Mailing List Archive

Firewall filter rule based on external reachability of server
Hello,

I have a filter setup:

term DDOS {
    from {
        destination-prefix-list {
            DDOS-Customers;
        }
    }
    then {
        count DDOS;
        next-ip 192.168.126.2/32;
    }
}

The 192.168.126.2 IP is the DDOS mitigation device. Is there a way I can set up the router to ping the 192.168.126.2 address, set a 'reachable variable' and then use that variable in the filter? So if the device goes down the filter term is bypassed and traffic flows to the customer, bypassing the DDOS mitigation machine.



_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: Firewall filter rule based on external reachability of server
We’ve had similar instances of where we’ve needed to accomplish the same effect.

Creating a "DDOS-Scrub" routing instance and using your firewall rule to punt that traffic to the routing instance will give you more flexibility.
You could then use RPM to check ping to the 0/0 next-hop (your mitigation device) and, if that fails, fall back to a lower cost LT interface to the main table.


> On Mar 29, 2023, at 2:15 PM, Matthew Crocker via juniper-nsp <juniper-nsp@puck.nether.net> wrote:

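The routing-instance plus RPM approach from the reply, written out as one Junos configuration. This is an added example, not the poster's or the replier's config, and it makes several assumptions: tunnel-services is enabled on FPC 0 / PIC 0 so lt-0/0/10 exists; ge-0/0/1 (192.168.126.1/30) faces the mitigation device at 192.168.126.2; 10.255.255.0/30 is the logical tunnel between inet.0 and the DDOS-Scrub instance; cleaned traffic comes back from the scrubber on a separate interface in the main instance that carries no diversion filter; and the platform and release support [edit services ip-monitoring] with a routing-instances preferred-route (availability varies by Junos release, so check `show services ip-monitoring status` after commit). The filter action `routing-instance` takes the place of `next-ip` from the original post.

```junos
/* Added example, not from the thread. Assumptions: lt-0/0/10 exists
   (tunnel-services on FPC 0 PIC 0), ge-0/0/1 faces the scrubber,
   10.255.255.0/30 is the logical tunnel, the scrubber's return
   interface sits in inet.0 with no filter, and this release
   supports services ip-monitoring with routing-instances. */
interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.126.1/30;
            }
        }
    }
    lt-0/0/10 {
        /* unit 0 stays in inet.0, unit 1 is placed in DDOS-Scrub */
        unit 0 {
            encapsulation ethernet;
            peer-unit 1;
            family inet {
                address 10.255.255.1/30;
            }
        }
        unit 1 {
            encapsulation ethernet;
            peer-unit 0;
            family inet {
                address 10.255.255.2/30;
            }
        }
    }
}
routing-instances {
    DDOS-Scrub {
        instance-type virtual-router;
        interface ge-0/0/1.0;
        interface lt-0/0/10.1;
        routing-options {
            static {
                /* normal path: everything diverted here goes to the scrubber */
                route 0.0.0.0/0 next-hop 192.168.126.2;
            }
        }
    }
}
firewall {
    family inet {
        filter DDOS-Divert {
            term DDOS {
                from {
                    destination-prefix-list {
                        DDOS-Customers;
                    }
                }
                then {
                    count DDOS;
                    /* replaces next-ip: hand the packet to the scrub instance */
                    routing-instance DDOS-Scrub;
                }
            }
            term default {
                then accept;
            }
        }
    }
}
services {
    rpm {
        probe DDOS-Scrub-Probe {
            test mitigation-reachable {
                probe-type icmp-ping;
                target address 192.168.126.2;
                routing-instance DDOS-Scrub;
                probe-count 3;
                probe-interval 2;
                test-interval 5;
                thresholds {
                    successive-loss 3;
                }
            }
        }
    }
    ip-monitoring {
        policy DDOS-Scrub-Fallback {
            match {
                rpm-probe DDOS-Scrub-Probe;
            }
            then {
                preferred-route {
                    /* installed only while the probe fails; metric 1 beats
                       the static route, so diverted traffic takes the lt
                       hop back into inet.0 and reaches the customer unscrubbed */
                    routing-instances DDOS-Scrub {
                        route 0.0.0.0/0 {
                            next-hop 10.255.255.1;
                            preferred-metric 1;
                        }
                    }
                }
            }
        }
    }
}
```

Two things to check before relying on this. First, apply DDOS-Divert only on the upstream ingress interfaces, never on lt-0/0/10.0 or on the interface the scrubber uses to return cleaned traffic; a filter on either of those re-diverts the packet and loops it. Second, this is deliberately fail-open, as the original question asked for: while the scrubber is down the customer receives unfiltered traffic, and for the roughly `probe-count * probe-interval + test-interval` seconds before the threshold trips, traffic is still sent to the dead next-hop. If a fail-closed policy is preferred, the same ip-monitoring route can use `discard` instead of a next-hop, where the release supports it, so that the customer is blackholed rather than exposed.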