Hi Georgi,
It is normal. Take into consideration that the default behavior of a firewall filter is to block, meaning that the traffic destined to
192.168.77.0/24 from any source that isn't 192.168.11.101/32 or 192.168.13.112/32 will be dropped.
This means that even when your input filter is empty and you are allowing all the traffic to pass through, the responses for that traffic will be dropped; this is a stateless "firewall", to say it in a way.
Now, one workaround that you may try, depending on the traffic, is to allow TCP established sessions. This way you will be blocking SYN packets, but you will still allow the responses to SYN packets (ACK/SYN-ACK, etc.). This will fix TCP, but any other service will still fail.
For solutions where you need granular blocking, sometimes the only option is a firewall.
Example of allowing TCP established sessions:
set firewall family inet filter TCP-SYN-ALLOWED term 1 from protocol tcp
set firewall family inet filter TCP-SYN-ALLOWED term 1 from tcp-established
set firewall family inet filter TCP-SYN-ALLOWED term 1 then accept
set firewall family inet filter TCP-SYN-ALLOWED term 2 from source-address 192.168.11.101/32
set firewall family inet filter TCP-SYN-ALLOWED term 2 from source-address 192.168.13.112/32
set firewall family inet filter TCP-SYN-ALLOWED term 2 then accept
set firewall family inet filter TCP-SYN-ALLOWED term default-reject then reject
------------------------------
GABRIEL FLORES
------------------------------
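As an added illustration (not from either post), a small Python model of how a stateless output filter on vlan.77 evaluates packets term by term, comparing the original filter with the tcp-established workaround; the helper names, packet labels and the non-thread addresses (192.168.11.50, 192.168.11.53, 192.168.77.10) are assumptions:

```python
# Toy model of a stateless Junos output filter on vlan.77 (added example, not
# from the thread). Term and helper names are hypothetical.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                              # "tcp", "udp" or "icmp"
    tcp_flags: frozenset = frozenset()      # e.g. {"SYN"}, {"SYN", "ACK"}


ALLOWED_SOURCES = [ip_network("192.168.11.101/32"), ip_network("192.168.13.112/32")]


def match_tcp_established(pkt: Packet) -> bool:
    # Junos "tcp-established" matches TCP segments with ACK or RST set, i.e.
    # everything except the bare SYN that opens a new connection.
    return pkt.proto == "tcp" and bool(pkt.tcp_flags & {"ACK", "RST"})


def match_allowed_source(pkt: Packet) -> bool:
    return any(ip_address(pkt.src) in net for net in ALLOWED_SOURCES)


def evaluate(pkt: Packet, terms) -> str:
    # Terms are evaluated in order and the first match decides. No match falls
    # through to the implicit discard (the explicit default-reject term above
    # just makes that final action visible).
    for matcher, action in terms:
        if matcher(pkt):
            return action
    return "discard"


ORIGINAL = [(match_allowed_source, "accept")]
WORKAROUND = [(match_tcp_established, "accept"), (match_allowed_source, "accept")]

# Constructed packets, all heading *into* VLAN 77 (the output side of vlan.77).
SAMPLE = {
    "syn_from_allowed": Packet("192.168.11.101", "192.168.77.10", "tcp", frozenset({"SYN"})),
    "syn_from_other": Packet("192.168.11.50", "192.168.77.10", "tcp", frozenset({"SYN"})),
    # SYN-ACK answering a TCP session that a VLAN 77 host opened to 192.168.11.50
    "synack_reply": Packet("192.168.11.50", "192.168.77.10", "tcp", frozenset({"SYN", "ACK"})),
    # UDP answer to a DNS query a VLAN 77 host sent to 192.168.11.53
    "udp_dns_reply": Packet("192.168.11.53", "192.168.77.10", "udp"),
}


def decisions(terms) -> dict:
    return {name: evaluate(pkt, terms) for name, pkt in SAMPLE.items()}
```

With the original filter the SYN-ACK reply is discarded, which is the bidirectional effect Georgi saw; the workaround accepts it but still drops the UDP reply, matching the "any other service will still fail" caveat.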
Original Message:
Sent: 03-09-2022 08:31
From: Georgi Mihalev
Subject: Problem filtering traffic between VLANs on EX4200
Hello everyone,
We have a stack of 4 x EX4200-48T (12.3R2.5) switches and we're trying to configure filters between VLANs/IPs.
The task is pretty simple:
To block access to 192.168.77.0/24 (VLAN 77) for anyone except 192.168.11.101/32 (VLAN 11) and 192.168.13.112/32 (VLAN 13).
All three VLANs have an L3 interface on the stack.
After a little bit of struggling with applying it in the right direction, we have managed to do it, but the problem now is that it filters the traffic in both directions…
Here is the config of the filter:
firewall {
    family inet {
        filter VoiceFilter-egress {
            term allowTraffic {
                from {
                    source-address {
                        192.168.11.101/32;
                        192.168.13.112/32;
                    }
                }
                then accept;
            }
        }
    }
}
It's applied with the following command:
set interfaces vlan.77 family inet filter output VoiceFilter-egress
Therefore, the result of this config is that I can successfully access hosts in VLAN 77 (192.168.77.0/24) only from 192.168.11.101/32 and 192.168.13.112/32, but unfortunately the communication from VLAN 77 (192.168.77.0/24) is limited only to those hosts (it seems that the filter is working bidirectionally). The goal is to have no restrictions for traffic exiting VLAN 77.
There are no other applied filters on VLAN 77 or VLAN 11 and VLAN 13.
Is it normal behavior for a filter to restrict traffic in both directions?
I appreciate your help!
Regards,
Georgi
------------------------------
Georgi Mihalev
------------------------------