Routing

hello guys,

i have a problem on implementi a filter based forwarding on my mx. here you can find the configuration that i have done but without success:

firewall {
    family inet {
        filter sm {
            term t1 {
                from {
                    source-address {
                        x.x.x.x/22;
                    }
                }
                then {
                        next-interface  {
                        ge-1/1/0.0;
                        
    ge-1/1/0 {
        speed 1g;
        gigether-options {
            no-auto-negotiation;
        }
        unit 0 {
            family inet {
                address x.x.x.x/30;
            }
        }
    }

        unit 107 {
            vlan-id 107;
            family inet {
                     filter {
                     input sm
               }
                mtu 1500;
                address x.x.x.x/30;
            }
        }

when i configure this the ping on interface ae0.107 stop replying and the filter not work. there is something wrong?

i need to redirect some source traffic to a new fiber, but with another default gateway.

thanks a lot

Giulio

Hi

any filter has at the end an implicit deny any

so all that is not matching will be dropped

so you need another term with no from statement and only "then accept"

regards

alexander

thanks for fast reply, you mean like this?

term t1 {
    from {
        source-address {
            x.x.x.x/22;
        }
    }
    then {
        next-interface {
            ge-1/1/0.0;
        }
    }
}
term t2 {
    then accept;

 or i need to add also the subnet of the interface?

thanks a lot

or is better to do the policy in this way:

flter sm {
      term t1 {
            from {
                  source-address 
                         x.x.x.x/22;
                         
			} 
} 
             then {
                    routing-instance sp1-route-table;
}
term default 
     then {
          accept; 
} 
} 
} 

routing-instance {
      sp1-route-table {
            instance-type forwarding;
            static
                   route 0.0.0.0/0 nexthop x.x.x.x;
}
       }
routing-options {
      interface-routes {
            rib-group inet fbf-group;
      }
      rib-groups {
            fbf-group {
                  import-rib [inet.0 sp1-route-table.inet.0];
}
} 

interfaces ge-1/1/0 {
       unit 0 {
             family inet {
                     flter {
}
} }
     input sm;
}

let me know what you think.

hi

on mx do it like your first suggestion

just follow  -> K.I.S.S;

the fbf you only need for EX or SRX, as they cannot do the simple way of next-interface,

regards

alexander

perfect i will try and let you know the result.

thanks

hello,

 as you suggested the policy works but i have a strange routing. le me explain. what i expect is that when the source in the policy present itself on the egress interface it take only the next interface specified, but not always in this way.

for example

traceroute from the source ip:

1 172.26.3.9                         0%  712  14.3ms     2.4     0.2    58.5     7.2                                                                                                                       
 2 correct public ip                      0%  712   0.3ms     0.5     0.2    24.7     1.8                                                                                                                       
 3 x.x.x.x                    0%  712   4.2ms     2.5     0.4     5.1     1.2                                                                                                                       
 4 x.x.x.x                    0%  712  24.8ms    23.5    21.3    76.7    22.8                                                                                                                       
 5 x.x.x.x                    84..  712 timeout    23.6    23.1    34.8     1.5                                                                                                                       
 6 x.x.x.x                    0%  712  22.5ms      23    22.4    79.3    22.8                                                                                                                       
 7 x.x.x.x                    0%  712  22.6ms    24.7    22.5   124.8    25.9                                                                                                                       
 8 x.x.x.x                     0%  712  31.5ms      32    31.3    77.5    32.1                                                                                                                       
   x.x.x.x                 
 9 x.x.x.x                      0%  712  45.3ms    43.1    34.5   104.2    42.5                                                                                                                       
   x.x.x.x                 
10 x.x.x.x                 0%  712  39.3ms    39.8    38.9    83.1    39.2                                                                                                                       
   x.x.x.x               
11 x.x.x.x                  0%  712  38.6ms      40    38.5   139.3    39.5                                                                                                                       
   x.x.x.x                
12                                  100%  712 timeout                                                                                                                                                       
13 8.8.4.4                            0%  711  38.9ms      39    38.6   107.1    38.1 

this happens only if i have a route for the gateway i choose on the next-interface. if i don't have a specific route but only a default but with major cost(example)

0.0.0.0/0          *[Static/5] 4w1d 12:52:07
                    > to x.x.x.x via ae0.11
                    [BGP/170] 7w1d 19:49:46, localpref 100, from x.x.x.x
                      AS path: I, validation-state: unverified
                    > to x.x.x.x via ge-1/2/0.0
                    [BGP/170] 1d 00:32:50, MED 136, localpref 100, from x.x.x.x
                      AS path: xxxxI, validation-state: unverified
                    > to x.x.x.x via ge-1/1/0.0

the policy redirect me on the static default route instead of the 3rd(chosen on the filter).

what i need to achieve is that all traffic from source that i specified go only on ge-1/1/0.0 even if the route is not preferred.

let me know if something is not clear.

Thanks

i have tryied also with the routing instance, but the result is the same, i enabled the counters but when i show counters there is no match at all.

how i can check if the filter is working?

Thanks

finally i got it woring but only if i add a static default route on inet.0 with another preference.

0.0.0.0/0          *[Static/5] 4w5d 17:10:53
                    > to x.x.x.x via ae0.11
                    [Static/25] 1d 20:37:05
                    > to x.x.x.x via ge-1/1/0.0
                    [BGP/170] 7w6d 00:08:32, localpref 100, from x.x.x.x
                      AS path: I, validation-state: unverified
                    > to x.x.x.x via ge-1/2/0.0
                    [BGP/170] 5d 04:51:36, MED 136, localpref 100, from x.x.x.x
                      AS path: 3269 I, validation-state: unverified
                    > to x.x.x.x via ge-1/1/0.0

as you can see the bgp route not count on filter based, when i add the other default all is woring as expected.