Hi mate,
I checked the documentation and found this article:
https://www.juniper.net/documentation/us/en/software/junos/routing-policy/topics/topic-map/filter-based-forwarding-policy-based-routing.html
In their example, R2 has a configuration similar to yours, but they include a routing-instance where the traffic should go. I rebuilt your setup with your configuration and experienced the same problem as you. Also please note that the "then accept" in your term 1 overrides the "next-ip" statement.
I then created a routing-instance of type forwarding, imported only the interface route for my next-hop interface, and added the routing-instance statement after the next-ip statement as described in the article. Then my traffic went the way it should have taken in the first place.
Here is some configuration for you to follow along:
interfaces {
    xe-0/0/0 {
        unit 0 {
            family inet {
                address 10.0.0.11/31;
            }
        }
    }
    /* The post lists xe-0/0/0 twice; the name of this second, default-route-facing interface is an assumption */
    xe-0/0/1 {
        unit 0 {
            family inet {
                address 10.0.0.12/31;
            }
        }
    }
    xe-0/0/2 {
        unit 0 {
            family inet {
                filter {
                    input NAT;
                }
                address 2.0.0.9/30;
            }
        }
    }
}
policy-options {
    /* Copy only the interface route of the next-ip link into fbf.inet.0; inet.0 keeps all interface routes */
    policy-statement copy-interface {
        term 1 {
            from {
                route-filter 10.0.0.10/31 exact;
            }
            to rib fbf.inet.0;
            then accept;
        }
        term 2 {
            then reject;
        }
    }
}
firewall {
    family inet {
        filter NAT {
            term 1 {
                from {
                    source-address {
                        2.0.0.10/32;
                    }
                }
                then {
                    count nat-traffic;
                    /* No 'accept' in this term: it would override next-ip, see the note above */
                    next-ip 10.0.0.10/32 routing-instance fbf;
                }
            }
            term 2 {
                then accept;
            }
        }
    }
}
routing-instances {
    net {
        instance-type vrf;
        interface xe-0/0/1.10;
        interface xe-0/0/1.20;
        route-distinguisher 172.16.0.6:100;
        vrf-target target:64512:100;
        vrf-table-label;
    }
    /* Forwarding instance whose table fbf.inet.0 is filled by the rib-group under routing-options */
    fbf {
        instance-type forwarding;
    }
}
routing-options {
    interface-routes {
        rib-group inet to-fbf-instance;
    }
    static {
        route 0.0.0.0/0 next-hop 10.0.0.13;
    }
    rib-groups {
        to-fbf-instance {
            import-rib [ inet.0 fbf.inet.0 ];
            import-policy copy-interface;
        }
    }
}
I hope this helps you. If you have any additional questions, please don't hesitate to ask!
BR, Johannes
------------------------------
Johannes | Systems Engineer
A computer's attention span is only as long as its power cord.
------------------------------
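As an added check for this thread (example code written for this page, not Juniper's tooling and not part of either post): a small Python lint over a Junos set-format configuration that flags the four things the reply above identifies as needed for next-ip to work: no "accept" in the same term, a routing-instance on the next-ip statement, that instance existing as instance-type forwarding, and an interface-routes rib-group that imports into <instance>.inet.0. The set-format rendering of the reply's configuration is constructed here, and the interface name xe-0/0/1 for the 10.0.0.12/31 link is an assumption; the second sample is the filter from the original question.

```python
"""Lint a Junos set-format configuration for the filter-based-forwarding
pitfalls discussed in this thread.  Added example for this page, not
Juniper's own tooling.

Checks performed on every 'family inet' filter term that uses next-ip:
  1. the term must not also carry 'accept' (the reply notes accept
     overrides next-ip)
  2. next-ip must name a routing-instance
  3. that routing-instance must exist with instance-type forwarding
  4. a rib-group applied to interface-routes must import into
     <instance>.inet.0, so the next-ip prefix resolves in that table
"""
from collections import defaultdict

# Constructed set-format rendering of the FBF-relevant part of the working
# configuration in the reply.  The name xe-0/0/1 for the 10.0.0.12/31 link
# is an assumption (the reply shows xe-0/0/0 twice).
WORKING_CONFIG = """
set interfaces xe-0/0/0 unit 0 family inet address 10.0.0.11/31
set interfaces xe-0/0/1 unit 0 family inet address 10.0.0.12/31
set interfaces xe-0/0/2 unit 0 family inet filter input NAT
set interfaces xe-0/0/2 unit 0 family inet address 2.0.0.9/30
set policy-options policy-statement copy-interface term 1 from route-filter 10.0.0.10/31 exact
set policy-options policy-statement copy-interface term 1 to rib fbf.inet.0
set policy-options policy-statement copy-interface term 1 then accept
set policy-options policy-statement copy-interface term 2 then reject
set firewall family inet filter NAT term 1 from source-address 2.0.0.10/32
set firewall family inet filter NAT term 1 then count nat-traffic
set firewall family inet filter NAT term 1 then next-ip 10.0.0.10/32 routing-instance fbf
set firewall family inet filter NAT term 2 then accept
set routing-options interface-routes rib-group inet to-fbf-instance
set routing-options static route 0.0.0.0/0 next-hop 10.0.0.13
set routing-options rib-groups to-fbf-instance import-rib inet.0
set routing-options rib-groups to-fbf-instance import-rib fbf.inet.0
set routing-options rib-groups to-fbf-instance import-policy copy-interface
set routing-instances fbf instance-type forwarding
"""

# The original poster's filter, as posted in the question.
BROKEN_CONFIG = """
set firewall family inet filter NAT-PBR term 1 from source-prefix-list net-172.16.2.0/24
set firewall family inet filter NAT-PBR term 1 then count nat-Traffic
set firewall family inet filter NAT-PBR term 1 then next-ip 10.50.1.25/32
set firewall family inet filter NAT-PBR term 1 then accept
set firewall family inet filter NAT-PBR term 2 then accept
set interfaces ge-0/0/6 family inet filter input NAT-PBR
"""


def parse_set_lines(text):
    """Return the token list of each 'set ...' line with 'set' stripped."""
    stmts = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("set "):  # blank lines and anything else are ignored
            stmts.append(line.split()[1:])
    return stmts


def _filter_term_actions(stmts):
    """Map (filter name, term name) -> {action: argument tokens} built from
    the 'then' statements of every 'firewall family <fam> filter' term."""
    terms = defaultdict(dict)
    for t in stmts:
        if (len(t) >= 9 and t[:2] == ["firewall", "family"] and t[3] == "filter"
                and t[5] == "term" and t[7] == "then"):
            terms[(t[4], t[6])][t[8]] = t[9:]
    return terms


def lint_fbf(text):
    """Return a list of human-readable findings; an empty list means every
    next-ip term is wired up the way the thread describes."""
    stmts = parse_set_lines(text)
    findings = []

    # routing-instance name -> instance-type
    instances = {t[1]: t[3] for t in stmts
                 if len(t) >= 4 and t[0] == "routing-instances" and t[2] == "instance-type"}
    rib_groups = defaultdict(set)   # rib-group name -> ribs it imports into
    interface_rib_groups = set()    # rib-groups applied under interface-routes
    for t in stmts:
        if len(t) >= 5 and t[:2] == ["routing-options", "rib-groups"] and t[3] == "import-rib":
            rib_groups[t[2]].update(x for x in t[4:] if x not in ("[", "]"))
        if len(t) >= 5 and t[:4] == ["routing-options", "interface-routes", "rib-group", "inet"]:
            interface_rib_groups.add(t[4])

    for (flt, term), actions in sorted(_filter_term_actions(stmts).items()):
        if "next-ip" not in actions:
            continue
        where = f"filter {flt} term {term}"
        args = actions["next-ip"]
        if "accept" in actions:
            findings.append(f"{where}: 'accept' in the same term as next-ip; remove the accept")
        if len(args) < 3 or args[1] != "routing-instance":
            findings.append(f"{where}: next-ip has no routing-instance")
            continue
        ri = args[2]
        if instances.get(ri) != "forwarding":
            findings.append(f"{where}: routing-instance {ri} is missing or not instance-type forwarding")
        target = f"{ri}.inet.0"
        if not any(target in rib_groups[g] for g in interface_rib_groups):
            findings.append(f"{where}: no interface-routes rib-group imports into {target}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("reply", WORKING_CONFIG), ("original question", BROKEN_CONFIG)):
        print(f"{name}: {lint_fbf(cfg) or 'no findings'}")
```

Run it on a `show configuration | display set` dump of your own box; the question's filter produces two findings (accept in the next-ip term, and no routing-instance), while the reply's configuration produces none.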
Original Message:
Sent: 09-26-2023 22:20
From: gongyayu
Subject: FBF questions
I have the following topology
What I need is: when the traffic is sourced from 172.16.2.X, the next hop is 10.50.1.25; otherwise, the next hop is via the default route.
set firewall family inet filter NAT-PBR term 1 from source-prefix-list net-172.16.2.0/24
set firewall family inet filter NAT-PBR term 1 then count nat-Traffic
set firewall family inet filter NAT-PBR term 1 then next-ip 10.50.1.25/32
set firewall family inet filter NAT-PBR term 1 then accept
set firewall family inet filter NAT-PBR term 2 then accept
set interfaces ge-0/0/6 family inet filter input NAT-PBR
When the traffic is sourced from 172.16.2.X, I can see the count increasing, but the traffic still goes to the default.
Any ideas ?
thanks !!