SRX Services Gateway

Juniper SRX 110 ADSL Issue PPPoE connection (Single Site ADSL)

09-23-2013 05:26 AM

Hi, I am completely new to Junos configuration and, after many hours of research, I have not been able to get a basic ADSL PPPoE connection working with my configuration. This is not for a branch site but a single basic ADSL single-site connection.


Would anyone be kind enough to help point out what I am doing wrong in my configuration?


My Router IP: 192.168.1.9

My Desired DHCP Scope: 192.168.1.10 to .254

If it makes a difference, I have a static IP: bogus eg: 222.222.222.222


Ideally, my ultimate goal is:

* ADSL working for 6 ports; 7th port VLAN ID 4 (no internet access but local access to other ports).

* Port forward to 192.168.1.14 website hosted on server (DNS, DHCP, Web Server)

* NAT: if required (Not Sure)


Any help much appreciated:

----------------------------------------------------------------------------------------------------------


version 12.1R2.9;
system {
    host-name TEST;
    time-zone Australia/Sydney;
    root-authentication {
        encrypted-password "<Password>";
    }
    name-server {
        8.8.8.8;
    }
    services {
        ssh;
        telnet;
        xnm-clear-text;
        web-management {
            http {
                interface vlan.0;
            }
            https {
                system-generated-certificate;
                interface vlan.0;
            }
        }
        dhcp {
            pool 192.168.1.0/24 {
                address-range low 192.168.1.10 high 192.168.1.254;
                router {
                    192.168.1.9;
                }
            }
            propagate-settings fe-0/0/0.0;
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    fe-0/0/0 {
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
    fe-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    at-1/0/0 {
        description PPOE;
        mtu 1540;
        encapsulation ethernet-over-atm;
        atm-options {
            vpi 8;
        }
        dsl-options {
            operating-mode auto;
        }
        unit 0 {
            description TPG;
            encapsulation ppp-over-ether-over-atm-llc;
            vci 8.35;
        }
    }
    pp0 {
        traceoptions {
            flag all;
        }
        unit 0 {
            point-to-point;
            ppp-options {
                chap {
                    default-chap-secret "<Password>";
                    local-name shanny;
                    passive;
                }
                pap {
                    default-password "<Password>";
                    local-name <Username>;
                    local-password "<Password>";
                    passive;
                }
            }
            pppoe-options {
                underlying-interface at-1/0/0.0;
                idle-timeout 0;
                auto-reconnect 30;
                client;
            }
            no-keepalives;
            family inet {
                negotiate-address;
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.9/24;
            }
        }
    }
}
protocols {
    stp;
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                fe-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                        }
                    }
                }
            }
        }
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}

1 REPLY

Re: Juniper SRX 110 ADSL Issue PPPoE connection (Single Site ADSL)

09-25-2013 05:16 PM

I am not sure if it is required, however in your CHAP config, local-name is missing a realm. From a quick look at TPG's support pages, you need to add @l2tp.tpg.com.au for static IP plans. Unless you are sure from testing with a separate device that you can authenticate without the realm, perhaps try updating the local-name to include that and deactivate the PAP config (or vice versa). Configure traceoptions to debug the PPP negotiation (multiple other threads list steps for this) and perhaps work with your ISP to see if they can see authentication attempts reaching them.

If you actually do authenticate but find the session dropping prematurely, try deleting the 'no-keepalives' statement under your pp0.0 config. This theoretically should not be an issue; it's typically their BRAS/LNS/BNG that sends the keepalive for your SRX to respond to, however I'm unsure of TPG's setup.

You may also like to set an MSS to avoid MTU-related issues, e.g. if your MTU is 1492, add: set security flow tcp-mss all-tcp mss 1452


@NedKelly wrote:

Ideally, my ultimate goal is:

* ADSL working for 6 ports; 7th port VLAN ID 4 (no internet access but local access to other ports).

set vlans VLANFOUR vlan-id 4
set vlans VLANFOUR l3-interface vlan.4

set interfaces vlan unit 4 family inet address 192.168.4.9/24
set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members VLANFOUR

You can either statically assign the IP for that host on the new subnet and give it gateway of the vlan.4 address, or create a new DHCP scope.

set security zones security-zone NEWZONE host-inbound-traffic system-services all
set security zones security-zone NEWZONE host-inbound-traffic protocols all
set security zones security-zone NEWZONE interfaces vlan.4
set security zones security-zone NEWZONE interfaces fe-0/0/7.0

set security policies from-zone NEWZONE to-zone trust policy PERMITALL match source-address any
set security policies from-zone NEWZONE to-zone trust policy PERMITALL match destination-address any
set security policies from-zone NEWZONE to-zone trust policy PERMITALL match application any
set security policies from-zone NEWZONE to-zone trust policy PERMITALL then permit
set security policies from-zone trust to-zone NEWZONE policy PERMITALL match source-address any
set security policies from-zone trust to-zone NEWZONE policy PERMITALL match destination-address any
set security policies from-zone trust to-zone NEWZONE policy PERMITALL match application any
set security policies from-zone trust to-zone NEWZONE policy PERMITALL then permit


@NedKelly wrote:

* Port forward to 192.168.1.14 website hosted on server (DNS, DHCP, Web Server)

Here's an example port forward, repeat as necessary for other services:

set security nat destination rule-set JUNOS-PAT from zone untrust
set security nat destination rule-set JUNOS-PAT rule WEB_80 match destination-address 222.222.222.222/32
set security nat destination rule-set JUNOS-PAT rule WEB_80 match destination-port 80
set security nat destination rule-set JUNOS-PAT rule WEB_80 then destination-nat pool WEBSERVER
set security nat destination pool WEBSERVER address 192.168.1.14/32

If you need to restrict what sources can access the ports you have forwarded, you can define a policy under 'edit security policies', from the untrust to the trust zone.
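The untrust-to-trust policy that has to accompany the destination NAT rule above, written out as an added example (not from the thread): the SRX default policy is deny, and because destination NAT is applied before the policy lookup, the policy matches the internal address 192.168.1.14 rather than the public 222.222.222.222. The address-book entry WEBSERVER-INT and the policy name ALLOW-WEB-IN are assumed names; the zone names trust and untrust are the ones in the posted config.

```junos
# Added example: policy required for the WEB_80 destination NAT rule to pass traffic.
# Matches the post-NAT (internal) server address and only the HTTP application,
# so nothing else on 192.168.1.14 or the rest of 192.168.1.0/24 is reachable from untrust.
# Assumed names: WEBSERVER-INT (address-book entry), ALLOW-WEB-IN (policy).
set security zones security-zone trust address-book address WEBSERVER-INT 192.168.1.14/32
set security policies from-zone untrust to-zone trust policy ALLOW-WEB-IN match source-address any
set security policies from-zone untrust to-zone trust policy ALLOW-WEB-IN match destination-address WEBSERVER-INT
set security policies from-zone untrust to-zone trust policy ALLOW-WEB-IN match application junos-http
set security policies from-zone untrust to-zone trust policy ALLOW-WEB-IN then permit
# Log session setup and teardown so inbound hits on the forwarded port are visible in syslog.
set security policies from-zone untrust to-zone trust policy ALLOW-WEB-IN then log session-init session-close
```

To restrict the sources allowed in, replace source-address any with an address-book entry for the permitted networks. After commit, 'show security nat destination rule all' shows the translation hit counter and 'show security flow session destination-port 80' shows the resulting sessions.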



Feedback