Router - Juniper SRX: Difference between revisions
(Changed to next-hop) |
(Added IPv6) |
||
Line 35: | Line 35: | ||
|} |
|} |
||
== |
== Dual-stack Example Config == |
||
* Statically configured IPv4 and IPv6 for a single AAISP line |
|||
* Trust VLAN on Ethernet Port 0-6 |
|||
* PPPoE configured on Ethernet Port 7 |
|||
<source> |
<source> |
||
## Last changed: 2015-03-29 17:42:36 BST |
|||
version 12.1X46-D30.2; |
|||
system { |
system { |
||
host-name dsl-router; |
host-name dsl-router; |
||
Line 93: | Line 99: | ||
url https://ae1.juniper.net/junos/key_retrieval; |
url https://ae1.juniper.net/junos/key_retrieval; |
||
} |
} |
||
⚫ | |||
ntp { |
|||
server 90.155.53.94; |
|||
server 90.155.53.93; |
|||
} |
} |
||
} |
} |
||
Line 118: | Line 128: | ||
} |
} |
||
} |
} |
||
lo0 { |
|||
unit 0 { |
|||
family inet6 { |
|||
address 2001:8b0:XXXX::1/128; |
|||
} |
|||
} |
} |
||
} |
|||
pp0 { |
|||
unit 0 { |
unit 0 { |
||
description AAISP; |
description AAISP; |
||
Line 142: | Line 156: | ||
mtu 1492; |
mtu 1492; |
||
negotiate-address; |
negotiate-address; |
||
} |
|||
family inet6 { |
|||
mtu 1492; |
|||
} |
} |
||
} |
} |
||
Line 149: | Line 166: | ||
family inet { |
family inet { |
||
address 192.168.1.1/24; |
address 192.168.1.1/24; |
||
} |
|||
family inet6 { |
|||
address 2001:8b0:XXXX:3::1/64; |
|||
} |
} |
||
} |
} |
||
Line 154: | Line 174: | ||
} |
} |
||
routing-options { |
routing-options { |
||
rib inet6.0 { |
|||
⚫ | |||
static { |
|||
route 0::0/0 next-hop pp0.0; |
|||
} |
|||
} |
|||
static { |
|||
route 0.0.0.0/0 next-hop pp0.0; |
|||
} |
|||
} |
} |
||
protocols { |
protocols { |
||
router-advertisement { |
|||
⚫ | |||
interface vlan.3 { |
|||
prefix 2001:8b0:XXXX:3::/64; |
|||
} |
|||
} |
|||
} |
} |
||
security { |
security { |
||
forwarding-options { |
|||
family { |
|||
inet6 { |
|||
mode flow-based; |
|||
} |
|||
} |
|||
} |
|||
screen { |
screen { |
||
ids-option untrust-screen { |
ids-option untrust-screen { |
||
Line 213: | Line 249: | ||
} |
} |
||
} |
} |
||
} |
|||
from-zone untrust to-zone trust { |
|||
policy ping6-to-trust { |
|||
match { |
|||
source-address any-ipv6; |
|||
destination-address any-ipv6; |
|||
application junos-pingv6; |
|||
} |
|||
then { |
|||
permit; |
|||
} |
|||
} |
|||
policy reject-untrust-to-trust { |
|||
match { |
|||
source-address any; |
|||
destination-address any; |
|||
application any; |
|||
} |
|||
then { |
|||
reject; |
|||
} |
|||
} |
|||
} |
|||
default-policy { |
|||
deny-all; |
|||
} |
} |
||
} |
} |
||
Line 227: | Line 288: | ||
interfaces { |
interfaces { |
||
vlan.3; |
vlan.3; |
||
lo0.0; |
|||
} |
} |
||
} |
} |
||
security-zone untrust { |
security-zone untrust { |
||
screen untrust-screen; |
screen untrust-screen; |
||
host-inbound-traffic { |
|||
system-services { |
|||
⚫ | |||
} |
|||
} |
|||
interfaces { |
interfaces { |
||
pp0.0; |
pp0.0; |
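Review bot: The added `ping6-to-trust` policy matches `destination-address any-ipv6`, so once the new `router-advertisement` block gives vlan.3 hosts global addresses, each of them answers echo requests from any internet source. If that is deliberate for diagnostics, say so in a comment above the policy (`# ICMPv6 echo is intentionally allowed to all LAN hosts`); otherwise narrow the destination to an address-book entry for the hosts that need it. Neither new untrust-to-trust policy carries a `log` action, so rejected inbound IPv6 attempts leave no record; `then { reject; log { session-init; } }` on `reject-untrust-to-trust` would provide one. The rendered diff has dropped some rows (the `⚫` lines), so this is based only on the lines still visible.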
Revision as of 17:09, 29 March 2015
The Juniper SRX range of routers are high-performance routers, intended for small business and branch networks. They can often be bought cheaply on eBay.
Known working setups
Router | JunOS Version | Modem | Who | IPv6 | Status |
---|---|---|---|---|---|
SRX100B | 12.1X44-D40.2 | ZyXEL P660R in bridge mode | Nhumfrey | ✗ | ✗ PADI sent but no PADO response |
SRX100B | 12.1X44-D40.2 | BT Provided Huawei HG612 FTTC Modem | Nhumfrey | ✗ | ✓ Working 2015-01-13 |
SRX100B | 12.1X46-D30.2 | BT Provided Huawei HG612 FTTC Modem | Nhumfrey | ✓ | ✓ Working 2015-03-22 |
Dual-stack Example Config
- Statically configured IPv4 and IPv6 for a single AAISP line
- Trust VLAN on Ethernet Port 0-6
- PPPoE configured on Ethernet Port 7
## Last changed: 2015-03-29 17:42:36 BST
# NOTE(review): this release string dates from the 2015 revision of the page; check the vendor's currently recommended release before reusing the config.
version 12.1X46-D30.2;
# System-level settings: identity, root login, DNS resolvers, management services, LAN DHCP, logging, licence updates and NTP.
system {
host-name dsl-router;
domain-name aa.net.uk;
time-zone Europe/London;
root-authentication {
# "XXXX" is a redaction placeholder; a real config carries the root password hash here, so saved copies of the config should be treated as sensitive.
encrypted-password "XXXX";
}
# Resolvers used by the router itself; the same two addresses are handed to DHCP clients below.
name-server {
217.169.20.20;
217.169.20.21;
}
services {
# No interface restriction is set on ssh here; which zones can reach it is decided by host-inbound-traffic in the security stanza (trust: all, untrust: ping only).
ssh;
# NOTE(review): xnm-clear-text is the unencrypted variant of the Junos XML management service; remove it unless something on the LAN depends on it.
xnm-clear-text;
web-management {
# NOTE(review): plain HTTP carries web-management logins unencrypted across vlan.3; the https stanza below serves the same interface, so this stanza can usually be dropped.
http {
interface vlan.3;
}
# HTTPS management on the LAN interface only, using a certificate the device generates itself (browsers will not trust it by default).
https {
system-generated-certificate;
interface vlan.3;
}
}
# DHCP server for the LAN: leases 192.168.1.100-250, with this router as gateway and the resolvers listed here.
dhcp {
name-server {
217.169.20.20;
217.169.20.21;
}
pool 192.168.1.0/24 {
address-range low 192.168.1.100 high 192.168.1.250;
router {
192.168.1.1;
}
}
}
}
# Logging is local only: no remote syslog host is configured, and the archive is limited to 3 files of 100k each, so history is short.
syslog {
archive size 100k files 3;
# Emergency-level messages go to every logged-in user.
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
# NOTE(review): only command errors are recorded here; a level of "any" would keep an audit trail of every CLI command — confirm against local logging policy.
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
# Licence keys are fetched automatically from this URL over HTTPS.
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
# Two NTP servers; no NTP authentication is configured in this stanza.
ntp {
server 90.155.53.94;
server 90.155.53.93;
}
}
# Physical and logical interfaces: seven LAN switch ports, one PPPoE uplink port, the loopback, the PPPoE session and the LAN layer-3 interface.
interfaces {
# Ports fe-0/0/0 to fe-0/0/6 are grouped as switch ports in vlan-trust.
interface-range interfaces-trust {
member fe-0/0/0;
member fe-0/0/1;
member fe-0/0/2;
member fe-0/0/3;
member fe-0/0/4;
member fe-0/0/5;
member fe-0/0/6;
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
# Port 7 carries the PPPoE session to the modem.
fe-0/0/7 {
description "PPPoE Port";
unit 0 {
encapsulation ppp-over-ether;
}
}
# Loopback with a single global IPv6 address (XXXX stands in for the redacted part of the prefix). lo0.0 is placed in the trust zone in the security stanza.
lo0 {
unit 0 {
family inet6 {
address 2001:8b0:XXXX::1/128;
}
}
}
# PPPoE client session towards the ISP.
pp0 {
unit 0 {
description AAISP;
point-to-point;
ppp-options {
chap {
# Both values are redaction placeholders. NOTE(review): Junos keeps secrets of this kind in an obfuscated, reversible form, so redact them as done here before sharing a config.
default-chap-secret "XXXX";
local-name "XXXX@a";
no-rfc2486;
# NOTE(review): presumably makes the router answer CHAP challenges without challenging the peer — confirm.
passive;
}
}
pppoe-options {
underlying-interface fe-0/0/7.0;
# NOTE(review): presumably 0 disables the idle timeout and 5 is the reconnect delay in seconds — confirm against the release documentation.
idle-timeout 0;
auto-reconnect 5;
client;
}
# 1492 leaves room for the PPPoE header inside a 1500-byte Ethernet frame; the IPv4 address is negotiated with the peer rather than configured.
family inet {
mtu 1492;
negotiate-address;
}
# IPv6 is enabled on the session with the same MTU; no IPv6 address is configured on pp0 itself.
family inet6 {
mtu 1492;
}
}
}
# Layer-3 interface for the LAN VLAN: private IPv4 gateway address plus a global IPv6 /64.
vlan {
unit 3 {
family inet {
address 192.168.1.1/24;
}
family inet6 {
address 2001:8b0:XXXX:3::1/64;
}
}
}
}
# Default routes for both address families, each pointing at the PPPoE session.
routing-options {
# IPv6 default route lives in the inet6.0 table.
rib inet6.0 {
static {
route 0::0/0 next-hop pp0.0;
}
}
# IPv4 default route.
static {
route 0.0.0.0/0 next-hop pp0.0;
}
}
# Router advertisements on the LAN so hosts can autoconfigure addresses in the /64.
# Those addresses are global, so LAN hosts are no longer hidden behind the IPv4 source NAT; inbound IPv6 is limited only by the untrust-to-trust security policies.
protocols {
router-advertisement {
interface vlan.3 {
prefix 2001:8b0:XXXX:3::/64;
}
}
}
# Firewall configuration: IPv6 forwarding mode, screen (IDS) options, IPv4 source NAT, inter-zone policies and zone membership.
security {
# Puts IPv6 through the flow engine so the zone policies below apply to it.
# NOTE(review): on this platform family a change of forwarding mode is understood to need a reboot before it takes effect — confirm for the release in use.
forwarding-options {
family {
inet6 {
mode flow-based;
}
}
}
# Screen profile attached to the untrust zone further down.
# NOTE(review): the options listed here were already present before IPv6 was added; check whether the release offers IPv6-specific screen options worth enabling.
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
# SYN-flood thresholds as chosen by the author; tune them to the line's real traffic.
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
# Source NAT for LAN traffic leaving via untrust, translated to the egress interface address.
# The match is 0.0.0.0/0, an IPv4 prefix, so IPv6 traffic is not translated by this rule.
nat {
source {
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
# Outbound: everything from the LAN is permitted; there is no egress filtering.
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
# Inbound: policies are evaluated in order, so ICMPv6 echo is permitted first and everything else is rejected.
from-zone untrust to-zone trust {
# NOTE(review): this lets any internet source ping any IPv6 address in the trust zone; narrow destination-address if only specific hosts need to be reachable.
policy ping6-to-trust {
match {
source-address any-ipv6;
destination-address any-ipv6;
application junos-pingv6;
}
then {
permit;
}
}
# reject notifies the sender, whereas deny drops silently; deny gives scanners less feedback.
# NOTE(review): no log action is set on this or any other policy, so neither permitted nor rejected sessions are recorded.
policy reject-untrust-to-trust {
match {
source-address any;
destination-address any;
application any;
}
then {
reject;
}
}
}
# Anything not matched by a policy above is dropped.
default-policy {
deny-all;
}
}
zones {
# LAN zone: every system service and protocol on the router is reachable from vlan.3 and lo0.0.
# NOTE(review): "all" includes the cleartext http and xnm-clear-text services enabled in the system stanza; list only the services actually needed.
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.3;
lo0.0;
}
}
# Internet-facing zone: the screen profile is applied and the router itself accepts only ping on pp0.0.
security-zone untrust {
screen untrust-screen;
host-inbound-traffic {
system-services {
ping;
}
}
interfaces {
pp0.0;
}
}
}
}
# The LAN VLAN: ID 3, routed through the vlan.3 layer-3 interface defined in the interfaces stanza.
vlans {
vlan-trust {
vlan-id 3;
l3-interface vlan.3;
}
}