SRX220H pppoe, can't open some website

  • 1.  SRX220H pppoe, can't open some website

    Posted 12-23-2010 17:15

    I have an SRX220H device using PPPoE. My office has 2 internal networks, say 192.168.100.0/24 and 192.168.200.0/24. After connecting to the PPPoE server, each subnet goes out through one public IP: the first subnet goes out through public_IP1 and the second subnet through public_IP2. This setup is working fine for me.

    However, when accessing some websites, it doesn't work properly (some work, some don't). I thought it was because of DNS server issues, but changing several DNS servers on the SRX device still didn't solve the problem. Moreover, there is a wireless modem; some laptops can connect to it and go out to the Internet, but some laptops aren't able to connect to it. It is so weird.

    In addition, I tried using MikroTik RouterOS to replace the SRX device, and none of these problems appeared. So I assume it is an SRX configuration issue. Some of the configuration is shown below:

    Does anyone have an idea what's wrong with the config?

    P.S. Merry Xmas and happy new year 🙂

     

    #####################################################

    dhcp {
                router {
                    192.168.1.1;
                }
                pool 192.168.1.0/24 {
                    address-range low 192.168.1.2 high 192.168.1.254;
                }
                pool 192.168.200.0/24 {
                    address-range low 192.168.200.100 high 192.168.200.200;
                    router {
                        192.168.200.254;
                    }
                }
                pool 192.168.100.0/24 {
                    address-range low 192.168.100.100 high 192.168.100.200;
                    router {
                        192.168.100.254;
                    }
                }
                propagate-settings ge-0/0/0.0;
            }
        }

     

    #####################################################

    pp0 {
            unit 0 {
                ppp-options {
                    pap {
                        default-password "$9$4nZGiQz6t0ItuclKM-dDikqT3";
                        local-name xxxxxxx;
                        local-password "$9$8XL7NbZGim5Fmf/tuOSydbsYJD";
                        passive;
                    }
                }
                pppoe-options {
                    underlying-interface ge-0/0/0.0;
                    idle-timeout 10;
                    auto-reconnect 1;
                    client;
                }
                family inet {
                    mtu 1492;
                    address 203.213.xxx.xxx/29;
                }
            }
        }

     

    ###################################

    routing-options {
        static {
            route 0.0.0.0/0 next-hop [ pp0.0 203.213.xxx.xxx ];
        }
    }
    protocols {
        stp;
    }
    security {
        nat {
            source {
                pool ch-out-ip {
                    address {
                        "public_IP1"/32;
                    }
                }
                pool ofm-out-ip {
                    address {
                        "public_IP2"/32;
                    }
                }
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
                rule-set ch-nat {
                    from zone CH-zone;
                    to zone untrust;
                    rule ch-nat-rule {
                        match {
                            source-address 192.168.200.0/24;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                pool {
                                    ch-out-ip;
                                }
                            }
                        }
                    }
                }
                rule-set ofm-nat {
                    from zone OFM-zone;
                    to zone untrust;
                    rule ofm-nat-rule {
                        match {
                            source-address 192.168.100.0/24;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                pool {
                                    ofm-out-ip;
                                }
                            }
                        }
                    }
                }
            }
        }



  • 2.  RE: SRX220H pppoe, can't open some website
    Best Answer

    Posted 12-24-2010 01:37

    Your config looks good at first glance. Try reducing the MSS size to, say, 1350. That helps in many cases with your problem description:

     

     

    set security flow tcp-mss all-tcp mss 1350

     

     

    Regards,

    Dominik
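
An added example, not part of the thread or of Dominik's reply: one way to check how large a packet the path behind the PPPoE link actually carries, and which TCP MSS fits it, before picking a clamp value. It assumes a Linux host with iputils `ping` (the `-M do` flag sets Don't Fragment) and a target that answers ICMP echo; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): measure the path MTU with DF-bit pings
# and derive the TCP MSS that fits it. All function names are hypothetical.

# probe SIZE HOST: true if an IPv4 packet of SIZE bytes reaches HOST unfragmented.
# Assumes Linux iputils ping; -s is ICMP payload, so subtract 20 (IP) + 8 (ICMP).
probe() {
    ping -M do -c 1 -W 1 -s "$(( $1 - 28 ))" "$2" >/dev/null 2>&1
}

# find_pmtu HOST [LOW] [HIGH]: binary search for the largest size that passes.
# Prints the result; returns 1 if even LOW gets no reply (host down or ICMP blocked).
find_pmtu() {
    pm_host=$1 pm_lo=${2:-576} pm_hi=${3:-1500}
    probe "$pm_lo" "$pm_host" || return 1
    while [ "$pm_lo" -lt "$pm_hi" ]; do
        pm_mid=$(( (pm_lo + pm_hi + 1) / 2 ))
        if probe "$pm_mid" "$pm_host"; then
            pm_lo=$pm_mid
        else
            pm_hi=$(( pm_mid - 1 ))
        fi
    done
    echo "$pm_lo"
}

# mss_for_mtu MTU: largest MSS for that MTU (20-byte IPv4 + 20-byte TCP header).
mss_for_mtu() {
    echo "$(( $1 - 40 ))"
}

# mss_fits MSS MTU: true if a full segment with this MSS fits in MTU bytes.
mss_fits() {
    [ "$(( $1 + 40 ))" -le "$2" ]
}

# Usage: sh pmtu.sh HOST [CONFIGURED_MSS]
if [ "$#" -ge 1 ]; then
    pmtu=$(find_pmtu "$1") || { echo "no reply from $1 at 576 bytes" >&2; exit 1; }
    echo "path MTU to $1: $pmtu bytes; largest MSS that fits: $(mss_for_mtu "$pmtu")"
    if [ -n "${2:-}" ] && ! mss_fits "$2" "$pmtu"; then
        echo "configured MSS $2 is too large for this path" >&2
    fi
fi
```

With the `mtu 1492` configured on `pp0` above, the largest MSS that fits is 1452, so the suggested 1350 leaves headroom for any further encapsulation along the path.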



  • 3.  RE: SRX220H pppoe, can't open some website

    Posted 12-28-2010 18:32
    If your PPPoE interface is in your external zone, it should probably be your interface to propagate-settings for DHCP. Also, I usually see the default route point to pp0.0, but I see you have two routes, perhaps splitting traffic? Are the PCs using a DNS server on their trust zone, or are you relying on an ISP, hence propagate? You might try to manually assign 8.8.4.4 to a host for testing...


  • 4.  RE: SRX220H pppoe, can't open some website

    Posted 12-28-2010 15:29

    Can you tell me more about this wireless modem? In particular topology, IP addresses, etc. so that I can imagine your problem better?

     

    Regards,

    Dominik



  • 5.  RE: SRX220H pppoe, can't open some website

    Posted 12-28-2010 19:28

    Ah cool, I didn't see it marked as an accepted solution so I wasn't sure.  😉



  • 6.  RE: SRX220H pppoe, can't open some website

    Posted 9 days ago

    Good day,

    I am using an SRX320 with the latest update as of today as the gateway for my network, which is connected via a fiber connection. I am facing a similar issue: I cannot access some websites such as epson.com and the iTunes Store, and cannot activate an iPhone or detect iPhone updates in my network.


    Is this related to "tcp-mss" settings?!

    Appreciate your help.

     Thanks.
    FA 






  • 7.  RE: SRX220H pppoe, can't open some website

    Posted 12-28-2010 15:24

    I changed the MSS size to, say, 1350, and it seems to solve the issue of websites being unable to open. I will keep using it for a while and see if everything is fine. Thanks for the suggestions.

    However, the wireless network problem is still there. Weird that my laptop is able to connect and access the Internet, but other colleagues' laptops are able to connect to the wireless but unable to access the Internet. I still assume that it is not a laptop config issue.



  • 8.  RE: SRX220H pppoe, can't open some website

    Posted 12-28-2010 17:26

    The wireless modem model is a CISCO WRVS4400N, only used for one subnet, with IP address 192.168.200.253 (the default gateway is 192.168.200.254, which is the SRX ge-0/0/7.0); the wireless modem is also set as DHCP relay on the default gateway. The operating mode for the modem is set as gateway, while all firewall, routing and security settings are disabled.

    Lastly, this issue seems to happen only on some laptops with Vista Business (able to obtain an IP address but cannot access the Internet), because I tried several laptops with WinXP, Win7 and even an iPhone, and all of them are able to access the Internet. Meanwhile I will do more testing and see if I can figure out what the problem really is. Thanks for your help, Dominik



  • 9.  RE: SRX220H pppoe, can't open some website

    Posted 12-28-2010 19:35

    ya, because there is still a weird problem, the wireless issue, thanks for your opinion colemtb 🙂



  • 10.  RE: SRX220H pppoe, can't open some website

    Posted 12-28-2010 19:14

    colemtb: I used 2 routes for 2 internal subnets, 2 companies in one office, and we want each company to go through 1 public IP address, and it works fine now.

    I changed several DNS servers (both public and ISP-provided) on the SRX device and even configured them manually on a PC, and the problem still existed. After changing the MSS as Dominik suggested, the problem is gone now.



  • 11.  RE: SRX220H pppoe, can't open some website

    Posted 4 days ago
    Greetings Community 

    I tried it on my SRX320 and it solved the issue.

    Thanks

    ------------------------------
    FA
    ------------------------------