
Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Cannot use Netflix from internal zone interface vlan.0, but Youtube is working!!!

    Posted 01-28-2020 03:43

    Hello everyone

     

    My host is a smart TV. Netflix works from the ge-0/0/1.0 interface (internal zone). I am trying to use the spare switch ports on my SRX 240 to extend wired network capabilities. I have created vlan-10, assigned interfaces ge-0/0/2 - 5 to it, and placed the VLAN into the internal zone. I configured NAT and allowed all access. Now, when I connect my TV to ge-0/0/5.0, the TV gets connected to the internet and is able to use YouTube, but it does not connect to Netflix or Prime Video. Please see my configuration below. Many thanks for looking into my post.



  • 2.  RE: Cannot use Netflix from internal zone interface vlan.0, but Youtube is working!!!

    Posted 01-28-2020 03:59

    Please see the config below:

     

    /* Configuration as posted; the flat indentation is the forum's. The paste starts inside [edit system]: the closing brace after ntp below has no matching open brace in this listing. */
    services {
    ssh;
    web-management {
    https {
    system-generated-certificate;
    /* ge-0/0/0.0 is placed in zone Internet further down, so the web UI listens on the upstream-facing interface as well as on the LAN one. */
    interface [ ge-0/0/1.0 ge-0/0/0.0 ];
    }
    session {
    idle-timeout 60;
    }
    }
    dhcp {
    pool 10.0.10.0/24 {
    address-range low 10.0.10.20 high 10.0.10.30;
    name-server {
    8.8.8.8;
    8.8.4.4;
    }
    /* Gateway handed out is vlan.0's address; ge-0/0/1.0 also carries 10.0.10.1/24 in the same subnet (see interfaces). */
    router {
    10.0.10.3;
    }
    }
    }
    }
    syslog {
    archive size 100k files 3;
    user * {
    any emergency;
    }
    file messages {
    any critical;
    authorization info;
    }
    file interactive-commands {
    interactive-commands error;
    }
    /* RT_FLOW session logs carry internal and external addresses; world-readable lets every login on the device read the archive. */
    file policy_session {
    user info;
    match RT_FLOW;
    archive size 1000k world-readable;
    structured-data;
    }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
    autoupdate {
    url https://ae1.juniper.net/junos/key_retrieval;
    }
    }
    ntp {
    /* NOTE(review): the public NTP pool is normally addressed as <region>.pool.ntp.org; confirm this hostname resolves. */
    server us.ntp.pool.org;
    }
    }
    interfaces {
    /* Layer 2 access ports ge-0/0/2..5 in VLAN 10; they are switched, not routed, so vlan.0 below is the only L3 interface for this VLAN. */
    interface-range interfaces-vlan10 {
    member-range ge-0/0/2 to ge-0/0/5;
    unit 0 {
    family ethernet-switching {
    vlan {
    members vlan-internal;
    }
    }
    }
    }
    /* Upstream interface (zone Internet). A private 192.168.1.0/24 address with a default route via 192.168.1.1 suggests another router in front — confirm. */
    ge-0/0/0 {
    unit 0 {
    family inet {
    address 192.168.1.253/24;
    }
    }
    }
    /* Routed LAN interface; same subnet as vlan.0 (10.0.10.3/24), so two L3 interfaces share 10.0.10.0/24. */
    ge-0/0/1 {
    unit 0 {
    family inet {
    address 10.0.10.1/24;
    }
    }
    }
    /* The per-port mtu 1500, speed and link-mode lines on ge-0/0/2..5 are what the replies in this thread identify as the problem; the final reply reports Netflix working once every mtu statement was removed. */
    ge-0/0/2 {
    description "internal switchport";
    speed 1g;
    mtu 1500;
    link-mode full-duplex;
    gigether-options {
    auto-negotiation;
    }
    }
    ge-0/0/3 {
    description "internal switchport";
    speed 1g;
    mtu 1500;
    link-mode full-duplex;
    gigether-options {
    auto-negotiation;
    }
    }
    ge-0/0/4 {
    description "internal switchport";
    speed 1g;
    mtu 1500;
    link-mode full-duplex;
    gigether-options {
    auto-negotiation;
    }
    }
    ge-0/0/5 {
    description "internal switchport";
    speed 1g;
    mtu 1500;
    link-mode full-duplex;
    gigether-options {
    auto-negotiation;
    }
    }
    /* Routed interface for VLAN 10 (l3-interface in the vlans stanza at the end). */
    vlan {
    unit 0 {
    family inet {
    address 10.0.10.3/24;
    }
    }
    }
    }
    routing-options {
    static {
    route 0.0.0.0/0 next-hop 192.168.1.1;
    }
    }
    protocols {
    stp;
    }
    security {
    /* This web-filtering profile permits every category and every reputation tier, including harmful, with default permit, so it filters nothing; nothing in this listing (no utm-policy, no policy application-services) references it either. */
