Routing

Filter Based Forwarding (FBF) on SRX

09-11-2019 08:41 AM

Hello,

Firewall filter:

firewall {
    family inet {
        filter OTnew-traffic-foward-to-OTold {
            term 10 {
                from {
                    source-address {
                        192.22.2.0/24;
                    }
                    destination-address {
                        172.24.32.0/20;
                    }
                }
                then {
                    routing-instance as-ot-10;
                }
            }
            term default {
                then accept;
            }
        }
    }
}

routing-instances {
    as-ot-10 {
        description OT-PolicyRoute;
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 172.22.2.10;
            }
        }
    }
}

routing-options {
    interface-routes {
        rib-group inet group-1;
    }
    rib-groups {
        group-1 {
            import-rib [ inet.0 as-ot-10.inet.0 ];
        }
    }
}

SRX snippet config:

interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
            family inet6 {
                filter {
                    input protect-re6;
                }
            }
        }
    }
    reth1 {
        description nlrtm1-sw333c;
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
            lacp {
                active;
                periodic slow;
            }
        }
        unit 30 {
            description "OT-application vlan 30";
            vlan-id 30;
            family inet {
                filter {
                    input OTnew-traffic-foward-to-OTold;
                }
                address 172.22.2.1/24;
            }
        }
    }
}

firewall {
    family inet {
        filter protect-re {
            term established-tcp-v4 {
                from {
                    protocol tcp;
                    tcp-established;
                }
                then accept;
            }
            term icmp-v4 {
                from {
                    protocol icmp;
                    icmp-type [ echo-request echo-reply unreachable time-exceeded source-quench ];
                }
                then accept;
            }
            term udp-traceroute-v4 {
                from {
                    protocol udp;
                    destination-port 33434-33523;
                }
                then accept;
            }
            term dns-v4 {
                from {
                    source-prefix-list {
                        nameserver-addresses;
                    }
                    protocol udp;
                    source-port 53;
                }
                then accept;
            }
            term ntp-v4 {
                from {
                    source-prefix-list {
                        ntp-addresses;
                    }
                    protocol udp;
                    source-port 123;
                }
                then accept;
            }
            term ssh {
                from {
                    source-prefix-list {
                        office;
                        ISP.net;
                        internal;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term discard-the-rest-v4 {
                then {
                    discard;
                }
            }
        }
        filter OTnew-traffic-foward-to-OTold {
            term 10 {
                from {
                    source-address {
                        172.22.2.0/24;
                    }
                    destination-address {
                        172.24.32.0/20;
                    }
                }
                then accept;
            }
        }
    }
    family inet6 {
        filter protect-re6 {
            term deny-all {
                then discard;
            }
        }
    }
}

routing-instances {
    as-ot-10 {
        description OT-PolicyRoute;
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 172.22.2.10;
            }
        }
    }
}

protocols {
    lldp {
        interface all;
    }
}

routing-options {
    interface-routes {
        rib-group inet group-1;
    }
    rib inet.0 {
        static {
            route 0.0.0.0/0 next-hop [ 192.168.150.29 192.168.250.29 ];
        }
    }
    rib inet6.0 {
        static {
            route ::0/0 next-hop [ 2a00:1830:0:1:40::c0a9:7c1d 2a00:1730:0:1:40::c0a9:e01e ];
        }
    }
    rib-groups {
        group-1 {
            import-rib [ inet.0 as-ot-10.inet.0 ];
        }
    }
    forwarding-table {
        export load-sharing-per-packet;
    }
}
6 REPLIES

Re: Filter Based Forwarding (FBF) on SRX

09-11-2019 08:53 AM

Hi,

Seems like your source-address in the SRX fw filter is incorrect. Based on the earlier filter you pasted this should be 192.22.2.0/24.

<..>

source-address {
    172.22.2.0/24;
}

<..>

Fix this and verify if that resolves your issue.

** Please mark as solution if this solves the issue so others can benefit from the post.


Re: Filter Based Forwarding (FBF) on SRX

09-11-2019 08:59 AM

1. The firewall config in the SRX snippet config does not match the first firewall config. Please correct.

2. The incoming and outgoing interface are the same (reth1.30), so you have to configure an intra-zone security policy (e.g. Zone-A to Zone-A).

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: Filter Based Forwarding (FBF) on SRX

09-11-2019 09:02 AM

Sorry, it was supposed to be source-address 172.22.2.0/24 in the firewall filter configuration that I pasted. But if you look at the SRX configuration below you will see that I have configured the correct source-address (172.22.2.0/24).


Re: Filter Based Forwarding (FBF) on SRX

09-11-2019 09:08 AM

These are the zones and policies that I have configured:

policies {
    from-zone trust to-zone untrust {
        policy any-to-any {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone untrust to-zone trust {
        policy allow_ssh_https {
            match {
                source-address any;
                destination-address any;
                application [ junos-ssh junos-http junos-https ];
            }
            then {
                permit;
            }
        }
    }
    from-zone ot-application to-zone untrust {
        policy OT-application-to-Untrust {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
}
zones {
    security-zone untrust {
        address-book {
            address office-1 x.x.x.x/29;
            address office-2 x.x.x.x/27;
            address office-3 x.x.x.x/32;
            address office-4 x.x.x.x/32;
            address office-5 x.x.x.x/29;
            address-set offices {
                address office-1;
                address office-2;
                address office-3;
                address office-4;
                address office-5;
            }
        }
        host-inbound-traffic {
            system-services {
                all;
            }
        }
        interfaces {
            ge-0/0/7.1409;
            ge-5/0/7.2409;
        }
    }
    security-zone trust {
        host-inbound-traffic {
            system-services {
                all;
            }
        }
        interfaces {
            reth0.100;
        }
    }
    security-zone ot-application {
        interfaces {
            reth1.30 {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
            }
        }
    }
}

Solution accepted by topic author Suli on 09-13-2019 12:56 AM

Re: Filter Based Forwarding (FBF) on SRX

09-11-2019 09:12 AM

Configure a security policy from zone ot-application to zone ot-application and check.

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
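Putting the pieces of this thread together, the following is a consolidated FBF configuration added here as an example; it is not the topic author's final commit and not Juniper documentation. Everything in it comes from the posts above (the filter name with its original "foward" spelling, the as-ot-10 forwarding instance, the group-1 rib-group, reth1.30 in zone ot-application, the 172.22.2.0/24 and 172.24.32.0/20 prefixes) except the address-book names OT-new-net and OT-old-net, the intra-zone policy name and the count action, which are assumptions. The two deviations from the deployed SRX snippet are the ones the replies point at: the filter term must send matching traffic to the routing instance rather than just accept it, and the SRX needs an ot-application to ot-application policy because the next-hop 172.22.2.10 sits on the same reth1.30 subnet the traffic arrives on. The intra-zone policy is scoped to the two prefixes rather than any/any so that only the redirected flow is permitted to hairpin.

```junos
/* Added example, not the original poster's configuration. Names marked (assumed) are not from the thread. */
firewall {
    family inet {
        filter OTnew-traffic-foward-to-OTold {
            term 10 {
                from {
                    source-address {
                        172.22.2.0/24;
                    }
                    destination-address {
                        172.24.32.0/20;
                    }
                }
                then {
                    count fbf-to-otold;            /* (assumed) counter so the match can be verified */
                    routing-instance as-ot-10;     /* the action the deployed snippet was missing */
                }
            }
            term default {
                then accept;                       /* without this, the implicit discard drops all other traffic on reth1.30 */
            }
        }
    }
}
interfaces {
    reth1 {
        unit 30 {
            family inet {
                filter {
                    input OTnew-traffic-foward-to-OTold;
                }
                address 172.22.2.1/24;
            }
        }
    }
}
routing-instances {
    as-ot-10 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 172.22.2.10;
            }
        }
    }
}
routing-options {
    interface-routes {
        rib-group inet group-1;                    /* copies the reth1.30 direct route so 172.22.2.10 resolves inside as-ot-10 */
    }
    rib-groups {
        group-1 {
            import-rib [ inet.0 as-ot-10.inet.0 ];
        }
    }
}
security {
    zones {
        security-zone ot-application {
            address-book {
                address OT-new-net 172.22.2.0/24;     /* (assumed) name */
                address OT-old-net 172.24.32.0/20;    /* (assumed) name */
            }
            interfaces {
                reth1.30;
            }
        }
    }
    policies {
        from-zone ot-application to-zone ot-application {
            policy OT-new-to-OT-old {              /* (assumed) name; intra-zone policy the accepted answer asks for */
                match {
                    source-address OT-new-net;
                    destination-address OT-old-net;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

After commit, `show route table as-ot-10.inet.0` should list both the 0.0.0.0/0 static route and the 172.22.2.0/24 direct route imported by the rib-group; if the direct route is missing, the next-hop cannot resolve and the instance forwards nothing. `show firewall filter OTnew-traffic-foward-to-OTold` shows the fbf-to-otold counter incrementing as matching packets arrive, and `show security flow session destination-prefix 172.24.32.0/20` confirms the sessions are being created with reth1.30 as both ingress and egress interface under the intra-zone policy.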

Re: Filter Based Forwarding (FBF) on SRX

09-13-2019 12:57 AM

Sorry for the late response. I tested this just now and it looks good and is working.

Thanksssss.