Introduction
Due to my and wifes work we both work remotely most of the time. Therefore we got ourself two different internet connections from two different ISPs with two different mediums. One internet access is over VDSL and the another one works over cable. So we should be save for outages, because we’re one different ISPs and mediums.
In the next step we wanted a automatic failover, if the primary internet access is down, without manually changing routes or disconnection from router. This also should be reverted, as soon as the primary access is up and running.
Topology
Configuration
TLDR;LUL
This is the TLDR; version
- Configure rpm probes. In this case two probes to google and quad9 dns server with ping. Keep in mind, that in my case the rpm probes are only used in the primary isp connection
- Configure ip-monitoring based on rpm probes, which should trigger a change of route, if all probes fail
- Configure policy-options to export routes based on route-filters
- Configure static default route in each routing-instance of isp
- Configure route-import to import routes of primary isp
- Configure also the subnets of each isp network as static route in the default instance, to have those networks be reachable
set services rpm probe ISP-Primary test GOOGLE-DNS probe-type icmp-ping
set services rpm probe ISP-Primary test GOOGLE-DNS target address 8.8.8.8
set services rpm probe ISP-Primary test GOOGLE-DNS probe-count 3
set services rpm probe ISP-Primary test GOOGLE-DNS probe-interval 2
set services rpm probe ISP-Primary test GOOGLE-DNS test-interval 5
set services rpm probe ISP-Primary test GOOGLE-DNS routing-instance ISP-Primary
set services rpm probe ISP-Primary test GOOGLE-DNS thresholds successive-loss 3
set services rpm probe ISP-Primary test GOOGLE-DNS hardware-timestamp
set services rpm probe ISP-Primary test QUAD9-DNS probe-type icmp-ping
set services rpm probe ISP-Primary test QUAD9-DNS target address 9.9.9.9
set services rpm probe ISP-Primary test QUAD9-DNS probe-count 3
set services rpm probe ISP-Primary test QUAD9-DNS probe-interval 2
set services rpm probe ISP-Primary test QUAD9-DNS test-interval 3
set services rpm probe ISP-Primary test QUAD9-DNS routing-instance ISP-Primary
set services rpm probe ISP-Primary test QUAD9-DNS thresholds successive-loss 3
set services rpm probe ISP-Primary test QUAD9-DNS hardware-timestamp
set services ip-monitoring policy HELLO-IS-ISP-Primary-OKAY match rpm-probe ISP-Primary
set services ip-monitoring policy HELLO-IS-ISP-Primary-OKAY then preferred-route route 0.0.0.0/0 next-hop 192.168.179.1
set policy-options policy-statement ipv6-default term 0 from route-filter ::/0 exact
set policy-options policy-statement ipv6-default term 0 then accept
set policy-options policy-statement ipv4-default-telekom term 0 from instance ISP-Secondary
set policy-options policy-statement ipv4-default-telekom term 0 from route-filter 0.0.0.0/0 exact
set policy-options policy-statement ipv4-default-telekom term 0 then accept
set policy-options policy-statement ipv4-default-vodafone term 0 from instance ISP-Primary
set policy-options policy-statement ipv4-default-vodafone term 0 from route-filter 0.0.0.0/0 exact
set policy-options policy-statement ipv4-default-vodafone term 0 then accept
set routing-instances ISP-Secondary interface ge-0/0/2.0
set routing-instances ISP-Secondary instance-type virtual-router
set routing-instances ISP-Secondary routing-options static route 0.0.0.0/0 qualified-next-hop 192.168.179.1
set routing-instances ISP-Primary interface ge-0/0/0.0
set routing-instances ISP-Primary instance-type virtual-router
set routing-instances ISP-Primary routing-options rib ISP-Primary.inet6.0 static route ::/0 next-hop ge-0/0/0.0
deactivate routing-instances ISP-Primary routing-options rib ISP-Primary.inet6.0
set routing-instances ISP-Primary routing-options static route 0.0.0.0/0 qualified-next-hop 192.168.178.1
set routing-instances ISP-Primary routing-options instance-export ipv6-default
set routing-instances ISP-Primary routing-options instance-export ipv4-default-vodafone
set routing-options static route 192.168.179.0/24 next-table ISP-Secondary.inet.0
set routing-options static route 192.168.178.0/24 next-table ISP-Primary.inet.0
set routing-options instance-import ipv6-default
set routing-options instance-import ipv4-default-vodafone
Summary
With configuring a failover from primary to secondary with ip-monitoring, everything works pretty fine. As soon as the primary ips connection is down, the rpm probes a failing their tests. After the tests have failed, the ip-monitoring policy is going to failed and applying the preferred-route of the secondary isp. As soon as the primary isp connection is up and running, the rpm probes are succeeding and then the ip-monitoring is green again and the applied preferred-route is reverted.
I was very frustrated, that in the beginning nothing worked as I wanted. Playing around to find the correction configuration, was not easy, because I only had the option to tinker, when my wife wasn’t working or was not at using the internet at home. This was mostly the case at night after 23:00..
Sources/Research
- https://supportportal.juniper.net/s/article/Configuring-dual-ISP-on-SRX-device-to-connect-to-Sky-Enterprise?language=en_US
- https://rtodto.net/dual-isp-failover-with-rpm-ip-monitoring/
- https://junipertrain.wordpress.com/2017/02/18/destination-nat-on-juniper-srx-in-a-dual-isp-environment-dealing-with-routing-instances/
- https://mustbegeek16.rssing.com/chan-16094570/latest.php
- https://www.juniper.net/documentation/us/en/software/junos/routing-policy/topics/concept/policy-configuring-route-lists-for-use-in-routing-policy-match-conditions.html
- https://community.juniper.net/discussion/internet-failover-with-dual-isp-configuration-and-routing-instances-by-using-ip-monitoring
- https://www.redelijkheid.com/blog/2013/8/16/junos-dual-isp-backup-route-configuration