    utm {
    feature-profile {
    web-filtering {
    juniper-local {
    profile junos-wf-local-default {
    default permit;
    }
    }
    juniper-enhanced {
    profile junos-wf-enhanced-default {
    category {
    Enhanced_Streaming_Media {
    action permit;
    }
    Enhanced_Internet_Radio_and_TV {
    action permit;
    }
    Enhanced_Entertainment_Video {
    action permit;
    }
    }
    site-reputation-action {
    very-safe permit;
    moderately-safe permit;
    fairly-safe permit;
    suspicious permit;
    harmful permit;
    }
    default permit;
    }
    }
    }
    }
    }
    /* Screen profile is defined but no security-zone in this listing attaches it (no "screen untrust-screen" under zones), so these checks are not enforced on any interface. */
    screen {
    ids-option untrust-screen {
    icmp {
    ping-death;
    }
    ip {
    source-route-option;
    tear-drop;
    }
    tcp {
    syn-flood {
    alarm-threshold 1024;
    attack-threshold 200;
    source-threshold 1024;
    destination-threshold 2048;
    timeout 20;
    }
    land;
    }
    }
    }
    nat {
    source {
    /* Zone-scoped rule-set: covers every interface in zone Internal, vlan.0 included. */
    rule-set nsw_srcnat {
    from zone Internal;
    to zone Internet;
    rule nsw-src-interface {
    match {
    source-address 0.0.0.0/0;
    destination-address 0.0.0.0/0;
    }
    then {
    source-nat {
    interface;
    }
    }
    }
    }
    /* vlan.0 is already a member of zone Internal, so this interface-scoped rule-set duplicates nsw_srcnat; Junos picks the interface-based rule-set first, and both apply the same interface NAT, so the result is identical either way. */
    rule-set vlan_srcnat {
    from interface vlan.0;
    to zone Internet;
    rule vlan_srcnat_rule {
    match {
    source-address 0.0.0.0/0;
    destination-address 0.0.0.0/0;
    }
    then {
    source-nat {
    interface;
    }
    }
    }
    }
    }
    }
    policies {
    from-zone Internal to-zone Internet {
    /* Policies match top-down. The last policy, All_Internal_Internet, permits any application, so the application lists in the two policies above do not restrict anything; they only decide which policy a session is logged under. */
    policy internet_usage {
    match {
    source-address any-ipv4;
    destination-address any-ipv4;
    application [ junos-http junos-ssh junos-smtp junos-https junos-pop3 junos-ntp junos-imap junos-imaps junos-dns-udp junos-dns-tcp junos-icmp-ping junos-bgp ];
    }
    then {
    permit;
    log {
    session-init;
    session-close;
    }
    }
    }
    policy apple_google_sync {
    match {
    source-address any;
    destination-address [ google1 google2 apple1 apple2 google3 ];
    application [ tcp-5228 tcp-5223 tcp-8443 ];
    }
    then {
    permit;
    log {
    session-init;
    session-close;
    }
    }
    }
    policy All_Internal_Internet {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    log {
    session-init;
    session-close;
    }
    }
    }
    }
    }
    zones {
    security-zone Internal {
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    interfaces {
    ge-0/0/1.0 {
    host-inbound-traffic {
    system-services {
    ping;
    https;
    ssh;
    }
    }
    }
    vlan.0 {
    host-inbound-traffic {
    system-services {
    all;
    }
    }
    }
    /* These four are Layer 2 switch ports; the reply below recommends removing them from the zone, since vlan.0 is the zone member that matters. */
    ge-0/0/2.0;
    ge-0/0/3.0;
    ge-0/0/4.0;
    ge-0/0/5.0;
    }
    }
    security-zone Internet {
    address-book {
    address google1 64.233.166.188/32;
    address google2 172.217.169.33/32;
    address apple1 17.57.146.148/32;
    address apple2 17.57.146.149/32;
    address google3 74.125.71.188/32;
    }
    /* Zone-level default opens every service and protocol to the device from any interface later added to this zone; today only ge-0/0/0.0 is a member and its narrower per-interface list (https, ssh) takes precedence. No screen is attached to this zone. */
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    interfaces {
    ge-0/0/0.0 {
    host-inbound-traffic {
    system-services {
    https;
    ssh;
    }
    }
    }
    }
    }
    }
    }
    applications {
    /* No destination-port here, so this application matches TCP on any port, not just 5228 as the name suggests. */
    application tcp-5228 protocol tcp;
    application tcp-5223 {
    protocol tcp;
    destination-port 5223;
    }
    application tcp-8443 {
    protocol tcp;
    destination-port 8443;
    }
    }
    vlans {
    vlan-internal {
    vlan-id 10;
    l3-interface vlan.0;
    }
    }



