It appears "term 3" is far below "term 1" and "term 2". It appears ping and Telnet traffic from 192.168.4.128/26 would match terms "ping" and "telnet"; therefore, they will never hit "term 3" and will not use filter-based forwarding.
Does this explain the behavior you are seeing? If so, I believe the configuration-mode command "insert firewall filter next-hop-office-DMZservers term 3 after term 2" will solve this problem.

-Jon

On Thu, Sep 27, 2012 at 11:26 AM, Brendan Regan <brendan.bre...@gmail.com> wrote:
>
> firewall {
>     filter next-hop-office-DMZservers {
>         inactive: term allow-all-traffic {
>             then accept;
>         }
>         term 1 {
>             from {
>                 source-address {
>                     192.168.4.0/26;
>                     212.111.101.0/27;
>                 }
>             }
>             then {
>                 routing-instance 4.0/26-source;
>             }
>         }
>         term 2 {
>             from {
>                 source-address {
>                     192.168.4.64/26;
>                 }
>             }
>             then {
>                 routing-instance 4.64/26-source;
>             }
>         }
>         term telnet {
>             from {
>                 source-address {
>                     212.111.102.0/24;
>                     192.168.4.0/24;
>                 }
>                 protocol tcp;
>                 port telnet;
>             }
>             then accept;
>         }
>         term ping {
>             from {
>                 source-address {
>                     212.111.102.0/24;
>                     192.168.4.0/24;
>                 }
>                 protocol icmp;
>             }
>             then accept;
>         }
>         term snmp {
>             from {
>                 source-address {
>                     212.111.102.0/24;
>                 }
>                 protocol udp;
>                 port snmp;
>             }
>             then accept;
>         }
>         term http {
>             from {
>                 source-address {
>                     212.111.102.0/24;
>                 }
>                 protocol tcp;
>                 port http;
>             }
>             then accept;
>         }
>         term 3 {
>             from {
>                 source-address {
>                     192.168.4.128/26;
>                 }
>             }
>             then {
>                 routing-instance PDU1178;
>             }
>         }
>         term accept-remaining-traffic {
>             then {
>                 count remaining-traffic-counter;
>                 accept;
>             }
>         }
>     }
> }

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
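The ordering point Jon makes above, as an added example that is not part of the thread: a small Python model of Junos first-match term evaluation, loaded with the posted filter (port names resolved to 23/161/80, the inactive term skipped), so you can see which term a given packet lands on before and after the suggested "insert ... term 3 after term 2". The test packets, the `evaluate` and `insert_after` helpers and the Term model are my own constructions; only the term names, prefixes and actions come from the posted configuration.

```python
"""Junos-style firewall filter term-order simulation (added example, not from the post).

Model: terms are evaluated top to bottom; every 'from' condition of a term must
match; the first matching term's 'then' action is taken and evaluation stops.
A term with no 'from' matches everything; an inactive term is skipped; a packet
that matches nothing hits the implicit discard at the end of the filter.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Term:
    name: str
    sources: list = field(default_factory=list)  # CIDR strings; empty list = any source
    protocol: Optional[str] = None               # 'tcp' | 'udp' | 'icmp' | None = any
    port: Optional[int] = None                   # tcp/udp port; None = any
    action: str = "accept"                       # 'accept' or 'routing-instance <name>'
    inactive: bool = False

    def matches(self, src: str, proto: str, dport: Optional[int]) -> bool:
        if self.inactive:
            return False
        if self.sources and not any(
            ipaddress.ip_address(src) in ipaddress.ip_network(n) for n in self.sources
        ):
            return False
        if self.protocol is not None and proto != self.protocol:
            return False
        if self.port is not None and dport != self.port:
            return False
        return True


def evaluate(terms, src, proto, dport=None):
    """Return (term_name, action) of the first matching term, or (None, 'discard')."""
    for t in terms:
        if t.matches(src, proto, dport):
            return t.name, t.action
    return None, "discard"  # implicit discard at the end of a Junos filter


def insert_after(terms, name, after):
    """Mimic 'insert firewall filter <f> term <name> after term <after>'."""
    moving = next(t for t in terms if t.name == name)
    rest = [t for t in terms if t.name != name]
    idx = next(i for i, t in enumerate(rest) if t.name == after)
    return rest[: idx + 1] + [moving] + rest[idx + 1 :]


# The posted filter, term order preserved (port telnet=23, snmp=161, http=80).
OFFICE = ["212.111.102.0/24", "192.168.4.0/24"]
POSTED = [
    Term("allow-all-traffic", inactive=True),
    Term("1", ["192.168.4.0/26", "212.111.101.0/27"], action="routing-instance 4.0/26-source"),
    Term("2", ["192.168.4.64/26"], action="routing-instance 4.64/26-source"),
    Term("telnet", OFFICE, "tcp", 23),
    Term("ping", OFFICE, "icmp"),
    Term("snmp", ["212.111.102.0/24"], "udp", 161),
    Term("http", ["212.111.102.0/24"], "tcp", 80),
    Term("3", ["192.168.4.128/26"], action="routing-instance PDU1178"),
    Term("accept-remaining-traffic"),
]
FIXED = insert_after(POSTED, "3", "2")  # the command Jon suggests

# Constructed test packets: (source, protocol, destination port)
SAMPLE = [
    ("192.168.4.130", "icmp", None),  # ping from the /26 meant for PDU1178
    ("192.168.4.130", "tcp", 23),     # telnet from that /26
    ("192.168.4.130", "tcp", 443),    # anything else from that /26
    ("192.168.4.10", "icmp", None),   # host in 192.168.4.0/26: term 1 either way
]


def trace(terms):
    """Map each sample packet to the (term, action) it lands on."""
    return {pkt: evaluate(terms, *pkt) for pkt in SAMPLE}


if __name__ == "__main__":
    for label, terms in (("as posted", POSTED), ("after insert term 3 after term 2", FIXED)):
        print(f"--- {label} ---")
        for pkt, (name, action) in trace(terms).items():
            print(f"{pkt}: term {name} -> {action}")
```

In the posted order, ICMP and TCP/23 from 192.168.4.130 stop at "ping" and "telnet" with a plain accept, and only other traffic from that /26 reaches term 3; after the move, everything sourced from 192.168.4.128/26 is handed to routing-instance PDU1178, including ping and telnet, which is the behaviour the order change is meant to produce. Note that term 3 matches on source only, so the move redirects all traffic from that /26 regardless of destination; if ping or telnet from it is supposed to stay in the default instance, that needs its own term ahead of term 3.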