SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

Connecting my home ISP modem > Juniper SRX > Wireless AP router for home use

  • 1.  Connecting my home ISP modem > Juniper SRX > Wireless AP router for home use

    Posted 06-12-2020 21:07

    Hi Juniper Gurus,

     

    I'm fairly new to Juniper devices and configuration. I'm trying to set up my SRX210H to connect to my home ISP and ASUS Wireless AP router (for WIFI only). I was able to use my SRX to act as a DHCP server for home LAN users.

     

    My issue is I'm actually doing double natting on the SRX as I'm still using the Private IP subnet of ISP Bell modem.

    I use the Bell Home Hub 3000 and found the option for Advanced DMZ where it gave me the WAN IP assigned to my Juniper SRX 77.XX.XX.XX IP with Subnet range 127.255.255.255 but I'm unable to connect to internet or even ping to google 8.8.8.8 via my SRX.

     

    Topology right now is Bell ISP Modem 192.168.2.1 LAN port  --> SRX ge-0/0/0 192.168.2.10 (internet (untrust) zone) <NAT> acting as DHCP server (lan (trust) zone) ge-0/0/1 - 192.168.50.10 default GW for lan users --> Asus router in Wireless AP mode only. Currently this config works but I'm doing double NATting as I'm using a Private IP on SRX who is doing a NAT as well.

     

    I would like to change my SRX to be a DHCP client for the ISP modem and use the WAN IP I got from my Bell Home Hub 3000 Advanced DMZ, but somehow I can't even ping the internet even though I'm getting a public IP via DHCP client, and I'm unsure how my LAN users will work because the set static route will be incorrect, because the GW is the Private IP. Which IP should I add? Could you direct me to what I'm missing here? Do I need to configure PPPoE directly on my SRX?

     

    How will this setting work if I have a Public IP on SRX? "set routing-options static route 0.0.0.0/0 next-hop 192.168.2.1"

     

    set system host-name SRX1
    set system root-authentication encrypted-password 
    set system name-server 4.2.2.1
    set system name-server 8.8.8.8
    set system services ssh
    set system services telnet
    set system services xnm-clear-text
    set system services dhcp-local-server group JunosDHCP-group interface ge-0/0/1.0
    set system services web-management https system-generated-certificate
    set system services web-management https interface vlan.0
    set system services web-management https interface ge-0/0/1.0
    set system syslog archive size 100k
    set system syslog archive files 3
    set system syslog user * any emergency
    set system syslog file messages any critical
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands error
    set system syslog file blocked-traffic any any
    set system syslog file blocked-traffic match RT_FLOW_SESSION_DENY
    set system syslog file no-route-present any any
    set system syslog file no-route-present match "NO ROUTE PRESENT"
    set system max-configurations-on-flash 5
    set system max-configuration-rollbacks 5
    set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
    set interfaces ge-0/0/0 description Access_to_Internet
    set interfaces ge-0/0/0 unit 0 family inet dhcp-client
    set interfaces ge-0/0/1 description Access_to_LAN
    set interfaces ge-0/0/1 unit 0 family inet address 192.168.50.10/24
    set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces lo0 unit 0 family inet address 11.11.11.1/24
    set interfaces vlan unit 0 family inet address 192.168.1.1/24
    set routing-options static route 0.0.0.0/0 next-hop 192.168.2.1
    set protocols stp
    set security address-book global address lan 192.168.50.0/24
    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land
    set security nat source rule-set internet-nat from zone lan
    set security nat source rule-set internet-nat to zone internet
    set security nat source rule-set internet-nat rule lan-access match source-address 192.168.50.0/24
    set security nat source rule-set internet-nat rule lan-access match destination-address 0.0.0.0/0
    set security nat source rule-set internet-nat rule lan-access then source-nat interface
    set security policies from-zone lan to-zone internet policy FirewallPolicy match source-address lan
    set security policies from-zone lan to-zone internet policy FirewallPolicy match destination-address any
    set security policies from-zone lan to-zone internet policy FirewallPolicy match application any
    set security policies from-zone lan to-zone internet policy FirewallPolicy then permit
    set security policies from-zone lan to-zone internet policy FirewallPolicy then log session-close
    set security policies global policy global_drop match source-address any
    set security policies global policy global_drop match destination-address any
    set security policies global policy global_drop match application any
    set security policies global policy global_drop then deny
    set security policies global policy global_drop then log session-init
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic protocols all
    set security zones security-zone trust host-inbound-traffic protocols ospf
    set security zones security-zone trust host-inbound-traffic protocols bgp
    set security zones security-zone trust interfaces vlan.0
    set security zones security-zone untrust screen untrust-screen
    set security zones security-zone internet interfaces ge-0/0/0.0
    set security zones security-zone lan host-inbound-traffic system-services ping
    set security zones security-zone lan host-inbound-traffic system-services https
    set security zones security-zone lan host-inbound-traffic system-services traceroute
    set security zones security-zone lan host-inbound-traffic system-services ssh
    set security zones security-zone lan host-inbound-traffic protocols bgp
    set security zones security-zone lan host-inbound-traffic protocols ospf
    set security zones security-zone lan interfaces ge-0/0/1.0 host-inbound-traffic system-services dhcp
    set security zones security-zone lan interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
    set security zones security-zone lan interfaces ge-0/0/1.0 host-inbound-traffic system-services https
    set security zones security-zone lan interfaces ge-0/0/1.0 host-inbound-traffic system-services traceroute
    set security zones security-zone lan interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh
    set security zones security-zone lan interfaces ge-0/0/1.0 host-inbound-traffic protocols bgp
    set security zones security-zone lan interfaces ge-0/0/1.0 host-inbound-traffic protocols ospf
    set access address-assignment pool JunosPool family inet network 192.168.50.0/24
    set access address-assignment pool JunosPool family inet range JunosRange low 192.168.50.11
    set access address-assignment pool JunosPool family inet range JunosRange high 192.168.50.254
    set access address-assignment pool JunosPool family inet dhcp-attributes maximum-lease-time 86400
    set access address-assignment pool JunosPool family inet dhcp-attributes name-server 207.164.234.193
    set access address-assignment pool JunosPool family inet dhcp-attributes name-server 207.164.234.129
    set access address-assignment pool JunosPool family inet dhcp-attributes router 192.168.50.10
    set poe interface all
    set vlans vlan-trust vlan-id 3
    set vlans vlan-trust l3-interface vlan.0



  • 2.  RE: Connecting my home ISP modem > Juniper SRX > Wireless AP router for home use

     
    Posted 06-13-2020 01:51

    Hello , 

     

    PPPoE is used when you have a point-to-point link with authentication for internet access. Please let us know if there is anything like that. I am sure PPPoE is done by your ISP modem, which is between the SRX and the ISP network. If we are getting a DHCP IP from the ISP directly, then probably we have to do the same PPPoE as the ISP modem does. You can check the ISP modem settings or get in touch with the ISP to get the authentication details and configure PPPoE on the SRX.

     

    Since you said you are getting DHCP IP from the ISP (public IP), I am afraid if there is any authentication. Can you reach the default gateway once you get the DHCP IP from the ISP?

     

     

     



  • 3.  RE: Connecting my home ISP modem > Juniper SRX > Wireless AP router for home use

     
    Posted 06-13-2020 01:55

    Hello , 

     

    Also, I see that the public IP is provided by the ISP modem. So check if you are able to reach the default gateway provided by the DHCP (modem). We need to understand: if we get the public IP directly, will the modem act as a bridge?



  • 4.  RE: Connecting my home ISP modem > Juniper SRX > Wireless AP router for home use

    Posted 06-13-2020 07:40

    Hi Joses,

     

    Thank you for your prompt response. I do have this feature on my Bell Home Hub 3000 to enable Advanced DMZ. I do have the authentication parameters from my ISP, username and password for PPPoE. But I don't know the default GW of my WAN IP; how would I get that? And what do I need to update in my configuration if I use my SRX as DHCP client w/ public IP?

     

    "The advanced DMZ feature allows a device to use the modem's WAN IP address as its own. It also puts the device outside the modem's firewall. Your modem's WAN IP is: 7X.XX.XX.XX"

     

    Thank you,

    Chris



  • 5.  RE: Connecting my home ISP modem > Juniper SRX > Wireless AP router for home use

     
    Posted 06-13-2020 18:55

    Hello , 

     

    Thanks for the clarification. So if the DMZ feature on the modem gives the public IP to the SRX via DHCP, ideally it should also push the default gateway. You can check this by giving "show route" on the SRX:

     

    > show route 4.2.2.2 

     

    It should give the default gateway IP in the route. You can try to reach that IP to see if the connectivity to the gateway is working or not. If the connectivity to the gateway works and the internet is having issues, we may need to check with the ISP why it's blocking after the default gateway.

    If the gateway itself is not reachable , we may need to check in ISP modem why the gateway is not reachable . 

     

    If the SRX receives the public IP and has a default route with source NAT configuration, ideally it should work if there is no external issue. Policy comes later, as the internet should be reachable from the SRX itself so that LAN users can go out.



  • 6.  RE: Connecting my home ISP modem > Juniper SRX > Wireless AP router for home use

     
    Posted 06-13-2020 18:58

    Hello , 

     

    In addition, if you do get a default route from the modem, please delete your existing default route:

     

    set routing-options static route 0.0.0.0/0 next-hop 192.168.2.1 << Delete this 

     

    As it's no longer needed and may conflict with the DHCP route. Since we are getting a public IP, the private default route is no longer needed.

     

     

     



  • 7.  RE: Connecting my home ISP modem > Juniper SRX > Wireless AP router for home use

    Posted 06-15-2020 16:10

    Thank you Sam for looking into this,

     

    I will try this tonight when my family is not using the internet. Currently, ISP modem > SRX > Wireless router (AP mode), it is working with Private IP, but I want to have the SRX do all the NATting work (Public to Private IP) so the ISP modem is just a switch that is passing the traffic to SRX > Wireless router. My problem is if it doesn't get a default gateway after getting a Public IP, but I will let you know what happens later.

     

    I appreciate your help.

     

    Regards,

    Chris



  • 8.  RE: Connecting my home ISP modem > Juniper SRX > Wireless AP router for home use

     
    Posted 06-15-2020 18:31

    Hello , 

     

    Thanks for the update. You should get a default route to the ISP and it has to be provided by the DHCP server (in our case it's the ISP).

     

    If you don't get it, check what IP you get as default gateway in the working state on the ISP modem and configure the same on the SRX once we have the public IP. This could be a temporary fix.



  • 9.  RE: Connecting my home ISP modem > Juniper SRX > Wireless AP router for home use

    Posted 06-16-2020 00:51

    Hi Sam,

     

    It seems I'm still not having any luck. I even rebooted the SRX and got a new Public IP, and rebooted the ISP modem and Wireless AP. On the show route I saw a 10 IP there, 10.11.1.121; is this the default gateway? But yes, I'm unable to ping 4.2.2.2; please see logs below:

     

    0.0.0.0/0 *[Access-internal/12] 00:01:17
    > to 10.11.1.121 via ge-0/0/0.0
    0.0.0.0/1 *[Direct/0] 00:01:17

     

    delete interfaces ge-0/0/0 unit 0 family inet address 192.168.2.10/24
    set interfaces ge-0/0/0 unit 0 family inet dhcp-client
    delete routing-options static route 0.0.0.0/0 next-hop 192.168.2.1

    also performed request system reboot on SRX, ISP Modem, Wireless AP


    root@SRX1> show interfaces ge-0/0/0 de
    ^
    'de' is ambiguous.
    Possible completions:
    descriptions Display interface description strings
    detail Display detailed output
    root@SRX1> show interfaces ge-0/0/0 detail
    Physical interface: ge-0/0/0, Enabled, Physical link is Up
    Interface index: 134, SNMP ifIndex: 508, Generation: 137
    Description: Access_to_Internet
    Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 1000mbps,
    BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled,
    Source filtering: Disabled, Flow control: Disabled, Auto-negotiation: Enabled,
    Remote fault: Online
    Device flags : Present Running
    Interface flags: SNMP-Traps Internal: 0x0
    Link flags : None
    CoS queues : 8 supported, 8 maximum usable queues
    Hold-times : Up 0 ms, Down 0 ms
    Current address: hidden MAC, Hardware address: hidden MAC
    Last flapped : 2020-06-12 08:43:55 UTC (3d 20:46 ago)
    Statistics last cleared: Never
    Traffic statistics:
    Input bytes : 132592604659 2392 bps
    Output bytes : 7591373183 1336 bps
    Input packets: 97925522 4 pps
    Output packets: 64273380 3 pps
    Egress queues: 8 supported, 4 in use
    Queue counters: Queued packets Transmitted packets Dropped packets
    0 best-effort 64267161 64267161 0
    1 expedited-fo 0 0 0
    2 assured-forw 0 0 0
    3 network-cont 6216 6216 0
    Queue number: Mapped forwarding classes
    0 best-effort
    1 expedited-forwarding
    2 assured-forwarding
    3 network-control
    Active alarms : None
    Active defects : None
    Interface transmit statistics: Disabled

    Logical interface ge-0/0/0.0 (Index 71) (SNMP ifIndex 510) (Generation 136)
    Flags: SNMP-Traps 0x0 Encapsulation: ENET2
    Traffic statistics:
    Input bytes : 132592605019
    Output bytes : 7591373003
    Input packets: 97925528
    Output packets: 64273380
    Local statistics:
    Input bytes : 10548625
    Output bytes : 369851
    Input packets: 175798
    Output packets: 8790
    Transit statistics:
    Input bytes : 132582056394 0 bps
    Output bytes : 7591003152 0 bps
    Input packets: 97749730 0 pps
    Output packets: 64264590 0 pps
    Security: Zone: internet
    Allowed host-inbound traffic : igmp dhcp ike ping
    Flow Statistics :
    Flow Input statistics :
    Self packets : 5
    ICMP packets : 34361
    VPN packets : 0
    Multicast packets : 0
    Bytes permitted by policy : 132581793647
    Connections established : 0
    Flow Output statistics:
    Multicast packets : 0
    Bytes permitted by policy : 7590810030
    Flow error statistics (Packets dropped due to):
    Address spoofing: 0
    Authentication failed: 0
    Incoming NAT errors: 0
    Invalid zone received packet: 0
    Multiple user authentications: 0
    Multiple incoming NAT: 0
    No parent for a gate: 0
    No one interested in self packets: 0
    No minor session: 0
    No more sessions: 0
    No NAT gate: 0
    No route present: 0
    No SA for incoming SPI: 0
    No tunnel found: 0
    No session for a gate: 0
    No zone or NULL zone binding 0
    Policy denied: 146
    Security association not active: 0
    TCP sequence number out of window: 283
    Syn-attack protection: 0
    User authentication errors: 0
    Protocol inet, MTU: 1500, Generation: 150, Route table: 0
    Flags: Sendbcast-pkt-to-re
    Addresses, Flags: Is-Preferred Is-Primary
    Destination: 0/1, Local: 76.XX.SS.AA Broadcast: 127.255.255.255,
    Generation: 156

     

     

    root@SRX1> show configuration | display set
    set version 12.1X46-D82
    set system host-name SRX1
    set system time-zone toronto
    set system root-authentication encrypted-password
    set system name-server 4.2.2.1
    set system name-server 8.8.8.8
    set system services ssh
    set system services telnet
    set system services xnm-clear-text
    set system services dhcp-local-server group JunosDHCP-group interface ge-0/0/1.0
    set system services web-management https system-generated-certificate
    set system services web-management https interface vlan.0
    set system services web-management https interface ge-0/0/1.0
    set system syslog archive size 100k
    set system syslog archive files 3
    set system syslog user * any emergency
    set system syslog file messages any critical
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands error
    set system syslog file blocked-traffic any any
    set system syslog file blocked-traffic match RT_FLOW_SESSION_DENY
    set system syslog file no-route-present any any
    set system syslog file no-route-present match "NO ROUTE PRESENT"
    set system max-configurations-on-flash 5
    set system max-configuration-rollbacks 5
    set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
    set interfaces ge-0/0/0 description Access_to_Internet
    set interfaces ge-0/0/0 unit 0 family inet dhcp-client
    set interfaces ge-0/0/1 description Access_to_LAN
    set interfaces ge-0/0/1 unit 0 family inet address 192.168.50.10/24
    set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces lo0 unit 0 family inet address 11.11.11.1/24
    set interfaces vlan unit 0 family inet address 192.168.1.1/24
    set protocols stp
    set security address-book global address lan 192.168.50.0/24
    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land
    set security nat source rule-set internet-nat from zone lan
    set security nat source rule-set internet-nat to zone internet
    set security nat source rule-set internet-nat rule lan-access match source-address 192.168.50.0/24
    set security nat source rule-set internet-nat rule lan-access match destination-address 0.0.0.0/0
    set security nat source rule-set internet-nat rule lan-access then source-nat interface
    set security policies from-zone lan to-zone internet policy FirewallPolicy match source-address lan
    set security policies from-zone lan to-zone internet policy FirewallPolicy match destination-address any
    set security policies from-zone lan to-zone internet policy FirewallPolicy match application any
    set security policies from-zone lan to-zone internet policy FirewallPolicy then permit
    set security policies from-zone lan to-zone internet policy FirewallPolicy then log session-close
    set security policies global policy global_drop match source-address any
    set security policies global policy global_drop match destination-address any
    set security policies global policy global_drop match application any
    set security policies global policy global_drop then deny
    set security policies global policy global_drop then log session-init
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic protocols all
    set security zones security-zone trust host-inbound-traffic protocols ospf
    set security zones security-zone trust host-inbound-traffic protocols bgp
    set security zones security-zone trust interfaces vlan.0
    set security zones security-zone untrust screen untrust-screen
    set security zones security-zone internet host-inbound-traffic system-services dhcp
    set security zones security-zone internet host-inbound-traffic system-services ping
    set security zones security-zone internet host-inbound-traffic system-services ike
    set security zones security-zone internet host-inbound-traffic protocols igmp
    set security zones security-zone internet interfaces ge-0/0/0.0
    set security zones security-zone lan host-inbound-traffic system-services ping
    set security zones security-zone lan host-inbound-traffic system-services https
    set security zones security-zone lan host-inbound-traffic system-services traceroute
    set security zones security-zone lan host-inbound-traffic system-services ssh
    set security zones security-zone lan host-inbound-traffic system-services dhcp
    set security zones security-zone lan host-inbound-traffic protocols bgp
    set security zones security-zone lan host-inbound-traffic protocols ospf
    set security zones security-zone lan interfaces ge-0/0/1.0
    set access address-assignment pool JunosPool family inet network 192.168.50.0/24
    set access address-assignment pool JunosPool family inet range JunosRange low 192.168.50.11
    set access address-assignment pool JunosPool family inet range JunosRange high 192.168.50.254
    set access address-assignment pool JunosPool family inet dhcp-attributes maximum-lease-time 86400
    set access address-assignment pool JunosPool family inet dhcp-attributes name-server 207.164.234.193
    set access address-assignment pool JunosPool family inet dhcp-attributes name-server 207.164.234.129
    set access address-assignment pool JunosPool family inet dhcp-attributes router 192.168.50.10
    set poe interface all
    set vlans vlan-trust vlan-id 3
    set vlans vlan-trust l3-interface vlan.0


    root@SRX1> show dhcp client binding

    IP address Hardware address Expires State Interface
    76.XX.SS.AA hidden MAC 86143 BOUND ge-0/0/0.0


    root@SRX1> show dhcp server binding

    IP address Session Id Hardware address Expires State Interface
    Private IP ( mac address) 621 BOUND ge-0/0/1.0

     

     

     

    root@SRX1> show security nat source summary
    Total port number usage for port translation pool: 0
    Maximum port number for port translation pool: 16777216
    Total pools: 0

    Total rules: 1
    Rule name Rule set From To Action
    lan-access internet-nat lan internet interface


    root@SRX1> show route 4.2.2.2

    inet.0: 30 destinations, 30 routes (30 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/1 *[Direct/0] 00:05:32
    > via ge-0/0/0.0

     

    After rebooting the ISP modem i got a different public IP

    root@SRX1> show interfaces ge-0/0/0 de
    ^
    'de' is ambiguous.
    Possible completions:
    descriptions Display interface description strings
    detail Display detailed output
    root@SRX1> show interfaces ge-0/0/0 detail
    Physical interface: ge-0/0/0, Enabled, Physical link is Up
    Interface index: 134, SNMP ifIndex: 508, Generation: 137
    Description: Access_to_Internet
    Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 1000mbps,
    BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled,
    Source filtering: Disabled, Flow control: Disabled, Auto-negotiation: Enabled,
    Remote fault: Online
    Device flags : Present Running
    Interface flags: SNMP-Traps Internal: 0x0
    Link flags : None
    CoS queues : 8 supported, 8 maximum usable queues
    Hold-times : Up 0 ms, Down 0 ms
    Current address: hidden, Hardware address: hidden
    Last flapped : 2020-06-16 05:43:34 UTC (00:00:31 ago)
    Statistics last cleared: Never
    Traffic statistics:
    Input bytes : 3060 2016 bps
    Output bytes : 2417 1408 bps
    Input packets: 36 4 pps
    Output packets: 20 4 pps
    Egress queues: 8 supported, 4 in use
    Queue counters: Queued packets Transmitted packets Dropped packets
    0 best-effort 20 20 0
    1 expedited-fo 0 0 0
    2 assured-forw 0 0 0
    3 network-cont 0 0 0
    Queue number: Mapped forwarding classes
    0 best-effort
    1 expedited-forwarding
    2 assured-forwarding
    3 network-control
    Active alarms : None
    Active defects : None
    Interface transmit statistics: Disabled

    Logical interface ge-0/0/0.0 (Index 71) (SNMP ifIndex 510) (Generation 136)
    Flags: SNMP-Traps 0x0 Encapsulation: ENET2
    Traffic statistics:
    Input bytes : 3240
    Output bytes : 2321
    Input packets: 39
    Output packets: 22
    Local statistics:
    Input bytes : 2844
    Output bytes : 2321
    Input packets: 34
    Output packets: 22
    Transit statistics:
    Input bytes : 396 0 bps
    Output bytes : 0 0 bps
    Input packets: 5 0 pps
    Output packets: 0 0 pps
    Security: Zone: internet
    Allowed host-inbound traffic : igmp dhcp ike ping
    Flow Statistics :
    Flow Input statistics :
    Self packets : 3
    ICMP packets : 0
    VPN packets : 0
    Multicast packets : 0
    Bytes permitted by policy : 0
    Connections established : 0
    Flow Output statistics:
    Multicast packets : 0
    Bytes permitted by policy : 1678
    Flow error statistics (Packets dropped due to):
    Address spoofing: 0
    Authentication failed: 0
    Incoming NAT errors: 0
    Invalid zone received packet: 0
    Multiple user authentications: 0
    Multiple incoming NAT: 0
    No parent for a gate: 0
    No one interested in self packets: 0
    No minor session: 0
    No more sessions: 0
    No NAT gate: 0
    No route present: 2
    No SA for incoming SPI: 0
    No tunnel found: 0
    No session for a gate: 0
    No zone or NULL zone binding 0
    Policy denied: 0
    Security association not active: 0
    TCP sequence number out of window: 0
    Syn-attack protection: 0
    User authentication errors: 0
    Protocol inet, MTU: 1500, Generation: 150, Route table: 0
    Flags: Sendbcast-pkt-to-re
    Addresses, Flags: Is-Preferred Is-Primary
    Destination: 0/1, Local: 70.XX.SS.AA Broadcast: 127.255.255.255,
    Generation: 154

     

    0.0.0.0/0 *[Access-internal/12] 00:01:17
    > to 10.11.1.121 via ge-0/0/0.0
    0.0.0.0/1 *[Direct/0] 00:01:17
    > via ge-0/0/0.0
    {deleted other routes}

     


    root@SRX1> ping 10.11.1.121
    PING 10.11.1.121 (10.11.1.121): 56 data bytes
    ^C
    --- 10.11.1.121 ping statistics ---
    12 packets transmitted, 0 packets received, 100% packet loss

     

     

    root@SRX1> show route 4.2.2.2

    inet.0: 18 destinations, 18 routes (18 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/1 *[Direct/0] 00:02:47
    > via ge-0/0/0.0

    root@SRX1> show route 4.2.2.2 extensive

    inet.0: 18 destinations, 18 routes (18 active, 0 holddown, 0 hidden)
    0.0.0.0/1 (1 entry, 1 announced)
    *Direct Preference: 0
    Next hop type: Interface
    Address: 0x15bc438
    Next-hop reference count: 2
    Next hop: via ge-0/0/0.0, selected
    State: <Active Int>
    Age: 2:54
    Task: IF
    Announcement bits (1): 1-Resolve tree 1
    AS path: I



  • 10.  RE: Connecting my home ISP modem > Juniper SRX > Wireless AP router for home use

     
    Posted 06-16-2020 06:39

    Hello , 

     

    Thanks for the detailed update . I still see something wrong here . Initially you got an IP on ge-0/0/0 using DHCP is : 76.XX.SS.AA and the route its pointing is 10.11.1.121 , which seems very odd . Normally you should get the default gateway as same subnet as that of the public IP , if the ISP modem is acting like a bridge and not an L3 device . 

    On top of that in the second  instance you shared , you are not even able to reach the default gateway :

     

    root@SRX1> ping 10.11.1.121
    PING 10.11.1.121 (10.11.1.121): 56 data bytes
    ^C
    --- 10.11.1.121 ping statistics ---
    12 packets transmitted, 0 packets received, 100% packet loss

     

    So I suspect there is something wrong with the DHCP setting in the modem, as it's not giving the correct default gateway. Or it could be a routing issue after 10.11.1.121. Since you said the ISP modem acts like a bridge and not as an L3 device anymore, I suspect it's a DHCP issue. I don't see any issue on the SRX end here.

     

    One thing you can check is whether you are getting any ARP on ge-0/0/0 ( show arp no-resolve | match ge-0/0/0 ). If you get any, try configuring that IP as a manual static default route and check if that works.

     

     



  • 11.  RE: Connecting my home ISP modem > Juniper SRX > Wireless AP router for home use

    Posted 06-23-2020 12:51

    You received a public IP yet DHCP installed a private IP as a gateway (and on a different subnet)

     

    0.0.0.0/0 *[Access-internal/12] 00:01:17
    > to 10.11.1.121 via ge-0/0/0.0
    0.0.0.0/1 *[Direct/0] 00:01:17
    > via ge-0/0/0.0

     

    Looks like the DHCP configuration on your ISP is wrong. And where did the Direct 0.0.0.0/1 route come from? It says "Direct" but I looked at your config and it's nowhere to be found.



  • 12.  RE: Connecting my home ISP modem > Juniper SRX > Wireless AP router for home use

    Posted 06-23-2020 12:55

    And this is some messed up subnet by your ISP

     

    Addresses, Flags: Is-Preferred Is-Primary
    Destination: 0/1, Local: 70.XX.SS.AA Broadcast: 127.255.255.255,
    Generation: 154



  • 13.  RE: Connecting my home ISP modem > Juniper SRX > Wireless AP router for home use

     
    Posted 06-23-2020 21:41

    Hello , 

     

    That's right, we should not get a Private IP as next hop for a public DHCP IP. It seems the ISP router is messing things up here.
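
The route selection in the `show route 4.2.2.2` output above, reproduced as an added example that is not part of the thread and not Juniper code: Python's `ipaddress` module rebuilds the two routes from the lease values and applies longest-prefix match. `76.0.0.10` is a constructed stand-in for the masked address, netmask `128.0.0.0` is derived from the `Destination: 0/1` line in the interface output, and the function names and the `min_prefixlen` threshold are assumptions.

```python
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    protocol: str                                # label as shown by "show route"
    next_hop: Optional[ipaddress.IPv4Address]    # None = on-link (resolved by ARP)


def routes_from_lease(local: str, netmask: str, router: str) -> List[Route]:
    """Build the two routes a DHCP client ends up with: the connected route
    derived from address + mask, and the default route from the router option."""
    iface = ipaddress.ip_interface(f"{local}/{netmask}")
    return [
        Route(iface.network, "Direct", None),
        Route(ipaddress.ip_network("0.0.0.0/0"), "Access-internal",
              ipaddress.ip_address(router)),
    ]


def lookup(routes: List[Route], dest: str) -> Route:
    """Longest-prefix match: the most specific covering route wins."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen)


def audit_lease(local: str, netmask: str, router: str,
                probes: List[str], min_prefixlen: int = 8) -> List[str]:
    """Return findings for a lease. min_prefixlen is an assumed sanity
    threshold for a residential WAN lease, not a protocol rule."""
    iface = ipaddress.ip_interface(f"{local}/{netmask}")
    gw = ipaddress.ip_address(router)
    routes = routes_from_lease(local, netmask, router)
    findings = []
    if iface.network.prefixlen < min_prefixlen:
        findings.append(f"broad-mask:{iface.network}")
    if iface.ip.is_global and gw.is_private:
        findings.append(f"private-gateway:{gw}")
    for dest in probes:
        # A remote host covered by the connected route is treated as on-link,
        # so the default route is never consulted for it.
        if lookup(routes, dest).next_hop is None:
            findings.append(f"on-link-not-via-gateway:{dest}")
    return findings


# Constructed lease mirroring the thread's output (address is a stand-in).
LEASE = dict(local="76.0.0.10", netmask="128.0.0.0", router="10.11.1.121")

if __name__ == "__main__":
    routes = routes_from_lease(**LEASE)
    for dest in ("4.2.2.2", "8.8.8.8", "10.11.1.121", "207.164.234.193"):
        r = lookup(routes, dest)
        via = r.next_hop if r.next_hop else "on-link"
        print(f"{dest:16} -> {str(r.prefix):10} [{r.protocol}] {via}")
    for finding in audit_lease(probes=["4.2.2.2", "8.8.8.8"], **LEASE):
        print("finding:", finding)
```

Only destinations at or above 128.0.0.0, such as the pool's name server 207.164.234.193, fall through to the default route in this model.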