For what it's worth I duplicated your config on an EX2300-C and it works correctly for me.
interfaces {
ge-0/0/11 {
unit 0 {
family inet {
filter {
input uplink_ingress_filter;
}
address 192.168.0.1/24;
}
}
}
}
policy-options {
prefix-list admin_access {
1.1.1.1/32;
}
prefix-list ptplink_ipv4 {
192.168.0.1/32;
}
}
firewall {
family inet {
filter uplink_ingress_filter {
term term1 {
from {
source-prefix-list {
admin_access;
}
destination-prefix-list {
ptplink_ipv4;
}
protocol tcp;
destination-port 22;
}
then accept;
}
term term2 {
from {
source-address {
0.0.0.0/0;
}
destination-prefix-list {
ptplink_ipv4;
}
protocol tcp;
destination-port ssh;
}
then {
reject;
}
}
term 3 {
then accept;
}
}
}
}
With dummy address 1.1.1.1 only in the admin prefix-list I'm unable to ssh from 192.168.0.2
MacBook-Air:~ ps$ ssh -l root 192.168.0.1
ssh: connect to host 192.168.0.1 port 22: Connection refused
Then add 192.168.0.2:
prefix-list admin_access {
1.1.1.1/32;
192.168.0.2/32;
}
And I'm in:
MacBook-Air:~ ps$ ssh -l root 192.168.0.1
Password:
This is on 19.1R1. Any chance
a. you're running an early buggy code version?
b. the ssh traffic is coming in over a different interface?
As unintuitive as it sounds, applying the filter to an lo0 interface, even if it does not have an address configured, will also block ssh traffic to the RE. This avoids having to place a filter on all external interfaces, or even specify destination addresses (ptplink_ipv4)
[edit interfaces]
+ lo0 {
+ unit 0 {
+ family inet {
+ filter {
+ input uplink_ingress_filter;
+ }
+ }
+ }
+ }