  • 3.  RE: Cannot use Netflix from internal zone interface vlan.0, but Youtube is working!!!

     
    Posted 01-28-2020 04:20

    You can remove ge-0/0/2 - ge-0/0/5 from security-zone Internal; these are layer 2 interfaces. Your layer 3 interface vlan.0 is already specified.

     

    Is there a reason you've set the MTU on those interfaces? Those settings drop the MTU from 1514 down to 1500 and are likely blocking large inbound packets.

     

    For that matter, you can delete speed 1g, link-mode full-duplex, and gigether-options auto-negotiation, since auto-negotiation is on by default and these are all conflicting settings.



  • 4.  RE: Cannot use Netflix from internal zone interface vlan.0, but Youtube is working!!!
    Best Answer

    Posted 01-28-2020 11:58

    Thanks for your reply. I have committed the change as per your recommendation. The settings are as below now. Still no luck.

     

    /* Configuration after the first round of changes; the flat indentation is the forum's. The paste starts inside [edit system]: the closing brace after ntp below has no matching open brace in this listing. */
    services {
    ssh;
    web-management {
    https {
    system-generated-certificate;
    /* ge-0/0/0.0 is placed in zone Internet further down, so the web UI listens on the upstream-facing interface as well as on the LAN one. */
    interface [ ge-0/0/1.0 ge-0/0/0.0 ];
    }
    session {
    idle-timeout 60;
    }
    }
    dhcp {
    pool 10.0.10.0/24 {
    address-range low 10.0.10.20 high 10.0.10.30;
    name-server {
    8.8.8.8;
    8.8.4.4;
    }
    /* Gateway handed out is vlan.0's address; ge-0/0/1.0 also carries 10.0.10.1/24 in the same subnet (see interfaces). */
    router {
    10.0.10.3;
    }
    }
    }
    }
    syslog {
    archive size 100k files 3;
    user * {
    any emergency;
    }
    file messages {
    any critical;
    authorization info;
    }
    file interactive-commands {
    interactive-commands error;
    }
    /* RT_FLOW session logs carry internal and external addresses; world-readable lets every login on the device read the archive. */
    file policy_session {
    user info;
    match RT_FLOW;
    archive size 1000k world-readable;
    structured-data;
    }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
    autoupdate {
    url https://ae1.juniper.net/junos/key_retrieval;
    }
    }
    ntp {
    /* NOTE(review): the public NTP pool is normally addressed as <region>.pool.ntp.org; confirm this hostname resolves. */
    server us.ntp.pool.org;
    }
    }
    interfaces {
    /* Layer 2 access ports ge-0/0/2..5 in VLAN 10; ge-0/0/5 is additionally configured on its own below with the same VLAN membership. */
    interface-range interfaces-vlan10 {
    member-range ge-0/0/2 to ge-0/0/5;
    unit 0 {
    family ethernet-switching {
    vlan {
    members vlan-internal;
    }
    }
    }
    }
    /* Upstream interface (zone Internet). A private 192.168.1.0/24 address with a default route via 192.168.1.1 suggests another router in front — confirm. */
    ge-0/0/0 {
    unit 0 {
    family inet {
    address 192.168.1.253/24;
    }
    }
    }
    /* Routed LAN interface; same subnet as vlan.0 (10.0.10.3/24), so two L3 interfaces share 10.0.10.0/24. */
    ge-0/0/1 {
    unit 0 {
    family inet {
    address 10.0.10.1/24;
    }
    }
    }
