[j-nsp] Filter based forwarding issue
Jonathan Looney
jonlooney at gmail.com
Sat Sep 29 10:37:17 EDT 2012
It appears "term 3" is far below "term 1" and "term 2". It appears ping and
Telnet traffic from 192.168.4.128/26 would match terms "ping" and "telnet";
therefore, they will never hit "term 3" and not use filter-based forwarding.
Does this explain the behavior you are seeing?
If so, I believe the configuration-mode command "insert firewall filter
next-hop-office-DMZservers term 3 after term 2" will solve this problem.
-Jon
On Thu, Sep 27, 2012 at 11:26 AM, Brendan Regan <brendan.bregan at gmail.com> wrote:
>
> firewall {
>     filter next-hop-office-DMZservers {
>         inactive: term allow-all-traffic {
>             then accept;
>         }
>         term 1 {
>             from {
>                 source-address {
>                     192.168.4.0/26;
>                     212.111.101.0/27;
>                 }
>             }
>             then {
>                 routing-instance 4.0/26-source;
>             }
>         }
>         term 2 {
>             from {
>                 source-address {
>                     192.168.4.64/26;
>                 }
>             }
>             then {
>                 routing-instance 4.64/26-source;
>             }
>         }
>         term telnet {
>             from {
>                 source-address {
>                     212.111.102.0/24;
>                     192.168.4.0/24;
>                 }
>                 protocol tcp;
>                 port telnet;
>             }
>             then accept;
>         }
>         term ping {
>             from {
>                 source-address {
>                     212.111.102.0/24;
>                     192.168.4.0/24;
>                 }
>                 protocol icmp;
>             }
>             then accept;
>         }
>         term snmp {
>             from {
>                 source-address {
>                     212.111.102.0/24;
>                 }
>                 protocol udp;
>                 port snmp;
>             }
>             then accept;
>         }
>         term http {
>             from {
>                 source-address {
>                     212.111.102.0/24;
>                 }
>                 protocol tcp;
>                 port http;
>             }
>             then accept;
>         }
>         term 3 {
>             from {
>                 source-address {
>                     192.168.4.128/26;
>                 }
>             }
>             then {
>                 routing-instance PDU1178;
>             }
>         }
>         term accept-remaining-traffic {
>             then {
>                 count remaining-traffic-counter;
>                 accept;
>             }
>         }
>     }
> }
>
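The first-match behaviour Jon describes can be checked without a router. The following is an added example, not code from the thread or from Juniper: a small Python model of the quoted filter that evaluates terms top to bottom the way Junos does, then applies the equivalent of `insert firewall filter next-hop-office-DMZservers term 3 after term 2` and re-evaluates. The term list, the well-known port numbers for telnet/snmp/http, the packets from 192.168.4.130 and 212.111.102.5, and the rule that a Junos `port` match hits either the source or the destination port are all assumptions made for the simulation.

```python
"""Constructed model of Junos first-match firewall filter evaluation.

Not Juniper code: a simulation showing why term order matters in the quoted
filter and what moving term 3 after term 2 changes.
"""
import ipaddress

# Service names used in the quoted config, mapped to IANA well-known ports (assumed).
PORT_NAMES = {"telnet": 23, "snmp": 161, "http": 80}


def term(name, action, src=None, protocol=None, port=None):
    """Build one filter term. `port` follows Junos semantics and matches
    if the value appears as either the source or the destination port."""
    match = {}
    if src:
        match["src"] = [ipaddress.ip_network(p) for p in src]
    if protocol:
        match["protocol"] = protocol
    if port:
        match["port"] = PORT_NAMES.get(port, port)
    return {"name": name, "match": match, "action": action}


# Terms in the order they appear in the quoted configuration. The inactive
# allow-all-traffic term is omitted because Junos does not evaluate it.
FILTER_AS_POSTED = [
    term("1", ("routing-instance", "4.0/26-source"), src=["192.168.4.0/26", "212.111.101.0/27"]),
    term("2", ("routing-instance", "4.64/26-source"), src=["192.168.4.64/26"]),
    term("telnet", ("accept", None), src=["212.111.102.0/24", "192.168.4.0/24"], protocol="tcp", port="telnet"),
    term("ping", ("accept", None), src=["212.111.102.0/24", "192.168.4.0/24"], protocol="icmp"),
    term("snmp", ("accept", None), src=["212.111.102.0/24"], protocol="udp", port="snmp"),
    term("http", ("accept", None), src=["212.111.102.0/24"], protocol="tcp", port="http"),
    term("3", ("routing-instance", "PDU1178"), src=["192.168.4.128/26"]),
    term("accept-remaining-traffic", ("accept", None)),
]


def term_matches(t, pkt):
    """Every condition present in the term's `from` clause must match."""
    m = t["match"]
    if "src" in m and not any(ipaddress.ip_address(pkt["src"]) in n for n in m["src"]):
        return False
    if "protocol" in m and pkt["protocol"] != m["protocol"]:
        return False
    if "port" in m and m["port"] not in (pkt.get("sport"), pkt.get("dport")):
        return False
    return True


def evaluate(terms, pkt):
    """Return (term_name, action) for the first matching term. A term with no
    `from` clause matches everything; if nothing matches, Junos discards."""
    for t in terms:
        if term_matches(t, pkt):
            return t["name"], t["action"]
    return "<implicit-discard>", ("discard", None)


def insert_term_after(terms, name, after):
    """Model `insert firewall filter <f> term <name> after term <after>`."""
    moving = next(t for t in terms if t["name"] == name)
    rest = [t for t in terms if t["name"] != name]
    idx = next(i for i, t in enumerate(rest) if t["name"] == after)
    return rest[: idx + 1] + [moving] + rest[idx + 1 :]


FILTER_REORDERED = insert_term_after(FILTER_AS_POSTED, "3", "2")

# Constructed sample packets: two from the subnet term 3 is meant to catch,
# one from the 212.111.102.0/24 office range.
TELNET_FROM_DMZ = {"src": "192.168.4.130", "protocol": "tcp", "sport": 40000, "dport": 23}
PING_FROM_DMZ = {"src": "192.168.4.130", "protocol": "icmp"}
HTTP_FROM_OFFICE = {"src": "212.111.102.5", "protocol": "tcp", "sport": 40001, "dport": 80}

if __name__ == "__main__":
    for label, pkt in [("telnet", TELNET_FROM_DMZ), ("ping", PING_FROM_DMZ), ("http", HTTP_FROM_OFFICE)]:
        print(label, "as posted      ->", evaluate(FILTER_AS_POSTED, pkt))
        print(label, "after insert   ->", evaluate(FILTER_REORDERED, pkt))
```

Run as a script it shows telnet and ping from 192.168.4.130 landing on the `telnet` and `ping` accept terms in the posted order, and on term 3 (routing-instance PDU1178) once term 3 sits directly after term 2; HTTP from the office range still reaches the `http` term either way, because term 3 does not match that source.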