Hi Victor,
I changed it to "virtual-router" because of this article, but you are right. It doesn't help. It's fine to use "forwarding".
Juniper SRX FBF NAT issues | SRX
I'm new to the community. My post was delayed because it needed to be checked by Juniper.
Thank you for your help. It works in a new term.
------------------------------
POHUI HUANG
------------------------------
Original Message:
Sent: 09-21-2023 09:07
From: joaov
Subject: FBF doesn't work after I add icmp protocol
Hi Pohui,
Did you try including a new term?
I mean:
# Rename the existing term 2 (the catch-all accept) to "term 100"
rename firewall family inet filter webFilter term 2 to term 100
# Create a new term 2 that matches only ICMP and sends it to the FBF instance
set firewall family inet filter webFilter term 2 from protocol icmp
set firewall family inet filter webFilter term 2 then routing-instance webtraffic
# Terms are evaluated first-match, so put term 2 before the catch-all term 100
insert firewall family inet filter webFilter term 2 before term 100
Also, the instance-type recommended by Juniper is "forwarding". Your routing-instance is configured as "virtual-router".
------------------------------
João Victor
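The reason the single-term change broke the filter is first-match, AND-within-a-term evaluation: once "protocol icmp" sits next to "destination-port http/https" in term 1, no packet can satisfy both, so everything falls through to the accept term. The following model is an added example, not code from the thread or from Juniper; it assumes the documented Junos filter semantics (conditions inside a term are ANDed, terms are tried in order, the first match wins, a term without a "from" clause matches everything) and uses the poster's addresses and ports as constructed sample packets.

```python
# Minimal model of Junos family-inet firewall-filter term evaluation (assumption:
# AND within a term, first-match across terms, implicit discard at the end).
from dataclasses import dataclass, field


@dataclass
class Term:
    name: str
    action: str                      # e.g. "routing-instance webtraffic" or "accept"
    source_address: set = field(default_factory=set)   # empty set = not configured
    protocol: set = field(default_factory=set)
    destination_port: set = field(default_factory=set)

    def matches(self, pkt):
        # Every configured "from" condition must hold for the term to match.
        if self.source_address and pkt["src"] not in self.source_address:
            return False
        if self.protocol and pkt["proto"] not in self.protocol:
            return False
        if self.destination_port and pkt.get("dport") not in self.destination_port:
            return False
        return True


def evaluate(terms, pkt):
    """Return the action of the first matching term; no match means implicit discard."""
    for term in terms:
        if term.matches(pkt):
            return term.action
    return "discard"


LINUX = "172.16.1.12"          # the poster's Linux-PC
HTTP = {"src": LINUX, "proto": "tcp", "dport": 80}    # constructed sample packets
PING = {"src": LINUX, "proto": "icmp"}

# The poster's webFilter after "set ... term 1 from protocol icmp": ICMP AND port 80/443
# can never both be true, so term 1 matches nothing and term 2 accepts everything.
broken = [
    Term("1", "routing-instance webtraffic", {LINUX}, {"icmp"}, {80, 443}),
    Term("2", "accept"),
]

# joaov's layout: ICMP in its own term, inserted before the renamed catch-all term 100.
# Note that the suggested term 2 has no source-address, so it redirects ICMP from any host.
fixed = [
    Term("1", "routing-instance webtraffic", {LINUX}, set(), {80, 443}),
    Term("2", "routing-instance webtraffic", set(), {"icmp"}),
    Term("100", "accept"),
]
```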
Original Message:
Sent: 09-19-2023 00:31
From: POHUI HUANG
Subject: FBF doesn't work after I add icmp protocol
Hi Everyone,
I'm doing a lab on vSRX. I'm wondering why webFilter doesn't work if I add protocol icmp. Here is the command I used.
set firewall family inet filter webFilter term 1 from protocol icmp
I tried to create another filter to bind to the interface, but one interface can only bind one filter, so I have to find a way to fit it into the webFilter.
I want the http/https/icmp from Linux to all go to ge-0/0/2.
Here is the official example: Example: Configuring Filter-Based Forwarding | Junos OS | Juniper Networks
root# show |display set|no-more
set version 20200609.165031.6_builder.r1115480
set system root-authentication encrypted-password "$6$B9YQiKf1$yhnHl12FwXj0RMWzQRVzh44AonO9wPz.695e02PMGZFQLwdH6U5rB.W/eOCz78gd8LNboG9LMg8KHomdlsI4i/"
set system services ssh
set system services web-management http interface fxp0.0
set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0
set system syslog user * any emergency
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set security address-book Lan address vPC 172.16.1.11/32
set security address-book Lan address Linux-PC 172.16.1.12/32
set security address-book Lan attach zone trust
set security address-book Wan address Linux-Nat 172.16.2.12/32
set security address-book Wan attach zone untrust
set security flow traceoptions file kk.log
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter f1 source-prefix 192.168.175.166/32
set security flow traceoptions packet-filter f1 destination-prefix 172.16.2.12/32
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule 1 match destination-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule 1 then source-nat interface
set security nat destination pool Linux address 172.16.1.12/32
set security nat destination rule-set untrust-to-trust from zone untrust
set security nat destination rule-set untrust-to-trust rule 1 match destination-address 172.16.2.12/32
set security nat destination rule-set untrust-to-trust rule 1 then destination-nat pool Linux
set security nat proxy-arp interface ge-0/0/2.0 address 172.16.2.12/32
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone untrust to-zone trust policy Linux-PC match source-address any
set security policies from-zone untrust to-zone trust policy Linux-PC match destination-address Linux-PC
set security policies from-zone untrust to-zone trust policy Linux-PC match application junos-ssh
set security policies from-zone untrust to-zone trust policy Linux-PC match application junos-icmp-all
set security policies from-zone untrust to-zone trust policy Linux-PC then permit
set security policies from-zone untrust to-zone trust policy vPC match source-address any
set security policies from-zone untrust to-zone trust policy vPC match destination-address vPC
set security policies from-zone untrust to-zone trust policy vPC match application junos-icmp-all
set security policies from-zone untrust to-zone trust policy vPC then deny
set security zones security-zone trust tcp-rst
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services all
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/2.0
set interfaces ge-0/0/0 unit 0 family inet address 192.168.175.230/25
set interfaces ge-0/0/1 unit 0 family inet filter input webFilter
set interfaces ge-0/0/1 unit 0 family inet address 172.16.1.1/24
set interfaces ge-0/0/2 unit 0 family inet address 172.16.2.1/24
set interfaces fxp0 unit 0
set firewall family inet filter webFilter term 1 from source-address 172.16.1.12/32
set firewall family inet filter webFilter term 1 from destination-port http
set firewall family inet filter webFilter term 1 from destination-port https
set firewall family inet filter webFilter term 1 then routing-instance webtraffic
set firewall family inet filter webFilter term 2 then accept
set routing-instances webtraffic routing-options static route 0.0.0.0/0 next-hop 172.16.2.2
set routing-instances webtraffic instance-type virtual-router
set routing-options static route 0.0.0.0/0 next-hop 192.168.175.254
set routing-options interface-routes rib-group inet FBF-rib
set routing-options rib-groups FBF-rib import-rib inet.0
set routing-options rib-groups FBF-rib import-rib webtraffic.inet.0
------------------------------
POHUI HUANG
------------------------------