SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

Problem configuring Juniper SRX100 with BT infinity broadband

  • 1.  Problem configuring Juniper SRX100 with BT infinity broadband

    Posted 07-24-2015 15:58

    Hi,

    I'm new to Juniper products and am having problems configuring my new SRX100H2 with BT Infinity broadband. I already searched through the forum and also read at least 20 posts on how to configure this firewall with BT broadband, but am still unable to set it up. Most of the posts I found advise configuring interface fe-0/0/0 with PPPoE, but every time I do that I receive the following:

    command:

    set interfaces fe-0/0/0 unit 0 family inet address xxx

    error:

    "Can't configure protocol family with encapsulation ppp-over-ether"

    Finally I decided to configure the ge-0/0/7 interface, executing the following commands, but to no avail:

    set interfaces ge-0/0/7 unit 0 encapsulation ppp-over-ether
    set interfaces pp0 unit 0 ppp-options chap default-chap-secret xxx
    set interfaces pp0 unit 0 ppp-options chap local-name xxx
    set interfaces pp0 unit 0 ppp-options chap no-rfc2486
    set interfaces pp0 unit 0 ppp-options chap passive

    set interfaces pp0 unit 0 pppoe-options underlying-interface ge-0/0/7.0
    set interfaces pp0 unit 0 pppoe-options idle-timeout 0
    set interfaces pp0 unit 0 pppoe-options auto-reconnect 1
    set interfaces pp0 unit 0 pppoe-options client
    set interfaces pp0 unit 0 family inet mtu 1492

    set interfaces pp0 unit 0 family inet address xxxx

    The statistics after committing the changes are attached.

    Device SRX100H2 OS: Junos 12.1X44-D35.5

    Please assist.

    Also here is the config:

    version 12.1X44-D35.5;
    system {
        host-name xxx;
        time-zone GMT;
        root-authentication {
            encrypted-password "$1$g1LKcA/K$kbS8jSIrtRZsnBtGY5vTp0"; ## SECRET-DATA
        }
        name-server {
            208.67.222.222;
            208.67.220.220;
        }
        name-resolution {
            no-resolve-on-input;
        }
        login {
            user itcode {
                uid 2001;
                class super-user;
                authentication {
                    encrypted-password "$1$x0xUT79Y$zNCiKa8HDkzrNyhCZGs/91"; ## SECRET-DATA
                }
            }
        }
        services {
            ssh;
            telnet;
            web-management {
                http {
                    interface vlan.1;
                }
                https {
                    system-generated-certificate;
                    interface vlan.1;
                }
                session {
                    idle-timeout 60;
                }
            }
            dhcp {
                pool 192.168.1.0/24 {
                    address-range low 192.168.1.2 high 192.168.1.254;
                    router {
                        192.168.1.1;
                    }
                }
                propagate-settings fe-0/0/0;
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        ntp {
            server uk.ntp.pool.org;
        }
    }
    interfaces {
        fe-0/0/0 {
            unit 0 {
                family inet {
                    dhcp;
                }
            }
        }
        fe-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        fe-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        fe-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        fe-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        fe-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        fe-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        fe-0/0/7 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        ge-0/0/7 {
            unit 0 {
                encapsulation ppp-over-ether;
            }
        }
        pp0 {
            unit 0 {
                ppp-options {
                    chap {
                        default-chap-secret "$9$0kUPIESLX-24ZlKX-bwJZ36/CBIrev7db"; ## SECRET-DATA
                        local-name "username";
                        no-rfc2486;
                        passive;
                    }
                }
                pppoe-options {
                    underlying-interface ge-0/0/7.0;
                    idle-timeout 0;
                    auto-reconnect 1;
                    client;
                }
                family inet {
                    mtu 1492;
                    address xxx;
                }
            }
        }
        vlan {
            unit 1 {
                family inet {
                    address 192.168.1.1/24;

    Attachment: statistics.txt


  • 2.  RE: Problem configuring Juniper SRX100 with BT infinity broadband

    Posted 07-25-2015 03:05

    Sorry, the command I'm trying to execute is:

    "set interfaces fe-0/0/0 unit 0 encapsulation ppp-over-ether inet address"

    and receiving the error:

    "Can't configure protocol family with encapsulation ppp-over-ether"

    Why am I unable to configure the fe-0/0/0 interface with encapsulation ppp-over-ether? I've seen many posts instructing to do that:

    https://www.fir3net.com/Firewalls/Juniper/srx-pppoe.html

    http://www.nish.com/2014/08/juniper-srx-config-on-plusnet-fttc-bt-infinity/

    Also, I should have added this to my original post, but I connected the SRX100 directly to the Openreach modem (not using the BT Hub).

    Can anyone tell me what I'm doing wrong please?



  • 3.  RE: Problem configuring Juniper SRX100 with BT infinity broadband
    Best Answer

    Posted 07-26-2015 23:53

    Hello,

    I see that in fe-0/0/0 you already have "family inet dhcp". Delete this part and configure it again:

    # delete interfaces fe-0/0/0

    # set interfaces fe-0/0/0 unit 0 encapsulation ppp-over-ether



  • 4.  RE: Problem configuring Juniper SRX100 with BT infinity broadband

    Posted 07-28-2015 09:00

    Thank you very much! I have been able to configure the fe-0/0/0 interface as PPPoE, but I am still unable to reach the Internet. I can see that the interface is connected and CHAP auth has been successful, but I am unable to ping any name/IP on the Internet. Can you please help?

    Here is my current config, and the troubleshooting data is attached:

    version 12.1X44-D35.5;
    system {
        host-name GKDC;
        time-zone GMT;
        root-authentication {
            encrypted-password "$1$HWhPPood$hMjCAYtSMLQ9VmqX1lq9a1"; ## SECRET-DATA
        }
        name-server {
            194.74.65.68;
            194.72.9.38;
        }
        name-resolution {
            no-resolve-on-input;
        }
        login {
            user itcode {
                uid 2000;
                class super-user;
                authentication {
                    encrypted-password "$1$DR6Tb7XM$kOhN648nxlyVYdrIGOTxj."; ## SECRET-DATA
                }
            }
        }
        services {
            ssh;
            web-management {
                http {
                    interface fe-0/0/1.0;
                }
                https {
                    system-generated-certificate;
                    interface [ fe-0/0/1.0 fe-0/0/0.0 ];
                }
                session {
                    idle-timeout 60;
                }
            }
            dhcp {
                propagate-settings fe-0/0/0;
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        ntp {
            server uk.ntp.pool.org;
        }
    }
    interfaces {
        fe-0/0/0 {
            unit 0 {
                encapsulation ppp-over-ether;
            }
        }
        ge-0/0/0 {
            unit 0 {
                encapsulation ppp-over-ether;
            }
        }
        fe-0/0/1 {
            unit 0 {
                family inet {
                    address 192.168.0.1/24;
                }
            }
        }
        pp0 {
            unit 0 {
                ppp-options {
                    chap {
                        default-chap-secret "$9$FOcU/CpcSeX7VO1SeMWdVk.mfn/0BIrKM"; ## SECRET-DATA
                        local-name "xxx@hg23.btclick.com";
                        no-rfc2486;
                        passive;
                    }
                }
                pppoe-options {
                    underlying-interface fe-0/0/0.0;
                    idle-timeout 0;
                    auto-reconnect 1;
                    client;
                }
                family inet {
                    mtu 1492;
                    address 213.123.xxx.xxx/31;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 {
                next-hop pp0.0;
                metric 0;
            }
        }
    }
    protocols {
        stp;
    }
    security {
        flow {
            tcp-mss {
                all-tcp {
                    mss 1300;
                }
            }
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set nsw_srcnat {
                    from zone trust;
                    to zone Internet;
                    rule nsw-src-interface {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone Internet {
                policy All_trust_Internet {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                interfaces {
                    fe-0/0/1.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                http;
                                https;
                                ssh;
                            }
                        }
                    }
                }
            }
            security-zone Internet {
                interfaces {
                    fe-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                dhcp;
                                ssh;
                            }
                        }
                    }
                }
            }
            security-zone untrust {
                interfaces {
                    pp0.0;
                }
            }
        }
    }

    Attachment: new1.txt


  • 5.  RE: Problem configuring Juniper SRX100 with BT infinity broadband

    Posted 07-28-2015 22:06

    Hello,

    Can you share the output of:

    > show route 4.2.2.2

    > ping 4.2.2.2



  • 6.  RE: Problem configuring Juniper SRX100 with BT infinity broadband

    Posted 07-29-2015 06:24

    itcode@GKDC> show route 4.2.2.2

    inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0          *[Static/5] 00:01:40, metric 1
                        > via pp0.0

    itcode@GKDC> ping 4.2.2.2
    PING 4.2.2.2 (4.2.2.2): 56 data bytes
    64 bytes from 4.2.2.2: icmp_seq=0 ttl=52 time=20.253 ms
    64 bytes from 4.2.2.2: icmp_seq=1 ttl=52 time=20.483 ms
    64 bytes from 4.2.2.2: icmp_seq=2 ttl=52 time=20.111 ms
    64 bytes from 4.2.2.2: icmp_seq=3 ttl=52 time=20.777 ms
    64 bytes from 4.2.2.2: icmp_seq=4 ttl=52 time=20.020 ms
    64 bytes from 4.2.2.2: icmp_seq=5 ttl=52 time=20.305 ms
    64 bytes from 4.2.2.2: icmp_seq=6 ttl=52 time=20.251 ms
    64 bytes from 4.2.2.2: icmp_seq=7 ttl=52 time=20.460 ms
    ^C
    --- 4.2.2.2 ping statistics ---
    8 packets transmitted, 8 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 20.020/20.333/20.777/0.223 ms



  • 7.  RE: Problem configuring Juniper SRX100 with BT infinity broadband

    Posted 07-29-2015 22:20

    Hello,

    So Internet connectivity from the SRX is fine. Now we need to check that the policy from the trust network to the WAN is correct and that we have source NAT for the Internet traffic.

    Please confirm.



  • 8.  RE: Problem configuring Juniper SRX100 with BT infinity broadband

    Posted 07-30-2015 09:33

    Hi Sam,

    Thanks for all your help so far. I was going to configure the Internet connection first and wasn't paying attention to NAT and policies, as I was frustrated with not being able to establish an Internet connection.

    It is quite strange though, as I can ping some addresses from the SRX but others are not responding. Also, I can ping Google's IP address, but when pinging 'www.google.com' by name I'm receiving the following:

    ping: sendmsg: No route to host
    ping6: wrote www.google.com 16 chars, ret=-1
    ping: sendmsg: No route to host
    ping6: wrote www.google.com 16 chars, ret=-1
    ping: sendmsg: No route to host

    At first I thought it was a DNS issue, but after changing the DNS addresses the issue persists.

    Well, I'll back up the config and try to reconfigure NAT and policies using the wizard and see how it goes.

     

     



  • 9.  RE: Problem configuring Juniper SRX100 with BT infinity broadband

    Posted 07-30-2015 15:38

    Ok, I added NAT and policies. Here is the config:

    nat {
            source {
                rule-set nsw_srcnat {
                    from zone trust;
                    to zone Internet;
                    rule nsw-src-interface {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone Internet to-zone trust {
                policy policy_startup_rvpn_trust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit {
                            tunnel {
                                ipsec-vpn startup_rvpn;
                            }
                        }
                    }
                }
                policy POL-Internet_to_trust {
                    match {
                        source-address any;
                        destination-address any;
                        application [ junos-smtp junos-pptp junos-imap junos-pop3 junos-http junos-https ];
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone Internet {
                policy POL-trust_to_Internet {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                interfaces {
                    vlan.1 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                http;
                                https;
                                ssh;
                            }
                        }
                    }
                }
            }
            security-zone Internet {
                interfaces {
                    fe-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                dhcp;
                                https;
                                ssh;
                                ike;
                            }
                        }
                    }
                }
            }
            security-zone untrust;
            security-zone internet {
                interfaces {
                    pp0.0;

     

    I'll test tomorrow. In the meantime, can you please have a look and let me know if that looks ok please?

    Thanks.



  • 10.  RE: Problem configuring Juniper SRX100 with BT infinity broadband

    Posted 07-30-2015 16:03

    I'm not gonna leave port 80 open but this is just testing configuration.



  • 11.  RE: Problem configuring Juniper SRX100 with BT infinity broadband

    Posted 07-30-2015 18:39

    Two things I noticed, without looking at the rest of the config in total: you are sending all your traffic to a VPN tunnel, however I do not see any VPN configuration. So I would remove that configuration or place it at the bottom, and establish general connectivity first. I also thought you should add junos-ping.

    policies {
            from-zone Internet to-zone trust {
                policy policy_startup_rvpn_trust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit {
                            tunnel {
                                ipsec-vpn startup_rvpn;
                            }
                        }
                    }
                }
                policy POL-Internet_to_trust {
                    match {
                        source-address any;
                        destination-address any;
                        application [ junos-smtp junos-pptp junos-imap junos-pop3 junos-http junos-https junos-ping ];
                    }
                    then {
                        permit

    You will also need one of these:

      from-zone trust to-zone trust {
                policy POL-trust_to_trust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;



  • 12.  RE: Problem configuring Juniper SRX100 with BT infinity broadband

    Posted 07-30-2015 22:22

    Hello,

    As per the configuration, traffic from trust to Internet does not have the VPN configuration in the security policy, so that should be fine. This will impact only traffic coming from Internet to trust.

    Now the second point that "" pointed out is valid, since ICMP has to match the policy on both sides for ping to work, so ICMP should be allowed.

    Now the rest of the NAT and policy looks fine. This setup should ideally work unless there is some serious problem with the ISP. As mentioned, you have DNS set up correctly in the SRX; are we using external DNS or internal?

    Try using the global DNS (4.2.2.2) or Google DNS (8.8.8.8) and test the same setup. When you try to ping "www.google.com", sometimes what happens is that Google uses an IPv6 DNS query first over IPv4, and there is a possibility that it gets blocked somewhere, so try some different sites also and let us know. And make sure that you have not enabled IPv6.

    > show security flow status



  • 13.  RE: Problem configuring Juniper SRX100 with BT infinity broadband

    Posted 07-31-2015 00:11

    It is the first policy matching all incoming traffic. So it is basically blackholing all incoming traffic from the Internet.



  • 14.  RE: Problem configuring Juniper SRX100 with BT infinity broadband

    Posted 08-04-2015 14:00

    I didn't have a chance to test the config yet. I'll be back from holidays next week. Will keep you guys posted. Thanks again!



  • 15.  RE: Problem configuring Juniper SRX100 with BT infinity broadband

    Posted 08-17-2015 11:01

    Hi guys,

    I have added junos-ping as you advised. In regards to the VPN tunnel, it isn't my intention to send all the traffic to the VPN tunnel. I just want to be able to access our server remotely via VPN by manually establishing a PPTP VPN connection while working away from the office.

    I tested the config but I am still unable to browse the Internet or ping any host on the Internet using its name.

    Again, the Internet connection seems to be up, but I am unable to access the Internet from a laptop directly connected to the eth0/1 interface.

    I also tried changing DNS to 4.2.2.2 and 8.8.8.8 as joses suggested, to no avail (this has been changed back to the BT DNS servers).

    I've attached my current (full) config and troubleshooting. Please help!

    Attachments: GKDC-SRX100.txt, newer.txt


  • 16.  RE: Problem configuring Juniper SRX100 with BT infinity broadband

    Posted 08-18-2015 05:55

    Hello,

    I think the issue is that when you try to ping "www.google.com", the DNS request sends an IPv6 request before the IPv4 A records. I have seen this issue when you try to ping Google servers, since they are way advanced and started using IPv6 globally.

    To check this in the SRX, try:

    > ping www.google.com inet

    This will only do DNS for the IPv4 address, and hopefully this will work. If this also does not work, please put traceoptions on or get the session information when you try to browse the Internet from a specific host:

    > show security flow session source-prefix <client IP>



  • 17.  RE: Problem configuring Juniper SRX100 with BT infinity broadband

    Posted 08-18-2015 16:00

    Hi Sam, the problem is not only that I can't ping these addresses from the SRX, but I am also unable to access any websites from the laptop which is directly connected to the eth0/1 interface on the SRX. I have configured the laptop's network interface with a 192.168.0.x address and managed to access and ping the SRX, however the network icon shows that the connection is limited and I am unable to access any website from the laptop. If the IPv6 addressing was the problem then I would be able to access websites that use IPv4 addresses, but I can't browse the Internet at all. Also, if it was the IPv6 issue then the network icon on my laptop would show that the connection to the Internet has been established, which isn't the case. I will try your troubleshooting steps anyway and will upload the results tomorrow.



  • 18.  RE: Problem configuring Juniper SRX100 with BT infinity broadband

    Posted 08-18-2015 16:37

    You have zone "internet" associated with pp0.0, and "Internet" associated with fe-0/0/0.0. You're NATting to "Internet". But I don't think that has an IP to NAT with; the IP is associated with pp0.0.

    I think if you associate zone "Internet" with pp0.0, it will work. I'd also get rid of the "internet" and "untrust" zones, since they just add confusion.

    But, I may be wrong.
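    The two root causes in this thread, the protocol family sitting on the ppp-over-ether unit (post 3) and the interface NAT pointing at a zone whose only interface has no address because the addressed pp0.0 ended up in a second, case-variant zone (this post), are both visible in the configuration before anything is committed. The script below is an added example written for this page, not Juniper's code and not the poster's: it lints set-format output (what `show configuration | display set` produces) for those two mistakes, for zone names that differ only by case, and, as an extra hardening check of my own, for management services opened on the zone that NAT treats as the WAN. The two configurations inside it are constructed samples modelled on the posted one with placeholder addresses, one reproducing the problems and one with the thread's fixes applied.

```python
"""Lint a Junos 'set'-format config for the mistakes diagnosed in this thread.
Example code written for this page, not Juniper's; it understands only the few
statement shapes used below (feed it 'show configuration | display set')."""
from collections import defaultdict

# Constructed sample modelled on the posted config (placeholder addresses). It
# has 'family inet' on the ppp-over-ether unit, zones 'Internet' and 'internet',
# NAT to a zone whose only interface has no address, and ssh open on the WAN.
BROKEN = """
set interfaces fe-0/0/0 unit 0 family inet dhcp
set interfaces fe-0/0/0 unit 0 encapsulation ppp-over-ether
set interfaces fe-0/0/1 unit 0 family inet address 192.168.0.1/24
set interfaces pp0 unit 0 pppoe-options underlying-interface fe-0/0/0.0
set interfaces pp0 unit 0 family inet address 203.0.113.1/31
set security nat source rule-set nsw_srcnat from zone trust
set security nat source rule-set nsw_srcnat to zone Internet
set security nat source rule-set nsw_srcnat rule nsw-src-interface then source-nat interface
set security zones security-zone trust interfaces fe-0/0/1.0
set security zones security-zone Internet interfaces fe-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone internet interfaces pp0.0
"""

# Same setup with the thread's fixes: no family on fe-0/0/0.0, a single zone
# holding pp0.0 (the addressed interface NAT translates to), no ssh from WAN.
FIXED = """
set interfaces fe-0/0/0 unit 0 encapsulation ppp-over-ether
set interfaces fe-0/0/1 unit 0 family inet address 192.168.0.1/24
set interfaces pp0 unit 0 pppoe-options underlying-interface fe-0/0/0.0
set interfaces pp0 unit 0 family inet address 203.0.113.1/31
set security nat source rule-set nsw_srcnat from zone trust
set security nat source rule-set nsw_srcnat to zone Internet
set security nat source rule-set nsw_srcnat rule nsw-src-interface then source-nat interface
set security zones security-zone trust interfaces fe-0/0/1.0
set security zones security-zone Internet interfaces fe-0/0/0.0
set security zones security-zone Internet interfaces pp0.0 host-inbound-traffic system-services ping
"""

MGMT_SERVICES = {"ssh", "telnet", "http", "https", "netconf"}


def parse_set_config(text):
    """Reduce the statements we care about to a small dict model."""
    m = {
        "families": defaultdict(set),       # logical iface -> {"inet", ...}
        "addressed": set(),                 # logical ifaces with an inet address
        "encap": {},                        # logical iface -> encapsulation
        "zone_ifaces": defaultdict(set),    # zone -> {logical ifaces}
        "zone_services": defaultdict(set),  # zone -> {host-inbound system-services}
        "nat_to_zone": {},                  # source NAT rule-set -> to-zone
    }
    for raw in text.splitlines():
        t = raw.split()
        if len(t) < 6 or t[0] != "set":
            continue
        if t[1] == "interfaces" and t[3] == "unit":
            ifl, rest = f"{t[2]}.{t[4]}", t[5:]
            if rest[0] == "family" and len(rest) > 1:
                m["families"][ifl].add(rest[1])
                # a static address or a PPP-negotiated one both count as addressed
                if rest[1] == "inet" and {"address", "negotiate-address"} & set(rest[2:]):
                    m["addressed"].add(ifl)
            elif rest[0] == "encapsulation" and len(rest) > 1:
                m["encap"][ifl] = rest[1]
        elif t[1:4] == ["security", "zones", "security-zone"] and t[5] == "interfaces" and len(t) > 6:
            m["zone_ifaces"][t[4]].add(t[6])
            if t[7:9] == ["host-inbound-traffic", "system-services"] and len(t) > 9:
                m["zone_services"][t[4]].add(t[9])
        elif t[1:5] == ["security", "nat", "source", "rule-set"] and t[6:8] == ["to", "zone"] and len(t) > 8:
            m["nat_to_zone"][t[5]] = t[8]
    return m


def find_problems(m):
    """Return human-readable findings; an empty list means the model is clean."""
    found = []
    # 1. Junos rejects a protocol family on a unit carrying ppp-over-ether
    #    encapsulation (the error the thread opens with); family inet goes on pp0.N.
    for ifl, encap in m["encap"].items():
        if encap == "ppp-over-ether" and m["families"].get(ifl):
            found.append(f"{ifl}: family configured with encapsulation ppp-over-ether; move it to the pp0 unit")
    # 2. Zone names are case-sensitive, so 'Internet' and 'internet' are two zones.
    by_lower = defaultdict(list)
    for zone in m["zone_ifaces"]:
        by_lower[zone.lower()].append(zone)
    for names in by_lower.values():
        if len(names) > 1:
            found.append("zone names differ only by case: " + ", ".join(sorted(names)))
    # 3. Interface source NAT uses the egress interface's address, so the
    #    'to zone' must hold an interface that has one (pp0.0 here, not fe-0/0/0.0).
    for rs, zone in m["nat_to_zone"].items():
        if not m["zone_ifaces"].get(zone, set()) & m["addressed"]:
            found.append(f"rule-set {rs}: to-zone {zone} has no addressed interface")
    # 4. Hardening: management services opened on the zone NAT treats as the WAN.
    for zone in set(m["nat_to_zone"].values()):
        exposed = m["zone_services"].get(zone, set()) & MGMT_SERVICES
        if exposed:
            found.append(f"zone {zone}: {sorted(exposed)} reachable from the Internet")
    return found


def lint(text):
    return find_problems(parse_set_config(text))
```

    Run `lint(BROKEN)` to get four findings and `lint(FIXED)` to get none. The parser deliberately models only the statement shapes it needs; a real configuration has many more, and anything it does not recognise is ignored rather than flagged, so a clean result means "none of these four mistakes", not "the config is correct".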



  • 19.  RE: Problem configuring Juniper SRX100 with BT infinity broadband

    Posted 08-18-2015 23:16

    And I just saw Mike's answer.

    Sorry, been really busy. Just had a chance to look at the config. Here is what I see so far and what you should do. The ping test tells you why. The SRX has no route to the Internet. Can you use an IP address of the connected interface instead of the pp0 interface for the next-hop?
    delete security zones security-zone untrust
    delete security zones security-zone internet
    set security zones security-zone Internet interfaces pp0.0 (and then add the desired inbound services and protocols)

    What happened after you were able to ping 4.2.2.2? At that point you should have tried to access Google by its IP address to eliminate or include DNS as the problem.



  • 20.  RE: Problem configuring Juniper SRX100 with BT infinity broadband

    Posted 08-20-2015 06:23

    I applied the settings as you advised. I have removed the 'untrust' and 'internet' zones (I wasn't aware that zone names are case-sensitive when I was creating them, and created 'Internet' and 'internet' zones but thought that this was the same zone; thanks to Mike.S for pointing this out). I then added the pp0.0 interface back to the Internet zone and configured services and protocols as per lyndidon's suggestion.
    I took the SRX on site and connected it; the result was the same as before, so I started troubleshooting by pinging google.com and yahoo.com by their names from the SRX but was receiving 'No route to host' replies. I then tried by the IP addresses and the IP addresses were responding OK. I then tried joses' suggestion and pinged google.com using the IPv4 address and that worked, but I didn't know how to resolve that anyway (IPv6 was disabled on my laptop). I also tried accessing websites using their IP addresses, to no avail. I then connected the rest of the network (also the DNS/DHCP server) to the SRX and voila, I am now able to browse the web.

    Conclusion:
    It was a combination of two things:
    1. When I was pinging google.com and yahoo.com by their names from the SRX they were using IPv6 addresses, that's why they weren't responding (as joses pointed out).
    2. I had my laptop's interface configured with the DNS address pointing to the SRX's internal interface (192.168.0.1) and (I think) that was causing problems. After I connected the main switch to the SRX and changed my laptop's interface to obtain the IP address from the local DHCP, I was able to browse the web.

    Also, even now (with the Internet working) I am unable to ping www.google.com and www.yahoo.com from the SRX, not sure why.

    Anyway, I will still have to add some policies, but I think I'll be okay now. The Internet connection was my biggest concern and joses was the one who helped me resolve that. I think that the Internet connection was working since joses suggested how to configure the fe-0/0/0 interface with PPPoE, but I had some DNS-related issues on the laptop I was testing from. DOH!

    Thank you all for replying to my questions, but the final point goes to joses as he replied to my original query explaining how to add PPPoE to the fe0.0 interface. Thank you!