SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
SRX210 using Netgear WNDR3800 N600 as a wireless access point

  • 1.  SRX210 using Netgear WNDR3800 N600 as a wireless access point

    Posted 05-24-2015 22:59

    I have been trying to set up my SRX210 with a Netgear WNDR3800 N600 as a wireless access point. I need help and cannot find any examples of using a Netgear wireless router set up as an access point with an SRX. I have seen some articles on the AX411 setup.

    My issue is that when I plug my Netgear in to my SRX210, the SRX210 ends up closing off the ports somehow and nothing gets sent through the port to the device. No client can get a DHCP response from my SRX210 due to some kind of conflict. When I remove the Netgear and restart the SRX210 everything works as normal.

    Can anyone explain how to set up the Netgear WNDR3800 N600 as a wireless access point on my SRX210?

    I read this article http://rtoodtoo.net/srx-ax411-access-point-configuration/ so I have an understanding of the AX411, but this might not apply to my needs. I wish I had prior experience in configuring an SRX210 with a wireless access point but I do not.

    Thank you for any assistance.



  • 2.  RE: SRX210 using Netgear WNDR3800 N600 as a wireless access point

    Posted 05-25-2015 06:17

    Looking at the Netgear support manual, it looks like this is a full wireless router, not just an access point.

    So when you connect the external interface to the SRX it will need to be in a port with DHCP active to give the Netgear an address. Or you will need to configure a static address in whatever subnet is active on that SRX port. This will also require that DNS servers are provided via the DHCP configuration to the Netgear.

    Assuming you connect to the trust zone port with active DHCP the Netgear should come up normally. Unless your SRX is using 192.168.1.0/24 as this LAN, which seems to be the default that the Netgear is using. If these are the same you will need to manually change this on one of them.



  • 3.  RE: SRX210 using Netgear WNDR3800 N600 as a wireless access point

    Posted 05-25-2015 11:47

    I did connect it to a port with DHCP enabled. The router does show up in the DHCP binding list. Wireless connections to the Netgear device do work and get correct IP addresses. However, I still get the problem with other devices connected to other ports not being able to contact the DHCP service. The Netgear device is on the trust zone port.

    You are correct about:

    @spuluka wrote:

    Unless your SRX is using 192.168.1.0/24 as this LAN which seems to be the default that the Netgear is using. If these are the same you will need to manually change this on one of them.

    I am not sure what needs to be done when the device is on the default 192.168.1.0/24 LAN.

    If I have to create another DHCP pool specifically for the Netgear, I am not sure how to do that.

    Let's say I use J-Web (I can use the console as well). Would I go into the DHCP pools and add another pool with another IP range on the same subnet for the Netgear?

    The Netgear is just working as a wireless access point (supposedly with no DHCP service running). The SRX is running as a DHCP server on the default 192.168.1.0/24.



  • 4.  RE: SRX210 using Netgear WNDR3800 N600 as a wireless access point

    Posted 05-26-2015 03:39

    You won't be able to have the same subnet 192.168.1.0/24 on both devices.  You'll need to pick one device and change the subnet to something else.



  • 5.  RE: SRX210 using Netgear WNDR3800 N600 as a wireless access point

    Posted 05-27-2015 16:36

    Ok, thank you for that information.

    I purchased the AX-411. I was reviewing the installations in the knowledge base. Would the Netgear need to be set up the same way?

    J-Web

    Select Configure > Wireless LAN > Settings

    Then set all configuration settings for the Netgear? Or is this only for the AX-411?



  • 6.  RE: SRX210 using Netgear WNDR3800 N600 as a wireless access point

    Posted 05-27-2015 17:08

    Those menu options are only for the AX-411 configuration.  The SRX has no way to control other manufacturer settings.



  • 7.  RE: SRX210 using Netgear WNDR3800 N600 as a wireless access point

    Posted 05-27-2015 17:16

    Ok.

    So should I follow this KB example then for multiple VLANs?

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB21909&smlogin=true



  • 8.  RE: SRX210 using Netgear WNDR3800 N600 as a wireless access point

    Posted 05-28-2015 03:45

    That KB shows how to create multiple DHCP servers on the SRX.

    I think the place you want to start with the AX411 is this document, which outlines your various deployment options and provides setup instructions for each one.

    http://www.juniper.net/us/en/local/pdf/app-notes/3500173-en.pdf



  • 9.  RE: SRX210 using Netgear WNDR3800 N600 as a wireless access point

    Posted 05-28-2015 17:36

    Ok, I have that document as well.

    It looks like with the Netgear WNDR3800 I need L3 Management Mode so I can have it on a separate subnet. Am I correct?

    When reviewing the AX-411 (which seems very user friendly) I can use L2 Management Mode and not run into the same conflict I was having with the Netgear (needs to be on a separate subnet). Would that be correct? I found the J-Web setup for the AX-411 as well.

    They don't show wired clients attached to the SRX box in the diagrams. They only show examples using 3 wireless AX-411s. Looking at the L2 Management Mode, all 3 are working off the same subnet on vlan2. This is where I am lost and just assuming based on what you told me regarding my requirement for a different subnet using the Netgear WNDR3800.



  • 10.  RE: SRX210 using Netgear WNDR3800 N600 as a wireless access point

    Posted 05-29-2015 02:32

    The management modes will only apply to the AX411, which can be managed by the SRX.

    Your wired clients can attach directly to other available ports on the trust VLAN or to a switch connected to the trust VLAN.

    The issue with the Netgear subnet is that both Netgear interfaces, the LAN and the WAN, were being assigned to the same subnet when you connect this to trust. This will not work for the layer 3 routing. These two interfaces have to be different.



  • 11.  RE: SRX210 using Netgear WNDR3800 N600 as a wireless access point

    Posted 05-30-2015 02:04

    I was able to get the AX-411 set up but I am not able to get anything on the internet. All clients are getting DHCP information through it.

    DNS:

    192.168.1.0/24

    192.168.2.0/24

    Here is my configuration file:

    ## Last changed: 2015-05-30 04:51:41 EDT
    version 12.1X44.3;
    system {
        host-name JuniperSRX;
        time-zone EST;
        root-authentication {
            encrypted-password "lkjelfjalfjkasdlfjsldfjsdkl.";
        }
        name-server {
            123.44.125.456;
            123.44.123.456;
        }
        name-resolution {
            no-resolve-on-input;
        }
        login {
            user Supadeuser {
                uid 2000;
                class super-user;
                authentication {
                    encrypted-password "dlkjfdklsjfalsdjfsdkljfsd.";
                }
            }
        }
        services {
            ssh;
            telnet;
            web-management {
                http {
                    interface vlan.1;
                }
                https {
                    system-generated-certificate;
                    interface vlan.1;
                }
                session {
                    idle-timeout 60;
                }
            }
            dhcp {
                pool 192.168.1.0/24 {
                    address-range low 192.168.1.2 high 192.168.1.254;
                    router {
                        192.168.1.1;
                    }
                }
                pool 192.168.2.0/24 {
                    address-range low 192.168.2.2 high 192.168.2.254;
                    router {
                        192.168.2.1;
                    }
                }
                static-binding 00:1d:60:00:19:05 {
                    fixed-address {
                        192.168.1.200;
                    }
                    router {
                        192.168.1.1;
                    }
                }
                propagate-settings ge-0/0/0;
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        ntp {
            server us.ntp.pool.org;
            server 0.openwrt.pool.ntp.org prefer;
            server 1.openwrt.pool.ntp.org;
            server 2.openwrt.pool.ntp.org;
            server 3.openwrt.pool.ntp.org;
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    dhcp;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        fe-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        fe-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        fe-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        fe-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        fe-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        fe-0/0/7 {
            unit 0 {
                family inet {
                    address 192.168.2.1/24;
                }
            }
        }
        vlan {
            unit 1 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
        }
    }
    protocols {
        stp;
    }
    security {
        ike {
            policy ike_pol_wizard_dyn_vpn {
                mode aggressive;
                proposal-set compatible;
                pre-shared-key ascii-text "sldkjfklsdajflksdjflksdjflksdjflsdjkf";
            }
            gateway gw_wizard_dyn_vpn {
                ike-policy ike_pol_wizard_dyn_vpn;
                dynamic {
                    hostname JuniperSRX;
                    connections-limit 50;
                    ike-user-type group-ike-id;
                }
                external-interface ge-0/0/0.0;
                xauth access-profile remote_access_profile;
            }
        }
        ipsec {
            policy ipsec_pol_wizard_dyn_vpn {
                proposal-set compatible;
            }
            vpn wizard_dyn_vpn {
                ike {
                    gateway gw_wizard_dyn_vpn;
                    ipsec-policy ipsec_pol_wizard_dyn_vpn;
                }
            }
        }
        dynamic-vpn {
            access-profile remote_access_profile;
            clients {
                wizard-dyn-group {
                    remote-protected-resources {
                        192.168.1.0/24;
                    }
                    ipsec-vpn wizard_dyn_vpn;
                    user {
                        vpnusernamehere;
                    }
                }
            }
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set nsw_srcnat {
                    from zone Internal;
                    to zone Internet;
                    rule nsw-src-interface {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone Internal to-zone Internet {
                policy All_Internal_Internet {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Internet to-zone Internal {
                policy policy_in_wizard_dyn_vpn {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit {
                            tunnel {
                                ipsec-vpn wizard_dyn_vpn;
                            }
                        }
                    }
                }
            }
            from-zone WifiNet to-zone WifiNet {
                policy permit-egress-traffic {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone WifiNet to-zone Internet {
                policy allow-internet-access {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone Internal {
                interfaces {
                    vlan.1 {
                        host-inbound-traffic {
                            system-services {
                                all;
                                http;
                                https;
                                ssh;
                                telnet;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone Internet {
                screen untrust-screen;
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                ike;
                                https;
                                ping;
                            }
                        }
                    }
                }
            }
            security-zone WifiNet {
                interfaces {
                    fe-0/0/7.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                http;
                                https;
                                ping;
                            }
                        }
                    }
                }
            }
        }
    }
    access {
        profile remote_access_profile {
            client remoteaccessuser {
                firewall-user {
                    password "sdlkjfsdklfjaklsdfjsdklfjsdklfjsd";
                }
            }
            address-assignment {
                pool dyn-vpn-address-pool;
            }
        }
        address-assignment {
            pool dyn-vpn-address-pool {
                family inet {
                    network 10.10.10.0/24;
                }
            }
        }
        firewall-authentication {
            web-authentication {
                default-profile remote_access_profile;
            }
        }
    }
    wlan {
        access-point AP-1 {
            mac-address 2c:6b:f5:11:87:80;
            access-point-options {
                country {
                    US;
                }
            }
            radio 1 {
                virtual-access-point 0 {
                    ssid WifiNet;
                    security {
                        none;
                    }
                }
            }
            radio 2 {
                virtual-access-point 0 {
                    ssid WifiNet;
                    security {
                        none;
                    }
                }
            }
        }
    }
    vlans {
        vlan1 {
            vlan-id 3;
            l3-interface vlan.1;
        }
    }

    I can't figure out why I would not have internet access but I get all the DHCP settings.

    I followed this guide: http://www.juniper.net/us/en/local/pdf/app-notes/3500173-en.pdf



  • 12.  RE: SRX210 using Netgear WNDR3800 N600 as a wireless access point
    Best Answer

    Posted 05-30-2015 06:10

    From the configuration it looks like you are missing source NAT for the WiFi zone. You need to add this rule:

    nat {
        source {
            rule-set WifiNet {
                from zone WifiNet;
                to zone Internet;
                rule nsw-src-interface {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
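As an added example (not from this thread or from Juniper), a small Python check for the gap the accepted answer found: a zone that a security policy permits towards the Internet zone but that has no zone-based source NAT rule-set towards it. It assumes the configuration is in "set" form with one zone per from/to line; the excerpt below is constructed to mirror the configuration posted above.

```python
import re
from typing import List, Set, Tuple

# Constructed "set"-format excerpt of the posted configuration before the fix:
# WifiNet is permitted to Internet by policy, but only Internal has a source
# NAT rule-set towards Internet.
CONFIG_BEFORE = """
set security nat source rule-set nsw_srcnat from zone Internal
set security nat source rule-set nsw_srcnat to zone Internet
set security nat source rule-set nsw_srcnat rule nsw-src-interface then source-nat interface
set security policies from-zone Internal to-zone Internet policy All_Internal_Internet then permit
set security policies from-zone WifiNet to-zone WifiNet policy permit-egress-traffic then permit
set security policies from-zone WifiNet to-zone Internet policy allow-internet-access then permit
"""

# The rule-set the accepted answer adds, in the same "set" form.
CONFIG_FIX = """
set security nat source rule-set WifiNet from zone WifiNet
set security nat source rule-set WifiNet to zone Internet
set security nat source rule-set WifiNet rule nsw-src-interface then source-nat interface
"""

POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy \S+ then permit\b")
NAT_FROM_RE = re.compile(r"^set security nat source rule-set (\S+) from zone (\S+)$")
NAT_TO_RE = re.compile(r"^set security nat source rule-set (\S+) to zone (\S+)$")


def permitted_zone_pairs(config: str) -> Set[Tuple[str, str]]:
    """(from-zone, to-zone) pairs that have at least one permit policy."""
    pairs = set()
    for line in config.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            pairs.add((m.group(1), m.group(2)))
    return pairs


def source_nat_zone_pairs(config: str) -> Set[Tuple[str, str]]:
    """(from-zone, to-zone) pairs covered by a zone-based source NAT rule-set.
    A rule-set may name several from/to zones; every combination is covered."""
    from_zones, to_zones = {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        m = NAT_FROM_RE.match(line)
        if m:
            from_zones.setdefault(m.group(1), set()).add(m.group(2))
        m = NAT_TO_RE.match(line)
        if m:
            to_zones.setdefault(m.group(1), set()).add(m.group(2))
    return {(f, t) for rs in from_zones.keys() & to_zones.keys()
            for f in from_zones[rs] for t in to_zones[rs]}


def zones_missing_source_nat(config: str, internet_zone: str = "Internet") -> List[str]:
    """Zones with a permit policy towards internet_zone but no source NAT
    rule-set from them to internet_zone. Their traffic leaves with a private
    source address, so replies from the internet never come back."""
    permitted = {f for f, t in permitted_zone_pairs(config)
                 if t == internet_zone and f != internet_zone}
    natted = {f for f, t in source_nat_zone_pairs(config) if t == internet_zone}
    return sorted(permitted - natted)


if __name__ == "__main__":
    print("missing before fix:", zones_missing_source_nat(CONFIG_BEFORE))
    print("missing after fix: ", zones_missing_source_nat(CONFIG_BEFORE + CONFIG_FIX))
```

The check only looks at zone pairs; it does not verify that the rule inside the rule-set actually matches the traffic (here 0.0.0.0/0 to 0.0.0.0/0, so it does).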


  • 13.  RE: SRX210 using Netgear WNDR3800 N600 as a wireless access point

    Posted 06-06-2015 22:56

    Thank you so much for your help. I spent some time making sure everything was working correctly and it is.

    I have begun setting up IDP. The attack objects and policy templates are installed. Here is the security policy:

    --- JUNOS 12.1X44-D20.3 built 2013-07-19 03:52:31 UTC
    from-zone Internet to-zone Internal {
        policy policy_in_wizard_dyn_vpn {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit {
                    tunnel {
                        ipsec-vpn wizard_dyn_vpn;
                    }
                    application-services {
                        idp;
                    }
                }
                log {
                    session-close;
                }
            }
        }
    }
    @JuniperSRX>

    My hope is that the incoming traffic from the internet can have the VPN and the IDP working on the same security policy. Is this ok or am I missing traffic?

    I am using the default template called "Recommended" and it is active.

    JuniperSRX> show security idp status
    State of IDP: Default,  Up since: 2015-05-31 18:34:20 EDT (6d 06:58 ago)
    
    Packets/second: 1               Peak: 559 @ 2015-06-06 22:54:20 EDT
    KBits/second  : 1               Peak: 265 @ 2015-06-06 22:50:35 EDT
    Latency (microseconds): [min: 0] [max: 0] [avg: 0]
    
    Packet Statistics:
     [ICMP: 0] [TCP: 2359] [UDP: 85] [Other: 0]
    
    Flow Statistics:
      ICMP: [Current: 0] [Max: 0 @ 2015-06-06 20:27:16 EDT]
      TCP: [Current: 0] [Max: 36 @ 2015-06-06 22:47:22 EDT]
      UDP: [Current: 0] [Max: 10 @ 2015-06-06 22:44:37 EDT]
      Other: [Current: 0] [Max: 0 @ 2015-06-06 20:27:16 EDT]
    
    Session Statistics:
     [ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]
      Policy Name : Recommended
      Running Detector Version : 12.6.160140822
    
    JuniperSRX>

    I don't understand why I am not catching anything. Maybe I should make another Internet to Internal policy just for IDP?

    Also, I need to block a range of IP addresses and I am not sure how to do that. I was trying the address book as an option, then a firewall setting. The ranges are 183.0.0.0 - 183.63.255.255 and 180.152.0.0 - 180.159.255.255.

    Thank you spuluka!!



  • 14.  RE: SRX210 using Netgear WNDR3800 N600 as a wireless access point

    Posted 06-07-2015 10:29

    I found that using CIDR seems to work for ranges. Here is the calculator I use:

    IP to CIDR

    Am I doing the right thing here to block those IP ranges using this method?



  • 15.  RE: SRX210 using Netgear WNDR3800 N600 as a wireless access point

    Posted 06-08-2015 03:19

    Glad things are coming together for you.

    Yes, you can add IDP to any security policy you need to do deep inspection on, as you are doing.

    For the external blocks of known bad IP addresses you can also use firewall filters on the internet facing interface. This is a common solution for blocking this type of threat. Your other option is to create security policies for these addresses.
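As an added example (not from this thread or from Juniper), the range-to-CIDR step asked about above and the firewall-filter approach suggested here, in one Python script: it summarises the two posted ranges into prefixes and emits Junos "set" commands for a prefix-list, an input filter on the internet-facing interface, and the final accept term that keeps the filter from discarding all other traffic. It generalises to ranges that are not prefix-aligned (they come back as several prefixes). The filter, prefix-list and counter names are assumptions; ge-0/0/0 is the interface the posted configuration uses for the Internet zone.

```python
import ipaddress
from typing import List, Sequence, Tuple

# Constructed input: the two ranges asked about in the thread (start, end).
BLOCKED_RANGES: List[Tuple[str, str]] = [
    ("183.0.0.0", "183.63.255.255"),
    ("180.152.0.0", "180.159.255.255"),
]


def range_to_cidrs(first: str, last: str) -> List[str]:
    """Smallest list of CIDR prefixes that exactly covers first..last.
    Prefix-aligned ranges collapse to one prefix; others need several."""
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError(f"range start {first} is after end {last}")
    return [str(net) for net in ipaddress.summarize_address_range(lo, hi)]


def build_filter_config(ranges: Sequence[Tuple[str, str]],
                        interface: str = "ge-0/0/0",
                        filter_name: str = "block-bad-ranges",
                        prefix_list: str = "bad-ranges") -> List[str]:
    """Junos 'set' commands (names are assumed): a prefix-list of the blocked
    CIDRs, an input filter on the internet-facing interface that counts and
    discards matches, and a final accept term. A Junos filter ends with an
    implicit discard, so without 'allow-rest' everything else on the
    interface, including the DHCP lease it relies on, would be dropped."""
    cmds: List[str] = []
    for first, last in ranges:
        for cidr in range_to_cidrs(first, last):
            cmds.append(f"set policy-options prefix-list {prefix_list} {cidr}")
    base = f"set firewall family inet filter {filter_name}"
    cmds += [
        f"{base} term deny-known-bad from source-prefix-list {prefix_list}",
        f"{base} term deny-known-bad then count {filter_name}-hits",
        f"{base} term deny-known-bad then discard",
        f"{base} term allow-rest then accept",
        f"set interfaces {interface} unit 0 family inet filter input {filter_name}",
    ]
    return cmds


if __name__ == "__main__":
    for cmd in build_filter_config(BLOCKED_RANGES):
        print(cmd)
```

The counter lets you confirm with "show firewall" that the filter is actually matching traffic, which is the same question the poster had about the IDP policy.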