Hello,
I would like to route specific traffic (destined for 172.24.32.0/20) towards next-hop 172.22.2.10, so I have configured a firewall filter, but it does not seem to work. Can anyone identify any mistakes or suggest how to solve this?
Firewall filter:
firewall {
family inet {
filter OTnew-traffic-foward-to-OTold{
term 10 {
from {
source-address {
192.22.2.0/24;
}
destination-address {
172.24.32.0/20;
}
}
then {
routing-instance as-ot-10;
}
}
term default}
then accept;
routing-instances {
as-ot-10 {
description OT-PolicyRoute;
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 next-hop 172.22.2.10;
[edit]
routing-options {
interface-routes {
rib-group inet group-1;
}
rib-groups {
group-1{
import-rib [ inet.0 as-ot-10.inet.0 ];
}
}
SRX snippet config:
}
lo0 {
unit 0 {
family inet {
filter {
input protect-re;
}
}
family inet6 {
filter {
input protect-re6;
}
}
}
reth1 {
description nlrtm1-sw333c;
vlan-tagging;
redundant-ether-options {
redundancy-group 1;
lacp {
active;
periodic slow;
}
}
unit 30 {
description "OT-application vlan 30";
vlan-id 30;
family inet {
filter {
input OTnew-traffic-foward-to-OTold;
}
address 172.22.2.1/24;
firewall {
family inet {
filter protect-re {
term established-tcp-v4 {
from {
protocol tcp;
tcp-established;
}
then accept;
}
term icmp-v4 {
from {
protocol icmp;
icmp-type [ echo-request echo-reply unreachable time-exceeded source-quench ];
}
then accept;
}
term udp-traceroute-v4 {
from {
protocol udp;
destination-port 33434-33523;
}
then accept;
}
term dns-v4 {
from {
source-prefix-list {
nameserver-addresses;
}
protocol udp;
source-port 53;
}
then accept;
}
term ntp-v4 {
from {
source-prefix-list {
ntp-addresses;
}
protocol udp;
source-port 123;
}
then accept;
}
term ssh {
from {
source-prefix-list {
office;
ISP.net;
internal;
}
protocol tcp;
destination-port ssh;
}
then accept;
}
term discard-the-rest-v4 {
then {
discard;
}
}
}
filter OTnew-traffic-foward-to-OTold {
term 10 {
from {
source-address {
172.22.2.0/24;
}
destination-address {
172.24.32.0/20;
}
}
then accept;
}
}
}
family inet6 {
filter protect-re6 {
term deny-all {
then discard;
}
}
}
}
routing-instances {
as-ot-10 {
description OT-PolicyRoute;
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 next-hop 172.22.2.10;
}
}
}
}
protocols {
lldp {
interface all;
}
}
routing-options {
interface-routes {
rib-group inet group-1;
}
rib inet.0 {
static {
route 0.0.0.0/0 next-hop [ 192.168.150.29 192.168.250.29 ];
}
}
rib inet6.0 {
static {
route ::0/0 next-hop [ 2a00:1830:0:1:40::c0a9:7c1d 2a00:1730:0:1:40::c0a9:e01e ];
}
}
rib-groups {
group-1 {
import-rib [ inet.0 as-ot-10.inet.0 ];
}
}
forwarding-table {
export load-sharing-per-packet;