THANKS ahead of time if anyone has any thoughts. Below I have the full configs of the router and switch, respectively. Also included are the routing tables from the two Juniper devices.
Laptop on Vlan <--->EX2200-c Switch<--->J2350 Router<- ~ ->DD-wrt flashed wireless Router (wired)<--->Cable Modem
Router can ping DD ## ping 192.168.14.1
Everything behind Router can ping everything on Router
I am using a router-on-a-stick config with VLANs on the switch going over a trunk port to the router. This part all works up to the 192.168.14.46 near side of the link to the modem, but I can't get to the far side of the link on the modem, except when pinging from the router itself. THEN IT PINGs successfully.
CAN'T get through the router ;; I think it might have something to do with the type of interface setup I have on the link to DD:
ge-0/0/3 {
description "Going to the Modem";
unit 0 {
family inet {
address 192.168.14.46/24;
}
}
}
Got my end devices on VLANs pinging all the way to the router's interface on the modem link.
All interfaces on the router that are involved, including the trunk subinterfaces, are added to the PUBLIC zone, as is the interface connected to the modem (ge-0/0/3 on the router).
robmin@JunipJ2350-R6# show security
policies {
default-policy {
permit-all;
}
}
zones {
security-zone PUBLIC {
host-inbound-traffic {
system-services {
telnet;
ssh;
http;
ping;
}
protocols {
ospf;
all;
}
}
interfaces {
ge-0/0/0.0;
t1-2/0/0.0;
lo0.0;
ge-0/0/2.25;
ge-0/0/2.50;
ge-0/0/3.0;
}
}
}
ROUTER ROUTING TABLE:
robmin@JunipJ2350-R6# run show route
inet.0: 13 destinations, 13 routes (13 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[Static/5] 01:18:44
> to 192.168.14.1 via ge-0/0/3.0
6.6.6.6/32 *[Direct/0] 02:06:16
> via lo0.0
10.1.10.0/24 *[Direct/0] 01:57:00
> via ge-0/0/2.50
10.1.10.1/32 *[Local/0] 02:05:45
Local via ge-0/0/2.50
10.1.11.0/24 *[Direct/0] 01:57:00
> via ge-0/0/2.25
10.1.11.1/32 *[Local/0] 02:05:45
Local via ge-0/0/2.25
10.11.11.2/32 *[Local/0] 02:05:36
Reject
10.60.1.1/32 *[Local/0] 02:05:45
Reject
10.60.31.1/32 *[Local/0] 02:05:34
Reject
10.61.1.1/32 *[Local/0] 02:05:36
Reject
192.168.14.0/24 *[Direct/0] 01:49:07
> via ge-0/0/3.0
192.168.14.46/32 *[Local/0] 01:49:07
Local via ge-0/0/3.0
224.0.0.5/32 *[OSPF/10] 02:06:19, metric 1
MultiRecv
SWITCH ROUTING TABLE: the switch is behind the router, so I tried adding a default route over the trunk (1st entry below), but it did not help or hurt; all pinging is still exactly the same, and pings got past here anyway.
robmin@JunipEX22cSW1# run show route
inet.0: 21 destinations, 21 routes (19 active, 0 holddown, 2 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[Static/5] 01:10:25
> to 10.1.10.1 via vlan.50
9.9.9.9/32 *[Direct/0] 15:40:48
> via lo0.0
10.0.0.144/32 *[Local/0] 15:40:48
Reject
10.0.0.155/32 *[Local/0] 15:40:39
Reject
10.1.10.0/24 *[Direct/0] 01:58:50
> via vlan.50
10.1.10.2/32 *[Local/0] 08:15:08
Local via vlan.50
10.1.11.0/24 *[Direct/0] 07:14:08
> via vlan.25
10.1.11.2/32 *[Local/0] 08:23:27
Local via vlan.25
10.10.100.0/23 *[Direct/0] 15:40:21
> via vlan.100
10.10.100.246/32 *[Local/0] 15:40:44
Local via vlan.100
10.20.0.0/24 *[Direct/0] 01:58:50
> via vlan.2
10.20.0.16/32 *[Local/0] 15:40:44
Local via vlan.2
10.20.1.2/32 *[Local/0] 15:40:41
Reject
10.20.1.4/32 *[Local/0] 15:40:41
Reject
10.30.0.2/32 *[Local/0] 15:40:38
Reject
10.40.1.2/32 *[Local/0] 15:40:40
Reject
10.60.1.2/32 *[Local/0] 15:40:40
Reject
10.80.1.2/32 *[Local/0] 15:40:39
Reject
224.0.0.5/32 *[OSPF/10] 15:40:51, metric 1
MultiRecv
FULL ROUTER CONFIG:
robmin@JunipJ2350-R6# show
## Last changed: 2015-06-02 18:08:30 UTC
version 12.1X44-D45.2;
system {
host-name JunipJ2350-R6;
domain-name rhcrco.int;
root-authentication {
encrypted-password "$1$0G2zpBcI$n2TbGme3166dmhTQF8GsI0"; ## SECRET-DATA
}
name-server {
8.8.8.8;
8.8.4.4;
}
login {
user robmin {
uid 2002;
class super-user;
authentication {
encrypted-password "$1$Fn4QBNvV$pH.AtrxUq2.P.uRxgVY.z/"; ## SECRET-DATA
}
}
}
services {
ssh;
telnet;
web-management {
http;
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
rpf-check fail-filter DHCP-Check;
address 10.60.1.1/24;
}
}
}
ge-0/0/2 {
description "Trunk going to Switch with subinterface gateways for switch vlans";
vlan-tagging;
unit 25 {
vlan-id 25;
family inet {
address 10.1.11.1/24;
}
}
unit 50 {
vlan-id 50;
family inet {
address 10.1.10.1/24;
}
}
}
ge-0/0/3 {
description "Going to the Modem";
unit 0 {
family inet {
address 192.168.14.46/24;
}
}
}
se-1/0/0 {
encapsulation ppp;
unit 0 {
family inet {
address 10.61.1.1/24;
}
}
}
se-1/0/1 {
encapsulation ppp;
serial-options {
clocking-mode internal;
}
unit 0 {
family inet {
address 10.11.11.2/24;
}
}
}
t1-2/0/0 {
no-keepalives;
mtu 256;
clocking external;
encapsulation frame-relay;
t1-options {
timeslots 1-24;
buildout 0-132;
}
unit 0 {
dlci 200;
family inet {
address 10.60.31.1/24;
}
}
}
lo0 {
unit 0 {
family inet {
address 6.6.6.6/32;
}
}
}
}
snmp {
community MYCOMMUNITY {
authorization read-only;
}
}
routing-options {
static {
route 9.9.9.9/32 next-hop 10.60.31.2;
route 0.0.0.0/0 {
next-hop 192.168.14.1;
resolve;
}
}
forwarding-table {
unicast-reverse-path feasible-paths;
}
}
protocols {
ospf {
area 0.0.0.0 {
interface ge-0/0/0.0;
}
}
}
security {
policies {
default-policy {
permit-all;
}
}
zones {
security-zone PUBLIC {
host-inbound-traffic {
system-services {
telnet;
ssh;
http;
ping;
}
protocols {
ospf;
all;
}
}
interfaces {
ge-0/0/0.0;
t1-2/0/0.0;
lo0.0;
ge-0/0/2.25;
ge-0/0/2.50;
ge-0/0/3.0;
}
}
}
}
firewall {
family inet {
filter DHCP-Check {
term DHCP {
from {
source-address {
0.0.0.0/32;
}
destination-address {
255.255.255.255/32;
}
}
then accept;
}
}
}
}
FULL SWITCH CONFIG:
{master:0}[edit]
robmin@JunipEX22cSW1# show
## Last changed: 2015-02-12 20:40:31 PST
version 12.3R9.4;
groups {
MYGROUP {
interfaces {
<ge-*> {
traps;
}
}
}
ACCESS-PORT {
interfaces {
<ge-*> {
unit 0 {
family ethernet-switching {
port-mode access;
}
}
}
}
}
JUMBO {
interfaces {
"<[gx]e-*>" {
mtu 9000;
}
}
}
}
/* I am watching the system uptime to see how accurate the internal clock is. I reset the time on 5-2-2015, 7:10pm */
system {
host-name JunipEX22cSW1;
domain-name rhcrco.int;
time-zone America/Los_Angeles;
root-authentication {
encrypted-password "$1$.Kwy3nB8$IHVTgcWgqqjRo97tjOorj1"; ## SECRET-DATA
}
name-server {
8.8.8.8;
75.75.75.75;
8.8.4.4;
10.0.0.1;
}
login {
class ExamClass {
permissions [ clear network view view-configuration ];
allow-commands "(configure)";
allow-configuration "(interfaces) | (routing-options) | (protocols)";
}
class MyCustomClass {
permissions view-configuration;
allow-commands "show configuration";
}
user MyCustomUser {
uid 2002;
class MyCustomClass;
authentication {
encrypted-password "$1$cFcLmPXI$nZC3NQZtv0WztFUTwreaa1"; ## SECRET-DATA
}
}
user robin {
uid 2000;
class super-user;
authentication {
encrypted-password "$1$l0Uh4pQW$3VadaIK6OMZ6.eWSN4p6/."; ## SECRET-DATA
}
}
user robmin {
full-name "Robin Hood";
uid 2001;
class super-user;
authentication {
encrypted-password "$1$zES4Qia2$cw0t/MQzx.7nJu2zcnQcF0"; ## SECRET-DATA
}
}
}
static-host-mapping {
bumpkin1 inet 10.0.0.155;
host inet 10.0.0.155;
bumpkin1.rhcrco.int inet 10.0.0.155;
}
services {
ssh;
telnet;
web-management {
https {
system-generated-certificate;
interface vlan.100;
}
}
dhcp {
traceoptions {
file dhcp_logfile;
level all;
flag all;
}
}
}
/* user keyword sends syslog info to ssh or telnet session */
syslog {
user * {
any emergency;
}
user robmin {
conflict-log any;
}
file messages {
any notice;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
file AUTH-INFO {
authorization info;
}
file INTERACTIVE-COMMANDS {
interactive-commands any;
}
file CONFIG-CHANGES {
change-log info;
}
console {
any emergency;
}
}
ntp {
boot-server 216.218.254.202;
server 129.6.15.30;
}
}
chassis {
alarm {
management-ethernet {
link-down ignore;
}
}
auto-image-upgrade;
}
interfaces {
traceoptions {
file INT-TRACE size 128k files 10;
}
interface-range MYRANGE {
member-range ge-0/0/1 to ge-0/0/5;
}
ge-0/0/0 {
traps;
unit 0 {
description "Hi Robin, Is anyone going to need your skills?";
family inet {
filter {
input rate-limit-subnet;
}
address 10.20.1.4/24;
}
}
}
ge-0/0/1 {
unit 0 {
description "Connection to Cisco 3620 fa0/1 10.20.1.1";
family inet {
address 10.20.1.2/24;
}
}
}
ge-0/0/2 {
description "Trunk connection to router";
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members all;
}
}
}
}
ge-0/0/3 {
unit 0 {
family inet {
address 10.40.1.2/24;
}
}
}
ge-0/0/4 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members v25;
}
}
}
}
ge-0/0/5 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members v50end-devices;
}
}
}
}
ge-0/0/6 {
description "10.60.1.2 Connection to R6 JunipJ2350-R6";
unit 0 {
family inet {
filter {
input Inside-Lab;
}
address 10.60.1.2/24;
}
}
}
ge-0/0/7 {
apply-groups [ ACCESS-PORT JUMBO ];
unit 0 {
family ethernet-switching;
}
}
ge-0/0/8 {
unit 0 {
family inet {
filter {
input TESTSTOP;
}
address 10.80.1.2/24;
}
}
}
ge-0/0/10 {
unit 0 {
family inet {
address 10.0.0.155/24;
}
}
}
ge-0/0/11 {
unit 0 {
description "Connection to USB-Ethernet then to MacBookAir 10.10.100.246/23";
family ethernet-switching {
port-mode access;
vlan {
members v100;
}
}
}
}
ge-0/1/0 {
unit 0 {
description "Connection to Comcast Modem 10.0.0.26/24";
family ethernet-switching {
port-mode access;
vlan {
members v50end-devices;
}
}
}
}
ge-0/1/1 {
unit 0 {
description "Connection to Cisco 3620 fa0/0 10.30.0.1";
family inet {
address 10.30.0.2/24;
}
}
}
lo0 {
unit 0 {
family inet {
address 9.9.9.9/32;
}
}
}
me0 {
unit 0 {
family inet {
address 10.0.0.144/24;
}
}
}
vlan {
unit 0 {
family inet {
dhcp {
vendor-id Juniper-ex2200-c-12p-2g;
}
}
}
unit 2 {
family inet {
address 10.20.0.16/24 {
broadcast 10.20.0.255;
}
}
}
unit 25 {
family inet {
address 10.1.11.2/24;
}
}
unit 50 {
family inet {
address 10.1.10.2/24;
}
}
unit 100 {
family inet {
address 10.10.100.246/23;
}
}
}
}
snmp {
name "snmp MyMatrix";
description "MyMatrix switch";
location "Marci's House or My House";
contact "rhcrco@hotmail.com";
community public {
authorization read-only;
clients {
10.0.0.0/24;
10.10.100.0/23;
192.168.14.0/24;
}
}
community MYCOMMUNITY {
authorization read-only;
clients {
10.0.0.0/24;
10.10.100.0/23;
10.20.1.0/24;
10.30.0.0/24;
10.40.1.0/24;
10.50.1.0/24;
10.60.1.0/24;
10.70.1.0/24;
10.80.1.0/24;
10.90.1.0/24;
}
}
trap-group MM-traps {
version v2;
destination-port 155;
categories {
chassis;
link;
routing;
}
targets {
10.0.0.2;
}
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 10.1.10.1;
route 240.0.0.8/32 discard;
route 240.0.0.9/32 reject;
route 1.1.1.1/32 {
next-hop 10.40.1.1;
qualified-next-hop 2.2.2.2 {
preference 7;
}
}
route 7.7.7.7/32 next-hop 10.20.1.3;
route 18.18.18.18/32 next-hop 10.80.1.1;
route 6.6.6.6/32 next-hop 10.60.1.1;
route 10.60.31.0/24 next-hop 10.60.1.1;
route 10.0.0.1/32 next-hop 10.0.0.26;
}
}
protocols {
##
## Warning: requires 'ospf2' license
##
ospf {
export MYDEFAULT;
/* See if I could add this without the license upgrade */
area 0.0.0.0 {
interface ge-0/0/1.0;
interface ge-0/0/0.0;
interface ge-0/0/8.0;
interface ge-0/0/6.0;
}
}
igmp-snooping {
vlan all;
}
rstp;
lldp {
interface all;
}
lldp-med {
interface all;
}
}
policy-options {
prefix-list MyNets {
10.0.0.0/24;
10.10.100.0/23;
10.11.11.0/24;
10.20.0.0/24;
10.30.1.0/24;
10.40.1.0/24;
10.60.31.0/24;
10.61.1.1/32;
}
prefix-list MyLabNets {
1.1.1.1/32;
2.2.2.2/32;
3.3.3.3/32;
4.4.4.4/32;
5.5.5.5/32;
6.6.6.6/32;
7.7.7.7/32;
9.9.9.9/32;
10.10.100.0/23;
10.11.11.0/24;
10.20.1.0/24;
10.40.1.0/24;
10.60.1.0/24;
10.61.31.0/24;
10.70.3.0/24;
10.80.1.0/24;
18.18.18.18/32;
}
policy-statement MYDEFAULT {
term ZEROZERO {
from {
protocol static;
route-filter 0.0.0.0/0 exact;
}
then accept;
}
}
policy-statement MYPOLICY1 {
term fromR1 {
from {
protocol rip;
neighbor 10.30.1.1;
}
then {
preference subtract 1;
accept;
}
}
term FROMR2 {
from {
neighbor 1;
area 0.0.0.0;
}
then reject;
}
term MY_ROUTE_FILTER1 {
from {
family inet;
interface ge-0/0/4.0;
route-filter 10.20.1.1/32 address-mask 255.255.255.0;
}
then {
tag add 5;
origin igp;
}
}
term MY_PREFIX-LIST {
then {
load-balance per-packet;
}
}
}
}
firewall {
family inet {
filter MedImgGuest {
term 1 {
from {
protocol udp;
destination-port [ bootpc bootps ];
}
then accept;
}
term 2 {
from {
destination-address {
8.8.8.8/32;
}
protocol udp;
destination-port domain;
}
then accept;
}
term 3 {
from {
destination-address {
8.8.4.4/32;
}
protocol udp;
destination-port domain;
}
then accept;
}
term 4 {
from {
destination-address {
192.168.0.0/16;
}
}
then {
reject;
}
}
term 5 {
from {
destination-address {
172.16.0.0/12;
}
}
then {
reject;
}
}
term 6 {
from {
destination-address {
10.0.0.0/8;
}
}
then accept;
}
term 7 {
from {
protocol tcp;
destination-port [ http https ];
}
then accept;
}
term FINAL {
then {
count accept_good_trafic_1;
log;
reject;
}
}
}
filter MedImgVendor {
term 1 {
from {
protocol udp;
destination-port [ bootpc bootps ];
}
then accept;
}
term 2 {
from {
destination-address {
10.10.100.245/32;
}
protocol udp;
destination-port domain;
}
then accept;
}
term 3 {
from {
destination-address {
192.168.0.0/16;
}
}
then {
reject;
}
}
term 4 {
from {
destination-address {
172.16.0.0/12;
}
}
then {
reject;
}
}
term 5 {
from {
destination-address {
10.0.0.0/8;
}
}
then accept;
}
term 6 {
from {
protocol tcp;
destination-port [ http https ];
}
then accept;
}
term FINAL {
then {
count Vendor_stuff_in_2;
log;
reject;
}
}
}
filter limit-ssh-access {
term ssh-accept {
from {
source-prefix-list {
MyNets;
}
protocol tcp;
destination-port ssh;
}
then accept;
}
term ssh-reject {
from {
protocol tcp;
destination-port ssh;
}
then {
discard;
}
}
term else-accept {
then accept;
}
}
filter rate-limit-subnet {
term Match-Subnet {
from {
source-address {
7.7.7.7/32;
10.80.1.0/24;
10.20.1.0/24;
10.40.1.0/24;
10.70.3.0/24;
10.60.1.0/24;
10.61.31.0/24;
}
}
then {
policer Pol1;
log;
accept;
}
}
term Match-Destination-Address {
from {
destination-address {
9.9.9.9/32;
}
}
then {
policer Pol1;
log;
accept;
}
}
term else-accept {
then accept;
}
}
filter TESTSTOP {
term 1 {
then {
log;
accept;
}
}
}
filter Inside-Lab {
term NoSpoof {
from {
source-prefix-list {
MyLabNets;
}
}
then {
log;
accept;
}
}
term Spoof {
then {
log;
discard;
}
}
}
filter Protect-Lab {
term ICMP {
from {
destination-prefix-list {
MyLabNets;
}
protocol icmp;
icmp-type [ echo-reply echo-request ];
}
then accept;
}
term Established {
from {
destination-prefix-list {
MyLabNets;
}
protocol tcp;
tcp-established;
}
then accept;
}
term OtherBadStuff {
then {
log;
discard;
}
}
term SSH {
from {
source-address {
10.10.100.245/32;
}
source-port ssh;
}
then {
log;
accept;
}
}
}
}
policer Pol1 {
if-exceeding {
bandwidth-limit 50k;
burst-size-limit 1500;
}
then discard;
}
}
ethernet-switching-options {
storm-control {
interface all;
}
}
vlans {
default {
l3-interface vlan.0;
}
v100 {
vlan-id 100;
l3-interface vlan.100;
}
v2 {
vlan-id 2;
l3-interface vlan.2;
}
v25 {
vlan-id 25;
interface {
ge-0/0/4.0;
}
l3-interface vlan.25;
}
v50end-devices {
vlan-id 50;
interface {
ge-0/0/5.0;
}
l3-interface vlan.50;
}
}
poe {
interface all;
}
{master:0}[edit]
robmin@JunipEX22cSW1#
THANKS THANKS THANKS, I really appreciate any help!
robin hood
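Added example, not part of the post above or any reply to it: a small Python model of the forward and return path for the symptom described (the J2350's own ping to 192.168.14.1 gets a reply, a ping from a host behind the J2350 does not). The router entries are condensed from the inet.0 table shown in the post; the DD-WRT routing table (a stock home router knowing only its own LAN plus a default toward the modem) and the laptop address 10.1.10.10 are assumptions constructed for the example. The usual explanation for this pattern is a missing return path: the DD-WRT has no route for 10.1.10.0/24 or 10.1.11.0/24, so its echo replies follow its default route toward the modem and never come back, whereas a reply to 192.168.14.46 is delivered on-link. The model also checks the two standard remedies, interface source NAT on the modem-facing interface (on Junos, under `security nat source`) or a static route for the inside prefixes on the DD-WRT pointing at 192.168.14.46.

```python
import ipaddress

# Added example (not from the post). Models why a ping sourced from the J2350
# itself gets a reply while the same ping from a host behind it does not.
# Router entries are condensed from the inet.0 table in the post; the DD-WRT
# table is an ASSUMPTION: a stock home router that knows only its own LAN
# plus a default route toward the modem.
ROUTER_WAN_IP = "192.168.14.46"          # ge-0/0/3.0 address, from the post
LAPTOP = "10.1.10.10"                    # constructed host address on vlan 50

ROUTES = {
    "router": {                          # JunipJ2350-R6 inet.0, condensed
        "0.0.0.0/0": ("via", "192.168.14.1"),
        "10.1.10.0/24": ("direct", "ge-0/0/2.50"),
        "10.1.11.0/24": ("direct", "ge-0/0/2.25"),
        "192.168.14.0/24": ("direct", "ge-0/0/3.0"),
    },
    "ddwrt": {                           # assumed DD-WRT table
        "0.0.0.0/0": ("via", "modem"),
        "192.168.14.0/24": ("direct", "br0"),
    },
}


def lookup(table, addr):
    """Longest-prefix match. Returns (kind, target) or None if no route."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, entry in table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, entry)
    return best[1] if best else None


def reply_returns_to_router(seen_src, ddwrt_table):
    """Does the DD-WRT's echo reply for a packet it saw from `seen_src`
    get back to the J2350? True if seen_src is the router's own on-link
    address, or if the DD-WRT has a route back through the router."""
    route = lookup(ddwrt_table, seen_src)
    if route is None:
        return False
    kind, target = route
    if kind == "direct":
        return seen_src == ROUTER_WAN_IP
    return target == ROUTER_WAN_IP


def ping_upstream(src, dst="192.168.14.1", source_nat=False, ddwrt_table=None):
    """Trace a ping from `src` to the DD-WRT at `dst` through the J2350 and back.
    Returns (forward_ok, reply_ok, ddwrt_reply_route)."""
    table = ddwrt_table if ddwrt_table is not None else ROUTES["ddwrt"]
    if lookup(ROUTES["router"], dst) is None:
        return (False, False, None)
    # With interface source NAT the DD-WRT sees the packet from 192.168.14.46;
    # without it, it sees a 10.1.x.x source it has no specific route for.
    seen_src = ROUTER_WAN_IP if source_nat else src
    reply_route = lookup(table, seen_src)
    return (True, reply_returns_to_router(seen_src, table), reply_route)


def ddwrt_with_return_route():
    """The other fix: a static route on the DD-WRT for the inside prefixes."""
    table = dict(ROUTES["ddwrt"])
    table["10.1.0.0/16"] = ("via", ROUTER_WAN_IP)
    return table


if __name__ == "__main__":
    cases = [
        ("router itself -> DD-WRT", ping_upstream(ROUTER_WAN_IP)),
        ("laptop -> DD-WRT, no NAT", ping_upstream(LAPTOP)),
        ("laptop -> DD-WRT, source NAT", ping_upstream(LAPTOP, source_nat=True)),
        ("laptop -> DD-WRT, static route on DD-WRT",
         ping_upstream(LAPTOP, ddwrt_table=ddwrt_with_return_route())),
    ]
    for name, (fwd, rep, route) in cases:
        print(f"{name:42s} forward={fwd} reply={rep} ddwrt_reply_route={route}")
```

The forward direction succeeds in every case because the J2350 has both a connected route to 192.168.14.0/24 and a default via 192.168.14.1; what differs is only where the DD-WRT sends the reply. Hosts further upstream than the DD-WRT have the same problem with a 10.1.x.x source, which is why interface source NAT at the edge is the usual choice on a home uplink.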