The problem I am seeing is as follows:
- Device 2 has 172.17.7.240 set as its default gateway
- Attempting to access 8.8.8.8, Device 2 is correctly routed to 172.17.7.240 and then 172.17.0.3
- Attempting to access 172.17.99.99, Device 2 is correctly routed to 172.17.7.240 and then incorrectly 172.17.0.3, where the route fails, of course
Hmmm, I *thought* the issue was that Device 2 was routing to 8.8.8.8 via 172.17.0.1 as per your OP?
Okay, if that isn't the problem and routing from vlan 10 to 99 IS the problem, this makes (a little) more sense.
There is a bug in the implementation of RIB on the EX platform, where local routes shared across the routing instances, while routes look valid in the routing table, are not present in the PFE. In other words, if the only route to the destination in the route table of the routing instances you're forwarding via is the route put there as a result of the RIB import, then traffic won't reach it via the route. However, when we encountered the bug it resulted in traffic not reaching the destination at all.
Just to see if this bug is the problem, add a term above your t2 term in your first-fbf-filter; we called ours "match_direct" so it was clear the term matched "direct" routes in the routing table. For you it would go along the lines of:
set firewall family inet filter first-fbf-filter term match_direct from destination-address 172.17.99.0/24
set firewall family inet filter first-fbf-filter term match_direct then accept
insert firewall family inet filter first-fbf-filter term match_direct before term t2
So, for any traffic entering your first-fbf-filter, if the traffic is destined for 172.17.99.0/24 (you can make this 172.17.99.99/32 if you wish, obviously) then it will use the inet.0 routing table and should therefore be routed correctly.
I can't remember if "Local" routes were similarly affected by this bug; I don't *think* they were, so you could just try to add a static route to this routing instance for the individual host:
set routing-instances ri-b routing-options static route 172.17.99.99/32 next-hop 172.17.99.240
Let me know how you get on...