Firewall Filter using a source-address

  • 1.  Firewall Filter using a source-address

    Posted 02-20-2020 08:32

    I am still learning about Junos and I have what I think is a simple question regarding a filter using a source address. I am wanting to edit this filter to apply only to 10.50.0.0 and above and ignore address 10.0.0.0 to 10.49.255.254. I think the solution is to change the source-address to 10.50.0.0/8 but that seems counterintuitive. Any assistance would be appreciated, thanks.

    filter filter-cgnat2 {
        term cgnat-src {
            from {
                source-address {
                    100.64.0.0/16;
                    10.0.0.0/8;
                }
            }



  • 2.  RE: Firewall Filter using a source-address

     
    Posted 02-20-2020 10:40

    This does not have much to do with the filter. It's purely an issue with subnetting and VLSM/CIDR.

     

    Do you want to match the addresses from 10.50.0.0 to 10.255.255.255? 

     

    This consists of:

    10.128.0.0/9 (10.128.0.0 - 10.255.255.255)

    10.64.0.0/10 (10.64.0.0 - 10.127.255.255)

    10.56.0.0/13 (10.56.0.0 - 10.63.255.255)

    10.52.0.0/14 (10.52.0.0 - 10.55.255.255)

    10.50.0.0/15 (10.50.0.0 - 10.51.255.255)

     

    You can find some helpful subnet calculator tools: http://www.subnet-calculator.com/subnet.php?net_class=A 

    But didn't find a perfect tool for this case. 

     

    BTW, this is really a BAD requirement. Anyone who operates the network should convert their minds to be more "binary" 



  • 3.  RE: Firewall Filter using a source-address
    Best Answer

    Posted 02-20-2020 13:01

    Could you break this into two terms? The first catches everything from 10.0.0.0 to 10.50.0.0, and accepts traffic without any additional action.

    Term 2 catches everything in 10.0.0.0/8 that hasn't been matched yet, and applies whatever action you need.

     

    filter filter-cgnat2 {
      term cgnat-src-1 {
        from {
          source-address {
            10.0.0.0/11;     # 10.0.0.0 - 10.31.255.255
            10.32.0.0/12;    # 10.32.0.0 - 10.47.255.255
            10.48.0.0/15;    # 10.48.0.0 - 10.49.255.255
            10.50.0.0/16;    # 10.50.0.0 - 10.50.255.255
          }
        }
      }
      term cgnat-src-2 {
        from {
          source-address {
            100.64.0.0/16;
            10.0.0.0/8;
          }
        }
        then {
          # Action
        }
      }
    }



  • 4.  RE: Firewall Filter using a source-address

    Posted 03-02-2020 15:43

    I was finally able to test this out, and the two-term solution has solved my problem until I can get another solution in place. Thank you.

     



  • 5.  RE: Firewall Filter using a source-address

    Posted 03-08-2020 14:35

    That's great news!



  • 6.  RE: Firewall Filter using a source-address

     
    Posted 02-21-2020 03:33
    Hi WadeH,

    For your specific question, thought "source-address 10.50.0.0/16" will meet your requirement, it only matches 10.50.0.0 to 10.50.255.255 and does NOT match 10.0.0.0 to 10.49.255.254.

    Hope this helps.

    Regards,
    -r.



  • 7.  RE: Firewall Filter using a source-address

     
    Posted 02-24-2020 16:31

    For these arbitrary ranges, as you require 10.50.0.0-10.255.255.255 (note 255 is the end, not 254),

    you can use the IP range to CIDR converter.

     

    https://ipaddressguide.com/cidr

     

    Result:

    10.50.0.0/15
    10.52.0.0/14
    10.56.0.0/13
    10.64.0.0/10
    10.128.0.0/9
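
The range-to-CIDR conversion discussed in this thread can also be done offline and used to check a hand-written prefix list before it goes into a filter. The following is an added example, not part of any post above; the function names are hypothetical, `TERM_1` is the prefix list posted for term cgnat-src-1, and the code works for any IPv4 range, not only the one asked about.

```python
import ipaddress

def range_to_prefixes(first, last):
    """Smallest list of CIDR prefixes covering first..last inclusive (IPv4)."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("first address is above last address")
    out = []
    while lo <= hi:
        # Largest block that may start at lo is set by lo's lowest set bit ...
        size = (lo & -lo) if lo else 1 << 32
        # ... then shrink it until it no longer runs past the end of the range.
        while size > hi - lo + 1:
            size >>= 1
        out.append(ipaddress.IPv4Network((lo, 33 - size.bit_length())))
        lo += size
    return out

def subtract(nets, remove):
    """Prefixes covering every address in nets that is not in remove."""
    result = list(nets)
    for r in remove:
        kept = []
        for n in result:
            if not n.overlaps(r):
                kept.append(n)
            elif r.subnet_of(n):
                kept.extend(n.address_exclude(r))  # yields nothing if r == n
            # otherwise n lies wholly inside r and is dropped
        result = kept
    return sorted(ipaddress.collapse_addresses(result))

def diff_against_range(prefixes, first, last):
    """Return (extra, missing) for a prefix list measured against first..last."""
    have = [ipaddress.IPv4Network(p) for p in prefixes]
    want = range_to_prefixes(first, last)
    return subtract(have, want), subtract(want, have)

# Prefixes as posted in this thread for term cgnat-src-1.
TERM_1 = ["10.0.0.0/11", "10.32.0.0/12", "10.48.0.0/15", "10.50.0.0/16"]

if __name__ == "__main__":
    for net in range_to_prefixes("10.50.0.0", "10.255.255.255"):
        print(f"{net};")  # lines for a source-address block
    extra, missing = diff_against_range(TERM_1, "10.0.0.0", "10.49.255.255")
    print("outside 10.0.0.0-10.49.255.255:", [str(n) for n in extra])
    print("not covered:", [str(n) for n in missing])
```

For `TERM_1` measured against 10.0.0.0-10.49.255.255, the check reports 10.50.0.0/16 as outside the range and nothing as missing.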

     

     



  • 8.  RE: Firewall Filter using a source-address

    Posted 02-25-2020 14:20

    How did you go Wade? Did you get to the bottom of this?