Hello,
I have an EX2200 (12.3R6.6), and I'm trying to create a firewall filter that will restrict inbound and outbound traffic for ge-0/0/5 to specific source/destination addresses. This is for an old NAS that holds replicated backups, and it does not have built-in functionality for access control lists.
I tried following the procedure listed here: http://www.juniper.net/documentation/en_US/junos12.3/topics/task/configuration/firewall-filter-ex-series-cli.html
I created a firewall filter for the ethernet-switching family, and I added one term to accept traffic from a single IP address:
{master:0}[edit firewall family ethernet-switching]
user@SWITCH# show
filter NAS-Inbound {
    term NAS-Inbound-Allow {
        from {
            source-address {
                192.168.1.66/32;
            }
        }
    }
}
Then I applied the firewall filter to the input of ge-0/0/5:
{master:0}[edit interfaces ge-0/0/5 unit 0 family ethernet-switching]
user@SWITCH# show
port-mode access;
vlan {
    members VLAN2;
}
filter {
    input NAS-Inbound;
}
After I commit the change, I cannot ping the NAS from anywhere on our network, even from the IP address that the rule should allow. That IP address is on the same VLAN as the NAS. If I remove the filter from ge-0/0/5, I can ping the NAS. I tried adding "set then accept" to the NAS-Inbound-Allow term and applying the filter to ge-0/0/5 again, but I still can't ping the NAS. When the filter is applied, the NAS becomes unreachable.
I want the filter to apply only to ge-0/0/5 instead of VLAN2, if possible. What am I doing incorrectly?
Thank you.
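Two properties of Junos firewall filters matter when reading the configuration above, and the following added example illustrates both; it is not the poster's configuration and not an answer from Juniper. First, a filter applied with `input` on an interface is evaluated against frames the switch receives on that interface, that is, frames sent by the device attached to ge-0/0/5; frames delivered to that device are evaluated by an `output` filter. Second, every Junos firewall filter ends with an implicit discard, so any frame that matches no term (including ARP, which carries no IP source address) is dropped unless a term accepts it. The example assumes the same hypothetical addresses as the post (the NAS behind ge-0/0/5, a backup host at 192.168.1.66) and uses hierarchical configuration format with `/* */` annotations; filter and counter names are made up. Whether EX2200 on 12.3 supports `output` filters and counters on an ethernet-switching port should be confirmed against the Juniper documentation for that release before relying on the egress half.

```junos
/* Added example, not the original poster's configuration. Addresses are illustrative. */
firewall {
    family ethernet-switching {
        /* Evaluated against frames RECEIVED on ge-0/0/5, i.e. sent by the NAS */
        filter NAS-from-port {
            term allow-arp {
                from {
                    ether-type arp;
                }
                then accept;
            }
            term allow-to-backup-host {
                from {
                    destination-address {
                        192.168.1.66/32;
                    }
                }
                then accept;
            }
            /* Explicit final term so the drops are counted and visible in "show firewall" */
            term default-discard {
                then {
                    count NAS-from-port-discard;
                    discard;
                }
            }
        }
        /* Evaluated against frames SENT to the NAS out of ge-0/0/5 */
        filter NAS-to-port {
            term allow-arp {
                from {
                    ether-type arp;
                }
                then accept;
            }
            term allow-from-backup-host {
                from {
                    source-address {
                        192.168.1.66/32;
                    }
                }
                then accept;
            }
            term default-discard {
                then {
                    count NAS-to-port-discard;
                    discard;
                }
            }
        }
    }
}
interfaces {
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members VLAN2;
                }
                filter {
                    input NAS-from-port;
                    output NAS-to-port;
                }
            }
        }
    }
}
```

The `count` actions make the filter observable: after committing, `show firewall` lists the per-filter counters, so a ping that fails can be attributed to a specific direction and term rather than guessed at. Keeping the filter on the port, as the post wants, limits its scope to the NAS alone and leaves the rest of VLAN2 untouched.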