Block ICMP on Juniper SRX 210

Assume you have an SRX connected to a VLAN, for example 192.168.1.0/24. The SRX has an IP in that subnet, like 192.168.1.1. You have PCs in that same VLAN/subnet and want to block ICMP between those PCs, so you want to effectively block 192.168.1.5 from pinging 192.168.1.6. Is this possible on an SRX 210?

Well, you may think it could be done with a security policy like the following (written out in set syntax; the zone name trust and the address-book entry are assumed, since both PCs sit in the same zone):

set security zones security-zone trust address-book address my-PC 192.168.1.5/32
set security policies from-zone trust to-zone trust policy block-icmp match source-address my-PC
set security policies from-zone trust to-zone trust policy block-icmp match destination-address any
set security policies from-zone trust to-zone trust policy block-icmp match application [ junos-ping junos-icmp-all ]
set security policies from-zone trust to-zone trust policy block-icmp then reject


The result of this policy: the PC can no longer ping hosts outside the subnet (public IPs), but it can still ping the other hosts in its VLAN. This cannot be accomplished with security policies at all, because the PCs are in the same VLAN and subnet: their traffic is switched at layer 2 and never enters the SRX flow engine where policies are evaluated.

Another possibility is to apply a firewall filter to the vlan (routed VLAN) interface:
set firewall family inet filter icmp term 1 from protocol icmp

set firewall family inet filter icmp term 1 then discard
set firewall family inet filter icmp term 2 then accept
set interfaces vlan unit 2 family inet filter input icmp

The result of this firewall filter is the same: pings to external hosts (public IPs) are dropped, but pings to local hosts in the VLAN still work. Hosts in the same broadcast domain learn each other's MAC addresses via ARP and talk to each other directly over layer 2, so that traffic never reaches the vlan logical interface (or the routed path at all). An inet filter on the vlan interface only sees packets that are routed through it, and the security policies never see this traffic either.
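To make the forwarding logic above concrete, here is a small Python model. It is an added example, not code from the original post or from Juniper: it parses a constructed Junos set configuration (the subnet 192.168.1.0/24, vlan unit 2 and the filter named icmp are taken from the post; the config text itself and the function names are assumptions), decides whether a given source/destination pair is switched at layer 2 or routed through the vlan interface, and only applies the interface filter on the routed path. The same-subnet case therefore comes back as not blocked no matter what the filter says, which is exactly the behaviour observed above.

```python
import ipaddress
import re

# Constructed Junos config (an assumption, not from the post verbatim):
# the RVI-filter approach described above.
CONFIG = """
set interfaces vlan unit 2 family inet address 192.168.1.1/24
set interfaces vlan unit 2 family inet filter input icmp
set firewall family inet filter icmp term 1 from protocol icmp
set firewall family inet filter icmp term 1 then discard
set firewall family inet filter icmp term 2 then accept
"""

RVI_ADDR = re.compile(r"^set interfaces vlan unit (\d+) family inet address (\S+)$")
RVI_FILTER = re.compile(r"^set interfaces vlan unit (\d+) family inet filter input (\S+)$")
TERM_FROM = re.compile(r"^set firewall family inet filter (\S+) term (\S+) from protocol (\S+)$")
TERM_THEN = re.compile(r"^set firewall family inet filter (\S+) term (\S+) then (accept|discard|reject)$")


def _term(filters, fname, tname):
    """Return the mutable term record, creating it in config order (dicts keep insertion order)."""
    return filters.setdefault(fname, {}).setdefault(tname, {"protocol": None, "action": None})


def parse(config):
    """Parse the subset of set syntax used above.

    Returns (rvis, filters): rvis maps vlan unit -> {"net": IPv4Network, "filter": name or None};
    filters maps filter name -> ordered dict of term name -> {"protocol", "action"}.
    """
    rvis, filters = {}, {}
    for line in config.strip().splitlines():
        line = line.strip()
        if m := RVI_ADDR.match(line):
            rvi = rvis.setdefault(m[1], {"net": None, "filter": None})
            rvi["net"] = ipaddress.ip_interface(m[2]).network
        elif m := RVI_FILTER.match(line):
            rvis.setdefault(m[1], {"net": None, "filter": None})["filter"] = m[2]
        elif m := TERM_FROM.match(line):
            _term(filters, m[1], m[2])["protocol"] = m[3]
        elif m := TERM_THEN.match(line):
            _term(filters, m[1], m[2])["action"] = m[3]
    return rvis, filters


def filter_verdict(filters, name, protocol):
    """Evaluate an inet filter: first matching term wins, a term without a
    'from' matches everything, and Junos ends every filter with an implicit discard."""
    for term in filters.get(name, {}).values():
        if term["protocol"] in (None, protocol):
            return term["action"] or "accept"  # a matching term with no action accepts
    return "discard"


def forwarding_path(rvis, src, dst):
    """Classify src -> dst as 'l2-switched' (both in one VLAN subnet) or 'routed'
    (src in a VLAN subnet, dst elsewhere). Returns (path, vlan unit)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for unit, rvi in rvis.items():
        if rvi["net"] is not None and src in rvi["net"] and dst in rvi["net"]:
            return "l2-switched", unit
    for unit, rvi in rvis.items():
        if rvi["net"] is not None and src in rvi["net"]:
            return "routed", unit
    return "unknown", None


def is_blocked(config, src, dst, protocol="icmp"):
    """True if the input filter on the vlan interface would drop src -> dst.
    Layer-2-switched traffic never enters the vlan interface, so it can never be blocked here."""
    rvis, filters = parse(config)
    path, unit = forwarding_path(rvis, src, dst)
    if path != "routed":
        return False
    fname = rvis[unit]["filter"]
    if fname is None:
        return False
    return filter_verdict(filters, fname, protocol) != "accept"


if __name__ == "__main__":
    for dst in ("192.168.1.6", "8.8.8.8"):
        path, _ = forwarding_path(parse(CONFIG)[0], "192.168.1.5", dst)
        state = "blocked" if is_blocked(CONFIG, "192.168.1.5", dst) else "reachable"
        print(f"192.168.1.5 -> {dst}: {path}, icmp {state}")
```

Running it shows the pair from the post (192.168.1.5 to 192.168.1.6) as l2-switched and reachable, while a public destination is routed and blocked. Swapping the constructed CONFIG for your own set output lets you check where a filter actually sits before assuming it covers a flow.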

It should be mentioned that a configuration like the following (note that set firewall filter with no family given is shorthand for family inet):

set firewall filter qqq term a from protocol icmp
set firewall filter qqq term a then reject
set firewall filter qqq term b then accept
set vlans qqq vlan-id 2
set vlans qqq filter input qqq

does not achieve the task either.

So this task cannot be carried out on an SRX 210. Special thanks to the J-Net forum community for helping me discuss this issue.
