Junos

Is there any issue with junos inet6 firewall?

2 weeks ago

Hello,
We are trying to configure a firewall for inet6, but it seems to be dropping legit traffic.
So wondering if there is any issue with junos inet6?

Ex series Junos: 15.1R6.7

Thanks


Re: Is there any issue with junos inet6 firewall?

2 weeks ago

Hello fiber9,

 

To answer this question, it is absolutely necessary that you paste the corresponding config, which includes the firewall filter and interface config. Additionally, please give us more details about what exactly happens: source/destination IP, which kind of traffic is dropped and should not be dropped, where it is dropped ...

--------------------------------------------------

If this solves your problem, please mark this post as "Accepted Solution".
If you think that my answer was helpful, please spend some Kudos.

Re: Is there any issue with junos inet6 firewall?

yesterday

Created a filter for ipv4 and ipv6 on the ex4200. This works fine on an ex4300 running Junos 18.x or 19.x, but on an ex4200 running 15.x it does not work. So is this a Junos issue, or am I doing something wrong?

 

I enable ipv6 bgp established then interface ipv6 traffic drops.

set interfaces lo0 unit 0 family inet6 filter input ipv6filter
set interfaces lo0 unit 0 family inet6 address xxxxxx::1/64
set firewall filter inet6 filter ipv6filter term BGP from source-prefix-list EBGP-ROUTERS
set firewall filter inet6 filter ipv6filter term BGP from payload-protocol tcp
set firewall filter inet6 filter ipv6filter term BGP from port 179
set firewall filter inet6 filter ipv6filter term BGP then accept
set firewall family inet6 filter ipv6filter term ICMP from next-header icmp6
set firewall family inet6 filter ipv6filter term ICMP from icmp-type echo-request
set firewall family inet6 filter ipv6filter term ICMP from icmp-type echo-reply
set firewall family inet6 filter ipv6filter term ICMP then accept
set firewall family inet6 filter ipv6filter term OTHER then discard


Re: Is there any issue with junos inet6 firewall?

11 hours ago

Hi,

 

two things:

 

- I seem to remember that payload-protocol in the BGP term is a HW-dependent match condition. Have you tried using next-header like in the ICMP term?

 

- "set firewall filter inet6 ..." would not create a family inet6 filter, but a filter called inet6, but the following keyword "filter" is afaik not valid syntax. Can you please do a "show conf firewall family inet6 filter ipv6filter"?

 

Regards

Ulf

--
If this worked for you please flag my post as an 'Accepted Solution' so others can benefit. A kudo would be cool if you think I earned it.
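
The two points in the last reply can be checked mechanically before a commit. The following is an added example, not code from any poster or from Juniper: a small Python check run over the set commands posted in the thread. It flags term lines written under `firewall filter inet6 filter ...` instead of `firewall family inet6 filter ...`, flags `payload-protocol` matches for platform verification, and lists which terms the filter applied on the interface would actually contain. The function name `lint` and the finding labels are hypothetical, and the script does not validate Junos syntax in general.

```python
import re

# Constructed input: the set commands as posted in the thread (address line omitted).
POSTED = """\
set interfaces lo0 unit 0 family inet6 filter input ipv6filter
set firewall filter inet6 filter ipv6filter term BGP from source-prefix-list EBGP-ROUTERS
set firewall filter inet6 filter ipv6filter term BGP from payload-protocol tcp
set firewall filter inet6 filter ipv6filter term BGP from port 179
set firewall filter inet6 filter ipv6filter term BGP then accept
set firewall family inet6 filter ipv6filter term ICMP from next-header icmp6
set firewall family inet6 filter ipv6filter term ICMP from icmp-type echo-request
set firewall family inet6 filter ipv6filter term ICMP from icmp-type echo-reply
set firewall family inet6 filter ipv6filter term ICMP then accept
set firewall family inet6 filter ipv6filter term OTHER then discard
"""

APPLIED = re.compile(r"set interfaces \S+ unit \d+ family (\S+) filter (?:input|output) (\S+)$")
FAMILY = re.compile(r"set firewall family (\S+) filter (\S+) term (\S+) (?:from|then) (.+)$")
# A family name used where a filter name belongs, followed by a stray "filter" keyword.
MISPLACED = re.compile(r"set firewall filter (inet6?) filter (\S+) term (\S+) ")

def lint(config):
    """Return (findings, effective); effective maps each applied
    (family, filter) to the term names defined in the matching hierarchy."""
    findings, terms, applied = [], {}, []
    for n, line in enumerate(config.splitlines(), 1):
        line = line.strip()
        if m := APPLIED.match(line):
            applied.append((m.group(1), m.group(2)))
        elif m := FAMILY.match(line):
            names = terms.setdefault((m.group(1), m.group(2)), [])
            if m.group(3) not in names:
                names.append(m.group(3))
        elif m := MISPLACED.match(line):
            findings.append((n, "wrong-hierarchy", m.group(3)))
        if " from payload-protocol " in line:
            # Flagged for verification on the target platform, per the reply.
            findings.append((n, "payload-protocol", line.split()[-1]))
    effective = {key: terms.get(key, []) for key in applied}
    return findings, effective

if __name__ == "__main__":
    findings, effective = lint(POSTED)
    for n, kind, detail in findings:
        print(f"line {n}: {kind} ({detail})")
    for (family, name), names in effective.items():
        print(f"{family} filter {name} terms in effect: {names}")
```

On the posted lines, the only terms found under `family inet6 filter ipv6filter` are ICMP and OTHER; the BGP term is not among them.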