SRX


  • 1.  PPP over Ethernet (PPPoE) with routed subnet

    Posted 11-16-2011 11:27

    Hello,

     

    I got an internet connection with a routed subnet.

    I want to be able to configure it on my SRX, but it is hard!

    I want the routed subnet to be on a vlan, so i can configure other hosts on the vlan to use a public ip address.

     

    I know the Cisco IOS config. Can you help me out?

     

    ! Physical port towards the ISP: it has no address of its own and only carries the PPPoE session (dial pool 1).
    interface FastEthernet4
    description verbinding == HVN Internet ==
    no ip address
    duplex auto
    speed auto
    pppoe-client dial-pool-number 1
    !
    ! LAN side. The Dutch placeholder means "first IP from the routed subnet"; this is the address Dialer1 borrows below.
    interface Vlan1
    description local-lan
    ip address <EERSTE IP UIT ROUTED SUBNET> <MASK>
    ip virtual-reassembly
    ! 1452 = Dialer1's 1492-byte MTU minus 40 bytes of IP+TCP header, so LAN hosts do not send packets that need fragmenting over PPPoE.
    ip tcp adjust-mss 1452
    !
    ! PPP endpoint. "ip unnumbered Vlan1" makes it reuse Vlan1's address instead of a separately negotiated one.
    interface Dialer1
    description == Internet Dialer ==
    mtu 1492
    ip unnumbered Vlan1
    ! Usual hardening for an internet-facing interface: no redirects, no ICMP unreachables, no proxy ARP.
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ! PAP transmits the credential unencrypted on the PPP link; the placeholders stand for the ISP-issued username/password.
    ppp authentication pap callin
    ppp pap sent-username <PPP USERNAME> password <PPP PASSWORD>
    no cdp enable
    !

     

    my Junos part so far:

     

    /* Physical port towards the ISP; it only carries the PPPoE session that pp0.0 runs over (see pppoe-options below) */
    fe-0/0/7 {
    unit 0 {
    encapsulation ppp-over-ether;
    }
    }

     

    pp0 {
    /* flag all is debug-level PPP logging; keep it only while troubleshooting the session */
    traceoptions {
    flag all;
    }
    unit 0 {
    description ISP1;
    point-to-point;
    ppp-options {
    pap {
    /* "" with ## SECRET-DATA is how the CLI redacts secrets in show output; the real credentials are not shown here */
    default-password ""; ## SECRET-DATA
    local-name NAME;
    local-password ""; ## SECRET-DATA
    passive;
    }
    }
    pppoe-options {
    underlying-interface fe-0/0/7.0;
    client;
    }
    no-keepalives;
    family inet {
    mtu 1492;
    /* Address is learned from the ISP; the author notes below that the session does not come up without this */
    negotiate-address;
    }
    }

     

    negotiate-address seems to be necessary, otherwise no PPP connection comes up. It gets the first IP address of the subnet, but I also want that address to be part of a VLAN.



  • 2.  RE: PPP over Ethernet (PPPoE) with routed subnet

    Posted 11-20-2011 06:55
    hmmm i am a bit disappointed no one knows how to configure pppoe with a subnet ip address and member of a vlan.


  • 3.  RE: PPP over Ethernet (PPPoE) with routed subnet
    Best Answer

    Posted 11-26-2011 04:14

    i figured it out myself. documentation on the srx/junos product is very poor.....

     

    interfaces {

    /* Physical port towards the ISP; carries only the PPPoE session for pp0.0 */
    fe-0/0/7 {
    unit 0 {

    encapsulation ppp-over-ether;
    }

    }
    pp0 {

    /* Debug-level PPP logging; remove once the session is stable */
    traceoptions {
    flag all;
    }
    unit 0 {
    description ISP1;
    point-to-point;
    ppp-options {
    pap {
    /* SECRET placeholders stand for the ISP-issued PAP credentials */
    default-password "SECRET";
    local-name SECRET;
    local-password "SECRET";
    passive;
    }
    }
    pppoe-options {
    underlying-interface fe-0/0/7.0;
    client;
    }
    no-keepalives;
    family inet {
    mtu 1492;
    /* Instead of a negotiated address, pp0.0 borrows INTERNET-IP from vlan.3; GATEWAY-IP is the ISP-side peer (both placeholders).
       Reply 4 in this thread reports this no longer works on releases after 11.4r8.4 */
    unnumbered-address vlan.3 destination GATEWAY-IP;
    }
    }

    }

    vlan {
    unit 3 {
    family inet  {
    /* The SRX side keeps /32; hosts on vlan.3 use the real mask (/28 in the author's case) and INTERNET-IP as their gateway */
    address INTERNET-IP/32; ## NETMASK /32 IS VERY IMPORTANT! 
    }
    }

    }

     

     

    If you connect another machine to a vlan.3 port, you can give it an IP address from your subnet with the proper subnet mask. In my case I have a /28 network, so use that on the other machine. Keep it at /32 in the Juniper config.

    use the INTERNET-IP as the gateway on the other machine.



