SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Switching on the SRX

    Posted 02-27-2014 12:30

    Hello everyone,

    This could be a simple yes, or a no (it cannot be done); if it's a yes then please could someone tell me the way...

    At home this is my current setup:

    ADSL modem -----> fe-0/0/0 Juniper SRX110 fe-0/0/1 -------> Wireless AP

    fe-0/0/1 to 7 are configured as ethernet-switching members of vlan-trust and I have DHCP enabled, the router being 192.168.1.1.

    I would like to add Sophos UTM into the mix. I have set up the two interfaces on the Sophos UTM in bridged mode, so one needs to be connected to the internal LAN and the other as the route to external.

    The question is: can I use the SRX as the switch but then also use another interface for the Sophos external interface? Or is this not possible and I require another switch? As when anything on vlan-trust hits the SRX it is routed via the default route through the SRX.

    Maybe a silly question but thanks!

    Ross


  • 2.  RE: Switching on the SRX
    Best Answer

    Posted 03-03-2014 02:16

    Hi Ross,

    I can see your problem.

    One solution might be to create another VLAN on your SRX - "SOPHOS-Trust" that has fe-0/0/1-6, but no l3-interface. Now plug the SOPHOS "Internet" side into fe-0/0/7 (VLAN trust) and the "local" side into fe-0/0/6. This way you should get all traffic flowing through the SOPHOS on its way to VLAN trust and your default gateway.
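    As an added illustration (not Ben's config and not taken from anywhere in this thread), here is the full hierarchy his answer implies, in Junos curly-brace form. The interface names and the two VLAN names follow the thread; the VLAN ids, the 192.168.1.1/24 address on vlan.0 and the choice of fe-0/0/1 to fe-0/0/6 for the Sophos side are assumptions. The security-zone and DHCP configuration for vlan.0 is left as it already is on the box.

```junos
/* Added example configuration, not from the original thread. */
interfaces {
    /* fe-0/0/1 .. fe-0/0/6: LAN ports plus the Sophos "local" side. */
    fe-0/0/1 { unit 0 { family ethernet-switching { vlan { members SOPHOS-Trust; } } } }
    fe-0/0/2 { unit 0 { family ethernet-switching { vlan { members SOPHOS-Trust; } } } }
    fe-0/0/3 { unit 0 { family ethernet-switching { vlan { members SOPHOS-Trust; } } } }
    fe-0/0/4 { unit 0 { family ethernet-switching { vlan { members SOPHOS-Trust; } } } }
    fe-0/0/5 { unit 0 { family ethernet-switching { vlan { members SOPHOS-Trust; } } } }
    fe-0/0/6 { unit 0 { family ethernet-switching { vlan { members SOPHOS-Trust; } } } }
    /* fe-0/0/7: only the Sophos "Internet" side lives in the routed VLAN. */
    fe-0/0/7 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } }
    /* Routed VLAN interface; address is an assumption based on Ross's post. */
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
vlans {
    /* Layer 2 only: no l3-interface, so the SRX never routes or inspects
       frames on this segment; it only switches them between its ports.
       The Sophos bridge is the only path from here to vlan-trust. */
    SOPHOS-Trust {
        vlan-id 4;
    }
    /* Existing routed VLAN; the default gateway and DHCP stay on vlan.0. */
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}
```

    Once committed, `show vlans` confirms which ports sit in each VLAN and `show ethernet-switching table` shows the learned MAC addresses per VLAN, which is the only place the SRX will ever show SOPHOS-Trust traffic: because that VLAN has no l3-interface, SRX security policies and the flow session table do not apply to it, so the Sophos bridge is the sole inspection point between the LAN and the gateway.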



  • 3.  RE: Switching on the SRX

    Posted 03-04-2014 16:11
    Hi Ben,

    Thanks that's great, it has worked perfectly 🙂

    A very minor point: I cannot ping the SRX vlan-trust router IP even though that's where I am getting my IP from for the client on the sophos-trust VLAN. Is this expected behaviour? It may be the Sophos UTM blocking it, so not a big deal.

    Here is the config I added (alongside the default trust VLAN) to be sure:

    The two different interfaces below for example:

    interfaces {
        fe-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-Sophos-trust;
                    }
                }
            }
        }
    }
    vlans {
        vlan-Sophos-trust {
            vlan-id 4;
            interface {
                fe-0/0/2.0;
                fe-0/0/3.0;
                fe-0/0/4.0;
            }
        }
        vlan-trust {
            vlan-id 3;
            l3-interface vlan.0;
        }
    }

    Many thanks for the help!
    Ross


  • 4.  RE: Switching on the SRX

    Posted 03-06-2014 15:54

    Hi Ross - thanks, glad it worked.

    As to why the ping is being blocked - I can't think of any good reason (especially if other traffic is flowing). Maybe check the flow table (show security flow session protocol icmp) and see if that gives any hints. Unfortunately, that won't show any flow through the Sophos-Trust VLAN because it's all Layer 2.

    So if you see nothing in the flow log, then it may be the Sophos box stopping the traffic.



  • 5.  RE: Switching on the SRX

    Posted 03-10-2014 13:49
    Hi Ben,

    Thanks, it was the Sophos blocking it. I had to disable a setting, ICMP forwarding, because I have it configured in bridge mode; this traffic passes without the need to forward.

    Thanks for your help.
    Ross