Visitor
bartek@stawoz.pl

SRX210H - dhcp for public pool



Hi

I need to configure an SRX210H (software 10.3) and I have a few huge problems:


1. My provider prepared the following network configuration for me:
network: 193.13.175.64/26
gw: 193.13.175.65

There is no DHCP server.

So, as the network is delivered through fiber, I configured my IP on interface ge-1/0/0 as 193.13.175.66.

Then on interfaces ge-0/0/1 and fe-0/0/2 to fe-0/0/7 I configured a VLAN and a DHCP server for the private network (office), 192.168.2.1.

Up to this point everything is working properly.
Then I need to create a DHCP server for the rest of the public addresses (193.13.175.67 to 193.13.175.126).

This should be available on interface ge-0/0/0 and the IPs should be fully accessible from the Internet. I tried to do it in a few ways:

A. Create a common VLAN (193.13.175.66) for ge-0/0/0 and ge-1/0/0 and add a DHCP pool - no success - I don't see the GW from any subnet (zone untrust).

B. Create an inet address (193.13.175.67) for ge-0/0/0 with a DHCP pool and a new zone "public" - no success - I don't see the GW from any subnet.

Today is the third day of my fight with the SRX and I am very close to surrendering :/

Can anyone help me configure it?

2. For all network clients (mostly Windows 7), getting an IP address from the SRX DHCP takes ages (at least 30 seconds).
Is there any way to speed it up?

Bartek

Juniper Employee
wandererjs

Re: SRX210H - dhcp for public pool

Hi Bartek,

For the goals you provided, your first approach was sound: place ge-1/0/0 (ISP) and ge-0/0/0 (office public Internet) into a common vlan. This allows the SRX to have network connectivity, provides a dirty Internet connection to ge-0/0/0, and provides a DHCP server for those hosts.

Some items to look at:

1) Did you add the 'l3-interface' statement to your vlan configuration to identify the RVI (Routed Virtual Interface) for that vlan?

2) In your security zone configuration, did you allow host-inbound-traffic system-services for bootp, dhcp, and (optionally) ping? Note that for bootp/dhcp services, these must be listed at the interface level, not the zone level, as the SRX needs to know the originating interface.

3) In your DHCP configuration for the public Internet side, what are you setting as the 'router'? Did you set it to the SRX's address, or the ISP's address? As they're all on the same subnet, you will probably want to set this to be the ISP upstream router, as the SRX is just being a DHCP server for the subnet. If you set this to be the SRX, clients will try to reach the Internet by routing in and out of the SRX, which will by default be denied by policy, as even intra-zone traffic (untrust to untrust) needs a policy.

Here is a partial configuration I put together with the addresses you provided. I did not add the NAT for the users, or any security policy for the users, but this ties together the vlans, interfaces, routing, and dhcp server.

Hope it helps,

Joel


joel@chilis220# show 
system {
    services {
        dhcp {
            pool 193.13.175.64/26 {
                address-range low 193.13.175.67 high 193.13.175.126;
                /* Add other name servers here if wanted */
                name-server {
                    4.2.2.2;
                }
                /* Note that gateway is ISP router, not us */
                router {
                    193.13.175.65;
                }
            }
            pool 192.168.2.0/24 {
                address-range low 192.168.2.32 high 192.168.2.254;
                /* You may need to use your real, internal DNS/WINS servers here */
                name-server {
                    4.2.2.2;
                }
                router {
                    192.168.2.1;
                }
            }
        }
    }
}
interfaces {
    vlan {
        unit 5 {
            description "untrusted to ISP";
            family inet {
                address 193.13.175.66/26;
            }
        }
        unit 10 {
            description "Trusted Office segment";
            family inet {
                address 192.168.2.1/24;
            }
        }                               
    }
    ge-1/0/0 {
        description "Physical port to ISP";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members untrust;
                }
            }
        }
    }
    ge-0/0/0 {
        description "Completely dirty Internet connection.";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members untrust;
                }
            }
        }
    }
    fe-0/0/2 {
        description "Office internal";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members trust;
                }
            }
        }
    }
    ge-0/0/1 {
        description "Office internal";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members trust;
                }
            }
        }                               
    }
    fe-0/0/3 {
        description "Office internal";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members trust;
                }
            }
        }
    }
    fe-0/0/4 {
        description "Office internal";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members trust;
                }
            }
        }
    }
    fe-0/0/5 {
        description "Office internal";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members trust;
                }
            }
        }
    }
    fe-0/0/6 {
        description "Office internal";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members trust;
                }
            }
        }                               
    }
    fe-0/0/7 {
        description "Office internal";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members trust;
                }
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 193.13.175.65;
    }
}
security {
    zones {
        security-zone trust {
            interfaces {
                vlan.10 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            dhcp;
                            bootp;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            interfaces {
                vlan.5 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            bootp;
                            ping;       
                        }
                    }
                }
            }
        }
    }
}
vlans {
    trust {
        vlan-id 10;
        l3-interface vlan.10;
    }
    untrust {
        vlan-id 5;
        l3-interface vlan.5;
    }
}
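Joel's partial configuration deliberately leaves out the NAT and the security policy for the office users. The following is an added example, not part of Joel's post, that supplies that missing piece for the 192.168.2.0/24 segment with interface-based source NAT, and also shows the intra-zone untrust-to-untrust policy his point 3 refers to, scoped to the public pool rather than permitting anything from anywhere. The rule-set, policy and address-book names (office-snat, office-hosts, office-out, public-hairpin, public-pool) are my own; the stanzas merge into the security hierarchy of his configuration.

```junos
security {
    /* Added example: office users leave through the SRX's own untrust address (vlan.5) */
    nat {
        source {
            rule-set office-snat {
                from zone trust;
                to zone untrust;
                rule office-hosts {
                    match {
                        source-address 192.168.2.0/24;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        /* Outbound only. Nothing is written from untrust to trust, so the default deny stands. */
        from-zone trust to-zone untrust {
            policy office-out {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* Only needed if the public pool's 'router' were the SRX (193.13.175.66) instead of
           the ISP gateway: client traffic would then enter and leave vlan.5, and intra-zone
           traffic is denied without a policy. Scoped to the pool so it is not an any/any hairpin. */
        from-zone untrust to-zone untrust {
            policy public-hairpin {
                match {
                    source-address public-pool;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone untrust {
            address-book {
                address public-pool 193.13.175.64/26;
            }
        }
    }
}
```

After commit, `show security nat source rule all` and `show security policies` confirm the rules, `show security flow session source-prefix 192.168.2.0/24` shows office sessions with the translated source, and `show system services dhcp binding` lists the leases handed out from both pools. If the public pool keeps the ISP router as 'router', the public-hairpin policy never matches and can be left out.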

 

 

Visitor
bartek@stawoz.pl

Re: SRX210H - dhcp for public pool


Thank you for such a professional response. Now I see where I made errors :).

Anyway, I tried to commit the configuration and I get the following error:

root# commit and-quit
[edit interfaces ge-1/0/0 unit 0]
  'family'
    Ethernet-switching family not allowed on srx210:MPIM Gig-E
error: configuration check-out failed

How can I work around that?


Juniper Employee
wandererjs

Re: SRX210H - dhcp for public pool

Hmmm.

That error unfortunately means exactly what it says. The GigE mini-PIM for the SRX210/220/240 does not support ethernet switching; it's a routed port only.

A quick check of the docs confirms this: ethernet switching is supported only on the on-board ports of the SRX110/210/220/240. http://www.juniper.net/techpubs/en_US/junos11.4/information-products/topic-collections/security/soft...

There are a few options available depending on what your goals are. Can you elaborate on what your goals are for this?

Also, does your ISP provide any options for how they allocate your public IP address space? Usually, ISPs provide a /30 (or /31) point-to-point for their connection to you, and a /26 or /27 (or something small) of public space routed for your use. This is what I see for branch office deployments, but if you're in a SOHO package, they may provide only the option that you described: they provide a /26 subnet which includes their P2P subnet to you. A /26 assignment can work fine with a firewall, as the extra public addresses can be used for DMZ hosts or static NATs where needed, but it is not as flexible in your scenario.

Do you want:

  • A) Users completely on the Internet with no firewall between them at all? This is what we tried to configure (SRX was just an ethernet switch on those two ports), but that card doesn't support it. This would still be possible with an external switch (like the EX2200-C: small, fanless, line-rate gig ports, and supports SFPs. I personally want one :) ), but if you don't need the extra ports, it would be an unnecessary item.
  • B) Users with unrestricted access to the Internet but technically a firewall in between (any any any policy outbound, and any/any/any policy inbound). Users are assigned a private RFC1918 address by the DHCP server and the public /26 is statically NAT'ted to the private range. While the user has unrestricted access to the Internet, and the Internet has unrestricted access to the user (if inbound policy is also any any any), the user would not know what their 'public' IP address is without you telling them or use of a website that tells them. Also, it would be a NAT. Just about everything works through a NAT these days, but I can think of some dumb SIP phones that do not.
  • C) Users with unrestricted access to the Internet, technically a firewall between them, where the user is assigned their public address, and by some configuration with routing-instances, your public /26 seems to exist in two places simultaneously. This is possible, and I'm thinking of several ways to do it, but it would be a more complex configuration.

IMHO, if I was handed the assignment of "provide a dirty Internet connection to users at a branch office", I would go with a variant of option B: provide a vlan that assigns private address space, has an any-any-any permit policy outbound, and save my public addresses for other uses (DMZ hosts, a public IP for the PBX if needed), etc.

Before I would implement option C, I would want to know the technical level of the engineer who supports it when someone calls. Is this a seasoned engineer who is comfortable with routing-instances and NATs? A tier1/tier2 NOC who is familiar with networking but focuses on simple and repeatable across hundreds/thousands of sites? A local resource whose focus is actually sales/Windows admin and is the network person as an additional duty?


Visitor
bartek@stawoz.pl

Re: SRX210H - dhcp for public pool

I knew that wouldn't be easy :). For our situation the best is scenario A or B. We have a small office (no other sites) with about 10 clients who need simple access to the Internet (via RFC1918). Then we have a couple of servers that need a public IP assigned via DHCP (10 physical units + dozens of virtual machines on them). Simple schematic attached. As everything is already set up, the simplest for me would be to make the proper config on the SRX only.

But I have one switch, a Dell PowerConnect 5548 (as I remember). I think there are one or two SFP ports available.

If yes, the simplest would be scenario A.

What do you think?


Juniper Employee
wandererjs

Re: SRX210H - dhcp for public pool

Here is how I would do it: give the server (DMZ) segment a DHCP range that matches the size of the public range, and do a static NAT. For convenience, I kept the last two octets of the DMZ segment the same as the public.

This keeps addressing simple, easy to translate, and provides whatever firewall protection I want to provide to the servers.

A few details that I chose to do:

1) The interface to the public-dmz switch is routed, not switched. As there's only a single interface, using a routed interface avoids any spanning-tree arguments over who is root. We could have put it into a vlan and created an RVI, but if I'm connecting to a switch that I don't manage, I keep the interface routed.

2) The static nat is done in one statement encompassing the entire /26. After I typed the config, I decided that I (personally) may break it out to exclude the SRX's IP address on it. It wouldn't hurt anything, but if your ISP tries to ping you, that ping will get statically natted to the inside address, and you'll need a policy to permit that (if you want).

3) If you haven't written policy to/from NAT'ted addresses before, the simple rule is: security policy is written to the "real" addresses of the hosts. (A difference from ScreenOS.)

4) A keen observer will notice that you could squeeze one more address out of the pool... but I decided against it.

Hope this helps,

Joel


system {
    services {
        dhcp {
            pool 10.0.175.64/26 {
                address-range low 10.0.175.67 high 10.0.175.126;
                /* Add other name servers here if wanted */
                name-server {
                    4.2.2.2;
                }
                router {
                    10.0.175.66;
                }
            }
            pool 10.0.2.0/24 {
                address-range low 10.0.2.32 high 10.0.2.254;
                /* You may need to use your real, internal DNS/WINS servers here */
                name-server {
                    4.2.2.2;
                }
                router {
                    10.0.2.1;
                }
            }
        }
    }
}
interfaces {
    vlan {
        unit 10 {
            description "Trusted Office segment";
            family inet {               
                address 10.0.2.1/24;
            }
        }
    }
    ge-1/0/0 {
        description "Physical port to ISP";
        unit 0 {
            family inet {
                address 193.13.175.66/26;
            }
        }
    }
    fe-0/0/2 {
        description "Office internal";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members trust;
                }
            }
        }
    }
    ge-0/0/1 {
        description "Office internal";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members trust;
                }
            }                           
        }
    }
    fe-0/0/3 {
        description "Office internal";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members trust;
                }
            }
        }
    }
    fe-0/0/4 {
        description "Office internal";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members trust;
                }
            }
        }
    }
    fe-0/0/5 {
        description "Office internal";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members trust;
                }
            }                           
        }
    }
    fe-0/0/6 {
        description "Office internal";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members trust;
                }
            }
        }
    }
    fe-0/0/7 {
        description "Office internal";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members trust;
                }
            }
        }
    }
    ge-0/0/0 {
        description DMZ;
        unit 0 {
            family inet {
                /* We're keeping the subnet size and last two octets the same.  We don't *have* to do this, but it'll be easier for server/network teams to map the public IP address to the NAT'ted */
                address 10.0.175.66/26;
            }                           
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 193.13.175.65;
    }
}
security {
    nat {
        static {
            rule-set public-dmz {
                from zone untrust;
                rule one {
                    match {
                        destination-address 193.13.175.64/26;
                    }
                    then {
                        static-nat prefix 10.0.175.64/26;
                    }
                }
            }
        }
        proxy-arp {
            interface ge-1/0/0.0 {
                address {
                    193.13.175.67/32 to 193.13.175.126/32;
                }
            }
        }                               
    }
    policies {
        from-zone untrust to-zone dmz {
            policy dmz-services {
                match {
                    source-address any;
                    destination-address servers;
                    application [ junos-http junos-https ];
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            interfaces {
                vlan.10 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            dhcp;
                            bootp;
                        }
                    }
                }
            }
        }
        security-zone untrust {         
            interfaces {
                ge-1/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                    }
                }
            }
        }
        security-zone dmz {
            address-book {
                address servers 10.0.175.64/26;
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            dhcp;
                            bootp;
                        }
                    }
                }
            }
        }
    }
}
vlans {
    trust {                             
        vlan-id 10;
        l3-interface vlan.10;
    }
}
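Joel's second point says he would rather break the single /26 static NAT out so the SRX's own 193.13.175.66 is not translated, and his configuration has no policy for the servers' outbound traffic. As an added example (not from Joel's post), this is the split I would commit: the /26 minus .64, .65 (the ISP gateway) and .66 (the SRX's ge-1/0/0) expressed as five prefixes that preserve the host bits, so 193.13.175.x still maps to 10.0.175.x one-to-one, plus a dmz-to-untrust policy. Static NAT is bidirectional, so the servers need no separate source NAT. Rule and policy names are my own; the proxy-arp range from Joel's configuration (.67 to .126) is unchanged.

```junos
security {
    nat {
        static {
            rule-set public-dmz {
                from zone untrust;
                /* 193.13.175.64/26 without .64, .65 (ISP gateway) and .66 (the SRX):
                   .67/32, .68/30, .72/29, .80/28, .96/27.  Each prefix is translated to the
                   same host bits in 10.0.175.0/24, so the mapping stays one-to-one.
                   .127 (the public broadcast) falls inside .96/27 but is never proxy-ARPed,
                   so nothing reaches it. */
                rule srv-67 {
                    match {
                        destination-address 193.13.175.67/32;
                    }
                    then {
                        static-nat prefix 10.0.175.67/32;
                    }
                }
                rule srv-68-71 {
                    match {
                        destination-address 193.13.175.68/30;
                    }
                    then {
                        static-nat prefix 10.0.175.68/30;
                    }
                }
                rule srv-72-79 {
                    match {
                        destination-address 193.13.175.72/29;
                    }
                    then {
                        static-nat prefix 10.0.175.72/29;
                    }
                }
                rule srv-80-95 {
                    match {
                        destination-address 193.13.175.80/28;
                    }
                    then {
                        static-nat prefix 10.0.175.80/28;
                    }
                }
                rule srv-96-127 {
                    match {
                        destination-address 193.13.175.96/27;
                    }
                    then {
                        static-nat prefix 10.0.175.96/27;
                    }
                }
            }
        }
    }
    policies {
        /* Policy is written to the servers' real 10.0.175.x addresses (Joel's point 3);
           the static NAT presents them as 193.13.175.x on the way out. */
        from-zone dmz to-zone untrust {
            policy dmz-out {
                match {
                    source-address servers;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

Because the original rule named `one` covered the whole /26, delete it before loading this (`delete security nat static rule-set public-dmz rule one`), otherwise the broader match stays in the rule-set. After commit, `show security nat static rule all` lists the five rules with their translation hit counts, and a ping from the ISP to 193.13.175.66 now terminates on the SRX (ping is host-inbound on ge-1/0/0.0) instead of being translated into the DMZ.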

 

 

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.