Junos OS


Ask questions and share experiences about Junos OS.

Firewall Filter with vrrp issu

  • 1.  Firewall Filter with vrrp issu

    Posted 03-13-2009 14:50

    Hi

    If I activate this firewall filter on the loopback interface, both VRRP nodes go to master. Is something missing?

     

    firewall {
        filter PROTECT-RE {
            term SSH {
                from {
                    source-address {
                        172.16.200.0/24;
                        172.31.151.0/24;
                    }
                    protocol tcp;
                    port [ ssh http ];
                }
            }
            term BGP {
                from {
                    address {
                        172.18.123.5/32;
                    }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            term ICMP {
                from {
                    source-address {
                        172.16.200.0/24;
                        172.31.151.0/24;
                    }
                    protocol icmp;
                }
                then accept;
            }
            term VRRP {
                from {
                    source-address {
                        172.16.1.2/32;
                        }
                    protocol vrrp;
                }
                then accept;
            }
            term REST {
                then {
                    log;
                    syslog;
                    discard;
                }
            }
        }
    }

     

    best regards

    iglu



  • 2.  RE: Firewall Filter with vrrp issu

    Posted 03-13-2009 14:57

     

     

    Hi Iglu,

     

     That's probably an issue with your 'from' address. What does your log tell you? (I see you have both log and syslog in the last term)

     

    Cheers

    Erdem



  • 3.  RE: Firewall Filter with vrrp issu

    Posted 03-13-2009 16:10

    Hi erdems

    In which log do I have to check?

     

    regards

    iglu



  • 4.  RE: Firewall Filter with vrrp issu

    Posted 03-13-2009 16:25


    Hi Iglu,

     

     A syslog file with 'firewall xxx' (or 'any any', obviously) would catch firewall logs. To keep your logfiles 'clean and ordered' and for future troubleshooting, you may wish to configure something like the following:

     

    system {
        syslog {
            file firewall {
                firewall any;
                archive size 5m files 10;
            }
        }
    }

     

     What is 172.16.1.2? The remote endpoint of your interface configured for VRRP, or the remote node's loopback? Have you tried removing it from your term, like:

     

            term VRRP {
                from {
                    protocol vrrp;
                }
                then accept;
            }

     

    Cheers,

    Erdem



  • 5.  RE: Firewall Filter with vrrp issu

    Posted 03-14-2009 01:48

    Hi Iglu

     

    Your VRRP term has to accept both incoming and outgoing VRRP traffic.

     

    If not, the two VRRP instances won't be able to talk to each other!

     

    You shouldn't have this:

     

            term VRRP {
                from {
                    source-address {
                        172.16.1.2/32;
                    }
                    protocol vrrp;
                }
                then accept;
            }

     

     

    but something like that:

     

            term VRRP {
                from {
                    address {
                        172.16.1.0/xx;   (your VRRP IP network)
                    }
                    protocol vrrp;
                }
                then accept;
            }

     

     

    Give us some news 😉 




  • 6.  RE: Firewall Filter with vrrp issu

    Posted 03-15-2009 14:15

    Hi

    I have configured the following.

     

            term VRRP {
                from {
                    protocol vrrp;
                }
                then accept;
            }
     

    also tried

     

            term VRRP {
                from {
                    protocol vrrp;
                    interface ge-0/0/0.0;
                }
                then accept;
            }
     

    did not work either.

     

    I also removed the

            term REST {
                then {
                    log;
                    syslog;
                    discard;
                }
            }
    and it did not work.

     

    Here are the logs:

     

    Mar 15 18:06:44  rt02 last message repeated 4 times
    Mar 15 18:06:45  rt02 fwdd[4328]: PFE_FW_SYSLOG_IP: FW: ge-2/0/0.0   D icmp 204.8.21.1 91.194.196.0     8     0 (1 packets)
    Mar 15 18:06:45  rt02 /kernel: FW: ge-0/0/0.0   D unkn 91.194.196.2 224.0.0.18     0     0
    Mar 15 18:06:49  rt02 last message repeated 4 times
    Mar 15 18:06:49  rt02 fwdd[4328]: PFE_FW_SYSLOG_IP: FW: ge-2/0/0.0   D  tcp 62.90.30.66 62.179.118.226  3810   135 (1 packets)
    Mar 15 18:06:50  rt02 /kernel: FW: ge-0/0/0.0   D unkn 91.194.196.2 224.0.0.18     0     0
    Mar 15 18:06:50  rt02 fwdd[4328]: PFE_FW_SYSLOG_IP: FW: ge-2/0/0.0   D icmp 204.8.21.1 91.194.196.0     8     0 (1 packets)
    Mar 15 18:06:51  rt02 /kernel: FW: ge-0/0/0.0   D unkn 91.194.196.2 224.0.0.18     0     0
    Mar 15 18:06:54  rt02 last message repeated 4 times
    Mar 15 18:06:55  rt02 fwdd[4328]: PFE_FW_SYSLOG_IP: FW: ge-2/0/0.0   D icmp 204.8.21.1 91.194.196.0     8     0 (1 packets)
    Mar 15 18:06:55  rt02 /kernel: FW: ge-0/0/0.0   D unkn 91.194.196.2 224.0.0.18     0     0
    Mar 15 18:07:04  rt02 last message repeated 11 times

     

    any idea?

     

    cheers iglu

     



  • 7.  RE: Firewall Filter with vrrp issu

    Posted 03-15-2009 15:13
    Hi Iglu,

     

     I'm not 100% sure about your topology, but here are a few tips:
     

    - removing the last term will not do any good since by default the last firewall filter will drop anything that's not accepted before. If you want to temporarily take the filter out completely, do a 'deactivate interfaces lo0.0 family inet filter' and commit.

    - do you have your vrrp networks included in your ICMP term? According to RFC2338 ( http://www.ietf.org/rfc/rfc2338.txt ), ICMP redirects may be used when VRRP is running between a group of routers, where the topology is non-symmetric.

    Cheers,
    Erdem


  • 8.  RE: Firewall Filter with vrrp issu

    Posted 03-15-2009 15:41

    Hi Erdem

    I am not sure what you mean with non-symmetric topology. But the VRRP network is included in the ICMP term.

     

    I put a term "permit any"  at the end and it worked.

     

    Best regards

    Iglu



  • 9.  RE: Firewall Filter with vrrp issu

    Posted 03-15-2009 15:48

    Hi Iglu,

     

     In this case, we've indeed identified your previous firewall filter as the blocker for VRRP.

     

     Would you mind pasting your full config, so that we can also check the addressing in several terms, for there might be an overlap and/or a missing network.

     

     I'm sure you wouldn't want to keep the filter as it is now 🙂

     

     Cheers,

     Erdem



  • 10.  RE: Firewall Filter with vrrp issu

    Posted 03-15-2009 15:57

    Here it is.

     

    ## Last commit: 2009-03-15 23:39:54 CET by admin
    version 9.3R2.8;
    system {
        host-name rt02;
        services {
            ssh {
                root-login deny;
                protocol-version v2;
                connection-limit 5;
                rate-limit 5;
            }
            web-management {
                http {
                    interface [ lo0.0 ge-0/0/3.0 ge-0/0/0.0 ];
                }
            }
        }
        syslog {
            file PFLOGRT02 {
                firewall any;
                archive size 5m files 20 world-readable;
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            description DMZ;
            unit 0 {
                family inet {
                    address 91.194.196.3/25 {
                        vrrp-group 1 {
                            virtual-address 91.194.196.1;
                            authentication-type md5;
                            authentication-key "$9$5z9t0BESlM4ajkmT/9Ap01Icx7Vg4Z"; ## SECRET-DATA
                        }
                    }
                }
            }
        }
        ge-0/0/3 {
            description TO-RT01;
            unit 0 {
                family inet {
                    address 172.18.123.6/30;
                }
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    address 172.18.123.2/32;
                }
            }
        }
    }
    forwarding-options {
        packet-capture {
            disable;
            file filename int-capture files 100 size 1k world-readable;
            maximum-capture-size 500;
        }
    }
    routing-options {
        static {
            route 91.194.196.0/23 discard;
            route 91.194.197.224/27 next-hop 91.194.196.111;
        }
        autonomous-system 43291;
    }
    protocols {
        bgp {
            group INTERNAL {
                type internal;
                local-address 172.18.123.6;
                export [ NEXT-HOP-SELF CONNECTED REDIST-STATIC ];
                peer-as 43291;
                neighbor 172.18.123.5;
            }
        }
    }
    policy-options {
        policy-statement BGP-ADV {
            from {
                protocol static;
                route-filter 91.194.196.0/23 exact;
            }
            then accept;
        }
        policy-statement CONNECTED {
            from protocol direct;
            then accept;
        }
        policy-statement DEFAULT-ONLY {
            term ACCEPT-DEFAULT-ONLY {
                from {
                    route-filter 0.0.0.0/0 exact;
                }
                then accept;
            }
            term REJECT-OTHERS {
                then reject;
            }
        }
        policy-statement NEXT-HOP-SELF {
            term NEXT-HOP {
                from protocol bgp;
                then {
                    next-hop self;
                }
            }
        }
        policy-statement REDIST-STATIC {
            term STATIC-ROUTE {
                from {
                    protocol static;
                    route-filter 91.194.196.0/23 exact reject;
                }
            }
            term ALLOW-OTHERS {
                then accept;
            }
        }
    }
    firewall {
        filter PROTECT-RE {
            term SSH {
                from {
                    source-address {
                        91.194.196.0/25;
                        172.16.200.0/24;
                        172.31.151.0/24;
                        172.16.250.0/24;
                    }
                    protocol tcp;
                    port [ ssh http ];
                }
            }
            term BGP {
                from {
                    address {
                        172.18.123.5/32;
                    }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            term ICMP {
                from {
                    source-address {
                        91.194.196.0/25;
                        172.16.200.0/24;
                        172.31.151.0/24;
                        172.16.250.0/24;
                    }
                    protocol icmp;
                }
                then accept;
            }
            term VRRP {
                from {
                    protocol vrrp;
                    interface ge-0/0/0.0;
                }
                then accept;
            }
            term SNMP {
                from {
                    source-address {
                        91.194.196.0/25;
                        172.16.200.0/24;
                        172.31.151.0/24;
                        172.16.250.0/24;
                    }
                    protocol udp;
                    port snmp;
                }
                then accept;
            }
            term REST {
                then {
                    log;
                    syslog;
                    discard;
                }
            }
        }
    }

     



  • 11.  RE: Firewall Filter with vrrp issu
    Best Answer

    Posted 03-15-2009 17:25

     

    Hi Iglu,

     

     Now I see it. You're using authentication for VRRP, which is defined by protocol #51 (as assigned by IANA). So you'll need to edit your VRRP term as follows:

     

            term VRRP {
                from {
                    protocol [ vrrp 51 ];
                    interface ge-0/0/0.0;
                }
                then accept;
            }
     

    and you're good to go.

     

    Cheers,

    Erdem
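As an added example (not code from this thread, from Juniper, or from either poster), here is a small Python script that triages the firewall-log lines iglu pasted in post 6 and reports which discards are addressed to the VRRP multicast group 224.0.0.18, which is the quickest way to see that the lo0 filter is the thing eating the hellos. The log sample is copied from the thread; the `FW:` field order (interface, action, protocol, source, destination, source port, destination port, optional packet count) is inferred from those lines and is an assumption. The note it prints uses two facts not specific to this thread: a Junos `from protocol vrrp` term matches IP protocol 112 only, and IANA protocol 51 is AH (IP Authentication Header), the number the accepted answer adds to the VRRP term.

```python
"""Triage Junos firewall-filter syslog lines for dropped VRRP hellos.

Added example (not from the thread or from Juniper). It parses the 'FW:'
records that fwdd (PFE_FW_SYSLOG_IP) and /kernel write when a term has
'log' / 'syslog', folds syslog's "last message repeated N times" into the
preceding record, and reports discards sent to the VRRP group 224.0.0.18.
"""
import re
from collections import Counter
from dataclasses import dataclass

VRRP_GROUP = "224.0.0.18"   # VRRP all-routers multicast group (RFC 2338)
IANA_AH = 51                # IP protocol 51 = AH (IP Authentication Header)

# Log lines copied from the thread (rt02, lo0 filter with 'log; syslog; discard;').
SAMPLE_LOG = """\
Mar 15 18:06:44  rt02 last message repeated 4 times
Mar 15 18:06:45  rt02 fwdd[4328]: PFE_FW_SYSLOG_IP: FW: ge-2/0/0.0   D icmp 204.8.21.1 91.194.196.0     8     0 (1 packets)
Mar 15 18:06:45  rt02 /kernel: FW: ge-0/0/0.0   D unkn 91.194.196.2 224.0.0.18     0     0
Mar 15 18:06:49  rt02 last message repeated 4 times
Mar 15 18:06:49  rt02 fwdd[4328]: PFE_FW_SYSLOG_IP: FW: ge-2/0/0.0   D  tcp 62.90.30.66 62.179.118.226  3810   135 (1 packets)
Mar 15 18:06:50  rt02 /kernel: FW: ge-0/0/0.0   D unkn 91.194.196.2 224.0.0.18     0     0
Mar 15 18:06:50  rt02 fwdd[4328]: PFE_FW_SYSLOG_IP: FW: ge-2/0/0.0   D icmp 204.8.21.1 91.194.196.0     8     0 (1 packets)
Mar 15 18:06:51  rt02 /kernel: FW: ge-0/0/0.0   D unkn 91.194.196.2 224.0.0.18     0     0
Mar 15 18:06:54  rt02 last message repeated 4 times
Mar 15 18:06:55  rt02 fwdd[4328]: PFE_FW_SYSLOG_IP: FW: ge-2/0/0.0   D icmp 204.8.21.1 91.194.196.0     8     0 (1 packets)
Mar 15 18:06:55  rt02 /kernel: FW: ge-0/0/0.0   D unkn 91.194.196.2 224.0.0.18     0     0
Mar 15 18:07:04  rt02 last message repeated 11 times
"""

# Assumed field order, inferred from the pasted lines:
#   FW: <interface> <A|D> <protocol> <src> <dst> <sport> <dport> [(N packets)]
FW_RE = re.compile(
    r"FW:\s+(?P<iface>\S+)\s+(?P<action>[AD])\s+(?P<proto>\S+)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\s+(?P<dst>\d+(?:\.\d+){3})\s+"
    r"(?P<sport>\d+)\s+(?P<dport>\d+)(?:\s+\((?P<count>\d+) packets\))?"
)
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times")


@dataclass(frozen=True)
class FwEvent:
    iface: str
    action: str   # 'A' accepted, 'D' discarded
    proto: str    # protocol name, or 'unkn' when the logger has no name for it
    src: str
    dst: str
    sport: int
    dport: int


def parse_fw_log(text):
    """Return [(FwEvent, packets)], with repeat lines folded into the preceding record."""
    records = []   # [event, packets per message, total packets]
    for line in text.splitlines():
        m = FW_RE.search(line)
        if m:
            per_msg = int(m.group("count") or 1)   # kernel lines carry no count: one packet
            ev = FwEvent(m["iface"], m["action"], m["proto"], m["src"], m["dst"],
                         int(m["sport"]), int(m["dport"]))
            records.append([ev, per_msg, per_msg])
            continue
        r = REPEAT_RE.search(line)
        if r and records:   # a repeat with no preceding record (top of an excerpt) is dropped
            records[-1][2] += int(r["n"]) * records[-1][1]
    return [(ev, total) for ev, _, total in records]


def discards_by_proto(text):
    """Packets discarded, keyed by the protocol name the logger printed."""
    c = Counter()
    for ev, n in parse_fw_log(text):
        if ev.action == "D":
            c[ev.proto] += n
    return dict(c)


def vrrp_group_drops(text):
    """{(interface, source, protocol): packets} for discards addressed to 224.0.0.18."""
    c = Counter()
    for ev, n in parse_fw_log(text):
        if ev.action == "D" and ev.dst == VRRP_GROUP:
            c[(ev.iface, ev.src, ev.proto)] += n
    return dict(c)


def explain(text):
    """One finding per (interface, peer, protocol) that is losing VRRP traffic."""
    out = []
    for (iface, src, proto), n in sorted(vrrp_group_drops(text).items()):
        line = f"{iface}: {n} packets from {src} to {VRRP_GROUP} discarded (proto {proto})"
        if proto != "vrrp":
            # 'from protocol vrrp' matches IP protocol 112 only; traffic to the VRRP group
            # under any other protocol number falls through to the discard term. The
            # thread's fix for authenticated VRRP adds IANA protocol 51 (AH) to the term.
            line += f"; not matched by 'protocol vrrp' alone, check IP protocol {IANA_AH} (AH)"
        out.append(line)
    return out


if __name__ == "__main__":
    for finding in explain(SAMPLE_LOG):
        print(finding)
```

Run against the pasted excerpt it reports a single peer, 91.194.196.2 on ge-0/0/0.0, with 23 discarded packets to 224.0.0.18 under an unnamed protocol, while the ICMP and TCP drops on ge-2/0/0.0 are unrelated Internet noise. Folding the "last message repeated" lines matters: without it the count is 4, which understates how steadily the peer's hellos are being dropped.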



  • 12.  RE: Firewall Filter with vrrp issu

    Posted 03-17-2009 13:02

    Hi Erdem

     

    I have modified the filter and it works. 

    Many thanks.

     

    best regards

    iglu



  • 13.  RE: Firewall Filter with vrrp issu

    Posted 08-01-2015 16:46

    Hey,

     

    You can also use the VRRP multicast address "224.0.0.18/32".