Routing

  • 1.  Problem filtering traffic between VLANs on EX4200

    Posted 03-09-2022 17:07

    Hello everyone,

    We have a stack of 4 x EX4200-48T (12.3R2.5) switches and we're trying to configure filters between VLANs/IPs.

    The task is pretty simple:

    To block access to 192.168.77.0/24 (VLAN 77) for anyone except 192.168.11.101/32 (VLAN 11) and 192.168.13.112/32 (VLAN 13).

    All three VLANs have an L3 interface on the stack.

    After a little bit of struggling with applying it in the right direction, we have managed to do it, but the problem now is that it filters the traffic in both directions…

    Here is the config of the filter:

    firewall {
        family inet {
            filter VoiceFilter-egress {
                term allowTraffic {
                    from {
                        source-address {
                            192.168.11.101/32;
                            192.168.13.112/32;
                        }
                    }
                    then accept;
                }
            }
        }
    }

    It's applied with the following command:

    set interfaces vlan.77 family inet filter output VoiceFilter-egress

    Therefore, the result of this config is that I can successfully access hosts in VLAN 77 (192.168.77.0/24) only from 192.168.11.101/32 and 192.168.13.112/32, but unfortunately, the communication from VLAN 77 (192.168.77.0/24) is limited only to those hosts (it seems that the filter is working bidirectionally). The goal is to have no restrictions for traffic exiting VLAN 77.

    There are no other applied filters on VLAN 77 or VLAN 11 and VLAN 13.

    Is it normal behavior for a filter to restrict traffic in both directions?

    I appreciate your help!

    Regards,

    Georgi



    ------------------------------
    Georgi Mihalev
    ------------------------------


  • 2.  RE: Problem filtering traffic between VLANs on EX4200

    Posted 03-10-2022 13:15
    Hi Georgi,

    It is normal. Take into consideration that the default behavior of a firewall filter is to block, meaning that traffic destined to 192.168.77.0/24 from any source that isn't 192.168.11.101/32 or 192.168.13.112/32 will be dropped.

    This means that even when your input filter is empty and you are allowing all the traffic to pass through, the responses for that traffic will be dropped; this is a stateless "firewall", to say it in a way.

    Now, one workaround that you may try, depending on the traffic, is to allow TCP established sessions. This way you will be blocking SYN packets but you will still allow the response to SYN packets (ACK/SYN-ACK, etc). This will fix TCP, but any other service will still fail.

    For solutions where you need granular blocking, sometimes the only option is a firewall.

    Example of allowing TCP established sessions:

    set firewall family inet filter TCP-SYN-ALLOWED term 1 from protocol tcp
    set firewall family inet filter TCP-SYN-ALLOWED term 1 from tcp-established
    set firewall family inet filter TCP-SYN-ALLOWED term 1 then accept
    set firewall family inet filter TCP-SYN-ALLOWED term 2 from source-address 192.168.11.101/32
    set firewall family inet filter TCP-SYN-ALLOWED term 2 from source-address 192.168.13.112/32
    set firewall family inet filter TCP-SYN-ALLOWED term 2 then accept
    set firewall family inet filter TCP-SYN-ALLOWED term default-reject then reject


    ------------------------------
    GABRIEL FLORES
    ------------------------------



  • 3.  RE: Problem filtering traffic between VLANs on EX4200

    Posted 03-11-2022 05:35
    Hi Gabriel,

    Thank you for your answer!

    I think you may have misunderstood me. My problem is with the traffic generated from VLAN 77 to any other VLAN, which gets blocked after applying the above filter.
    I came across this picture on the Juniper forum, and this is what I expect when applying the filter. Here is how the filter should work (according to me) between two VLANs when using an "output" filter:


    To be more clear about my question, I made a similar picture for my topology for the config below:

    firewall {
        family inet {
            filter VoiceFilter-egress {
                term allowTraffic {
                    from {
                        source-address {
                            192.168.11.101/32;
                        }
                        destination-address {
                            192.168.77.10/32;
                        }
                    }
                    then accept;
                }
            }
        }
    }



    set interfaces vlan.77 family inet filter output VoiceFilter-egress


    My problem is the "black arrow" traffic with the exclamation mark next to it. This traffic is not returned traffic; it is generated on 192.168.77.10 (VLAN 77). This is not working as expected. It works only for 192.168.11.101.

    I'm starting to think that maybe there is some "bug" in the firmware because it's pretty old and maybe I should start with upgrading it first.

    Regards,
    Georgi


    ------------------------------
    Georgi Mihalev
    ------------------------------



  • 4.  RE: Problem filtering traffic between VLANs on EX4200

    Posted 03-11-2022 19:01
    Georgi, 

    But are you taking into consideration that your EX4200 is not a stateful firewall? This means that if you are blocking traffic in one direction, that will still block the responses when passing back to the source. Below is an example:


    You have vlan20 using the same filter you have, but in this case the only source allowed is vlan10, so the filter would look something like this:

    firewall {
        family inet {
            filter VoiceFilter-egress {
                term allowTraffic {
                    from {
                        source-address {
                            1.1.1.1/32;
                        }
                    }
                    then accept;
                }
            }
        }
    }


    If you try pinging from 3.3.3.3 to 1.1.1.1, the ping will work with no issue; the same if you ping from 1.1.1.1 to 3.3.3.3. Now, this is the problem that you are not taking into consideration: if 3.3.3.3 pings 2.2.2.2, the ICMP echo request will arrive at 2.2.2.2 without any issues, but the echo response from 2.2.2.2 towards 3.3.3.3 will be dropped by the filter you are applying on the IRB of vlan 20, because the only source allowed is 1.1.1.1.

    I hope this clarifies your issue. This is not a bug but normal functionality; if you want something like your picture, you need a stateful firewall that is capable of tracking sessions/flows.

    Thanks,

    ------------------------------
    GABRIEL FLORES
    ------------------------------
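The stateless behaviour Gabriel describes in posts 2 and 4 can be checked on paper with a small model of Junos filter evaluation. The Python below is an added illustration, not code from this thread or from Juniper: it assumes four routed VLAN interfaces (vlan.11, vlan.13, vlan.77 and vlan.123 in front of 192.168.11.0/24, 192.168.13.0/24, 192.168.77.0/24 and 192.168.123.0/24), an output filter attached only to vlan.77, and models tcp-established as the Junos match for TCP packets with ACK or RST set. It then runs a request and its reply through the filter, so the reader can see which direction is dropped and why the TCP workaround does not help ICMP.

```python
"""Toy model of a stateless Junos-style firewall filter applied as an
"output" filter on an RVI (vlan.77). Constructed example; not Junos code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Routed VLAN interfaces on the stack (subnets assumed for this example).
INTERFACES = {
    "vlan.11": ip_network("192.168.11.0/24"),
    "vlan.13": ip_network("192.168.13.0/24"),
    "vlan.77": ip_network("192.168.77.0/24"),
    "vlan.123": ip_network("192.168.123.0/24"),
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                              # "tcp", "udp" or "icmp"
    tcp_flags: frozenset = frozenset()      # e.g. {"SYN"}, {"SYN", "ACK"}


@dataclass
class Term:
    name: str
    action: str = "accept"                  # accept | discard | reject
    source_address: tuple = ()
    destination_address: tuple = ()
    protocol: tuple = ()
    tcp_established: bool = False           # Junos: tcp-flags "(ack | rst)"

    def matches(self, pkt: Packet) -> bool:
        # All configured conditions of a term must hold (AND); several
        # prefixes under one condition are alternatives (OR).
        if self.source_address and not any(
                ip_address(pkt.src) in ip_network(p) for p in self.source_address):
            return False
        if self.destination_address and not any(
                ip_address(pkt.dst) in ip_network(p) for p in self.destination_address):
            return False
        if self.protocol and pkt.proto not in self.protocol:
            return False
        if self.tcp_established and (
                pkt.proto != "tcp" or not (pkt.tcp_flags & {"ACK", "RST"})):
            return False
        return True


def run_filter(terms, pkt):
    """First matching term wins; anything unmatched hits the implicit discard."""
    for term in terms:
        if term.matches(pkt):
            return term.action
    return "discard"


def egress_interface(pkt):
    for name, net in INTERFACES.items():
        if ip_address(pkt.dst) in net:
            return name
    raise ValueError(f"no route to {pkt.dst}")


def forward(pkt, output_filters):
    """Apply the output filter (if any) of the interface the packet leaves on."""
    terms = output_filters.get(egress_interface(pkt))
    return run_filter(terms, pkt) if terms else "accept"


def reply_to(pkt):
    """The return packet the far host sends; the switch keeps no state about it."""
    flags = frozenset()
    if pkt.proto == "tcp":
        flags = frozenset({"SYN", "ACK"}) if pkt.tcp_flags == {"SYN"} else frozenset({"ACK"})
    return Packet(src=pkt.dst, dst=pkt.src, proto=pkt.proto, tcp_flags=flags)


def exchange(pkt, output_filters):
    """Return (verdict on the request, verdict on its reply)."""
    req = forward(pkt, output_filters)
    rep = forward(reply_to(pkt), output_filters) if req == "accept" else "not sent"
    return req, rep


# The original filter from the thread: two trusted sources may reach VLAN 77.
ORIGINAL = [Term("allowTraffic", source_address=("192.168.11.101/32", "192.168.13.112/32"))]
# The tcp-established workaround: established TCP first, then the trusted sources.
WITH_TCP_ESTABLISHED = [Term("allowTCPTraffic", protocol=("tcp",), tcp_established=True), *ORIGINAL]

if __name__ == "__main__":
    for label, terms in (("original", ORIGINAL), ("tcp-established", WITH_TCP_ESTABLISHED)):
        filters = {"vlan.77": terms}
        print(label, "ping 77.10 -> 123.20:", exchange(Packet("192.168.77.10", "192.168.123.20", "icmp"), filters))
        print(label, "tcp  77.10 -> 123.20:", exchange(Packet("192.168.77.10", "192.168.123.20", "tcp", frozenset({"SYN"})), filters))
        print(label, "ping 11.101 -> 77.10:", exchange(Packet("192.168.11.101", "192.168.77.10", "icmp"), filters))
```

With the original filter, a ping from 192.168.77.10 to another VLAN leaves unfiltered but its echo reply is discarded on the way back out of vlan.77, which is exactly the "bidirectional" symptom in the first post. Adding the tcp-established term lets the SYN-ACK of a TCP session through because it carries the ACK flag, while ICMP and UDP replies are still discarded.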



  • 5.  RE: Problem filtering traffic between VLANs on EX4200

    Posted 03-14-2022 10:00
    Hi ,

    Thank you all for your responses!

    @GABRIEL FLORES Now I think I understood you. I've missed that part the first time. Your example perfectly explains it :).

    I tried to add the above configuration from your first post by adding the term "allowTCPTraffic", so I can get the TCP traffic working, but I'm still having problems...

    I'm trying to ping 192.168.123.20 from 192.168.77.10, but it doesn't work. (192.168.77.10 is part of VLAN 77, on which the output filter is applied.)

    Here is the config:

    firewall {
        family inet {
            filter VoiceFilter-egress {
                term allowTCPTraffic {
                    from {
                        protocol tcp;
                        tcp-established;
                    }
                    then accept;
                }
                term allowTraffic {
                    from {
                        source-address {
                            192.168.11.101/32;
                        }
                    }
                    then accept;
                }
            }
        }
    }



    @David Divins In the example I've used just VLAN 11 for simplicity, but actually I have multiple VLANs which should be restricted to VLAN 77. That's the reason I want to use the "output" filter (closer to the destination).

    If I understand correctly, with the stateless firewall filters that the EX4200 supports, it's not possible to have rules that block the connection in only one direction...
    E.g. if I have a filter with source 1.1.1.1 and destination 2.2.2.2, then that connection is always allowed in both directions, from 1.1.1.1 to 2.2.2.2 and from 2.2.2.2 to 1.1.1.1?

    Regards,
    Georgi



    ------------------------------
    Georgi Mihalev
    ------------------------------



  • 6.  RE: Problem filtering traffic between VLANs on EX4200

    Posted 03-11-2022 19:01
    This seems to be a basic filter logic issue/question.

    From your diagram, it appears that you want an input filter on vlan.11.

    That will restrict traffic from VLAN 11 to wherever. Note that with that inbound filter, traffic from 77 will make it to 11 but the return traffic will not (except for the one allowed source/destination pair).

    ------------------------------
    David Divins
    ------------------------------



  • 7.  RE: Problem filtering traffic between VLANs on EX4200

    Posted 03-14-2022 12:14
    Georgi, 

    ICMP/UDP and any other protocol will still be restricted; the only way for your communication to work is using a real firewall, or explicitly configuring a term that allows "trusted" sources. Otherwise this won't work.

    Thanks,


    ------------------------------
    GABRIEL FLORES
    ------------------------------