  • 4.  RE: PPP over Ethernet (PPPoE) with routed subnet

    Posted 12-15-2013 03:55

    this solution is broken on versions higher than 11.4r8.4.

    i have a support case opened and juniper escalated it to software engineering (as of now the ticket is open more than one month).

    i keep you posted.



  • 5.  RE: PPP over Ethernet (PPPoE) with routed subnet

    Posted 07-14-2014 08:37

    Hello herwarth,

     

    I see this is an old post.

    Did you manage to solve this?

    I need a setup just like this on a Juniper SRX100.

     

    Kind regards

     



  • 6.  RE: PPP over Ethernet (PPPoE) with routed subnet

    Posted 07-14-2014 11:30

    yes i have managed it with help of support:

     

    interfaces {

        pp0 {
            /* Debug-level PPP logging; remove once the session is stable */
            traceoptions {
                flag all;
            }
            unit 0 {
                description ISP1;
                point-to-point;
                ppp-options {
                    pap {
                        /* "secret" placeholders stand for the ISP-issued PAP credentials */
                        default-password "secret";
                        local-name secret;
                        local-password "secret";
                        passive;
                    }
                }
                pppoe-options {
                    underlying-interface ge-0/0/15.0;
                    /* presumably keeps the session up permanently: no idle disconnect, reconnect 10s after a drop — confirm against the release notes */
                    idle-timeout 0;
                    auto-reconnect 10;
                    client;
                }
                no-keepalives;
                family inet {
                    /* Unlike reply 3, the PPP address is negotiated; per reply 7 it ends up being the same first address as vlan.0 below */
                    negotiate-address;
                }
            }

        }

        /* Physical port towards the ISP (fibre); carries only the PPPoE session */
        ge-0/0/15 {
            unit 0 {
                description PPPoE-glasvezel;
                encapsulation ppp-over-ether;
            }
        }

        vlan {
            /* Routed public subnet on the LAN side, this time with its real /28 mask rather than the /32 used in reply 3 */
            unit 0 {
                enable;
                description dmz;
                family inet {
                    address <first ip in subnet>/28;
                }
            }

       }

    }

    routing-options {

        rib inet.0 {
            static {
                /* Default route: everything without a more specific route leaves via the PPPoE session */
                route 0.0.0.0/0 {
                    next-hop pp0.0;
                }

            }

        }

    }

    security {

        zones {
            security-zone isp1 {
                /* "internet" is a screen profile defined outside this listing */
                screen internet;
                host-inbound-traffic {
                    system-services {
                        ping;
                        /* ssh and https here open device management on the internet-facing pp0.0 to any source;
                           restrict them with a loopback firewall filter or drop them if remote management is not needed */
                        ssh;
                        ike;
                        https;
                    }
                }
                interfaces {
                    pp0.0;
                }

           }

            security-zone dmz {
                /* all/all: every system service and routing protocol of the SRX is reachable from the public hosts on vlan.0 */
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.0;
                }
            }
    }

    vlans {
        default {
            /* vlan.2 is referenced here but not defined anywhere in this listing */
            l3-interface vlan.2;
        }
        /* VLAN 8 carries the routed public /28 configured on vlan.0 above */
        dmz {
            vlan-id 8;
            l3-interface vlan.0;
        }

    }

     



  • 7.  RE: PPP over Ethernet (PPPoE) with routed subnet

    Posted 07-16-2014 06:41

    Hi,

     

    OK thanks for your config. I will try it out.

    So basically the SRX will have the first IP in the subnet twice.

    1 in the pp0 and then again in vlan0.

     



  • 8.  RE: PPP over Ethernet (PPPoE) with routed subnet

    Posted 12-24-2014 20:54

    Your example looks very interesting.  The rib-group "inside" is missing from the example.

     

    Can you provide the routing-instance "inside" and a security policy to allow traffic in and out from routed subnet.

     

    Your input will be very much appreciated, as I use the same type of setup.  I will be able to eliminate the pppoe router and connect directly to the SRX.

