
Filter Based Forwarding (FBF) on SRX

  • 1.  Filter Based Forwarding (FBF) on SRX

    Posted 09-11-2019 08:41

    Hello,

    I would like to route specific traffic (172.24.32.0/20) towards next-hop 172.22.2.10. So I have configured a firewall filter, but it doesn't seem to work. Can anyone identify mistakes or have any idea how to solve this?

    Firewall filter:

    firewall {
    family inet {
    filter OTnew-traffic-foward-to-OTold {
    term 10 {
    from {
    source-address {
    192.22.2.0/24;
    }
    destination-address {
    172.24.32.0/20;
    }
    }
    then {
    routing-instance as-ot-10;
    }
    }
    term default {
    then accept;
    }
    }
    }
    }

    routing-instances {
    as-ot-10 {
    description OT-PolicyRoute;
    instance-type forwarding;
    routing-options {
    static {
    route 0.0.0.0/0 next-hop 172.22.2.10;
    }
    }
    }
    }

    [edit]
    routing-options {
    interface-routes {
    rib-group inet group-1;
    }
    rib-groups {
    group-1 {
    import-rib [ inet.0 as-ot-10.inet.0 ];
    }
    }
    }

    SRX snippet config:

    }
    lo0 {
    unit 0 {
    family inet {
    filter {
    input protect-re;
    }
    }
    family inet6 {
    filter {
    input protect-re6;
    }
    }
    }

    reth1 {
    description nlrtm1-sw333c;
    vlan-tagging;
    redundant-ether-options {
    redundancy-group 1;
    lacp {
    active;
    periodic slow;
    }
    }
    unit 30 {
    description "OT-application vlan 30";
    vlan-id 30;
    family inet {
    filter {
    input OTnew-traffic-foward-to-OTold;
    }
    address 172.22.2.1/24;



    firewall {
    family inet {
    filter protect-re {
    term established-tcp-v4 {
    from {
    protocol tcp;
    tcp-established;
    }
    then accept;
    }
    term icmp-v4 {
    from {
    protocol icmp;
    icmp-type [ echo-request echo-reply unreachable time-exceeded source-quench ];
    }
    then accept;
    }
    term udp-traceroute-v4 {
    from {
    protocol udp;
    destination-port 33434-33523;
    }
    then accept;
    }
    term dns-v4 {
    from {
    source-prefix-list {
    nameserver-addresses;
    }
    protocol udp;
    source-port 53;
    }
    then accept;
    }
    term ntp-v4 {
    from {
    source-prefix-list {
    ntp-addresses;
    }
    protocol udp;
    source-port 123;
    }
    then accept;
    }
    term ssh {
    from {
    source-prefix-list {
    office;
    ISP.net;
    internal;
    }
    protocol tcp;
    destination-port ssh;
    }
    then accept;
    }
    term discard-the-rest-v4 {
    then {
    discard;
    }
    }
    }
    filter OTnew-traffic-foward-to-OTold {
    term 10 {
    from {
    source-address {
    172.22.2.0/24;
    }
    destination-address {
    172.24.32.0/20;
    }
    }
    then accept;
    }
    }
    }
    family inet6 {
    filter protect-re6 {
    term deny-all {
    then discard;
    }
    }
    }
    }
    routing-instances {
    as-ot-10 {
    description OT-PolicyRoute;
    instance-type forwarding;
    routing-options {
    static {
    route 0.0.0.0/0 next-hop 172.22.2.10;
    }
    }
    }
    }
    protocols {
    lldp {
    interface all;
    }
    }
    routing-options {
    interface-routes {
    rib-group inet group-1;
    }
    rib inet.0 {
    static {
    route 0.0.0.0/0 next-hop [ 192.168.150.29 192.168.250.29 ];
    }
    }
    rib inet6.0 {
    static {
    route ::0/0 next-hop [ 2a00:1830:0:1:40::c0a9:7c1d 2a00:1730:0:1:40::c0a9:e01e ];
    }
    }
    rib-groups {
    group-1 {
    import-rib [ inet.0 as-ot-10.inet.0 ];
    }
    }
    forwarding-table {
    export load-sharing-per-packet;
    }
    }


  • 2.  RE: Filter Based Forwarding (FBF) on SRX

    Posted 09-11-2019 08:53

    Hi,

    Seems like your source-address in the SRX fw filter is incorrect. Based on the earlier filter you pasted this should be 192.22.2.0/24.

    <..>

    source-address {
    172.22.2.0/24;
    }

    <..>

    Fix this and verify if that resolves your issue.

    ** Please mark as solution if this solves the issue so others can benefit from the post.



  • 3.  RE: Filter Based Forwarding (FBF) on SRX

    Posted 09-11-2019 09:02

    Sorry, it was supposed to be source-address 172.22.2.0/24 in the firewall filter configuration that I pasted. But if you look at the SRX configuration below you will see that I have configured the correct source-address (172.22.2.0/24).



  • 4.  RE: Filter Based Forwarding (FBF) on SRX

    Posted 09-11-2019 09:09

    These are the zones and policies that I have configured:

    policies {
    from-zone trust to-zone untrust {
    policy any-to-any {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    from-zone untrust to-zone trust {
    policy allow_ssh_https {
    match {
    source-address any;
    destination-address any;
    application [ junos-ssh junos-http junos-https ];
    }
    then {
    permit;
    }
    }
    }

    from-zone ot-application to-zone untrust {
    policy OT-application-to-Untrust {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    }
    zones {
    security-zone untrust {
    address-book {
    address office-1 x.x.x.x/29;
    address office-2 x.x.x.x/27;
    address office-3 x.x.x.x/32;
    address office-4 x.x.x.x/32;
    address office-5 x.x.x.x/29;
    address-set offices {
    address office-1;
    address office-2;
    address office-3;
    address office-4;
    address office-5;
    }
    }
    host-inbound-traffic {
    system-services {
    all;
    }
    }
    interfaces {
    ge-0/0/7.1409;
    ge-5/0/7.2409;
    }
    }
    security-zone trust {
    host-inbound-traffic {
    system-services {
    all;
    }
    }
    interfaces {
    reth0.100;
    }
    }
    security-zone ot-application {
    interfaces {
    reth1.30 {
    host-inbound-traffic {
    system-services {
    all;
    }
    }
    }



  • 5.  RE: Filter Based Forwarding (FBF) on SRX
    Best Answer

    Posted 09-11-2019 09:13

    Configure security policy from zone ot-application to zone ot-application and check.



  • 6.  RE: Filter Based Forwarding (FBF) on SRX

    Posted 09-13-2019 00:57

    Sorry for the late response. I tested this just now and it looks good and is working.

    thanksssss.



  • 7.  RE: Filter Based Forwarding (FBF) on SRX

    Posted 09-11-2019 09:00

    1. The firewall config in the SRX snippet config does not match the first firewall config. Please correct.

    2. The incoming and outgoing interface are the same, reth1.30, so you have to configure an intra-zone security policy (e.g. Zone-A to Zone-A).
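The two findings in this thread (the SRX filter term ends in `then accept` instead of `then routing-instance as-ot-10`, and the redirected traffic re-enters zone ot-application through reth1.30 with no intra-zone policy) can be checked with a small model of the SRX packet path: ingress firewall filter, route lookup in the chosen instance, next-hop resolution to an egress interface, and zone-pair policy lookup. The script below is an added example written for this thread, not code from the original posts or from Juniper; its tables are constructed from the configs pasted above, and the assumption that the inet.0 default next-hop 192.168.150.29 sits on ge-0/0/7.1409 in zone untrust is mine, since the thread does not say which interface carries it.

```python
"""Trace a packet through the SRX pipeline modelled in this thread:
ingress firewall filter -> route lookup in the chosen instance ->
egress interface / zone -> security policy.  Added example; the tables
are constructed from the posted configs except where a comment says otherwise."""
import ipaddress

# Firewall filter terms: (name, source prefix or None, destination prefix or None, action).
# Action is "accept", "discard" or "routing-instance:<name>".  A Junos filter
# ends with an implicit discard, which match_filter() models.
FILTER_AS_POSTED = [
    ("10", "172.22.2.0/24", "172.24.32.0/20", "accept"),  # term from the SRX snippet
]
FILTER_FIXED = [
    ("10", "172.22.2.0/24", "172.24.32.0/20", "routing-instance:as-ot-10"),  # first paste
    ("default", None, None, "accept"),
]

# Routing tables: prefix -> next-hop.  as-ot-10.inet.0 is the forwarding
# instance whose only route is the posted default.
RIBS = {
    "inet.0": {"0.0.0.0/0": "192.168.150.29"},
    "as-ot-10.inet.0": {"0.0.0.0/0": "172.22.2.10"},
}
# Interface routes, shared into both tables by rib-group group-1.  Which
# interface carries 192.168.150.0/24 is not in the thread; ge-0/0/7.1409 is an assumption.
CONNECTED = {
    "172.22.2.0/24": "reth1.30",
    "192.168.150.0/24": "ge-0/0/7.1409",
}
ZONE_OF = {"reth1.30": "ot-application", "ge-0/0/7.1409": "untrust", "reth0.100": "trust"}
# (from-zone, to-zone) pairs that have a permit policy in post 4.
POLICIES_AS_POSTED = {("trust", "untrust"), ("untrust", "trust"), ("ot-application", "untrust")}
POLICIES_FIXED = POLICIES_AS_POSTED | {("ot-application", "ot-application")}  # accepted answer


def _in(addr, prefix):
    return prefix is None or ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)


def match_filter(terms, src, dst):
    """First matching term wins; no match means the implicit discard."""
    for name, s, d, action in terms:
        if _in(src, s) and _in(dst, d):
            return name, action
    return None, "discard"


def lookup(rib, dst):
    """Longest-prefix match; returns the next-hop (or interface) or None."""
    best = None
    for prefix, nh in rib.items():
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


def trace(terms, policies, src, dst, in_if="reth1.30"):
    """Return a dict describing where the packet ends up and why."""
    term, action = match_filter(terms, src, dst)
    if action == "discard":
        return {"term": term, "verdict": "discard (filter)"}
    rib = action.split(":", 1)[1] + ".inet.0" if action.startswith("routing-instance:") else "inet.0"
    nh = lookup(RIBS[rib], dst)
    if nh is None:
        return {"term": term, "rib": rib, "verdict": "discard (no route)"}
    out_if = lookup(CONNECTED, nh)  # resolve the next-hop to an egress interface
    pair = (ZONE_OF[in_if], ZONE_OF[out_if])
    verdict = "permit" if pair in policies else "deny (default policy, no %s->%s rule)" % pair
    return {"term": term, "rib": rib, "next_hop": nh, "out_if": out_if, "zones": pair, "verdict": verdict}


if __name__ == "__main__":
    cases = [("as posted", FILTER_AS_POSTED, POLICIES_AS_POSTED),
             ("filter fixed only", FILTER_FIXED, POLICIES_AS_POSTED),
             ("filter + intra-zone policy", FILTER_FIXED, POLICIES_FIXED)]
    for label, terms, pols in cases:
        print(label, trace(terms, pols, "172.22.2.50", "172.24.32.7"))
```

Running the three cases shows the progression: with the filter as posted the packet is accepted into inet.0 and leaves towards 192.168.150.29 (the untrust default), never reaching 172.22.2.10; with only the filter fixed it reaches 172.22.2.10 via reth1.30 but is dropped by the default deny because there is no ot-application to ot-application policy; with both fixes it is permitted. The `default` accept term matters too: the single-term filter in the SRX snippet would silently discard every other packet entering reth1.30 because of the implicit discard at the end of a Junos filter.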