but nowadays that is most of the traffic.

In searching for a solution to this problem, I thought of a very easy workaround: load-balancing based on the client's (internal) IP address. This ensures that the same client always uses the same ISP connection, so its public IP address remains the same. Assuming the internal addresses are spread evenly between odd and even, this should give an even distribution of clients between the two ISPs. Note that it balances clients, not bandwidth: a single heavy client is still pinned to one link.

As it turns out, this can be done in Junos quite easily; all it takes is a non-contiguous subnet mask in the filter's match condition. An address matches a term when it agrees with the term's prefix on every bit that is set in the mask, so a mask of 255.255.0.1 checks the first two octets and only the lowest bit of the last octet. Assuming you have two forwarding routing-instances, one for each ISP, the following firewall filter, applied as an input filter on the client-facing interface, will distribute the traffic across the two connections. Clients whose IP address ends in an even number are routed via ISP1, and clients whose IP address ends in an odd number are sent via ISP2. Anything that does not match either term (for example a source outside 10.32.0.0/16) falls through to the default term and is forwarded normally.

firewall {
    family inet {
        filter source-based-lb {
            /* last bit of the address is 0: 10.32.x.y with y even -> ISP1 */
            term even {
                from {
                    source-address {
                        10.32.0.0/255.255.0.1;
                    }
                }
                then {
                    routing-instance fbf-prefer-isp1;
                }
            }
            /* last bit of the address is 1: 10.32.x.y with y odd -> ISP2 */
            term odd {
                from {
                    source-address {
                        10.32.0.1/255.255.0.1;
                    }
                }
                then {
                    routing-instance fbf-prefer-isp2;
                }
            }
            /* everything else: normal forwarding in the main routing table */
            term default {
                then accept;
            }
        }
    }
}

Of course, replace 10.32. with the users' IP range. I tried using 0.0.0.0/0.0.0.1 and 0.0.0.1/0.0.0.1 in the firewall filter but that seems to trigger a bug in the Junos CLI.
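To check which ISP a given client lands on, and how evenly a pool splits, before committing the filter, the following script models the Junos match logic (address AND mask compared with prefix AND mask, terms evaluated first-match) for the filter above. It is an added example, not code from the original post or from Juniper; the term table mirrors the filter on the page, and the generalisation to more than two buckets (splitting on the low two bits with a mask such as 255.255.0.3) is my own extension of the same idea, not something the post describes. The routing-instance names and the 10.32.0.0/16 pool are taken from the page; the helper names are assumptions.

```python
import ipaddress

# Terms of the filter from the post: (term name, prefix, mask, routing-instance).
FILTER_TERMS = [
    ("even", "10.32.0.0", "255.255.0.1", "fbf-prefer-isp1"),
    ("odd",  "10.32.0.1", "255.255.0.1", "fbf-prefer-isp2"),
]
DEFAULT_ACTION = "accept"  # the "term default { then accept; }" at the end


def _u32(addr):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def matches(addr, prefix, mask):
    """Junos-style address/mask match: only the bits set in the mask are compared.
    The mask need not be contiguous, which is what makes 255.255.0.1 useful."""
    m = _u32(mask)
    return (_u32(addr) & m) == (_u32(prefix) & m)


def classify(addr, terms=FILTER_TERMS):
    """Evaluate the terms in order, like a Junos filter, and return the action
    (routing-instance name) of the first match, or the default action."""
    for _name, prefix, mask, action in terms:
        if matches(addr, prefix, mask):
            return action
    return DEFAULT_ACTION


def distribution(network, terms=FILTER_TERMS):
    """Count how the hosts of a client pool would be spread over the actions."""
    counts = {}
    for host in ipaddress.IPv4Network(network).hosts():
        action = classify(str(host), terms)
        counts[action] = counts.get(action, 0) + 1
    return counts


def split_terms(network, actions):
    """Generalisation (assumption, not from the post): build terms that split the
    given pool into len(actions) buckets on the low bits of the host part.
    The bucket count must be a power of two so the mask is bucket_count - 1."""
    net = ipaddress.IPv4Network(network)
    ways = len(actions)
    if ways & (ways - 1):
        raise ValueError("number of buckets must be a power of two")
    mask = int(net.netmask) | (ways - 1)
    base = int(net.network_address)
    return [
        (f"bucket{i}",
         str(ipaddress.IPv4Address(base | i)),
         str(ipaddress.IPv4Address(mask)),
         actions[i])
        for i in range(ways)
    ]


def render_filter(name, terms, default=DEFAULT_ACTION):
    """Render the terms in the curly-brace form shown on the page."""
    out = [f"filter {name} {{"]
    for tname, prefix, mask, action in terms:
        out += [f"    term {tname} {{", "        from {", "            source-address {",
                f"                {prefix}/{mask};", "            }", "        }",
                "        then {", f"            routing-instance {action};",
                "        }", "    }"]
    out += ["    term default {", f"        then {default};", "    }", "}"]
    return "\n".join(out)


if __name__ == "__main__":
    for client in ("10.32.5.10", "10.32.5.11", "10.33.0.2"):
        print(client, "->", classify(client))
    print(distribution("10.32.1.0/24"))
    print(render_filter("source-based-lb-4way",
                        split_terms("10.32.0.0/16", ["fbf-isp1", "fbf-isp2",
                                                     "fbf-isp3", "fbf-isp4"])))
```

Running `distribution()` over a DHCP pool before you apply the filter shows how many clients each ISP gets; because the split is on the lowest address bit, sequentially assigned leases alternate between the two links, which is the even spread the post relies on.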

Comments

Hello,
can you please post the full SRX config?

Thanks