     

    Currently I have to have an extra router in classic routing mode with the WAN connection as the PPPoE and the LAN configured as the routed subnet.  The LAN connection from this router is connected to ge-0/0/0.0 (untrust) (with the second IP in the routed subnet being used) on the Juniper SRX, and a static route 0.0.0.0/0 next-hop (first IP in routed subnet)  



  • 9.  RE: PPP over Ethernet (PPPoE) with routed subnet

    Posted 01-02-2015 05:53

    Hi,

     

    I have the exact same situation here and I'm only just getting started to learn the SRX device. I even think we share the same provider! I'm replacing my old Draytek router with a Juniper SRX210, but as a newbie I'm struggling to get it configured.

     

    I've done a quick test with a configuration based on your example, but routing the public subnet didn't work yet. I couldn't connect to any of my servers by their public IP addresses. Could it be that labatman was onto something?

     

    Joost



  • 10.  RE: PPP over Ethernet (PPPoE) with routed subnet

    Posted 01-02-2015 08:22

    this is a better routing-options example. no rib-group

     

    routing-options {
        rib inet.0 {
            static {
                /* Default route via the PPPoE session; same as reply 6, without any rib-group */
                route 0.0.0.0/0 {
                    next-hop pp0.0;
                }

           }

       }

    }



  • 11.  RE: PPP over Ethernet (PPPoE) with routed subnet

    Posted 01-02-2015 19:55

    To access the routed subnet when connecting via PPPoE, I have done the following type of configuration:

    Check out comments inline.

     

    Assumptions:

    - Source NAT uses Routed Static IP via pool address

    - Static NAT uses Routed Static IP via pool address via match destination-address

    - Proxy-arp is needed if using more than 1 Static IP from the routed subnet

    - Policy based VPN uses Routed Static IP via ike gateway external-interface lo0.0

    - security-zone Internet (untrust) must have pp0.0 and  lo0.0 in same zone

     

