SRX Services Gateway
Reply
Trusted Contributor
mawr
Posts: 236
Registered: 06-11-2010
0

Firewall policer not working properly

[ Edited ]

Greetings,

I configured a firewall policy and policer to limit traffic coming from a guest wireless network.  However, the guest network still uses the maximum connection bandwidth and other traffic doesn't supersede it.  I tested the filter by changing the rule from accept to deny and it worked, so the filter is working properly but the policer isn't.

I've applied the policer to the WAN outgoing and VLAN incoming, but the problem still persists.  As such, my first question is: what is the correct way to apply a firewall filter to an interface? And the second is: do you know what's wrong with the policer?

Thanks,

mawr

## Last changed: 2010-08-22 14:02:12 CDT
version 10.1R3.7;
interfaces {
    interface-range interfaces-trust {
        member fe-0/0/1;
        member fe-0/0/2;
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/0 {
        unit 0 {
            family inet {
                rpf-check;
                filter {
                    input internet-incoming-filter;
                }
                address xxx.xxx.xxx.xxx/29;
                address xxx.xxx.xxx.xxx/29;
            }
        }
    }
    fe-0/0/6 {
        vlan-tagging;
        unit 5 {
            vlan-id 5;
            family inet {
                filter {
                    input guest-incoming-filter;
                }
                address 192.168.5.1/24;
            }
        }
        unit 15 {
            vlan-id 15;
            family inet {
                address 192.168.15.1/24;
            }
        }
        unit 25 {
            vlan-id 25;
            family inet {
                address 192.168.25.1/24;
            }
        }
    }
    fe-0/0/7 {
        vlan-tagging;
        unit 10 {
            vlan-id 10;
            family inet {
                address 192.168.10.1/24;
            }
        }
        unit 20 {
            vlan-id 20;
            family inet {
                filter {
                    input guest-incoming-filter;
                }
                address 192.168.20.1/24;
            }
        }
        unit 30 {
            vlan-id 30;
            family inet {
                address 192.168.30.1/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input routing-engine-incoming-filter;
                }
                address 127.0.0.1/32;
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                rpf-check fail-filter trusted-rpf-fail-filter;
                address 192.168.168.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop xxx.xxx.xxx.xxx;
    }
}
firewall {
    family inet {
        filter guest-incoming-filter {
            term guest-network-prioritize {
                from {
                    interface fe-0/0/7.20;
                    interface fe-0/0/6.5;
                }
                then {
                    policer guest-network-policer;
                    loss-priority high;
                    accept;
                }
            }
            term forward-to-destination {
                then accept;
            }
        }
    }
    policer guest-network-policer {
        filter-specific;
        if-exceeding {
            bandwidth-limit 768k;
            burst-size-limit 2k;
        }
        then discard;
    }
}

Contributor
Manny
Posts: 19
Registered: 04-17-2010
0

Re: Firewall policer not working properly

Try applying the policer as "Output" on the interface.

Trusted Contributor
bufo333
Posts: 51
Registered: 12-22-2009
0

Re: Firewall policer not working properly

The problem is that your first term is not matching any traffic. If you make the following changes it will work:

term forward-to-destination {
    then {
        policer guest-network-policer;
        loss-priority high;
        accept;
    }
}

John Burns
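As an added illustration (not code from the thread, and not Junos itself), here is a small Python model of first-match filter-term evaluation with a single-rate token-bucket policer using the thread's 768k / 2k parameters. It shows the consequence bufo333 describes: when the first term does not match, packets fall through to the catch-all "then accept" term, which carries no policer, so nothing is rate-limited; with the policer on the unconditional term every packet is policed. The interface labels, the 12 Mbit/s constructed load and the per-millisecond timing are assumptions; the model does not explain why the interface match failed on the SRX.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, Optional

@dataclass
class Policer:  # single-rate token bucket: bandwidth-limit refills it, burst-size-limit caps it
    bandwidth_bps: int
    burst_bytes: int
    tokens: int = field(init=False)
    last_ms: int = field(default=0, init=False)

    def __post_init__(self):
        self.tokens = self.burst_bytes

    def conforms(self, now_ms: int, size: int) -> bool:
        refill = (now_ms - self.last_ms) * self.bandwidth_bps // 8000  # bytes earned since last packet
        self.tokens = min(self.burst_bytes, self.tokens + refill)
        self.last_ms = now_ms
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False  # exceeding traffic: the thread's policer says "then discard"

@dataclass
class Term:
    name: str
    from_interfaces: FrozenSet[str]  # empty = no "from" clause, matches everything
    policer: Optional[Policer] = None

def run_filter(terms, packets):
    """First term whose "from" matches decides; packets are (time_ms, ingress_ifl, size_bytes) -> {term: [accepted, discarded]}."""
    stats = {t.name: [0, 0] for t in terms}
    for t_ms, ifl, size in packets:
        for term in terms:
            if term.from_interfaces and ifl not in term.from_interfaces:
                continue  # no match: fall through to the next term
            ok = term.policer is None or term.policer.conforms(t_ms, size)
            stats[term.name][0 if ok else 1] += 1
            break  # first matching term terminates evaluation
    return stats

def simulate(fixed: bool, ingress_label: str):
    """fixed=False: the thread's filter; fixed=True: bufo333's change (policer on the catch-all term)."""
    policer = Policer(768_000, 2_000)  # bandwidth-limit 768k, burst-size-limit 2k
    if fixed:
        terms = [Term("forward-to-destination", frozenset(), policer)]
    else:
        terms = [Term("guest-network-prioritize", frozenset({"fe-0/0/7.20", "fe-0/0/6.5"}), policer),
                 Term("forward-to-destination", frozenset())]
    # Constructed load: 1000 x 1500-byte packets, one per ms (12 Mbit/s offered), all on ingress_label
    return run_filter(terms, [(ms, ingress_label, 1500) for ms in range(1000)])
```

With the policer in the path, 65 of the 1000 packets conform in one second (about 780 kbit/s, the 768k limit plus the 2k burst); with an ingress label the first term does not name, all 1000 are accepted by the unpoliced catch-all.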
Trusted Contributor
mawr
Posts: 236
Registered: 06-11-2010
0

Re: Firewall policer not working properly

[ Edited ]

bufo333 wrote:

The problem is that your first term is not matching any traffic. If you make the following changes it will work:

term forward-to-destination {
    then {
        policer guest-network-policer;
        loss-priority high;
        accept;
    }
}

I'm a little confused, as changing the "accept" to "discard" in the first term causes all traffic to be blocked, thus indicating that the filter is working properly.  My original intent with this filter was to apply it to the egress queue on the external interface, as I wanted traffic from both destinations to be subject to the same policer.  Is this not correct?

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.