SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  How to mitigate c pointer, comcast

    Posted 07-05-2019 14:46
    I have an srx240b2. I use a Comcast/Xfinity approved modem with the SRX but it isn't on the Xfinity network in terms of the pointer record in the DNS suffix setting in Windows machines. To others it's a no-brainer but I need help. The arpa c pointer is c-xx-xx-xx-xx.hsd1.ca.comcast.net. So fine we can't do arpa I'm thinking. My workaround of course was to use hsd1.ca.comcast.net in the domain-name statement then assign other boxes and hosts a hostname appended to the primary domain name.

    Myhost.hsd1.ca.comcast.net
    In the DNS suffix setting in adapter properties.

    My assumption has always been that this is the best way to do this anyway. Without anything else in terms of srx programming.

    Am I correct or not? All seems fine but I have dynamic IPs and that's the culprit, so my destination IP in my primary zone is 0.0.0.0/0.

    Am I missing something? I must be.

    How do I assign a destination ip in the source zone? Can I?

    Moving to a static IP is obvious but I still run into the destination ip problem. Or is that the best answer?


  • 2.  RE: How to mitigate c pointer, comcast

    Posted 07-05-2019 16:43

    I am not sure I follow the questions, so forgive me if these are not the right answers.

     

    For pointer records in DNS, you will need to have a static IP assignment for a carrier to adjust pointer records on your behalf. But the reverse record is generally only needed when you host email on prem, so it is not an issue in most cases. You seem to be wanting some kind of forward DNS or host record on a DHCP account. You can use services like noip for that purpose.

    https://www.noip.com/free

     

    The destination NAT issue on a dynamic interface is not supported on the SRX. So if you need to do destination NAT to internal resources you will need to get a static assignment.

     



  • 3.  RE: How to mitigate c pointer, comcast
    Best Answer

    Posted 07-06-2019 02:17
    The obvious answer to increase DNS resolution by using a static IP address is a doable solution. Another thought is the type of MAC address resolution, I think. Running traffic that resolves cluster type MAC addresses such as Windows NLB might improve performance.

    I wonder if any SRXs will manipulate MACs that are lower in value? Thus forcing better performance.


  • 4.  RE: How to mitigate c pointer, comcast

     
    Posted 07-07-2019 21:22

    OK, you have two options:

     

    1) Configure DDNS (Dynamic DNS) so that when your non-statically assigned IP address is updated, the SRX will update the public DNS server with your new IP address assigned to your SRX from your ISP. With this approach you will have a DNS name like mySRX.myddns.com = 1.1.1.1. You will then load this DNS address into Comcast or Xfinity as your personal IP address; I believe they do support this approach.

     

    SRX Dynamic DNS Configuration

     

    2) Get a statically assigned IP address from your ISP.

     

    With regard to your destination NAT, as long as you specify 0.0.0.0/0 as the destination NAT address it will not matter if your public IP address changes. You will also need to ensure you are not limiting the public IP address in a security policy.

     

    Either solution will work well.



  • 5.  RE: How to mitigate c pointer, comcast

     
    Posted 07-07-2019 21:25

    Actually ... I don't believe you would need any destination NAT configuration to make this work, so not sure why you would reference the 0.0.0.0/0 IP in any zone/policy/NAT? Don't understand that part.



  • 6.  RE: How to mitigate c pointer, comcast

    Posted 07-09-2019 20:01
    With dynamic IPs I have to use 0.0.0.0/0 as my SOURCE/destination. I am not using a DESTINATION in the zones, i.e. "source", "destination", "static". But if you are talking static IP then yes. Maybe I don't need to use 0.0.0.0/0.

    It's my opinion that appending the hostnames at the hosts (PCs) themselves would be proper. Adding the actual binding is something I forgot about. That's a DDNS thing.


  • 7.  RE: How to mitigate c pointer, comcast

     
    Posted 07-09-2019 21:54

    Correct, if you need to configure NAT with a dynamic address you need to use 0.0.0.0/0.

     

    You also need a policy from untrust to trust configured correctly.
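
Added example, not part of the thread and not any poster's configuration: a Junos destination NAT rule of the kind discussed in posts 4 and 7, matching 0.0.0.0/0 because the public address is dynamic, together with the untrust-to-trust policy it needs. The internal server 192.168.1.10, port 443 and every object name (web-srv, from-untrust, publish-https, allow-https) are assumptions chosen for illustration.

```junos
# Constructed example: internal host and names are placeholders.

# Internal server that inbound traffic is translated to.
set security nat destination pool web-srv address 192.168.1.10/32 port 443

# Rule-set applies to traffic arriving from the untrust zone.
set security nat destination rule-set from-untrust from zone untrust

# The public address is assigned dynamically, so the rule cannot name it.
# Matching 0.0.0.0/0 alone would translate every inbound flow, so the
# destination-port match restricts the rule to the one published service.
set security nat destination rule-set from-untrust rule publish-https match destination-address 0.0.0.0/0
set security nat destination rule-set from-untrust rule publish-https match destination-port 443
set security nat destination rule-set from-untrust rule publish-https then destination-nat pool web-srv

# Security policy lookup happens after destination NAT, so the policy
# matches the translated (internal) address, not the public one.
set security address-book global address web-srv 192.168.1.10/32
set security policies from-zone untrust to-zone trust policy allow-https match source-address any
set security policies from-zone untrust to-zone trust policy allow-https match destination-address web-srv
set security policies from-zone untrust to-zone trust policy allow-https match application junos-https
set security policies from-zone untrust to-zone trust policy allow-https then permit
set security policies from-zone untrust to-zone trust policy allow-https then log session-init
```

After commit, `show security nat destination rule all` shows the translation hit counter for the rule, and the session-init log records which sources reach the published service.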



  • 8.  RE: How to mitigate c pointer, comcast

    Posted 07-11-2019 18:49
    In my area the network must be able to have total value on both ends, i.e. the ISP as well as my net. This is because the transformations must match each other for traffic to flow. I cannot get almost perfect performance through loose routing. I live in a single phase environment. Routing to external sources must have final value. No dangling IPs etc. DNS kills me here. Matched traffic is vital.

    Adrian Aguinaga
    B.S.C.M. ITT Tech.
    A.A.S. ITT Tech.
    Engineering Drafting and Design


  • 9.  RE: How to mitigate c pointer, comcast

     
    Posted 07-11-2019 20:29

    Thanks for the kudos. Not sure what you were trying to say in that last post?