SRX Services Gateway

Download policer won't work

02-20-2019 07:03 AM

Hi!

 

I have an SRX 240 cluster and want to limit the download speed to one of my servers.

 

Here's how I wanted to do this:

 

#Policer 50Mbit/s

set firewall policer policer-50mbit if-exceeding bandwidth-limit 50m
set firewall policer policer-50mbit if-exceeding burst-size-limit 128k
set firewall policer policer-50mbit then discard

 

#Filter

set firewall family inet filter download-limit term wsus-server from source-address 192.168.0.1/32
set firewall family inet filter download-limit term wsus-server then policer policer-50mbit
set firewall family inet filter download-limit term wsus-server then accept

 

#Configuring policer on the interface the server 192.168.0.1 is connected to

set interfaces reth5.10 family inet filter input download-limit

 

When this configuration is active, the whole 192.168.0.0/24 subnet is limited to 50Mbit/s. Why's that?

The WAN interface is reth0.1 configured with interface NAT.

 

 

Kind regards

Andy


Re: Download policer won't work

02-20-2019 07:13 AM

Hello,

According to Your config, and assuming You did not omit filter terms, You are rate-limiting the traffic FROM 192.168.0.1 AND dropping all traffic from the rest of the 192.168.0.0/24 subnet, because there is no "else allow" term:

@MetzingerAn wrote:

#Filter

set firewall family inet filter download-limit term wsus-server from source-address 192.168.0.1/32
set firewall family inet filter download-limit term wsus-server then policer policer-50mbit
set firewall family inet filter download-limit term wsus-server then accept

You need to add a last term with "accept" to actually allow the rest of the 192.168.0.0/24 subnet to communicate with the outside world:

set firewall family inet filter download-limit term else then accept

HTH

Thx

Alex


Re: Download policer won't work

02-20-2019 08:13 AM

Hi Alex!

 

Oh my. I added the line

set firewall family inet filter download-limit term else then accept

to this config. All clients in the /24 network are now able to download at full speed :-) including the 192.168.0.1/32... 

I don't get it...

Solution
Accepted by topic author MetzingerAn
02-20-2019 11:42 AM

Re: Download policer won't work

02-20-2019 08:27 AM

Hello,

@MetzingerAn wrote:

Hi Alex!

All clients in the /24 network are now able to download at full speed :-) including the 192.168.0.1/32...

I don't get it...

You rate-limited the packets with SRC IP 192.168.0.1, which from this host's point of view is UPLOAD.

If You need to limit DOWNLOAD TO this host, You need to construct a different filter and apply it in the "output" direction to the same interface.

HTH

Thx

Alex


Re: Download policer won't work

02-20-2019 08:28 AM

Since you want to limit download speed, you have to apply the filter in the input direction on the WAN interface with the destination IP set to the NAT address of the server, or apply the filter on the reth5.10 interface with the real IP address of the server as the destination address.

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
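Putting Alex's "output direction" point and Nellikka's "destination address" point together, here is a complete corrected configuration as an added example; it is not from any poster in the thread. It reuses the thread's policer name, interface and server address and takes the reth5.10 variant; the filter name download-limit-out and the counter name wsus-download are assumed.

```junos
# Added example (not from the thread). Filter name download-limit-out and
# counter name wsus-download are assumed; policer and addresses are the thread's.

# Policer as in the original post: 50 Mbit/s, 128 KB burst, excess discarded
set firewall policer policer-50mbit if-exceeding bandwidth-limit 50m
set firewall policer policer-50mbit if-exceeding burst-size-limit 128k
set firewall policer policer-50mbit then discard

# Match traffic going TO the server (destination-address), not FROM it.
# Seen from the SRX, packets leaving reth5.10 towards 192.168.0.1 are its downloads.
set firewall family inet filter download-limit-out term wsus-server from destination-address 192.168.0.1/32
set firewall family inet filter download-limit-out term wsus-server then policer policer-50mbit
set firewall family inet filter download-limit-out term wsus-server then count wsus-download
set firewall family inet filter download-limit-out term wsus-server then accept

# Explicit catch-all: without it the implicit final discard drops the rest of 192.168.0.0/24
set firewall family inet filter download-limit-out term else then accept

# Apply in the OUTPUT direction on the LAN-side interface the server sits behind
set interfaces reth5.10 family inet filter output download-limit-out

# The original input filter only limits the server's UPLOAD; remove it unless that is wanted too
delete interfaces reth5.10 family inet filter input download-limit

commit

# Verify: the wsus-download counter should increase while the server downloads,
# and the per-term policer counter in the same output shows what was discarded
run show firewall filter download-limit-out
```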