Switching

  • 1.  Firewall Filter Policy Help

    Posted 05-14-2013 07:42

    Hi,

    I'm going a little crazy trying to do what has previously never been an issue in other configurations.

    Basically, all I want to achieve is to stop traffic from the subnet 192.168.0.0/24 from accessing resources on 172.62.0.0/24 and 172.62.10.0/24. Other than that, guests on 192.168.0.0/24 can hit anything else.

    The filter I am applying is shown below, and I am applying it as an egress filter on the VLAN associated with 192.168.0.0/24:

    set firewall family ethernet-switching filter Egress-Block-Guest-Wireless term Block-guests from source-address 192.168.0.0/24
    set firewall family ethernet-switching filter Egress-Block-Guest-Wireless term Block-guests from destination-address 172.62.0.0/24
    set firewall family ethernet-switching filter Egress-Block-Guest-Wireless term Block-guests from destination-address 172.62.10.0/24
    set firewall family ethernet-switching filter Egress-Block-Guest-Wireless term Block-guests then discard
    set firewall family ethernet-switching filter Egress-Block-Guest-Wireless term Allow-Guests then accept
    set vlans vlan50 filter output Egress-Block-Guest-Wireless

    Once I apply the filter, however, it seems to do nothing. Clients on 192.168.0.0/0 within vlan50 can still hit the resources which I am trying to deny them access to.

    I'm a bit confused, as I have done similar configurations previously without having an issue, but this one seems to be causing me endless grief.

    The hardware this configuration is running on is a switch stack of 5 EX4200s, which are all in the same comms cabinet and are all running JunOS 11.4R5.7, which is the JTAC recommended release.

    I have attached an edited version of my configuration with the relevant parts left in but non-relevant sections taken away.

    Any assistance anyone can provide would be greatly appreciated, as I'm at a bit of a loss as to why the filter isn't working.

    Thanks in advance to anyone.

    Attachment(s): ex-config2.txt (3 KB)


  • 2.  RE: Firewall Filter Policy Help

    Posted 05-14-2013 07:49

    Have you tried applying the filter in the "input" direction of VLAN50?  I wonder if the traffic is being routed to the other vlans before the firewall policy can be applied in the output direction of VLAN50.



  • 3.  RE: Firewall Filter Policy Help

    Posted 05-14-2013 08:14

    Hi, thanks for your reply.

    I haven't tried an input filter yet; however, being that the gateway for the VLAN is the only exit point for traffic before it can hit other traffic, I don't see how it could be routing prior to having the filter applied 😞

    When I trace traffic from the client on the 192.168.0.0 subnet, it first hits 192.168.0.254 (the gateway and layer 3 interface configured for that VLAN) and then it hits its destination (assuming that destination is within a different subnet).

    Also, if I understand the way that a VLAN filter is applied, it should also be filtering inter-VLAN communication, so I'm not sure how traffic would be able to route without going through the filter?

    I am happy to try anything at this point, but an ingress filter seems quite backwards for my requirements, as VLAN50 is the VLAN I don't trust to access my other subnets, and not everything I am trying to stop would be stopped by an ingress filter (there are actually about 30 subnets I am trying to block; I am just using 2 as an example case and for troubleshooting the configuration).



  • 4.  RE: Firewall Filter Policy Help
    Best Answer

    Posted 05-14-2013 09:12

    https://www.juniper.net/techpubs/en_US/junos11.1/topics/concept/firewall-filter-ex-series-packet-understanding.html

     

    I do see what you are saying about the "exit point" for the VLAN, but I think it might be forwarding to the routing interface before the VLAN filter can be applied.

    You could simply allow your desired traffic and then have a generic block for all other private IP addresses:

    allow:
    192.168.0.0/24

    deny:
    192.168.0.0/16
    172.16.0.0/12
    10.0.0.0/8

    This would allow all local subnet and Internet traffic and deny any other private traffic.  You might have to include some downstream hops, DNS servers, etc. if they reside on another private network and are not NAT'ed.  But you'd never have to touch the policy again for any future VLANs you create.  Any reason not to put the filter on the RVI (VLAN interface) instead of the actual VLAN?



  • 5.  RE: Firewall Filter Policy Help

    Posted 05-14-2013 10:13

    I also tried an RVI filter prior to posting, to find the same issue 😞

    I used the following configuration when trying to apply the filter to the RVI (I had this applied in place of the VLAN filter at the time it was implemented):

    set firewall family inet filter Egress-Block-Guest-Wireless term Block-guests from source-address 192.168.0.0/24
    set firewall family inet filter Egress-Block-Guest-Wireless term Block-guests from destination-address 172.62.0.0/24
    set firewall family inet filter Egress-Block-Guest-Wireless term Block-guests from destination-address 172.62.10.0/24
    set firewall family inet filter Egress-Block-Guest-Wireless term Block-guests then discard
    set firewall family inet filter Egress-Block-Guest-Wireless term Allow-Guests then accept

    I also tried a filter on both the RVI and the VLAN (out of desperation lol).

    The reason I have elected the VLAN itself as opposed to the RVI as a preference is that once I have the basic troubleshooting version of the filter rule in place, I plan to expand the filter to block other traffic, including clients on the 192.168.0.0/24 network from communicating with anything except for the gateway (they are guests, so ideally I don't want them to communicate with each other in the long run).

    If I need to make sacrifices on future plans to make the filter work, then sacrifices will need to be made, but it all seems like a pretty straightforward requirement which I have achieved in other environments without an issue, particularly considering the simplicity of the rule which I am using to test with.

    Thank you for the link to the article. I think I may have somehow missed that one in my reading, and I've bookmarked it for when it's not 1:20am so I don't miss anything when re-reading 🙂

    As a matter of interest, I have quickly tested the same policy as an ingress policy instead of an egress, and it appears (so far) to have achieved what I am after.

    I think my error has been looking at things from the perspective of traffic EXITING the subnet as opposed to looking at it as traffic leaving the switches, and likewise I saw ingress as traffic ENTERING the subnet as opposed to coming into the switches.

    Further testing when I am not so tired will be required, but thank you for your assistance so far 🙂



  • 6.  RE: Firewall Filter Policy Help

    Posted 05-14-2013 11:06

    I think I spoke too soon, and the ingress filter with the same rules is working a bit too well lol (can't access those defined subnets, but also can't access anything else lol).

    Looking at the rules, I can't see why, even if I have changed to an ingress filter, it wouldn't be working, as I am still now just stopping traffic from a specific source from hitting specific subnets, but for some reason it can't get to the outside world either, and none of those blocked subnets are required upstream hops for the network.

    They are also using an external DNS on that subnet, so not sure what's causing a complete cut-off of all traffic.

    But I think I'll get some sleep and have a play in the morning 🙂



  • 7.  RE: Firewall Filter Policy Help

    Posted 05-14-2013 11:13

    I always miss something very obvious at 1AM.  🙂   You'll probably look at it in the morning and kick yourself.

    Good luck!



  • 8.  RE: Firewall Filter Policy Help

    Posted 05-14-2013 11:39

    Crap!  It just occurred to me while I was reading something else.  Try changing your filter to a "family ethernet-switching" rather than "family inet".  The inet filters will only work on a routed interface where ethernet-switching can be applied to switch ports.  I use an ethernet-switching filter on my VLANs to classify traffic and remark DSCP bits without any issues (of course, in the input direction).  But I bet that's where your real problem is.  🙂



  • 9.  RE: Firewall Filter Policy Help

    Posted 05-14-2013 18:50

    Sorry, I should have clarified that I only tried set firewall family inet the once, and it was before I had posted my query here.

    The filters I am using start with set firewall family ethernet-switching.

    To confirm, the rules I am currently using are the following (once I had it working I was going to rename the filter as an ingress or egress depending on where I end up having a working solution lol):

    set firewall family ethernet-switching filter Egress-Block-Guest-Wireless term Block-guests from source-address 192.168.0.0/24
    set firewall family ethernet-switching filter Egress-Block-Guest-Wireless term Block-guests from destination-address 172.62.0.0/24
    set firewall family ethernet-switching filter Egress-Block-Guest-Wireless term Block-guests from destination-address 172.62.10.0/24
    set firewall family ethernet-switching filter Egress-Block-Guest-Wireless term Block-guests then discard
    set firewall family ethernet-switching filter Egress-Block-Guest-Wireless term Allow-Guests then accept
    set vlans vlan50 filter input Egress-Block-Guest-Wireless

    So, trying to break it down into English as I understand it, with an ingress filter the above should be looking for traffic coming into the switch on that VLAN:

    • If the traffic is from source 192.168.0.0/24 and it is trying to access 172.62.0.0/24, it should be denied
    • If the traffic is from source 192.168.0.0/24 and is trying to access 172.62.10.0/24, it should be denied
    • If the traffic is from ANY source (including 192.168.0.0/24) and is not destined for the above two subnets, it should be permitted

    Am I missing something? As now, when I turn on the ingress filter, I do achieve the subnet being isolated; however, it seems to be TOTALLY isolated from everything.

    i.e. DNS which sits on 110.*.*.* cannot be accessed, which obviously means no resolution, and even pinging 8.8.8.8 is not working 😞

    I can also confirm without question that none of the hops which traffic needs to take from 192.168.0.0/24 to the outside world are within the subnets which I am blocking.
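The first-match term logic described above, as an added example that is not part of the thread: a small Python evaluator for the posted "set firewall family ... filter" lines, run against the poster's filter and against a constructed variant of the allow-local/deny-private approach from the best answer (the Guest-Private-Block filter and its term names are assumed, not from the thread).

```python
# Added example (not from the thread): first-match evaluator for Junos-style
# "set firewall family ... filter" lines. The second filter below is constructed.
import ipaddress
import re

SET_RE = re.compile(r"set firewall family \S+ filter (\S+) term (\S+) "
                    r"(?:from (source|destination)-address (\S+)|then (\S+))$")

def parse_filter(lines):
    terms = {}  # term name -> term; dict keeps definition order
    for line in lines:
        m = SET_RE.match(line.strip())
        if not m:
            continue  # e.g. 'set vlans vlan50 filter input ...' is not a term
        _, name, kind, prefix, action = m.groups()
        t = terms.setdefault(name, {"name": name, "src": [], "dst": [], "action": None})
        if kind:
            t["src" if kind == "source" else "dst"].append(ipaddress.ip_network(prefix))
        else:
            t["action"] = action
    return list(terms.values())

def evaluate(terms, src_ip, dst_ip):
    # Terms are tried in order; inside a term every 'from' clause must match and
    # several prefixes of one kind are ORed; a term with no 'from' matches all.
    # No match at all falls through to the implicit discard at the end.
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for t in terms:
        if (not t["src"] or any(s in n for n in t["src"])) and \
           (not t["dst"] or any(d in n for n in t["dst"])):
            return t["name"], t["action"]
    return None, "discard"

F = "set firewall family ethernet-switching filter Egress-Block-Guest-Wireless term "
GUEST_FILTER = [  # the term lines posted in the thread
    F + "Block-guests from source-address 192.168.0.0/24",
    F + "Block-guests from destination-address 172.62.0.0/24",
    F + "Block-guests from destination-address 172.62.10.0/24",
    F + "Block-guests then discard",
    F + "Allow-Guests then accept",
]
P = "set firewall family ethernet-switching filter Guest-Private-Block term "
PRIVATE_FILTER = [  # constructed: allow the local /24, deny other private space
    P + "Allow-Local from destination-address 192.168.0.0/24",
    P + "Allow-Local then accept",
    P + "Deny-Private from destination-address 10.0.0.0/8",
    P + "Deny-Private from destination-address 172.16.0.0/12",
    P + "Deny-Private from destination-address 192.168.0.0/16",
    P + "Deny-Private then discard",
    P + "Allow-Rest then accept",
]
```

Under this model the posted terms accept 192.168.0.0/24 to 8.8.8.8, so the complete cut-off cannot come from the term logic itself. The constructed variant also shows that 172.62.0.0/24 lies outside 172.16.0.0/12, so a deny of the RFC 1918 ranges alone would not cover it.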



  • 10.  RE: Firewall Filter Policy Help

    Posted 05-15-2013 04:22

    All working 🙂

    Thanks!!



  • 11.  RE: Firewall Filter Policy Help

    Posted 04-25-2014 09:08

    I'm struggling with a similar filter issue.

    I would be interested to know your year-old solution. 🙂