
Filter Based Forwarding (FBF) on SRX

a week ago

Hello,

I would like to route specific traffic (172.24.32.0/20) towards next-hop 172.22.2.10. So I have configured a firewall filter, but it doesn't seem to work. Can anyone identify mistakes or have any idea how to solve this?

Firewall filter:

firewall {
    family inet {
        filter OTnew-traffic-foward-to-OTold {
            term 10 {
                from {
                    source-address {
                        192.22.2.0/24;
                    }
                    destination-address {
                        172.24.32.0/20;
                    }
                }
                then {
                    routing-instance as-ot-10;
                }
            }
            term default {
                then accept;
            }
        }
    }
}

routing-instances {
    as-ot-10 {
        description OT-PolicyRoute;
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 172.22.2.10;
            }
        }
    }
}

routing-options {
    interface-routes {
        rib-group inet group-1;
    }
    rib-groups {
        group-1 {
            import-rib [ inet.0 as-ot-10.inet.0 ];
        }
    }
}

SRX snippet config:

interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
            family inet6 {
                filter {
                    input protect-re6;
                }
            }
        }
    }
    reth1 {
        description nlrtm1-sw333c;
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
            lacp {
                active;
                periodic slow;
            }
        }
        unit 30 {
            description "OT-application vlan 30";
            vlan-id 30;
            family inet {
                filter {
                    input OTnew-traffic-foward-to-OTold;
                }
                address 172.22.2.1/24;
            }
        }
    }
}
firewall {
    family inet {
        filter protect-re {
            term established-tcp-v4 {
                from {
                    protocol tcp;
                    tcp-established;
                }
                then accept;
            }
            term icmp-v4 {
                from {
                    protocol icmp;
                    icmp-type [ echo-request echo-reply unreachable time-exceeded source-quench ];
                }
                then accept;
            }
            term udp-traceroute-v4 {
                from {
                    protocol udp;
                    destination-port 33434-33523;
                }
                then accept;
            }
            term dns-v4 {
                from {
                    source-prefix-list {
                        nameserver-addresses;
                    }
                    protocol udp;
                    source-port 53;
                }
                then accept;
            }
            term ntp-v4 {
                from {
                    source-prefix-list {
                        ntp-addresses;
                    }
                    protocol udp;
                    source-port 123;
                }
                then accept;
            }
            term ssh {
                from {
                    source-prefix-list {
                        office;
                        ISP.net;
                        internal;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term discard-the-rest-v4 {
                then {
                    discard;
                }
            }
        }
        filter OTnew-traffic-foward-to-OTold {
            term 10 {
                from {
                    source-address {
                        172.22.2.0/24;
                    }
                    destination-address {
                        172.24.32.0/20;
                    }
                }
                then accept;
            }
        }
    }
    family inet6 {
        filter protect-re6 {
            term deny-all {
                then discard;
            }
        }
    }
}
routing-instances {
    as-ot-10 {
        description OT-PolicyRoute;
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 172.22.2.10;
            }
        }
    }
}
protocols {
    lldp {
        interface all;
    }
}
routing-options {
    interface-routes {
        rib-group inet group-1;
    }
    rib inet.0 {
        static {
            route 0.0.0.0/0 next-hop [ 192.168.150.29 192.168.250.29 ];
        }
    }
    rib inet6.0 {
        static {
            route ::0/0 next-hop [ 2a00:1830:0:1:40::c0a9:7c1d 2a00:1730:0:1:40::c0a9:e01e ];
        }
    }
    rib-groups {
        group-1 {
            import-rib [ inet.0 as-ot-10.inet.0 ];
        }
    }
    forwarding-table {
        export load-sharing-per-packet;
    }
}

Re: Filter Based Forwarding (FBF) on SRX

a week ago

Hi,

Seems like your source-address in the SRX fw filter is incorrect. Based on the earlier filter you pasted this should be 192.22.2.0/24.

<..>

source-address {
172.22.2.0/24;
}

<..>

Fix this and verify if that resolves your issue.

** Please mark as solution if this solves the issue so others can benefit from the post.


Re: Filter Based Forwarding (FBF) on SRX

a week ago

1. The firewall config in the SRX snippet config does not match the first firewall config. Please correct.

2. The incoming and outgoing interface is the same, reth1.30. So you have to configure an intra-zone security policy (e.g. Zone-A to Zone-A).

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: Filter Based Forwarding (FBF) on SRX

a week ago

Sorry, it was supposed to be source-address 172.22.2.0/24 in the firewall filter configuration that I pasted. But if you look at the SRX configuration below you will see that I have configured the correct source-address (172.22.2.0/24).


Re: Filter Based Forwarding (FBF) on SRX

a week ago

These are the zones and policies that I have configured:

policies {
    from-zone trust to-zone untrust {
        policy any-to-any {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone untrust to-zone trust {
        policy allow_ssh_https {
            match {
                source-address any;
                destination-address any;
                application [ junos-ssh junos-http junos-https ];
            }
            then {
                permit;
            }
        }
    }
    from-zone ot-application to-zone untrust {
        policy OT-application-to-Untrust {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
}
zones {
    security-zone untrust {
        address-book {
            address office-1 x.x.x.x/29;
            address office-2 x.x.x.x/27;
            address office-3 x.x.x.x/32;
            address office-4 x.x.x.x/32;
            address office-5 x.x.x.x/29;
            address-set offices {
                address office-1;
                address office-2;
                address office-3;
                address office-4;
                address office-5;
            }
        }
        host-inbound-traffic {
            system-services {
                all;
            }
        }
        interfaces {
            ge-0/0/7.1409;
            ge-5/0/7.2409;
        }
    }
    security-zone trust {
        host-inbound-traffic {
            system-services {
                all;
            }
        }
        interfaces {
            reth0.100;
        }
    }
    security-zone ot-application {
        interfaces {
            reth1.30 {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
            }
        }
    }
}

Solution (accepted by topic author Suli, Friday)

Re: Filter Based Forwarding (FBF) on SRX

a week ago

Configure a security policy from zone ot-application to zone ot-application and check.

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
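Added example, not part of this thread or of any Juniper tool: a small Python checker that catches the two problems raised above on a Junos configuration dump. It parses the brace syntax into nested dicts and then verifies, for the interface unit that carries the FBF filter, that the filter actually hands traffic to a routing-instance (the SRX snippet's filter only had `then accept`), that the rib-group on `interface-routes` imports that instance's RIB, and that when the instance's next-hop sits on an interface in the same zone as the ingress interface there is a from-zone X to-zone X policy (the accepted fix). The sample config is constructed from the names and addresses in this thread; the `__POLICIES__` placeholder, the policy name `ot-hairpin` and all function names are my own.

```python
import ipaddress
import re

# Constructed sample built from the thread's config; __POLICIES__ is a placeholder we fill in below.
SAMPLE = """
interfaces { reth1 { unit 30 { family inet {
    filter { input OTnew-traffic-foward-to-OTold; } address 172.22.2.1/24; } } } }
firewall { family inet { filter OTnew-traffic-foward-to-OTold {
    term 10 { from { source-address { 172.22.2.0/24; } destination-address { 172.24.32.0/20; } }
              then { routing-instance as-ot-10; } }
    term default { then accept; } } } }
routing-instances { as-ot-10 { instance-type forwarding;
    routing-options { static { route 0.0.0.0/0 next-hop 172.22.2.10; } } } }
routing-options { interface-routes { rib-group inet group-1; }
    rib-groups { group-1 { import-rib [ inet.0 as-ot-10.inet.0 ]; } } }
security { zones { security-zone ot-application { interfaces { reth1.30; } } }
    policies { __POLICIES__ } }
"""
# The intra-zone policy from the accepted answer; the policy name ot-hairpin is ours.
INTRAZONE_POLICY = """from-zone ot-application to-zone ot-application { policy ot-hairpin {
    match { source-address any; destination-address any; application any; } then { permit; } } }"""

def parse_junos(text):
    """Parse Junos brace syntax into nested dicts; leaf statements map to None."""
    root = {}
    stack, node, words = [], root, ''
    for tok in re.findall(r'[{};]|[^{};]+', text):
        if tok == '{':
            stack.append(node)
            node = node.setdefault(' '.join(words.split()), {})
        elif tok == ';':
            node[' '.join(words.split())] = None
        elif tok == '}':
            node = stack.pop()
        else:
            words += tok
            continue
        words = ''
    return root

def zone_of(cfg, ifunit):
    """Security zone holding interface unit ifunit (e.g. reth1.30), or None."""
    for name, zone in cfg.get('security', {}).get('zones', {}).items():
        if name.startswith('security-zone ') and ifunit in zone.get('interfaces', {}):
            return name.split()[1]
    return None

def interface_for(cfg, addr):
    """Interface unit whose inet address covers addr (directly connected), or None."""
    for ifname, iface in cfg.get('interfaces', {}).items():
        for unit, body in (iface or {}).items():
            for stmt in (body or {}).get('family inet', {}) if unit.startswith('unit ') else []:
                if stmt.startswith('address ') and addr in ipaddress.ip_interface(stmt.split()[1]).network:
                    return f"{ifname}.{unit.split()[1]}"
    return None

def check_fbf(cfg, ifname, unit):
    """Findings for FBF applied on ifname.unit; an empty list means the wiring is complete."""
    findings, ifunit = [], f'{ifname}.{unit}'
    inet = cfg.get('interfaces', {}).get(ifname, {}).get(f'unit {unit}', {}).get('family inet', {})
    fname = next((k.split()[1] for k in inet.get('filter', {}) if k.startswith('input ')), None)
    if fname is None:
        return [f'{ifunit}: no input filter under family inet']
    filt = cfg.get('firewall', {}).get('family inet', {}).get(f'filter {fname}')
    if filt is None:
        return [f'filter {fname} is applied to {ifunit} but never defined']
    # Instances named by "then { routing-instance X; }" or the inline "then routing-instance X;"
    instances = set()
    for term, body in filt.items():
        if term.startswith('term '):
            for stmt in list(body) + list(body.get('then') or {}):
                if stmt.startswith(('routing-instance ', 'then routing-instance ')):
                    instances.add(stmt.split()[-1])
    if not instances:
        findings.append(f'filter {fname} never redirects to a routing-instance (FBF does nothing)')
    # The rib-group on interface-routes must import the instance RIB so it sees connected routes
    ro = cfg.get('routing-options', {})
    rg = next((k.split()[2] for k in ro.get('interface-routes', {}) if k.startswith('rib-group inet ')), None)
    imported = set()
    for stmt in ro.get('rib-groups', {}).get(rg, {}):
        if stmt.startswith('import-rib'):
            imported.update(stmt.replace('[', ' ').replace(']', ' ').split()[1:])
    for ri in sorted(instances):
        inst = cfg.get('routing-instances', {}).get(ri)
        if inst is None:
            findings.append(f'routing-instance {ri} is referenced by {fname} but never defined')
            continue
        if f'{ri}.inet.0' not in imported:
            findings.append(f'rib-group on interface-routes must import {ri}.inet.0')
        for stmt in inst.get('routing-options', {}).get('static', {}):
            parts = stmt.split()
            nh_at = parts.index('next-hop') + 1 if 'next-hop' in parts else len(parts)
            if parts[0] != 'route' or nh_at >= len(parts) or parts[nh_at] == '[':
                continue  # only "route X next-hop A.B.C.D" is handled; the list form is skipped
            nh = ipaddress.ip_address(parts[nh_at])
            egress, zone = interface_for(cfg, nh), zone_of(cfg, ifunit)
            # Next-hop on an interface in the ingress zone: traffic hairpins, needs an intra-zone policy
            if egress and zone and zone_of(cfg, egress) == zone and \
                    f'from-zone {zone} to-zone {zone}' not in cfg.get('security', {}).get('policies', {}):
                findings.append(f'next-hop {nh} is via {egress} in the ingress zone {zone}: '
                                f'hairpinned traffic needs a policy from-zone {zone} to-zone {zone}')
    return findings
```

Run `check_fbf(parse_junos(text), 'reth1', '30')` over the text of `show configuration | display set`-free brace output; an empty list means the three prerequisites are present. With `__POLICIES__` left empty the checker reports exactly the missing intra-zone policy, with `INTRAZONE_POLICY` substituted it reports nothing, and if term 10's action is changed to `then accept` (as in the SRX snippet) it reports that the filter never redirects. The parser is deliberately minimal (no comments, annotations or `inactive:` statements), and the zone comparison is skipped when the next-hop is not on a directly connected subnet.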

Re: Filter Based Forwarding (FBF) on SRX

Friday

Sorry for the late response. I tested this just now and it looks good and is working.

thanksssss.