SRX Services Gateway

Internet traffic not working when connected to Zyxell LTE 3301 in bridge mode

‎04-05-2019 12:54 PM

Internet connection through my SRX 300 when connected to my Zyxell LTE 3301 modem doesn't work. If the LTE 3301 is configured to have its own NAT and DHCP then traffic works. If I connect my PC directly to the LTE 3301 in bridge mode the internet traffic works. So I guess there is something wrong with my SRX 300 config. What should be fixed or checked? I can see from monitoring that the SRX 300 receives the public IP address from the LTE 3301.

 

Here are the interface configs

interfaces {
    ge-0/0/0 {
        gigether-options {
            no-loopback;
            auto-negotiation;
        }
        unit 0 {
            family inet {
                dhcp-client;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan0;
                }
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan0;
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan0;
                }
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan0;
                }
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan0;
                }
            }
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan0;
                }
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family inet {
                address 10.1.0.1/16;
            }
        }
    }
    irb {
        unit 0 {
            family inet {
                address 10.0.0.1/16;
            }
        }
    }
}

Here is the NAT config

 

 

 

    nat {
        source {
            rule-set nsw_srcnat {
                from zone [ DMZ Internal ];
                to zone Internet;
                rule nsw-src-interface {
                    match {
                        source-address 10.0.0.0/16;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }

 

 


Re: Internet traffic not working when connected to Zyxell LTE 3301 in bridge mode

‎04-05-2019 09:51 PM

Hi,

 

Could you please share the vlan and zone configuration as well?

> show configuration vlans

> show configuration security zone

 

Regards,

 

Vikas


Re: Internet traffic not working when connected to Zyxell LTE 3301 in bridge mode

‎04-05-2019 09:55 PM

Hi,

 

Is the SRX also configured as a DHCP server? Could you share the related config too?

 

Is this how the setup is : Client  ---- L2 ---- SRX --DHCP Client + NAT ---- L3 ---- DHCP Server -- Modem --- NAT---- Internet

 

Regards,

 

Vikas 


Re: Internet traffic not working when connected to Zyxell LTE 3301 in bridge mode

‎04-06-2019 02:00 AM

Hi bandog,

 

There is nothing wrong with either the LTE 3301 or the SRX300. I have debugged this exact same issue with another mobile router which can provide bridge mode.

 

The behaviour I'm seeing is that when configuring bridge mode, the mobile router still uses an RFC1918 prefix on the internal network and provides the public address as a /32 via DHCP. The default gateway, though, is still an IP in the RFC1918 prefix.

 

This behaviour works on Linux and Windows machines as well as Cisco IOS -  but Junos rejects a next-hop which is not within the interface prefix.

 

I found some old traceoption output from January 2017 where I tested this with a Digi WR21 mobile router. 192.168.1.0/24 was used as the internal prefix and it bridges the "external" IP 10.43.129.184 into the SRX on ge-0/0/0 with a /32 mask, and then the combination of IP/prefix and next-hop of 192.168.1.1 is rejected. See the traceoption output below.

 

In the Digi scenario there is actually an option to emulate the public prefix received via DHCP on the internal network, but only with a /24 (in this case dynamically create 10.43.129.0/24 on the internal net and provide 10.43.129.148/24 via DHCP to the SRX).

 

Sorry, I don't think this is solvable (unless you buy a different router which can do the same as Digi's WR series with emulation of the public IP net).

 

Jan  3 12:11:32.096460 [MSTR][INFO] [default:default][N/A][INET][ge-0/0/0.0][SID=0] JDHCPD_CLIENT_EVENT: Client(0x1a43c00) got event CLIENT_EVENT_START in state LOCAL_CLIENT_STATE_INIT
Jan  3 12:11:32.096919 [MSTR][INFO] [default:default][N/A][INET][ge-0/0/0.0] --[ DHCP/BOOTP   from == 0.0.0.0, port == 68 ]--
Jan  3 12:11:32.096971 [MSTR][INFO] [default:default][N/A][INET][ge-0/0/0.0] --[ DHCP/BOOTP   size == 268, op == 1 ]--
Jan  3 12:11:32.097006 [MSTR][INFO] [default:default][N/A][INET][ge-0/0/0.0] --[ DHCP/BOOTP  flags == 8000 ]--
Jan  3 12:11:32.097039 [MSTR][INFO] [default:default][N/A][INET][ge-0/0/0.0] --[ DHCP/BOOTP  htype == 1, hlen == 6 ]--
Jan  3 12:11:32.097072 [MSTR][INFO] [default:default][N/A][INET][ge-0/0/0.0] --[ DHCP/BOOTP   hops == 0, xid == 1a1c9eb1 ]--
Jan  3 12:11:32.097814 [MSTR][INFO] [default:default][N/A][INET][ge-0/0/0.0] --[ DHCP/BOOTP   secs == 0, flags == 8000 ]--
Jan  3 12:11:32.097854 [MSTR][INFO] [default:default][N/A][INET][ge-0/0/0.0] --[ DHCP/BOOTP ciaddr == 0.0.0.0 ]--
Jan  3 12:11:32.097891 [MSTR][INFO] [default:default][N/A][INET][ge-0/0/0.0] --[ DHCP/BOOTP yiaddr == 0.0.0.0 ]--
Jan  3 12:11:32.097926 [MSTR][INFO] [default:default][N/A][INET][ge-0/0/0.0] --[ DHCP/BOOTP siaddr == 0.0.0.0 ]--
Jan  3 12:11:32.097960 [MSTR][INFO] [default:default][N/A][INET][ge-0/0/0.0] --[ DHCP/BOOTP giaddr == 0.0.0.0 ]--
Jan  3 12:11:32.098047 [MSTR][INFO] [default:default][N/A][INET][ge-0/0/0.0] --[ DHCP/BOOTP chaddr == 0c 86 10 18 1e 40 00 00 00 00 00 00 00 00 00 00 ]--
Jan  3 12:11:32.098086 [MSTR][INFO] [default:default][N/A][INET][ge-0/0/0.0] --[ DHCP/BOOTP  sname ==  ]--
Jan  3 12:11:32.098118 [MSTR][INFO] [default:default][N/A][INET][ge-0/0/0.0] --[ DHCP/BOOTP   file ==  ]--
Jan  3 12:11:32.098171 [MSTR][INFO] [default:default][N/A][INET][ge-0/0/0.0] --[ OPTION code  55, len   9, data 03 33 01 0f 06 42 43 78 2c ]--
Jan  3 12:11:32.098295 [MSTR][INFO] [default:default][N/A][INET][ge-0/0/0.0] --[ OPTION code  50, len   4, data 0a 2b 81 b8 ]--
Jan  3 12:11:32.098344 [MSTR][INFO] [default:default][N/A][INET][ge-0/0/0.0] --[ OPTION code  53, len   1, data DHCP-REQUEST ]--
Jan  3 12:11:32.098384 [MSTR][INFO] [default:default][N/A][INET][ge-0/0/0.0] --[ OPTION code  51, len   4, data 00 01 51 80 ]--
Jan  3 12:11:32.098418 [MSTR][INFO] [default:default][N/A][INET][ge-0/0/0.0] --[ OPTION code 255, len   0 ]--
Jan  3 12:11:32.100007 [MSTR][NOTE] [default:default][N/A][INET][ge-0/0/0.0] jdhcpd_platform_iff_ppp_state_change_han: Unable to process iffm ppp rtsock add message from interface ge-0/0/0.0
Jan  3 12:11:32.100081 [MSTR][INFO]  jdhcpd_persistent_db_notify_ifl_up: Recieved:: IFL (ge-0/0/0.0) is up.
Jan  3 12:11:32.100378 [MSTR][INFO]  jdhcpd_ifdm_handler: ifd-event ge-0/0/1; oper add; state down; dev_index 137; ifm_type 0x3; ifm_link 0x1
Jan  3 12:11:32.100832 [MSTR][INFO] [ge-0/0/1.0] safd_new: Success to create safd entry: sus = 0x1bc6800; ifl-name:ge-0/0/1.0 rc = 0x1be6000; (default/default-switch/)iff = VPLS(1); iff(rc) = VPLS; rtt_index(4);
Jan  3 12:11:32.100899 [MSTR][INFO]  jdhcpd_iffm_handler_idl: RtrCtx: LS:default, RI:default-switch, AF:VPLS; is not configured
Jan  3 12:11:32.100938 [MSTR][INFO]  jdhcpd_iffm_handler_idl: No config for inteface ge-0/0/1.0
Jan  3 12:11:32.100976 [MSTR][NOTE] [default:default-switch][RLY][VPLS][ge-0/0/1.0] jdhcpd_platform_iff_ppp_state_change_han: Unable to process iffm ppp rtsock add message from interface ge-0/0/1.0
Jan  3 12:11:32.101039 [MSTR][INFO]  jdhcpd_persistent_db_notify_ifl_up: Recieved:: IFL (ge-0/0/1.0) is up.
Jan  3 12:11:32.101207 New IFBD :(0x1a14500) for LR default RI default-switch BD vlan-trust bd 3 ifl ge-0/0/1.0 ifl 73 parent ifl ge-0/0/1.0 (0x1bc6800)
Jan  3 12:11:32.101448 [MSTR][NOTE] [ge-0/0/1.0] jdhcpd_ifbdm_add_ifbd: ifbd exists 0x1a14500, no need to create for ge-0/0/1.0
Jan  3 12:11:32.101639 [MSTR][INFO]  jdhcpd_ifdm_handler: ifd-event ge-0/0/2; oper add; state down; dev_index 138; ifm_type 0x3; ifm_link 0x1
Jan  3 12:11:32.101788 [MSTR][WARN]  jdhcpd_client_io_recv_packet: Entered
Jan  3 12:11:32.101865 [MSTR][INFO]  jdhcpd_io_recv_pkt: recvmsg() l3_ifindex: 72
Jan  3 12:11:32.101935 [MSTR][NOTE] [default:default][N/A][INET][ge-0/0/0.0] jdhcpd_packet_handle: not dropping broadcast BOOTPREPLY as there is DHCP-CLIENT configured
Jan  3 12:11:32.101983 [MSTR][INFO] [default:default][N/A][INET][ge-0/0/0.0] --[ DHCP/BOOTP   from == 192.168.1.1, port == 67 ]--
Jan  3 12:11:32.102018 [MSTR][INFO] [default:default][N/A][INET][ge-0/0/0.0] --[ DHCP/BOOTP   size == 278, op == 2 ]--
Jan  3 12:11:32.102050 [MSTR][INFO] [default:default][N/A][INET][ge-0/0/0.0] --[ DHCP/BOOTP  flags == 8000 ]--
Jan  3 12:11:32.102082 [MSTR][INFO] [default:default][N/A][INET][ge-0/0/0.0] --[ DHCP/BOOTP  htype == 1, hlen == 6 ]--
Jan  3 12:11:32.102115 [MSTR][INFO] [default:default][N/A][INET][ge-0/0/0.0] --[ DHCP/BOOTP   hops == 0, xid == 1a1c9eb1 ]--
Jan  3 12:11:32.102148 [MSTR][INFO] [default:default][N/A][INET][ge-0/0/0.0] --[ DHCP/BOOTP   secs == 0, flags == 8000 ]--
Jan  3 12:11:32.102183 [MSTR][INFO] [default:default][N/A][INET][ge-0/0/0.0] --[ DHCP/BOOTP ciaddr == 0.0.0.0 ]--
Jan  3 12:11:32.102218 [MSTR][INFO] [default:default][N/A][INET][ge-0/0/0.0] --[ DHCP/BOOTP yiaddr == 10.43.129.184 ]--
Jan  3 12:11:32.102324 [MSTR][INFO] [default:default][N/A][INET][ge-0/0/0.0] --[ DHCP/BOOTP siaddr == 192.168.1.1 ]--
Jan  3 12:11:32.102369 [MSTR][INFO] [default:default][N/A][INET][ge-0/0/0.0] --[ DHCP/BOOTP giaddr == 0.0.0.0 ]--
Jan  3 12:11:32.102456 [MSTR][INFO] [default:default][N/A][INET][ge-0/0/0.0] --[ DHCP/BOOTP chaddr == 0c 86 10 18 1e 40 00 00 00 00 00 00 00 00 00 00 ]--
Jan  3 12:11:32.102493 [MSTR][INFO] [default:default][N/A][INET][ge-0/0/0.0] --[ DHCP/BOOTP  sname ==  ]--
Jan  3 12:11:32.102526 [MSTR][INFO] [default:default][N/A][INET][ge-0/0/0.0] --[ DHCP/BOOTP   file ==  ]--
Jan  3 12:11:32.102598 [MSTR][INFO] [default:default][N/A][INET][ge-0/0/0.0] --[ OPTION code  53, len   1, data DHCP-ACK ]--
Jan  3 12:11:32.102657 [MSTR][INFO] [default:default][N/A][INET][ge-0/0/0.0] --[ OPTION code   1, len   4, data ff ff ff ff ]--
Jan  3 12:11:32.102697 [MSTR][INFO] [default:default][N/A][INET][ge-0/0/0.0] --[ OPTION code   3, len   4, data c0 a8 01 01 ]--
Jan  3 12:11:32.102743 [MSTR][INFO] [default:default][N/A][INET][ge-0/0/0.0] --[ OPTION code   6, len   8, data c2 ef 86 53 c1 a2 99 a4 ]--
Jan  3 12:11:32.102783 [MSTR][INFO] [default:default][N/A][INET][ge-0/0/0.0] --[ OPTION code  51, len   4, data 00 00 00 a2 ]--
Jan  3 12:11:32.102821 [MSTR][INFO] [default:default][N/A][INET][ge-0/0/0.0] --[ OPTION code  54, len   4, data c0 a8 01 01 ]--
Jan  3 12:11:32.102855 [MSTR][INFO] [default:default][N/A][INET][ge-0/0/0.0] --[ OPTION code 255, len   0 ]--
Jan  3 12:11:32.102902 [MSTR][INFO]  jdhcpd_get_client_entry: initial rtbl index 0
Jan  3 12:11:32.103398 [MSTR][INFO]  jdhcpd_get_client_entry: new rtbl index 0
Jan  3 12:11:32.103472 [MSTR][NOTE] [default:default][N/A][INET][ge-0/0/0.0][SID=0] jdhcpd_packet_handle: RECEIVE ACK: stats_safd 0x1bc6000 ge-0/0/0.0, incoming_safd 0x1bc6000 ge-0/0/0.0, demux 0x0 , safd 0x1bc6000 ge-0/0/0.0
Jan  3 12:11:32.104371 [MSTR][INFO] [default:default][N/A][INET][ge-0/0/0.0][SID=0] JDHCPD_CLIENT_EVENT: Client(0x1a43c00) got event CLIENT_EVENT_ACK_PDU in state LOCAL_CLIENT_STATE_REBOOTING
Jan  3 12:11:32.104440 [MSTR][WARN] [default:default][N/A][INET][ge-0/0/0.0][SID=0] jdhcpd_client_process_ack_packet: Invaild ip/mask (network or broadcast address) a2b81b8/0, discard
Jan  3 12:11:32.104557 [MSTR][WARN] [default:default][N/A][INET][ge-0/0/0.0][SID=0] jdhcpd_client_state_requesting: Failed to process ACK packet, drop it ifl ge-0/0/0.0

I have not found other mobile router vendors providing this option.

 


--
Best regards,

Jonas Hauge Klingenberg
Systems Engineer, SEC DATACOM A/S (Denmark)
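
The check described in the reply above, as an added example (not code from the original post or from Juniper): it parses the address fields of the DHCP ACK in the quoted trace and tests whether the offered router (option 3) lies inside the subnet formed by yiaddr and the mask (option 1). The trimmed trace lines and the function names `parse_ack` and `gateway_on_link` are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the address-bearing lines of the DHCP ACK from the trace
# quoted in the post above, with timestamps and log prefixes trimmed.
ACK_TRACE = """\
--[ DHCP/BOOTP yiaddr == 10.43.129.184 ]--
--[ OPTION code  53, len   1, data DHCP-ACK ]--
--[ OPTION code   1, len   4, data ff ff ff ff ]--
--[ OPTION code   3, len   4, data c0 a8 01 01 ]--
--[ OPTION code  54, len   4, data c0 a8 01 01 ]--
"""

YIADDR_RE = re.compile(r"yiaddr == (\d+\.\d+\.\d+\.\d+)")
OPTION_RE = re.compile(r"OPTION code\s+(\d+), len\s+\d+, data ((?:[0-9a-f]{2} )+)\]")


def parse_ack(trace):
    """Return (yiaddr, mask, router) parsed from jdhcpd-style trace lines."""
    yiaddr = mask = router = None
    for line in trace.splitlines():
        m = YIADDR_RE.search(line)
        if m:
            yiaddr = ipaddress.IPv4Address(m.group(1))
        m = OPTION_RE.search(line)
        if not m:
            continue  # not an option line, or a symbolic value such as DHCP-ACK
        code, data = int(m.group(1)), bytes.fromhex(m.group(2))
        if code == 1 and len(data) == 4:      # option 1: subnet mask
            mask = ipaddress.IPv4Address(data)
        elif code == 3 and len(data) >= 4:    # option 3: router list, first entry
            router = ipaddress.IPv4Address(data[:4])
    return yiaddr, mask, router


def gateway_on_link(addr, mask, router):
    """True if the router lies inside the subnet implied by addr/mask."""
    iface = ipaddress.IPv4Interface(f"{addr}/{mask}")
    return ipaddress.IPv4Address(str(router)) in iface.network


if __name__ == "__main__":
    addr, mask, router = parse_ack(ACK_TRACE)
    print(addr, mask, router, "on-link:", gateway_on_link(addr, mask, router))
    # Address, mask and gateway as reported for the Windows PC in this thread.
    print(gateway_on_link("84.230.163.24", "255.255.255.240", "84.230.163.25"))
```
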

Re: Internet traffic not working when connected to Zyxell LTE 3301 in bridge mode

‎04-06-2019 07:27 AM

I really hope this is solvable. I did not imagine that a Juniper firewall would not work with certain routers.

 

Here is more information

 

root@juniper> show configuration vlans
vlan0 {
    vlan-id 2;
    l3-interface irb.0;
}

root@juniper> show configuration security zones
security-zone Internal {
    interfaces {
        irb.0 {
            host-inbound-traffic {
                system-services {
                    ping;
                    dhcp;
                    http;
                    https;
                    ssh;
                    telnet;
                }
            }
        }
    }
}
security-zone DMZ {
    interfaces {
        ge-0/0/7.0;
    }
}
security-zone Internet {
    interfaces {
        ge-0/0/0.0 {
            host-inbound-traffic {
                system-services {
                    dhcp;
                }
            }
        }
    }
}

DHCP configs:

 

    services {
        ssh;
        telnet;
        xnm-clear-text;
        dhcp-local-server {
            group jweb-default-group {
                interface irb.0;
            }
        }
        web-management {
            http;
            https {
                system-generated-certificate;
            }
            session {
                idle-timeout 60;
            }
        }
    }   


    address-assignment {
        pool jweb-default-pool {
            family inet {
                network 10.0.0.0/16;
                range jweb-default-range {
                    low 10.0.0.33;
                    high 10.0.255.254;
                }
                dhcp-attributes {
                    name-server {
                        8.8.8.8;
                        8.8.4.4;
                    }
                    router {
                        10.0.0.1;
                    }
                }
                host canon_printer {
                    hardware-address 2c:9e:fc:52:0f:1c;
                    ip-address 10.0.0.17;
                }
                host synology {
                    hardware-address 00:11:32:27:c9:a6;
                    ip-address 10.0.0.14;
                }
            }
        }
    }

Re: Internet traffic not working when connected to Zyxell LTE 3301 in bridge mode

‎04-06-2019 07:46 AM

Here is also more information on how the IP address comes from the LTE 3301. This is an example of how I see it on a Windows machine

IPv4 Address. . . . . . . . . . . : 84.230.163.24
Subnet Mask . . . . . . . . . . . : 255.255.255.240
Default Gateway . . . . . . . . . : 84.230.163.25

 

Here is one example of how I see the IP address in the SRX web console when checking the address for the interface. (The IP is different than above because I get a new public IP every time I restart the LTE 3301.) The address is not /32

 

Local 80.186.193.188
Destination 80.186.193.184/29
Broadcast 80.186.193.191

 


Re: Internet traffic not working when connected to Zyxell LTE 3301 in bridge mode

‎04-06-2019 08:44 AM

I think the problem might be that Juniper automatically uses multiple IPs for NAT because the public IP it gets is not /32. But only the first IP address should be used. I wasn't able to find a configuration to use only one IP when the dynamic IP contains a subnet.
Is this somehow doable?