Ethernet Switching

Firewall filters: "Internet-only" for a VLAN

03-23-2018 06:39 AM

Hi there,

I'd like to take my first steps into the world of firewall filtering on EX3300 switches, but the more I read, the more confused I get! :-)

My first project is: From vlan123 everything should be forbidden except "going to the internet" and ICMP traffic for monitoring purposes.

This is my first try. I haven't tested it yet, because that's only possible on Saturdays during "maintenance time".

firewall {
    family inet {
        filter vlan123-filters {
            term allow-internet {
                from {
                    protocol [ tcp udp ];
                    port [ 53 80 443 ];
                }
                then accept;
            }
            term allow-icmp {
                from {
                    protocol icmp;
                }
                then accept;
            }
        }
    }
}
vlans {
    vlan123 {
        filter {
            input vlan123-filters;
            output vlan123-filters;
        }
    }
}

What do you think about that? I would be very glad about comments so I can give it a try tomorrow!

Thanks a lot and many greets

Stephan

Re: Firewall filters: "Internet-only" for a VLAN

03-23-2018 07:44 AM

Ok.. I don't have a lab box to test it, but I guess you should configure "from destination-port" in the term allow-internet, and should apply the filter under the family inet hierarchy, i.e. "set interface <interface name> unit <unit no> family inet filter input <filter name>".

The rest looks good to me.

Re: Firewall filters: "Internet-only" for a VLAN

03-23-2018 09:05 AM

Hey Kingsman,

thanks for your fast reply!

@Kingsman wrote:

you should configure "from destination-port" in the term allow-internet

Ok, I will try.

@Kingsman wrote:

and should apply the filter under family inet hierarchy. i.e. "set interface <interface name> unit <unit no> family inet filter input <filter name>

From what I can see via "tabtab-autocompletion and ?" the following would be possible:

set interfaces vlan.123 family inet filter...

Does this look good in order to apply the filters to the whole VLAN?

Many greets

Stephan

Re: Firewall filters: "Internet-only" for a VLAN

03-23-2018 12:18 PM

Hi Stephan,

Yes, it is.

You can refer to any example from Juniper tech pubs:

Example: Configuring Interface-Specific Firewall Filter Counters

Guidelines for Configuring Firewall Filters

//Regards

AD

Re: Firewall filters: "Internet-only" for a VLAN

03-24-2018 11:27 AM

Hi again,

Now I've spent a few hours trying a lot of things, also inspired by this thread:

https://forums.juniper.net/t5/Ethernet-Switching/Guest-Internet-Access-Firewall-Filter/m-p/45607#M23...

But unfortunately, I didn't get the expected results.

Two further questions arose:

1. I don't understand "inet" vs. "ethernet-switching" when it comes to filters and VLANs. What path should I try?

2. I don't understand "VLAN" vs. "VLAN interface" and where the right place is to apply firewall filters.

I didn't mention that our internet gateway is located in a different VLAN than our "Internet only" VLAN. Referring to the thread mentioned above, things are getting trickier then, aren't they?

Thanks a lot for your patience and your support and many greets

Stephan

Re: Firewall filters: "Internet-only" for a VLAN

03-24-2018 12:17 PM

But unfortunately, I didn't get the expected results.

Can you explain what you tried? (scenario & config)

1. I don't understand "inet" vs. "ethernet-switching" when it comes to filters and VLANs. What path should I try?

inet and ethernet-switching are the families which you configure under the interface. family inet is used for IPv4 and family ethernet-switching is used for layer 2 stuff (filtering traffic based on src/dst MAC address etc.).

If you want to filter traffic based on src/dst IP address & ports, apply the filter under family inet.

If you want to filter the traffic based on src/dst MAC address, apply the filter under family ethernet-switching.

2. I don't understand "VLAN" vs. "VLAN interface" and where is the right place to apply firewall filters

A VLAN interface is nothing but an SVI (in Cisco) or RVI (in Juniper).

HTH
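Putting the two pieces of advice in this thread together (Kingsman's first reply: match on destination-port and bind the filter under family inet; the last reply: family inet filters the routed IP traffic on the RVI, family ethernet-switching filters by MAC on the VLAN itself), here is a worked Junos configuration. It is an added example, not the original poster's config and not taken from Juniper documentation. The filter and counter names, the RFC 1918 prefixes, the RVI address 192.0.2.1/24 and the MAC address 00:00:5e:00:53:01 are assumptions for illustration; the match-condition syntax is that of non-ELS EX switches such as the EX3300 and should be checked with "?" on the running release.

```junos
/* Added example, not from this thread. Filter names, counter names, the
   RFC 1918 prefixes, the RVI address and the MAC address are assumptions. */
firewall {
    family inet {
        filter vlan123-internet-only {
            /* ICMP first, so echo replies to an internal monitoring host
               are not caught by the deny-internal term below. */
            term allow-icmp {
                from {
                    protocol icmp;
                }
                then accept;
            }
            /* "Internet-only": matching destination-port alone would still
               let vlan123 reach 53/80/443 on other internal subnets, so
               drop anything destined for private address space first. */
            term deny-internal {
                from {
                    destination-address {
                        10.0.0.0/8;
                        172.16.0.0/12;
                        192.168.0.0/16;
                    }
                }
                then {
                    count vlan123-to-internal;
                    discard;
                }
            }
            term allow-dns-web {
                from {
                    protocol [ tcp udp ];
                    destination-port [ 53 80 443 ];
                }
                then accept;
            }
            /* Junos discards unmatched traffic anyway; the explicit term adds
               a counter so drops show up in
               "show firewall filter vlan123-internet-only". */
            term deny-rest {
                then {
                    count vlan123-denied;
                    discard;
                }
            }
        }
    }
    family ethernet-switching {
        /* Layer 2 filter: matches on MAC addresses and is bound to the VLAN,
           not to the RVI. Here only one known MAC may send into vlan123. */
        filter vlan123-l2 {
            term allow-known-mac {
                from {
                    source-mac-address 00:00:5e:00:53:01/48;
                }
                then accept;
            }
            term deny-rest {
                then discard;
            }
        }
    }
}
interfaces {
    vlan {
        /* The RVI vlan.123 is the VLAN's default gateway; "input" here
           sees traffic leaving vlan123 towards any other subnet. */
        unit 123 {
            family inet {
                address 192.0.2.1/24;
                filter {
                    input vlan123-internet-only;
                }
            }
        }
    }
}
vlans {
    vlan123 {
        vlan-id 123;
        l3-interface vlan.123;
        filter {
            input vlan123-l2;
        }
    }
}
```

Two things to keep in mind when adapting it: the inet filter only works as an "internet-only" control if the switch itself routes vlan123 (hosts use the RVI as their default gateway), since traffic routed by some other box never crosses the RVI; and if the DNS resolver lives on an internal subnet, an accept term for that resolver's address has to sit before deny-internal, otherwise port 53 to it is dropped. The counters on the discard terms are what you look at after the Saturday maintenance window to see whether the filter is dropping what you expect.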