Routing

Firewall Filter using a source-address

‎02-20-2020 08:32 AM

I am still learning about Junos and I have what I think is a simple question regarding a filter using a source address. I am wanting to edit this filter to apply only to 10.50.0.0 and above and ignore addresses 10.0.0.0 to 10.49.255.254. I think the solution is to change the source-address to 10.50.0.0/8, but that seems counterintuitive. Any assistance would be appreciated, thanks.

filter filter-cgnat2 {
  term cgnat-src {
    from {
      source-address {
        100.64.0.0/16;
        10.0.0.0/8;
      }
    }


Re: Firewall Filter using a source-address

‎02-20-2020 10:40 AM

This has not much to do with the filter. It's purely an issue with subnetting and VLSM/CIDR.

 

Do you want to match the addresses from 10.50.0.0 to 10.255.255.255? 

 

This consists of:

10.128.0.0/9 (10.128.0.0 - 10.255.255.255)

10.64.0.0/10 (10.64.0.0 - 10.127.255.255)

10.56.0.0/13 (10.56.0.0 - 10.63.255.255)

10.52.0.0/14 (10.52.0.0 - 10.55.255.255)

10.50.0.0/15 (10.50.0.0 - 10.51.255.255)

 

You can find some helpful subnet calculator tools: http://www.subnet-calculator.com/subnet.php?net_class=A 

But didn't find a perfect tool for this case. 

 

BTW, this is really a BAD requirement. Anyone who operates the network should convert their minds to be more "binary" 


Mengzhe Hu
JNCIE x 3 (SP DC ENT)
Solution
Accepted by topic author WadeH
4 weeks ago

Re: Firewall Filter using a source-address

‎02-20-2020 01:00 PM

Could you break this into two terms? The first catches everything from 10.0.0.0 to 10.50.0.0, and accepts traffic without any additional action.

Term 2 catches everything in 10.0.0.0/8 that hasn't been matched yet, and applies whatever action you need.

 

filter filter-cgnat2 {
  term cgnat-src-1 {
    from {
      source-address {
        10.0.0.0/11;     # 10.0.0.0 - 10.31.255.255
        10.32.0.0/12;    # 10.32.0.0 - 10.47.255.255
        10.48.0.0/15;    # 10.48.0.0 - 10.49.255.255
        10.50.0.0/16;    # 10.50.0.0 - 10.50.255.255
      }
    }
  }
  term cgnat-src-2 {
    from {
      source-address {
        100.64.0.0/16;
        10.0.0.0/8;
      }
    }
    then {
      # Action
    }
  }
}


Re: Firewall Filter using a source-address

‎02-21-2020 03:32 AM
Hi WadeH,

For your specific question, thought "source-address 10.50.0.0/16" will meet your requirement, it only matches 10.50.0.0 to 10.50.255.255 and does NOT match 10.0.0.0 to 10.49.255.254.

Hope this helps.

Regards,
-r.

--------------------------------------------------

If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.

Re: Firewall Filter using a source-address

‎02-24-2020 04:31 PM

For these arbitrary ranges as you require, 10.50.0.0-10.255.255.255 (note 255 is the end, not 254), you can use the IP range to CIDR convertor.

 

https://ipaddressguide.com/cidr

 

Result:

10.50.0.0/15
10.52.0.0/14
10.56.0.0/13
10.64.0.0/10
10.128.0.0/9

 

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
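
An added example, not part of the original thread: the range-to-CIDR conversion discussed in the replies above, done offline with Python's standard `ipaddress` module. It also splits the remainder of 10.0.0.0/8 into blocks and classifies constructed boundary addresses; the function names and sample addresses are assumptions of this example.

```python
import ipaddress

def range_to_cidrs(first, last):
    """Smallest list of CIDR blocks covering first..last exactly."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return list(ipaddress.summarize_address_range(lo, hi))

def effective_network(prefix):
    """Network a prefix really denotes once host bits are masked off."""
    return ipaddress.ip_network(prefix, strict=False)

def classify(addr, action, exempt):
    """Say which prefix list (if any) contains addr."""
    ip = ipaddress.IPv4Address(addr)
    if any(ip in net for net in action):
        return "action"
    if any(ip in net for net in exempt):
        return "exempt"
    return "no match"

def junos_source_address(prefixes):
    """Render prefixes as a Junos source-address stanza."""
    body = "\n".join(f"    {net};" for net in prefixes)
    return "source-address {\n" + body + "\n}"

# Range from the thread that should get the filter action.
ACTION = range_to_cidrs("10.50.0.0", "10.255.255.255")
# The rest of 10.0.0.0/8, which the filter should leave alone.
EXEMPT = range_to_cidrs("10.0.0.0", "10.49.255.255")

# Constructed sample addresses on each side of every boundary.
SAMPLES = ["10.0.0.1", "10.49.255.255", "10.50.0.0",
           "10.255.255.255", "11.0.0.0"]

def boundary_report():
    return {s: classify(s, ACTION, EXEMPT) for s in SAMPLES}

if __name__ == "__main__":
    # As CIDR arithmetic, 10.50.0.0/8 is the whole 10.0.0.0/8.
    print("10.50.0.0/8 ->", effective_network("10.50.0.0/8"))
    print(junos_source_address(ACTION))
    for addr, verdict in boundary_report().items():
        print(f"{addr:15} {verdict}")
```

Running the boundary check before committing a filter change catches off-by-one-block mistakes at the edges of the range.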

Re: Firewall Filter using a source-address

‎02-25-2020 02:19 PM

How did you go Wade? Did you get to the bottom of this?


Re: Firewall Filter using a source-address

4 weeks ago

I was finally able to test this out, and the two-term solution has solved my problem until I can get another solution in place. Thank you.

 


Re: Firewall Filter using a source-address

3 weeks ago

That's great news!