Junos OS


Ask questions and share experiences about Junos OS.
  • 1.  Firewall and DHCP relay not playing nice

    Posted 03-25-2011 12:28

    I have a firewall rule set up for an interface on our VLAN dedicated for VoIP devices.  The firewall rule is designed to prevent anyone from hooking up a computer and browsing the internet.  It's set up to allow all of our IP addresses, as well as our VoIP vendor IPs.


    All that works fine, after a few lessons on Juniper firewall rules compared to Cisco ACLs.  But, while the Cisco I pulled worked with the ACLs and DHCP-relay agent, the Juniper Forwarding Engine set up for bootp doesn't work with the firewall rule in place.


    It's not in the rule now, but I did try adding destination-port bootps to the match conditions, and there was no change.


    Device info:


    timg@Grant> show version
    Hostname: Grant
    Model: j4350
    JUNOS Software Release [10.4R2.7]
    JUNOS Web Management [10.4R2.6]


    Relevant config sections:


    timg@Grant> show configuration forwarding-options
    helpers {
        bootp {
            relay-agent-option;
            server 192.168.220.158;
            interface {
                ge-0/0/2.410;
            }
        }
    }


    timg@Grant> show configuration firewall
    family inet {
        filter VoIP {
            term Grant_VoIP_Filter {
                from {
                    destination-address {
                        209.68.27.16/32;
                    }
                    destination-prefix-list {
                        Local-IPs;
                        "VoIP Vendor";
                    }
                }
                then accept;
            }
            term else {
                then {
                    discard;
                }
            }
        }
    }

    timg@Grant> show configuration interfaces ge-0/0/2
    vlan-tagging;
    unit 410 {
        description Phone;
        vlan-id 410;
        family inet {
            inactive: filter {
                input VoIP;
            }
            address 192.168.6.1/23;
        }
    }



  • 2.  RE: Firewall and DHCP relay not playing nice
    Best Answer

    Posted 03-26-2011 07:46

    Hello,

    BOOTP/DHCP uses 255.255.255.255 as the destination IP in the 1st (DHCP Discover) and 3rd (DHCP Request) transaction packets. Please have a look at the sample packet captures on the Wireshark website:

    http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=view&target=dhcp.pcap

    Also, clients can go directly to the server to renew DHCP lease.

    Therefore, you need to add something like this to your firewall filter VoIP:


    set firewall family inet filter VoIP term DHCP from destination-address 255.255.255.255/32
    set firewall family inet filter VoIP term DHCP from destination-address <your DHCP server IP@>/32
    set firewall family inet filter VoIP term DHCP from destination-port bootps
    set firewall family inet filter VoIP term DHCP then accept
    insert firewall family inet filter VoIP term DHCP before term else

    HTH

    Regards

    Alex


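    To make the reasoning in Alex's answer concrete, here is a small added example (my own code, not from the thread or from Juniper) that models how a Junos stateless firewall filter evaluates a packet: terms are tried in order, conditions inside a term are ANDed, and values within one condition are ORed. The prefix-list contents and the packet fields are constructed stand-ins; the filter terms mirror the posted configuration and the suggested DHCP term.

```python
# Added example, not from the thread: a small model of how a Junos
# stateless firewall filter evaluates packets, used to show why the
# posted VoIP filter dropped DHCPDISCOVER but passed unicast renewals.
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the prefix lists named in the config.
PREFIX_LISTS = {"Local-IPs": ["192.168.0.0/16"], "VoIP Vendor": ["209.68.27.0/24"]}
DHCP_SERVER = "192.168.220.158"  # relay target from the posted config
BOOTPS = 67                      # destination-port bootps

def term_matches(term, pkt):
    """Conditions inside one term are ANDed; values within a single
    condition (several addresses or prefix lists) are ORed."""
    frm = term.get("from", {})
    dst = ip_address(pkt["dst"])
    nets = [ip_network(a) for a in frm.get("destination-address", [])]
    for name in frm.get("destination-prefix-list", []):
        nets += [ip_network(p) for p in PREFIX_LISTS[name]]
    if nets and not any(dst in n for n in nets):
        return False
    ports = frm.get("destination-port", [])
    return not ports or pkt["dport"] in ports

def evaluate(terms, pkt):
    """First matching term wins; no match means the implicit discard."""
    for term in terms:
        if term_matches(term, pkt):
            return term["then"]
    return "discard"

VOIP_TERM = {"from": {"destination-address": ["209.68.27.16/32"],
                      "destination-prefix-list": ["Local-IPs", "VoIP Vendor"]},
             "then": "accept"}
ELSE_TERM = {"then": "discard"}
ORIGINAL = [VOIP_TERM, ELSE_TERM]

# What the poster tried first: bootps added to the existing term. The port
# is ANDed with the address list, so the broadcast destination still fails.
PORT_IN_SAME_TERM = [{"from": {**VOIP_TERM["from"], "destination-port": [BOOTPS]},
                      "then": "accept"}, ELSE_TERM]

# Alex's fix: a dedicated DHCP term inserted before "else".
DHCP_TERM = {"from": {"destination-address": ["255.255.255.255/32", DHCP_SERVER + "/32"],
                      "destination-port": [BOOTPS]}, "then": "accept"}
FIXED = [VOIP_TERM, DHCP_TERM, ELSE_TERM]

# Constructed packets: DISCOVER goes to the broadcast address, a lease
# renewal is unicast straight to the server.
DISCOVER = {"dst": "255.255.255.255", "dport": BOOTPS}
RENEW = {"dst": DHCP_SERVER, "dport": BOOTPS}
```

    Running `evaluate(ORIGINAL, DISCOVER)` returns "discard" while `evaluate(FIXED, DISCOVER)` returns "accept", which is the behaviour change the thread describes.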

  • 3.  RE: Firewall and DHCP relay not playing nice

    Posted 03-27-2011 15:01

    Okay, so I have to add the broadcast address to the filter, but do I also need to add the destination port?  I figured the destination port would be sufficient when I did it earlier.


    Since the DHCP Renew process is unicast, and the destination is included in my prefix-list, I shouldn't need to add it as well, correct?  Actually, I know that because renewals were working, only the DHCPDISCOVER was failing.


    I'll add that and try it out, thank you!




  • 4.  RE: Firewall and DHCP relay not playing nice

    Posted 03-28-2011 16:16

    You're my own personal hero, that worked.


    Thanks



  • 5.  RE: Firewall and DHCP relay not playing nice

    Posted 03-29-2011 00:31

    Glad to help

    Also I fixed the syntax in the solution post.