    interfaces {
        /* Physical port towards the ISP; carries only the PPPoE session for pp0.0 */
        ge-0/0/0 {
            unit 0 {
                encapsulation ppp-over-ether;
            }
        }
        /* LAN access port in VLAN "vlan1" (vlan-id 3, see the vlans stanza) */
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        lo0 {
            /* Single Public IP Address from Routed Subnet Y.Y.Y.Y/32 for Policy Based VPN */
            /* The same Y.Y.Y.Y is reused as the source-NAT pool and lies inside the proxy-arp /29 in the security stanza */
    		unit 0 {
                family inet {
                    address Y.Y.Y.Y/32;
                }
            }
        }
        pp0 {
            unit 0 {
                /* apply-macro is an operator-defined tag; its contents are not shown and it has no effect by itself */
                apply-macro Teksavvy;
                ppp-options {
                    pap {
                        /* Placeholders: replace with the ISP-issued PAP credentials */
                        local-name "username@teksavvy.com";
                        /* presumably keeps the user@realm name literal rather than splitting it per RFC 2486 — confirm */
                        no-rfc2486;
                        local-password "password";
                        passive;
                    }
                }
                pppoe-options {
                    underlying-interface ge-0/0/0.0;
                    /* NOTE(review): auto-reconnect is 0 here but 10 in reply 6; confirm whether 0 means immediate or disabled on your release */
                    idle-timeout 0;
                    auto-reconnect 0;
                }                           
                family inet {
                    mtu 1492;
                    /* Address is negotiated with the ISP; the public /32 for VPN lives on lo0.0 instead */
                    negotiate-address;
                }
            }
        }
        vlan {
            /* Internal Private Subnet */
    		unit 1 {
                family inet {
                    address 192.168.100.1/24;
                }
            }
        }
    }
    routing-options {
        static {
            /* Internet Access via pp0.0  */
            /* qualified-next-hop with metric 1 leaves room for a second default route with a different metric */
    		route 0.0.0.0/0 {               
                qualified-next-hop pp0.0 {
                    metric 1;
                }
            }
        }
    }                                  
    security {
        ike {
            /* Debug-level IKE logging to kmd-trace; disable once the tunnel is stable */
            traceoptions {
                file kmd-trace;
                flag all;
            }                   
            proposal VPN_PRO {
                authentication-method pre-shared-keys;
                /* group5 and md5 are legacy choices; prefer sha-256 and group14 or higher when the peer supports them */
                dh-group group5;
                authentication-algorithm md5;
                encryption-algorithm aes-256-cbc;
            }
            policy VPN_POL {
                mode main;
                proposals VPN_PRO;
                /* "password" is a placeholder; use a long random pre-shared key */
                pre-shared-key ascii-text "password"; 
            }
            gateway VPN_GW {
                ike-policy VPN_POL;
                /* Public IP Address of VPN you are connecting to */
    			address X.X.X.X;
    			/* Interface that contains the Public IP from the routed subnet */
                external-interface lo0.0;
            }
        }
        ipsec {
            proposal VPN_PRO {
                protocol esp;
                /* Legacy integrity algorithm; prefer hmac-sha-256-128 when the peer supports it */
                authentication-algorithm hmac-md5-96;
                encryption-algorithm aes-256-cbc;
            }                               
            policy VPN_POL {
                proposals VPN_PRO;
            }
            /* Policy based VPN */
    		vpn VPN_VPN {
                ike {                       
                    gateway VPN_GW;
                    ipsec-policy VPN_POL;
                }
                establish-tunnels on-traffic;
            }
        }
        address-book {
            global {		
                /* 192.168.100.X is a placeholder for the internal host that the static NAT below publishes */
                address InternalService 192.168.100.X/32;			
                address INTERNAL_SM 192.168.100.0/24;
                address VPN_SM 10.10.16.0/20;
            }
        }
        nat {
            source {
                /* Single Public IP Address from Routed Subnet Y.Y.Y.Y/32  */
    			pool POOL-PAT {
                    address {
                        Y.Y.Y.Y/32;
                    }
                }
                rule-set rsSOURCENAT {
                    from zone Internal;
                    to zone Internet;
                    /* rule needed for Policy Based VPN placed above general matching rule rSOURCENAT */
    				rule rNONAT {
                        match {
                            source-address 192.168.100.0/24;
                            destination-address 10.10.16.0/20;
                        }
                        then {
                            source-nat {    
                                off;
                            }
                        }
                    }
                    rule rSOURCENAT {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                /* This forces the Source NAT to use a Single Public IP Address from Routed Subnet */
    							pool {
                                    POOL-PAT;
                                }
                            }
                        }
                    }
                }
            }
            static {
                rule-set rsSTATICNAT {
                    from zone Internet;
                    rule rIP2 {          
                        match {
                            /* This forces the Static NAT to use a 2nd Single Public IP Address from Routed Subnet */
                            /* "Y.Y.Y.Y+1" is shorthand for the second public address; enter the literal address here */
    						destination-address Y.Y.Y.Y+1/32;
                            /* Only HTTP is translated; the matching security policy below should be no wider than this */
                            destination-port junos-http;
                        }
                        then {
                            static-nat {
                                prefix-name {
                                    InternalService;
                                    mapped-port junos-http;
                                }
                            }
                        }
                    }
                }
            }
            /* Proxy-arp needed if using more than 1 Public IP from Routed Subnet */
    		proxy-arp {
                interface pp0.0 {
                    address {
                        Y.Y.Y.Y/29;
                    }
                }
            }
        }
        policies {
            from-zone Internal to-zone Internet {
                /* Must precede the any/any policy below so VPN traffic is tunnelled instead of plainly permitted */
                policy Internal-to-VPN {
                    match {
                        source-address INTERNAL_SM;
                        destination-address VPN_SM;
                        application any;
                    }
                    then {
                        permit {
                            tunnel {        
                                ipsec-vpn VPN_VPN;
                            }
                        }
                    }
                }
                policy All_Internal_Internet {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Internet to-zone Internal {
                policy InternalService-ACCESS {
                    match {
                        source-address any;
                        destination-address InternalService;
                        /* Broader than the static NAT above, which only maps junos-http; narrowing this to junos-http matches the NAT */
                        application any;
                    }                       
                    then {
                        permit;
                    }
                }
                /* NOTE(review): a from-zone Internet policy with the internal host as source looks inverted;
                   traffic arriving from the Internet will not carry InternalService as its source — verify intent */
                policy permit-InternalService {
                    match {
                        source-address InternalService;
                        destination-address any;
                        application junos-http;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone Internal {
                /* Zone-level "all" versus the shorter per-interface list on vlan.1 below; confirm which one governs vlan.1 on your release */
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
                interfaces {
                    vlan.1 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                dhcp;
                                http;
                                https;
                                ssh;
                            }
                        }                   
                    }
                }
            }
            security-zone Internet {
                /* "untrust-screen" is a screen profile defined outside this listing */
                screen untrust-screen;
                /* Only IKE is accepted from the Internet; no management service is exposed on pp0.0 or lo0.0 */
                host-inbound-traffic {
                    system-services {
                        ike;
                    }
                }
    			interfaces {
                    /* pp0.0 is the external interface; its address is negotiated with the ISP (negotiate-address) */
    				pp0.0;
    				/* lo0.0 is external interface with Static IP from Routed subnet for VPN connections */
                    lo0.0;
                }
            }
        }
    }
    vlans {
        /* VLAN 3 on ge-0/0/1 (members vlan1) is routed by vlan.1, the private 192.168.100.1/24 */
        vlan1 {
            vlan-id 3;
            l3-interface vlan.1;
        }
    }