Hi,
I'm having an issue with Filter Based Forwarding using the ACX2200 in a test lab before production.
Model: acx2200
Junos: 20.4R3-S2.6
I've followed a few guides and I understand with this type of configuration you can't put the filter on the physical interface so I've put it on the forwarding options.
I have a laptop connected to the 172.16.1.1/24 interface and I'm trying to set up a routing-instance so that it goes through the 10.1.1.55 interface and then off to the internet.
This is so I can do load balancing with two different ISPs based on the source address of my internal network.
With the configuration below it seems like the filter is working and sending it to the routing-instance, but I can't ping out past the router and receive a reply from the interface 172.16.1.1 that the Destination is not reachable. I also receive error messages which I attached below, but I can't seem to make out why it's occurring but it's clear that's why I can't get past the interface.
Here is the configuration:
interfaces {
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 172.16.1.1/24;
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family inet {
                address 10.1.1.55/24;
            }
        }
    }
}
forwarding-options {
    family inet {
        filter {
            input wifi-route;
        }
    }
}
firewall {
    family inet {
        filter wifi-route {
            term allow {
                from {
                    source-address {
                        172.16.1.0/24;
                    }
                }
                then {
                    log;
                    routing-instance test;
                }
            }
            term default {
                then accept;
            }
        }
    }
}
routing-instances {
    test {
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.1.1.1;
            }
        }
        instance-type forwarding;
    }
}
routing-options {
    interface-routes {
        rib-group inet fbf-group;
    }
    rib-groups {
        fbf-group {
            import-rib [ inet.0 test.inet.0 ];
        }
    }
}
admin@TST.SVR.TST>
I can see the route in the routing-instance test
admin@TST.SVR.TST> show route

inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.1.1.0/24        *[Direct/0] 00:06:46
                    > via ge-0/0/3.0
10.1.1.55/32       *[Local/0] 00:06:46
                      Local via ge-0/0/3.0
172.16.1.0/24      *[Direct/0] 00:06:06
                    > via ge-0/0/2.0
172.16.1.1/32      *[Local/0] 00:06:06
                      Local via ge-0/0/2.0
192.168.30.254/32  *[Local/0] 23:56:05
                      Reject

test.inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:06:46
                    > to 10.1.1.1 via ge-0/0/3.0
10.1.1.0/24        *[Direct/0] 00:06:46
                    > via ge-0/0/3.0
10.1.1.55/32       *[Local/0] 00:06:46
                      Local via ge-0/0/3.0
172.16.1.0/24      *[Direct/0] 00:06:06
                    > via ge-0/0/2.0
172.16.1.1/32      *[Local/0] 00:06:06
                      Local via ge-0/0/2.0
192.168.30.254/32  *[Local/0] 23:21:57
                      Reject
admin@TST.SVR.TST>
I can see the log is working as well and allowing it through the filter.
admin@TST.SVR.TST> show firewall log
Log :
Time      Filter  Action  Interface    Protocol  Src Addr     Dest Addr
15:37:38  pfe     A       ge-0/0/2.0   UDP       172.16.1.10  8.8.8.8
15:37:38  pfe     A       ge-0/0/2.0   ICMP      172.16.1.10  8.8.8.8
15:37:38  pfe     A       ge-0/0/2.0   UDP       172.16.1.10  8.8.8.8
15:37:38  pfe     A       ge-0/0/2.0   UDP       172.16.1.10  8.8.8.8
15:37:37  pfe     A       ge-0/0/2.0   UDP       172.16.1.10  8.8.8.8
15:37:37  pfe     A       ge-0/0/2.0   ICMP      172.16.1.10  8.8.8.8
15:37:37  pfe     A       ge-0/0/2.0   UDP       172.16.1.10  8.8.8.8
15:37:36  pfe     A       ge-0/0/2.0   UDP       172.16.1.10  8.8.8.8
I did read somewhere that there was a bug in the JUNOS in which you have to restart the PFE but restarting it doesn't help.
Log messages after I activate the forwarding-options and firewall syntax:
Apr 7 15:51:31 TST.SVR.TST feb0 ACX Error (dfw):acx_dfw_set_bcm_match :Setting VRFid failed filter 22 rv(-7) "Entry not found"
Apr 7 15:51:31 TST.SVR.TST feb0 ACX Error (dfw):acx_dfw_rule_create :Could not set match, unit 0, entry 166, group 2
Apr 7 15:51:31 TST.SVR.TST feb0 ACX Error (dfw):acx_dfw_filter_create_exp :[-1] from acx_dfw_rule_create_exp term(allow)
Apr 7 15:51:31 TST.SVR.TST feb0 ACX Error (dfw):acx_dfw_create_hw_instance :Status:-1 Could not program dfw(wifi-route) type(DYN_VFP_FF)! [-1]
Apr 7 15:51:31 TST.SVR.TST feb0 ACX Error (dfw):acx_dfw_bind_shim :[-1] Could not create dfw(wifi-route) type(DYN_VFP_FF)
Apr 7 15:51:31 TST.SVR.TST feb0 ACX Error (dfw):acx_dfw_ftf_create :[1] bind failed for filter wifi-route
Apr 7 15:51:31 TST.SVR.TST feb0 ACX Error (dfw):acx_dfw_ftf :status:[1] acx_dfw_ftf_create failed.
Apr 7 15:51:31 TST.SVR.TST feb0 PFE_ERROR_FAIL_OPERATION: rt_halp_vectors->rt_table_change failed
Apr 7 15:51:32 TST.SVR.TST feb0 PFE_ERROR_FAIL_OPERATION: route process failed
Any help to figure out these errors would be great as there isn't much on Google.
Thanks
J
------------------------------
JASON WILLIAMS
------------------------------