Routing

Routing internal vlans on SRX320

[ Edited ]
‎05-15-2020 12:05 AM

I'm configuring an SRX320 for my customer, but routing between internal VLANs does not work.
I would like to build an environment like the one below.

            DMZ
             |
Internal-----Internet (PPPoE)

I set ge-0/0/0 as the Internet zone, ge-0/0/1 to ge-0/0/3 (vlan10, irb.1) as the DMZ zone, and ge-0/0/4 to ge-0/0/5 (vlan20, irb.2) as the Internal zone.
The rules are set to any/any.

Pings from the DMZ interface to the Internal interface and from the Internal interface to the DMZ interface are both reachable.
I don't have any more ideas.
Please help me.

## Last changed: 2020-05-15 15:37:32 JST
version 15.1X49-D170.4;
system {
    host-name SDSFW;
    time-zone Asia/Tokyo;
    root-authentication {
        encrypted-password "$5$gBA/bSWo$XVAy9F92SfSm4Peu0vSswxsvjCGB/ntPjFPNTiprseC";
    }
    name-server {
        8.8.8.8;
    }
    services {
        ssh;
        web-management {
            http {
                interface [ irb.10 irb.20 ];
            }
            session {
                idle-timeout 30;
                session-limit 5;
            }
        }
    }
}
security {
    nat {
        source {
            rule-set srcNAT {
                from zone [ DMZ Internal ];
                to zone Internet;
            }
        }
    }
    policies {
        from-zone DMZ to-zone DMZ {
            policy Internal_to_DMZ {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Internet to-zone DMZ {
            policy Internet_to_DMZ {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Internal to-zone DMZ {
            policy Internal_to_DMZ {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone DMZ to-zone Internal {
            policy DMZ_to_Internal {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone DMZ {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                irb.10;
            }
        }
        security-zone Internal {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                irb.20;
            }
        }
        security-zone Internet {
            interfaces {
                pp0.0;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            encapsulation ppp-over-ether;
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members vlan10;
                }
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members vlan10;
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members vlan10;
                }
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members vlan20;
                }
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members vlan20;
                }
            }
        }
    }
    irb {
        unit 10 {
            family inet {
                address 10.10.23.254/24;
            }
        }
        unit 20 {
            family inet {
                address 150.253.25.239/16;
            }
        }
    }
    pp0 {
        unit 0 {
            ppp-options {
                pap {
                    local-name "w32wssog@bizf.ocn.ne.jp";
                    local-password "$9$Yt4UHP5FAu1.P5F3nu0BIESeW";
                    passive;
                }
            }
            pppoe-options {
                underlying-interface ge-0/0/0.0;
                auto-reconnect 10;
                client;
            }
            family inet {
                mtu 1454;
                negotiate-address;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop pp0.0;
        route 150.1.0.0/16 next-hop 150.253.25.254;
    }
}
vlans {
    vlan10 {
        vlan-id 10;
        l3-interface irb.10;
    }
    vlan20 {
        vlan-id 20;
        l3-interface irb.20;
    }
}

 

And this is the show route output:

root@SDSFW# run show route

inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:13:16
                    > via pp0.0
10.10.23.0/24      *[Direct/0] 00:13:32
                    > via irb.10
10.10.23.254/32    *[Local/0] 00:13:51
                      Local via irb.10
118.22.46.13/32    *[Direct/0] 00:13:16
                    > via pp0.0
150.1.0.0/16       *[Static/5] 00:13:31
                    > to 150.253.25.254 via irb.20
150.253.0.0/16     *[Direct/0] 00:13:31
                    > via irb.20
150.253.25.239/32  *[Local/0] 00:13:51
                      Local via irb.20
180.42.54.8/32     *[Local/0] 00:13:16
                      Local via pp0.0


Re: Routing internal vlans on SRX320

‎05-15-2020 02:59 AM

It looks like you don't have a policy from Internal to Internal to permit traffic. The default action is to deny even intra-zone traffic.


Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Routing internal vlans on SRX320

[ Edited ]
‎05-15-2020 03:12 AM
I set a from Internal to Internal rule and a from DMZ to DMZ rule, but it doesn't establish a connection between the same VLANs or between different VLANs.
This is the configuration now. (There are small changes in other parts of the configuration.)
## Last changed: 2020-05-15 21:08:42 JST
version 15.1X49-D170.4;
system {
    host-name SDSFW;
    time-zone Asia/Tokyo;
    arp {
        aging-timer 120;
    }
    root-authentication {
        encrypted-password "$5$gBA/bSWo$XVAy9F92SfSm4Peu0vSswxsvjCGB/ntPjFPNTiprseC";
    }
    name-server {
        8.8.8.8;
        210.145.254.170;
        125.170.93.234;
    }
    services {
        ssh;
        web-management {
            http {
                interface [ irb.10 irb.20 ];
            }
            session {
                idle-timeout 30;
                session-limit 5;
            }
        }
    }
}
security {
    log {
        mode stream;
        report;
    }
    alg {
        h323 disable;
    }
    nat {
        source {
            rule-set srcNAT {
                from zone [ DMZ Internal ];
                to zone Internet;
            }
        }
    }
    policies {
        from-zone Internet to-zone DMZ {
            policy Internet_to_DMZ {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Internal to-zone DMZ {
            policy Internal_to_DMZ {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone DMZ to-zone Internal {
            policy DMZ_to_Internal {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone DMZ to-zone DMZ {
            policy DMZ_to_DMZ {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Internal to-zone Internal {
            policy Internal_to_Internal {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone DMZ {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                irb.10;
            }
        }
        security-zone Internal {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                irb.20;
            }
        }
        security-zone Internet {
            interfaces {
                pp0.0;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            encapsulation ppp-over-ether;
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members vlan10;
                }
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members vlan10;
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members vlan10;
                }
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members vlan20;
                }
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members vlan20;
                }
            }
        }
    }
    irb {
        unit 0 {
            proxy-arp;
        }
        unit 10 {
            proxy-arp unrestricted;
            family inet {
                address 10.10.23.254/24;
            }
        }
        unit 20 {
            proxy-arp unrestricted;
            family inet {
                address 150.253.25.239/16;
            }
        }
    }
    pp0 {
        unit 0 {
            ppp-options {
                pap {
                    local-name "w32wssog@bizf.ocn.ne.jp";
                    local-password "$9$Yt4UHP5FAu1.P5F3nu0BIESeW";
                    passive;
                }
            }
            pppoe-options {
                underlying-interface ge-0/0/0.0;
                auto-reconnect 10;
                client;
            }
            family inet {
                mtu 1454;
                negotiate-address;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop pp0.0;
        route 150.1.0.0/16 next-hop 150.253.25.254;
    }
}
vlans {
    vlan10 {
        vlan-id 10;
        l3-interface irb.10;
    }
    vlan20 {
        vlan-id 20;
        l3-interface irb.20;
    }
}

Re: Routing internal vlans on SRX320

‎05-17-2020 09:54 AM

Your policies look like they cover all possible directions wide open.


So the next check is to see what is happening in the session table when you make the connection attempt between two connected devices.


show security flow session source-prefix x.x.x.x/32 destination-prefix y.y.y.y/32


This should show the attempt, the policy that permitted it, the packet counts and any NAT in play for both directions.


I do wonder about your config: why do you have two /16 public subnets? One is directly on an interface and the other is a route to a host on that first one. Do you really control these subnets, and is that routing path legitimate?


And if you are legitimate to have a public /16 in the DMZ, then why are you applying NAT to that outbound traffic instead of letting it go to the internet with the native public address?


Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Routing internal vlans on SRX320

[ Edited ]
‎05-17-2020 07:45 PM

Thank you so much for your reply!


First, I tried the show security flow session command.

The result below is for traffic from 10.10.23.23.11/32 (in DMZ) to 150.253.24.100/32 (in Internal).

Looking only at the result, there seems to be no problem, but I am not able to see 150.253.24.100's web page.

root@SDSFW> ...prefix 10.10.23.11/32 destination-prefix 150.253.25.100/32
Session ID: 3769, Policy name: DMZ_to_Internal/6, Timeout: 16, Valid
In: 10.10.23.11/55287 --> 150.253.25.100/443;tcp, Conn Tag: 0x0, If: irb.10, Pkts: 2, Bytes: 104,
Out: 150.253.25.100/443 --> 10.10.23.11/55287;tcp, Conn Tag: 0x0, If: irb.20, Pkts: 0, Bytes: 0,
Total sessions: 1

Then I checked the ARP table. The result is below.

root@SDSFW> show arp
MAC Address       Address         Name                      Interface               Flags
00:15:5d:01:15:16 10.10.23.11     10.10.23.11               irb.10                  none
e8:6a:64:27:1a:5b 10.10.23.90     10.10.23.90               irb.10                  none
00:24:3f:01:45:79 118.22.46.13    118.22.46.13              pp0.0
Total entries: 3

As you can see, there are no ARP table entries for 15.253.0.0/16.

This is strange. The subnet 150.253.0.0/16 has 3 hosts: 150.253.25.100, 150.253.25.140 and 150.253.25.142.

They are all alive.

Should I set some configuration related to ARP?


>I do wonder about your config why you have two /16 public subnets. 

>One directly on an interface and the other as a route to a host on that first one.  Do you really control these subnets and is that routing path legitimate?

This setting is for another internal subnet. Please see the diagram below.

                                              DMZ zone (10.10.25.0/24)
                                                        |
another internal NW (150.1.0.0/16) ------ Internal zone (150.253.0.0/16) ------ Internet zone (PPPoE)

The other internal NW is just routed from/to the Internal zone and doesn't use the SRX320, so I didn't add a zone for that subnet.

I believe it works well, but if you have any idea, could you give me information?


>And if you are legitimate to have a public /16 in the DMZ, then why are you applying NAT to that outbound traffic instead of letting it go to the internet with the native public address?

Do you mean the source NAT configuration?

    nat {
        source {
            rule-set srcNAT {
                from zone [ DMZ Internal ];
                to zone Internet;
            }
        }
    }

This setting is the default one.

When going out to the Internet from the DMZ, this source NAT setting is not needed, right?


The time limit is Thursday.

Thank you for your cooperation.


Re: Routing internal vlans on SRX320

‎05-18-2020 02:42 AM

The session flow shows zero packets coming back from the host, and the lack of ARP also confirms this lack of communication. Is the SRX configured as the default gateway for the 150.253.0.0/16 subnet?

Or do you have a different gateway, and we need to work out how you are going to configure the return route path?

Return routing will also be an issue with the other subnet.


Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
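The check Steve describes (a permitted session whose Out wing carries zero packets, meaning the reply never reached the SRX) can be automated over the `show security flow session` output quoted earlier in the thread. This is an added example, not code from the thread or from Juniper; the sample output is constructed to match the format shown above and the session 3801 is invented as a healthy counterexample.

```python
import re

# Constructed sample modelled on the `show security flow session` output
# quoted in this thread: one one-way session and one healthy session.
SAMPLE = """\
Session ID: 3769, Policy name: DMZ_to_Internal/6, Timeout: 16, Valid
In: 10.10.23.11/55287 --> 150.253.25.100/443;tcp, Conn Tag: 0x0, If: irb.10, Pkts: 2, Bytes: 104,
Out: 150.253.25.100/443 --> 10.10.23.11/55287;tcp, Conn Tag: 0x0, If: irb.20, Pkts: 0, Bytes: 0,
Session ID: 3801, Policy name: Internal_to_DMZ/4, Timeout: 1800, Valid
In: 150.253.25.140/51000 --> 10.10.23.11/22;tcp, Conn Tag: 0x0, If: irb.20, Pkts: 12, Bytes: 1800,
Out: 10.10.23.11/22 --> 150.253.25.140/51000;tcp, Conn Tag: 0x0, If: irb.10, Pkts: 10, Bytes: 2400,
Total sessions: 2
"""

SESSION_RE = re.compile(r"^Session ID: (\d+), Policy name: ([^,]+), Timeout: (\d+)")
WING_RE = re.compile(
    r"^\s*(In|Out): (\S+) --> (\S+);(\w+), Conn Tag: \S+, If: (\S+), Pkts: (\d+), Bytes: (\d+)"
)

def parse_sessions(text):
    """Parse session headers and their In/Out wings into a list of dicts."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sessions.append({"id": int(m.group(1)), "policy": m.group(2), "wings": {}})
            continue
        m = WING_RE.match(line)
        if m and sessions:
            direction, src, dst, proto, ifname, pkts, nbytes = m.groups()
            sessions[-1]["wings"][direction] = {
                "src": src, "dst": dst, "proto": proto, "if": ifname,
                "pkts": int(pkts), "bytes": int(nbytes),
            }
    return sessions

def one_way_sessions(sessions):
    """Sessions the policy permitted but whose Out wing saw no packets: the
    reply never came back through the SRX, so the next place to look is the
    host's default gateway / return route, not the security policy."""
    return [s for s in sessions
            if s["wings"].get("In", {}).get("pkts", 0) > 0
            and s["wings"].get("Out", {}).get("pkts", 0) == 0]

if __name__ == "__main__":
    for s in one_way_sessions(parse_sessions(SAMPLE)):
        w = s["wings"]["In"]
        print(f"session {s['id']} ({s['policy']}): {w['src']} -> {w['dst']} "
              f"in via {w['if']}, no return traffic on {s['wings']['Out']['if']}")
```

Pipe the real command output into `parse_sessions` in place of the constructed sample; a session flagged here together with a missing ARP entry for the destination, as in the thread, points at the return path rather than at the policy.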