From fe0a55f97fddb592e3999dc08acd096dc546955e Mon Sep 17 00:00:00 2001
From: Denys Fedoryshchenko
Date: Thu, 21 Sep 2023 03:19:19 +0300
Subject: [PATCH] Add FBF example
---
 Juniper.md | 126 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 126 insertions(+)
diff --git a/Juniper.md b/Juniper.md
index 49f29db..3c30934 100644
--- a/Juniper.md
+++ b/Juniper.md
@@ -574,6 +574,132 @@ interfaces {
 ```
+### EX4600, QFX
+
+Fundamental difference between EX4500, EX4550 and EX4600, QFX is that EX4500, EX4550 have "instance-type forwarding" and EX4600, QFX don't have it. So you need to use "instance-type virtual-router" instead.
+
+Here is examples for EX4600, QFX, where we redirect traffic from users to nat, and have local bypass.
+
+
+One of them verified and i tested it works:
+
+```
+routing-instances {
+ route-tonat {
+ instance-type virtual-router;
+ routing-options {
+ static {
+ route 0.0.0.0/0 next-hop 10.0.250.2;
+ }
+ }
+ interface irb.161;
+ }
+}
+interfaces {
+ irb {
+ unit 161 {
+ description VRF-TO-NAT;
+ family inet {
+ address 10.0.250.1/24;
+ }
+ }
+ }
+}
+firewall {
+ family inet {
+ filter mainvlan-in {
+ term bypass {
+ from {
+ destination-address {
+ 10.0.0.0/8;
+ 192.168.0.0/16;
+ 172.16.0.0/12;
+ }
+ }
+ then accept;
+ }
+ term tonat {
+ from {
+ source-address {
+ 172.16.0.0/12;
+ }
+ }
+ then {
+ routing-instance route-tonat;
+ }
+ }
+ term default {
+ then accept;
+ }
+ }
+ }
+}
+```
+Note: interface irb.161 can be used only one-way, to send traffic to NAT, but not to receive it back. Receive back will be handled automatically, as NAT will decode back to fake ips and fake ips routes are present in default routing instance, so nothing special need to be done.
+Also after that you need to assign filter to interface where traffic from users is coming.
+
+
+Second one is not verified, i adapted it from from article, but it should work and looks more elegant (doesnt need to lose interface for VRF)
+
+```
+FBF-test {
+ instance-type virtual-router;
+ routing-options {
+ static {
+ route 0.0.0.0/0 next-hop 12.12.12.2;
+ }
+ instance-import FBF-export;
+ }
+}
+policy-statement FBF-export {
+ term 1 {
+ from {
+ instance master;
+ route-filter 12.12.12.0/30 exact;
+ }
+ then accept;
+ }
+ term 2 {
+ then reject;
+ }
+}
+firewall {
+ family inet {
+ filter FBF-test {
+ term 1 {
+ from {
+ destination-address {
+ 10.0.0.0/8;
+ 192.168.0.0/16;
+ 172.16.0.0/12;
+ }
+ }
+ then accept;
+ }
+ term tonat {
+ from {
+ source-address {
+ 172.16.0.0/12;
+ }
+ }
+ then {
+ count FBF-count;
+ routing-instance FBF-test;
+ }
+ }
+ term 2 {
+ then accept;
+ }
+ }
+ }
+}
+```
+
+
+Articles:
+
+- https://supportportal.juniper.net/s/article/EX-QFX-Performing-filter-based-forwarding-in-ELS-devices?language=en_US
+
 ## Diagnostics
 ### SFP signal monitoring