    /* mtu 1500, speed and link-mode are still present on ge-0/0/2..4 in this revision; the next reply points this out, and the thread ends with Netflix working once all mtu statements were removed. */
    ge-0/0/2 {
    description "internal switchport";
    speed 1g;
    mtu 1500;
    link-mode full-duplex;
    gigether-options {
    auto-negotiation;
    }
    }
    ge-0/0/3 {
    description "internal switchport";
    speed 1g;
    mtu 1500;
    link-mode full-duplex;
    gigether-options {
    auto-negotiation;
    }
    }
    ge-0/0/4 {
    description "internal switchport";
    speed 1g;
    mtu 1500;
    link-mode full-duplex;
    gigether-options {
    auto-negotiation;
    }
    }
    /* Only ge-0/0/5 (the TV port) has had mtu, speed and link-mode removed so far; the explicit unit 0 stanza repeats what interface-range interfaces-vlan10 already applies. */
    ge-0/0/5 {
    description "internal switchport";
    gigether-options {
    auto-negotiation;
    }
    unit 0 {
    family ethernet-switching {
    port-mode access;
    vlan {
    members vlan-internal;
    }
    }
    }
    }
    /* Routed interface for VLAN 10 (l3-interface in the vlans stanza at the end). */
    vlan {
    unit 0 {
    family inet {
    address 10.0.10.3/24;
    }
    }
    }
    }
    routing-options {
    static {
    route 0.0.0.0/0 next-hop 192.168.1.1;
    }
    }
    protocols {
    stp;
    }
    security {
    /* This web-filtering profile permits every category and every reputation tier, including harmful, with default permit, so it filters nothing; nothing in this listing (no utm-policy, no policy application-services) references it either. */
    utm {
    feature-profile {
    web-filtering {
    juniper-local {
    profile junos-wf-local-default {
    default permit;
    }
    }
    juniper-enhanced {
    profile junos-wf-enhanced-default {
    category {
    Enhanced_Streaming_Media {
    action permit;
    }
    Enhanced_Internet_Radio_and_TV {
    action permit;
    }
    Enhanced_Entertainment_Video {
    action permit;
    }
    }
    site-reputation-action {
    very-safe permit;
    moderately-safe permit;
    fairly-safe permit;
    suspicious permit;
    harmful permit;
    }
    default permit;
    }
    }
    }
    }
    }
    /* Screen profile is defined but no security-zone in this listing attaches it (no "screen untrust-screen" under zones), so these checks are not enforced on any interface. */
    screen {
    ids-option untrust-screen {
    icmp {
    ping-death;
    }
    ip {
    source-route-option;
    tear-drop;
    }
    tcp {
    syn-flood {
    alarm-threshold 1024;
    attack-threshold 200;
    source-threshold 1024;
    destination-threshold 2048;
    timeout 20;
    }
    land;
    }
    }
    }
    nat {
    source {
    /* Zone-scoped rule-set: covers every interface in zone Internal, vlan.0 included. */
    rule-set nsw_srcnat {
    from zone Internal;
    to zone Internet;
    rule nsw-src-interface {
    match {
    source-address 0.0.0.0/0;
    destination-address 0.0.0.0/0;
    }
    then {
    source-nat {
    interface;
    }
    }
    }
    }
    /* vlan.0 is already a member of zone Internal, so this interface-scoped rule-set duplicates nsw_srcnat; Junos picks the interface-based rule-set first, and both apply the same interface NAT, so the result is identical either way. */
    rule-set vlan_srcnat {
    from interface vlan.0;
    to zone Internet;
