我正在尝试配置 SRX 路由器,使其自动通过我在美国的一个代理服务器转发所有流量。我创建了一个单独的 VLAN 并配置了代理,但不确定如何通过它路由所有流量。
此任务的目的是创建一个测试网络,使用户出现在代理服务器的位置。(使用代理的外部 IP 地址)
这可能吗?我该怎么做?我的方法正确吗?
谢谢
答案1
这是我通常在 JunOS 上执行此操作的方法。使用 SRX 并不重要,但请记住 NAT 规则仍然适用。
我建议不要将代理服务器与客户端放在同一个 VLAN 上。这样会形成一个很好的路由循环。
set routing-options interface-routes rib-group inet IMPORT-PHY
set routing-options rib-groups IMPORT-PHY import-rib inet.0
set routing-options rib-groups IMPORT-PHY import-rib to-proxy.inet.0
set firewall family inet filter to-proxy term one from destination-port 80
set firewall family inet filter to-proxy term one from destination-port 443
set firewall family inet filter to-proxy term one then count to-proxy
set firewall family inet filter to-proxy term one then log
set firewall family inet filter to-proxy term one then routing-instance to-proxy
set firewall family inet filter to-proxy term two then count to-default-route
set firewall family inet filter to-proxy term two then log
set firewall family inet filter to-proxy term two then accept
set routing-instances to-proxy instance-type forwarding
set routing-instances to-proxy routing-options static route 0.0.0.0/0 next-hop X.X.X.X
然后,您将该过滤器作为系列 inet 过滤器应用于接口(在您的情况下为 VLAN 接口)。
set interfaces vlan.0 family inet filter input to-proxy
请记住,我的示例仅将端口 80/443 捕获到代理,如果您有其他应用程序,或者想要对整个子网执行此操作,则可以在过滤器中匹配源或目标 IP 地址,或者只是发送所有内容。
如果要将所有流量从该 VLAN 发送到代理服务器,请使用以下行:
set routing-options interface-routes rib-group inet IMPORT-PHY
set routing-options rib-groups IMPORT-PHY import-rib inet.0
set routing-options rib-groups IMPORT-PHY import-rib to-proxy.inet.0
set firewall family inet filter to-proxy term one then count to-proxy
set firewall family inet filter to-proxy term one then log
set firewall family inet filter to-proxy term one then routing-instance to-proxy
set routing-instances to-proxy instance-type forwarding
set routing-instances to-proxy routing-options static route 0.0.0.0/0 next-hop X.X.X.X