SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  No idea on how to route my LAN traffic to Internet using SRX220 cluster

    Posted 05-17-2017 13:29

    Hello,

    I started by deleting everything:
    delete vlans, interfaces vlan, security zones security-zone trust interfaces, etc. (I figured I'd start from scratch).

    I successfully set up my cluster:

    Cluster ID: 1
    Node                  Priority          Status         Preempt  Manual failover
    
    Redundancy group: 0 , Failover count: 1
        node0                   100         primary          no       no  
        node1                   99          secondary        no       no  
    
    Redundancy group: 1 , Failover count: 2
        node0                   100         secondary        no       no  
        node1                   99           primary         no       no

    My swfab interfaces:

    swfab0:

        Name               Status
        ge-0/0/4           up

    swfab1:

        Name               Status
        ge-3/0/4           up

    Assigned physical interfaces (reth):

    set interfaces ge-0/0/2 gigether-options redundant-parent reth2
    set interfaces ge-3/0/2 gigether-options redundant-parent reth2

     reth2 unit 0 gets the static IP assigned by my ISP, xxx.xx.xxx.xxx/29.

     Cables from ge-0/0/2 and ge-3/0/2 connect to the back of the ISP's modem.

    After that I did:

    set security zones security-zone Untrust interfaces reth2.0 host-inbound-traffic system-services ssh
    set security zones security-zone Untrust interfaces reth2.0 host-inbound-traffic system-services https
    set security zones security-zone Untrust interfaces reth2.0 host-inbound-traffic system-services ping

    Default route points to my ISP's GW:

    set routing-options static route 0.0.0.0/0 next-hop xxx.xx.xxx.xxx

    Next:

    set security zones security-zone Trust description "LAN"
    set security zones security-zone Untrust description "Outside"
    set security zones security-zone Trust host-inbound-traffic protocols all
    set security zones security-zone Trust host-inbound-traffic system-services all

    Added all the necessary system services, added myself as a 'super-user'.

    I'm able to SSH into the SRX and I also have access to J-Web.

    I want to be able to plug my Linux boxes into ge-0/0/0 and ge-3/0/0 and get access to the Internet, so I do this:

    set interfaces ge-0/0/0 unit 0 family inet address 10.1.0.10/24
    set interfaces ge-3/0/0 unit 0 family inet address 10.2.0.20/24
    set security zones security-zone Trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
    set security zones security-zone Trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
    set security zones security-zone Trust interfaces ge-0/0/0.0
    set security zones security-zone Trust interfaces ge-3/0/0.0 host-inbound-traffic system-services ping
    set security zones security-zone Trust interfaces ge-3/0/0.0 host-inbound-traffic system-services ssh
    set security zones security-zone Trust interfaces ge-3/0/0.0

    set security zones security-zone Trust address-book address network_101 10.1.0.0/24
    set security zones security-zone Trust address-book address network_102 10.2.0.0/24

    set security policies from-zone Trust to-zone Untrust policy allow-Internal-Clients match source-address network_101
    set security policies from-zone Trust to-zone Untrust policy allow-Internal-Clients match source-address network_102
    set security policies from-zone Trust to-zone Untrust policy allow-Internal-Clients match destination-address any
    set security policies from-zone Trust to-zone Untrust policy allow-Internal-Clients match application any
    set security policies from-zone Trust to-zone Untrust policy allow-Internal-Clients then permit

    set security policies from-zone Trust to-zone Trust policy allow-Internal-Clients match source-address network_101
    set security policies from-zone Trust to-zone Trust policy allow-Internal-Clients match source-address network_102
    set security policies from-zone Trust to-zone Trust policy allow-Internal-Clients match destination-address any
    set security policies from-zone Trust to-zone Trust policy allow-Internal-Clients match application any
    set security policies from-zone Trust to-zone Trust policy allow-Internal-Clients then permit

    Source NAT:

    set security nat source rule-set Internal-to-Internet from zone Trust
    set security nat source rule-set Internal-to-Internet to zone Untrust
    set security nat source rule-set Internal-to-Internet rule Internet-Access match source-address 10.1.0.0/24
    set security nat source rule-set Internal-to-Internet rule Internet-Access match source-address 10.2.0.0/24
    set security nat source rule-set Internal-to-Internet rule Internet-Access match destination-address 0.0.0.0/0
    set security nat source rule-set Internal-to-Internet rule Internet-Access then source-nat interface

    Since I deleted entries (vlans, etc.) from my config, I think this is why I have trouble accessing Internet from LAN.

    I try to ping from one of my Linux boxes (ping 8.8.8.8) connected to ge-0/0/0 and I get: Network is unreachable.
    Now I have no clue on how to fix it and make it work. What steps did I miss?

    Any help would be greatly appreciated!

    Thank you.



  • 2.  RE: No idea on how to route my LAN traffic to Internet using SRX220 cluster

    Posted 05-18-2017 11:14

    Hi,

     

    Please provide the following trace files for further investigation:

    • set security flow traceoptions file test1 size 2m
    • set security flow traceoptions flag basic-datapath
    • set security flow traceoptions packet-filter pf1 source-prefix <Source_IP>
    • set security flow traceoptions packet-filter pf1 destination-prefix 8.8.8.8
    • set security flow traceoptions packet-filter pf2 source-prefix 8.8.8.8
    • set security flow traceoptions packet-filter pf2 destination-prefix <Source_IP>

    Initiate pings to 8.8.8.8 from the Source and collect these trace files.

    Regards,

    Sahil Sharma



  • 3.  RE: No idea on how to route my LAN traffic to Internet using SRX220 cluster

    Posted 05-25-2017 08:25

    sahilsha,

    Thank you for the suggestions!
    I will try to run these commands and get back to you.

    When you say "Initiate pings to 8.8.8.8 from the Source", by the Source you mean 10.1.0.0/24 my "network_101"?
    Or just the private IP of that Linux box connected to ge-0/0/0?

    Thank you!



  • 4.  RE: No idea on how to route my LAN traffic to Internet using SRX220 cluster

    Posted 05-20-2017 04:23

    set chassis cluster reth-count 3



  • 5.  RE: No idea on how to route my LAN traffic to Internet using SRX220 cluster

    Posted 05-25-2017 08:29

    lyndidon,
    Thank you for the reply!


    I already had this in my configuration:

    set chassis cluster reth-count 3


    And after that I applied this:

    set interfaces ge-0/0/2 gigether-options redundant-parent reth2
    set interfaces ge-3/0/2 gigether-options redundant-parent reth2

    :( no idea what went wrong.



  • 6.  RE: No idea on how to route my LAN traffic to Internet using SRX220 cluster

    Posted 05-29-2017 09:49

    I couldn't find any issue with your configuration, so I copy-pasted it to my lab boxes. I connected a host to ge-0/0/0, gave it an address from 10.1.0.0/24, gateway 10.1.0.10, and it works.



  • 7.  RE: No idea on how to route my LAN traffic to Internet using SRX220 cluster
    Best Answer

    Posted 05-31-2017 08:05

    My eth0 interface (on my Linux box) did not retain proper settings, so I fixed it and now I have access to the Internet from my LAN.
    Other than that, my config was correct.

    Thank you, everyone!
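As an added example (not code from any post in this thread), a Python check that ties the first post and the best answer together: it lints the Trust side of the SRX configuration from the first post (every Trust interface has an inet address and its subnet is covered by a source NAT rule), then checks constructed `ip route show` output from the Linux host for a default route via one of those SRX addresses, which is what "Network is unreachable" from ping points at. The host address 10.1.0.50 and the route lines are constructed samples, not from the thread.

```python
import ipaddress
import re
# Constructed sample: the LAN-side lines of the SRX configuration from the first post.
SRX_CONFIG = """
set interfaces ge-0/0/0 unit 0 family inet address 10.1.0.10/24
set interfaces ge-3/0/0 unit 0 family inet address 10.2.0.20/24
set security zones security-zone Trust interfaces ge-0/0/0.0
set security zones security-zone Trust interfaces ge-3/0/0.0
set security zones security-zone Untrust interfaces reth2.0
set security nat source rule-set Internal-to-Internet rule Internet-Access match source-address 10.1.0.0/24
set security nat source rule-set Internal-to-Internet rule Internet-Access match source-address 10.2.0.0/24
"""
# Constructed sample `ip route show` output: eth0 kept its address but lost its gateway.
HOST_ROUTES_BROKEN = "10.1.0.0/24 dev eth0 proto kernel scope link src 10.1.0.50\n"
HOST_ROUTES_OK = HOST_ROUTES_BROKEN + "default via 10.1.0.10 dev eth0\n"

ADDR_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet address (\S+)$")
ZONE_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)")
NAT_RE = re.compile(r"^set security nat source .* match source-address (\S+)$")

def parse_srx(config):
    """Return (logical interface -> ip_interface, zone -> interfaces, NAT source prefixes)."""
    addrs, zones, nat = {}, {}, set()
    for line in config.strip().splitlines():
        if m := ADDR_RE.match(line):
            addrs[f"{m[1]}.{m[2]}"] = ipaddress.ip_interface(m[3])  # ge-0/0/0.0 -> 10.1.0.10/24
        elif m := ZONE_RE.match(line):
            zones.setdefault(m[1], set()).add(m[2])
        elif m := NAT_RE.match(line):
            nat.add(ipaddress.ip_network(m[1]))
    return addrs, zones, nat

def lint_srx(config):
    """Findings on the SRX side that would stop Trust hosts from reaching the Internet."""
    addrs, zones, nat = parse_srx(config)
    findings = []
    for ifl in sorted(zones.get("Trust", ())):
        if ifl not in addrs:
            findings.append(f"{ifl} is in zone Trust but has no inet address")
        elif addrs[ifl].network not in nat:
            findings.append(f"{addrs[ifl].network} on {ifl} is not covered by a source NAT rule")
    return findings

def host_gateway_ok(ip_route_output, config):
    """True if the host's default route points at an SRX Trust-side address."""
    addrs, zones, _ = parse_srx(config)
    gateways = {str(addrs[i].ip) for i in zones.get("Trust", ()) if i in addrs}
    hops = re.findall(r"^default via (\S+)", ip_route_output, re.M)
    return any(hop in gateways for hop in hops)  # no default route -> "Network is unreachable"
```

With the thread's configuration `lint_srx` returns no findings, and the broken host routes fail `host_gateway_ok`, which is exactly the split the thread ended on.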