    rule vlan_srcnat_rule {
    match {
    source-address 0.0.0.0/0;
    destination-address 0.0.0.0/0;
    }
    then {
    source-nat {
    interface;
    }
    }
    }
    }
    }
    }
    policies {
    from-zone Internal to-zone Internet {
    /* Policies match top-down. The last policy, All_Internal_Internet, permits any application, so the application lists in the two policies above do not restrict anything; they only decide which policy a session is logged under. */
    policy internet_usage {
    match {
    source-address any-ipv4;
    destination-address any-ipv4;
    application [ junos-http junos-ssh junos-smtp junos-https junos-pop3 junos-ntp junos-imap junos-imaps junos-dns-udp junos-dns-tcp junos-icmp-ping junos-bgp ];
    }
    then {
    permit;
    log {
    session-init;
    session-close;
    }
    }
    }
    policy apple_google_sync {
    match {
    source-address any;
    destination-address [ google1 google2 apple1 apple2 google3 ];
    application [ tcp-5228 tcp-5223 tcp-8443 ];
    }
    then {
    permit;
    log {
    session-init;
    session-close;
    }
    }
    }
    policy All_Internal_Internet {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    log {
    session-init;
    session-close;
    }
    }
    }
    }
    }
    zones {
    /* The Layer 2 ports ge-0/0/2.0..5.0 have been removed from this zone as suggested; vlan.0 remains the routed member for VLAN 10. */
    security-zone Internal {
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    interfaces {
    ge-0/0/1.0 {
    host-inbound-traffic {
    system-services {
    ping;
    https;
    ssh;
    }
    }
    }
    vlan.0 {
    host-inbound-traffic {
    system-services {
    all;
    }
    }
    }
    }
    }
    security-zone Internet {
    address-book {
    address google1 64.233.166.188/32;
    address google2 172.217.169.33/32;
    address apple1 17.57.146.148/32;
    address apple2 17.57.146.149/32;
    address google3 74.125.71.188/32;
    }
    /* Zone-level default opens every service and protocol to the device from any interface later added to this zone; today only ge-0/0/0.0 is a member and its narrower per-interface list (https, ssh) takes precedence. No screen is attached to this zone. */
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    interfaces {
    ge-0/0/0.0 {
    host-inbound-traffic {
    system-services {
    https;
    ssh;
    }
    }
    }
    }
    }
    }
    }
    applications {
    /* No destination-port here, so this application matches TCP on any port, not just 5228 as the name suggests. */
    application tcp-5228 protocol tcp;
    application tcp-5223 {
    protocol tcp;
    destination-port 5223;
    }
    application tcp-8443 {
    protocol tcp;
    destination-port 8443;
    }
    }
    vlans {
    vlan-internal {
    vlan-id 10;
    l3-interface vlan.0;
    }
    }



  • 5.  RE: Cannot use Netflix from internal zone interface vlan.0, but Youtube is working!!!

     
    Posted 01-28-2020 12:29

    You still have MTU settings on your switching interfaces.



  • 6.  RE: Cannot use Netflix from internal zone interface vlan.0, but Youtube is working!!!

    Posted 01-28-2020 12:40

    It is working after removing all MTU settings. Many thanks. : D



  • 7.  RE: Cannot use Netflix from internal zone interface vlan.0, but Youtube is working!!!

     
    Posted 01-28-2020 13:00

    Excellent!