vSRX

WAN IP subnet outside Gateway address subnet (Scaleway/Online.net)

‎07-12-2019 08:01 PM

So I have been pulling my hair out trying to get this to work. From a lot of reading, I gathered the following to be true:

The OVA file, once deployed, added 3 NICs:

Nic1 = fxp0

Nic2 = Ge-0/0/0

Nic3 = Ge-0/0/1

 

So Online.net failover IPs (as the primary gets installed as the ESXi management IP) do a wonderful thing here: they use this /32 IP and point the gateway to another IP address that is not even in the same /8.

Now, I have used them for a long time and know this works, as they whitelist the MAC of the network interface that is getting the WAN IP.

This has worked without issues in Linux (Untangle) and BSD with pfSense/OPNsense, as goofy as it may seem.

 

So I have my interfaces set up as follows:

 

fxp0.0 = dhcp 10.0.8.21 

Ge-0/0/0.0 10.0.10.1/24 (LAN / trusted zone ) 

Ge-0/0/1.0 212.129.44.5/32 ( Wan / untrusted ) 

The config is still very basic, but "show route" will not show my static route from 212.129.44.5 to 62.210.0.1, or the one from 62.210.0.1 to 0.0.0.0.

## Last changed: 2019-07-12 23:08:15 UTC
version 20190606.224121_builder.r1033375;
system {
    host-name SiptologySRX;
    root-authentication {
        encrypted-password "$6$W80.HFlK$vtuWt7eyhfxHnqlqNh4BfmxgA0k/n.J4nnn2Ihs6HPE6PN1lAXFcCRRcJWO3VyEcNspehI4i0FrRXNcwGqXrs/";
    }
    services {
        ssh;
        xnm-clear-text;
        web-management {
            http {
                interface fxp0.0;
            }
        }
    }
    backup-router 10.0.8.1;
    time-zone UTC;
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any any;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server 178.32.220.152 prefer;
    }
}
security {
    alg {
        dns maximum-message-length 512;
        msrpc group-max-usage 80 map-entry-timeout 480;
        sunrpc group-max-usage 80 map-entry-timeout 480;
        sccp disable;
        sip disable;
        ike-esp-nat {
            esp-gate-timeout 5;
            esp-session-timeout 1800;
            state-timeout 14400;
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    queue-size 2000;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set Outbound {
                from interface [ ge-0/0/0.0 fxp0.0 ];
                to interface ge-0/0/1.0;
                rule Outbound {
                    match {
                        source-address 10.0.10.0/24;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            tcp-rst;
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-0/0/1.0;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.0.10.1/24;
            }
        }
    }
    ge-0/0/1 {
        description WAN;
        gigether-options {
            auto-negotiation;
        }
        unit 0 {
            description wanlink;
            family inet {
                address 212.129.44.5/32 {
                    web-authentication {
                        http;
                        https;
                    }
                }
            }
        }
    }
    fxp0 {
        unit 0 {
            family inet {
                address 10.0.8.21/24;
            }
        }
    }
}
routing-options {
    static {
        route 10.3.0.0/16 next-hop 10.0.8.1;
        route 62.210.0.0/24 next-hop 212.129.44.5;
        route 0.0.0.0/0 {
            next-hop 62.210.0.1;
            resolve;
        }
    }
}
4 REPLIES

Re: WAN IP subnet outside Gateway address subnet (Scaleway/Online.net)

‎07-12-2019 10:22 PM

Hello,

 


@rsnyder wrote:

 

Ge-0/0/1.0 212.129.44.5/32 ( Wan / untrusted ) 

<skip>

 

routing-options {
    static {
        route 10.3.0.0/16 next-hop 10.0.8.1;
        route 62.210.0.0/24 next-hop 212.129.44.5;
        route 0.0.0.0/0 {
            next-hop 62.210.0.1;
            resolve;
        }
    }
}

 

 

You are pointing the 62.210.0.0/24 route to VSRX itself.

And JUNOS does not support next-hop being self in the same routing-instance or logical-system.

If You could share Your previous Linux working config then perhaps we could suggest an equivalent.

HTH

Thx

Alex

_____________________________________________________________________

Please ask Your Juniper account team about Juniper Professional Services offerings.
Juniper PS can design, test & build the network/part of the network as per Your requirements

+++++++++++++++++++++++++++++++++++++++++++++

Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !

Re: WAN IP subnet outside Gateway address subnet (Scaleway/Online.net)

‎07-13-2019 04:38 AM

What is working in Linux (Debian) is

/etc/network/interfaces:

auto eth1

iface eth1 inet static

address 212.83.173.8

netmask 255.255.255.255

gateway 62.210.0.1  

 

and it just works. Same with BSD: a similar setup in pfSense, where I specify the gateway in the config.

 

Solution
Accepted by topic author rsnyder
‎07-13-2019 06:50 AM

Re: WAN IP subnet outside Gateway address subnet (Scaleway/Online.net)

‎07-13-2019 05:38 AM

Hello,

 


@rsnyder wrote:

What is working in Linux (Debian) is

/etc/network/interfaces:

auto eth1

iface eth1 inet static

address 212.83.173.8

netmask 255.255.255.255

gateway 62.210.0.1  

 

and it just works. Same with BSD: a similar setup in pfSense, where I specify the gateway in the config.

 


 

The equivalent JUNOS feature is the unnumbered Ethernet interface:

https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/unnumbere...

 

BUT - it is not supported on SRX, only on the M/T/MX/EX series.

 

If You want to keep the SRX, You have a couple of choices:

1/ change Your provider

2/ have a Linux/BSD box in front of the SRX for the purpose of resolving a gateway outside the interface subnet

 

HTH

Thx

Alex

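To see why the original static routes never appear in "show route" and why the Debian configuration quoted above does work, it helps to model the next-hop resolution step a router performs before installing a static route. The following Python script is an added illustration, not code from the thread or from Junos: it takes the interface addresses and static routes from the first post, classifies each next hop (on a connected subnet, recursively resolved through another static, one of the router's own addresses, or unresolvable), and then repeats the check on a Linux-style table where a /32 host route for 62.210.0.1 is bound directly to the WAN interface, which is what the Debian "gateway outside the netmask" setup amounts to. The "interface name as next hop" form in the second table is an assumption of the model to express that Linux behaviour; Alex's reply states that the SRX does not offer it, so it is not a Junos statement.

```python
import ipaddress

# Constructed from the thread's vSRX configuration: interface -> address/prefix.
INTERFACES = {
    "fxp0.0": "10.0.8.21/24",
    "ge-0/0/0.0": "10.0.10.1/24",
    "ge-0/0/1.0": "212.129.44.5/32",
}

# (prefix, next-hop) pairs exactly as in the first post's routing-options.
ORIGINAL_STATICS = [
    ("10.3.0.0/16", "10.0.8.1"),
    ("62.210.0.0/24", "212.129.44.5"),
    ("0.0.0.0/0", "62.210.0.1"),
]

# Linux/BSD-style equivalent (assumed notation for this model only): a /32 host
# route for the off-subnet gateway bound to the WAN interface, and the default
# route recursing through it. Not a Junos configuration statement.
LINUX_STYLE_STATICS = [
    ("10.3.0.0/16", "10.0.8.1"),
    ("62.210.0.1/32", "ge-0/0/1.0"),
    ("0.0.0.0/0", "62.210.0.1"),
]


def _local_addresses(interfaces):
    """Addresses owned by this router; a next hop must never be one of them."""
    return {ipaddress.ip_interface(a).ip for a in interfaces.values()}


def _connected(interfaces):
    """Connected routes derived from the interface addresses."""
    return [(ipaddress.ip_interface(a).network, n) for n, a in interfaces.items()]


def resolve_next_hop(next_hop, interfaces, statics, _seen=None):
    """Classify a next hop the way a forwarding lookup would.

    Returns (status, detail) with status one of:
      'interface'  next hop is an interface name (Linux 'dev' style route)
      'direct'     next hop lies inside a connected subnet
      'recursive'  next hop was resolved through another static route
      'rejected'   next hop is one of this router's own addresses
      'unresolved' nothing covers the next hop, or the chain dead-ends or loops
    """
    _seen = _seen or set()
    if next_hop in interfaces:
        return "interface", next_hop
    nh = ipaddress.ip_address(next_hop)
    if nh in _local_addresses(interfaces):
        return "rejected", "next-hop is a local address of this router"
    for net, name in _connected(interfaces):
        if nh in net:  # a /32 connected route covers only the address itself
            return "direct", name
    if nh in _seen:
        return "unresolved", "recursion loop"
    _seen = _seen | {nh}
    # Recursive resolution: longest-prefix match among the other statics.
    candidates = [(ipaddress.ip_network(p), h) for p, h in statics
                  if nh in ipaddress.ip_network(p)]
    if not candidates:
        return "unresolved", "no route covers the next-hop"
    net, via = max(candidates, key=lambda c: c[0].prefixlen)
    status, detail = resolve_next_hop(via, interfaces, statics, _seen)
    if status in ("direct", "interface", "recursive"):
        return "recursive", f"via {net} -> {detail}"
    return "unresolved", f"via {net}: {detail}"


def check_static_routes(interfaces, statics):
    """Map every static prefix to its (status, detail) resolution result."""
    return {p: resolve_next_hop(h, interfaces, statics) for p, h in statics}


if __name__ == "__main__":
    for label, table in (("original", ORIGINAL_STATICS),
                         ("linux-style", LINUX_STYLE_STATICS)):
        print(f"== {label} table ==")
        for prefix, (status, detail) in check_static_routes(INTERFACES, table).items():
            print(f"{prefix:16} {status:10} {detail}")
```

In the original table the 62.210.0.0/24 route is rejected because its next hop is the router's own WAN address, and the default route then becomes unresolvable because its recursive lookup for 62.210.0.1 lands on that rejected route; a router that only installs resolved statics shows neither. In the Linux-style table the host route makes 62.210.0.1 reachable through the interface without an intermediate IP next hop, so the default route resolves.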

Re: WAN IP subnet outside Gateway address subnet (Scaleway/Online.net)

‎07-13-2019 07:00 AM

Alex, 

 

Thank you for your quick reply. 

 

I will say it is very disappointing that this is the first virtualized firewall that has not been able to handle this. Even the horrible SonicWall virtual appliance works with this setup, as does the Cisco ASAv platform.

 

Since this was in a "lab" environment, option 1 is just not going to work; while option 2 could work, it defeats the purpose of the test. This was for an evaluation where I needed to put a real load on all the features of the vSRX and then move on to physical hardware at our office. I may just reach out to our rep for a hardware trial of the SRX300, as that is what we would deploy the most for a large number of our clients.

 

It is what it is, as they say. Thank you for your help.