SRX

Expand all | Collapse all

Connecting my home ISP modem > Juniper SRX > Wireless AP router for home use

  • 1.  Connecting my home ISP modem > Juniper SRX > Wireless AP router for home use

    Posted 06-12-2020 21:07

    Hi Juniper Gurus,

     

    I'm fairly new to Juniper devices and configuration. I'm trying to setup my SRX210H connect to my home ISP and ASUS Wireless AP router (for WIFI only). I was able to use my SRX to act as a DHCP server for home lan users.

     

    My issue is i'm actually doing double natting on the SRX as I'm still using the Private IP subnet of ISP Bell modem.

    I use the Bell Home Hub 3000 and found the option for Advanced DMZ where it gave me the WAN IP assigned to my Juniper SRX 77.XX.XX.XX IP with Subnet range 127.255.255.255 but I'm unable to connect to internet or even ping to google 8.8.8.8 via my SRX.

     

    Topology right now is Bell ISP Modem 192.168.2.1 LAN port  --> SRX ge-0/0/0 192.168.2.10 (internet (untrust) zone) <NAT> acting as DHCP server (lan (trust) zone) ge-0/0/1 - 192.168.50.10 default GW for lan users --> Asus router in Wireless AP mode only. Currently this config works but I'm doing double NATting as I'm using a Private IP on SRX who is doing a NAT as well.

     

    I would like to change my SRX to be dhcp client for ISP modem and use the WAN IP I got from my Bell Home hub 3000 Advanced DMZ, but somehow I cant even ping the internet even though I'm getting a public IP via dhcp client and I'm unsure how my LAN users will work because the set static route will be incorrect because the GW is the Private IP which IP should i add? Could you direct me to what I'm missing here? Do I need to configure PPPOE directly on my SRX?

     

    How will this setting work if I have a Public IP on SRX? "set routing-options static route 0.0.0.0/0 next-hop 192.168.2.1"

     

    set system host-name SRX1
    set system root-authentication encrypted-password 
    set system name-server 4.2.2.1
    set system name-server 8.8.8.8
    set system services ssh
    set system services telnet
    set system services xnm-clear-text
    set system services dhcp-local-server group JunosDHCP-group interface ge-0/0/1.0
    set system services web-management https system-generated-certificate
    set system services web-management https interface vlan.0
    set system services web-management https interface ge-0/0/1.0
    set system syslog archive size 100k
    set system syslog archive files 3
    set system syslog user * any emergency
    set system syslog file messages any critical
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands error
    set system syslog file blocked-traffic any any
    set system syslog file blocked-traffic match RT_FLOW_SESSION_DENY
    set system syslog file no-route-present any any
    set system syslog file no-route-present match "NO ROUTE PRESENT"
    set system max-configurations-on-flash 5
    set system max-configuration-rollbacks 5
    set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
    set interfaces ge-0/0/0 description Access_to_Internet
    set interfaces ge-0/0/0 unit 0 family inet dhcp-client
    set interfaces ge-0/0/1 description Access_to_LAN
    set interfaces ge-0/0/1 unit 0 family inet address 192.168.50.10/24
    set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces lo0 unit 0 family inet address 11.11.11.1/24
    set interfaces vlan unit 0 family inet address 192.168.1.1/24
    set routing-options static route 0.0.0.0/0 next-hop 192.168.2.1
    set protocols stp
    set security address-book global address lan 192.168.50.0/24
    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land
    set security nat source rule-set internet-nat from zone lan
    set security nat source rule-set internet-nat to zone internet
    set security nat source rule-set internet-nat rule lan-access match source-address 192.168.50.0/24
    set security nat source rule-set internet-nat rule lan-access match destination-address 0.0.0.0/0
    set security nat source rule-set internet-nat rule lan-access then source-nat interface
    set security policies from-zone lan to-zone internet policy FirewallPolicy match source-address lan
    set security policies from-zone lan to-zone internet policy FirewallPolicy match destination-address any
    set security policies from-zone lan to-zone internet policy FirewallPolicy match application any
    set security policies from-zone lan to-zone internet policy FirewallPolicy then permit
    set security policies from-zone lan to-zone internet policy FirewallPolicy then log session-close
    set security policies global policy global_drop match source-address any
    set security policies global policy global_drop match destination-address any
    set security policies global policy global_drop match application any
    set security policies global policy global_drop then deny
    set security policies global policy global_drop then log session-init
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic protocols all
    set security zones security-zone trust host-inbound-traffic protocols ospf
    set security zones security-zone trust host-inbound-traffic protocols bgp
    set security zones security-zone trust interfaces vlan.0
    set security zones security-zone untrust screen untrust-screen
    set security zones security-zone internet interfaces ge-0/0/0.0
    set security zones security-zone lan host-inbound-traffic system-services ping
    set security zones security-zone lan host-inbound-traffic system-services https
    set security zones security-zone lan host-inbound-traffic system-services traceroute
    set security zones security-zone lan host-inbound-traffic system-services ssh
    set security zones security-zone lan host-inbound-traffic protocols bgp
    set security zones security-zone lan host-inbound-traffic protocols ospf
    set security zones security-zone lan interfaces ge-0/0/1.0 host-inbound-traffic system-services dhcp
    set security zones security-zone lan interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
    set security zones security-zone lan interfaces ge-0/0/1.0 host-inbound-traffic system-services https
    set security zones security-zone lan interfaces ge-0/0/1.0 host-inbound-traffic system-services traceroute
    set security zones security-zone lan interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh
    set security zones security-zone lan interfaces ge-0/0/1.0 host-inbound-traffic protocols bgp
    set security zones security-zone lan interfaces ge-0/0/1.0 host-inbound-traffic protocols ospf
    set access address-assignment pool JunosPool family inet network 192.168.50.0/24
    set access address-assignment pool JunosPool family inet range JunosRange low 192.168.50.11
    set access address-assignment pool JunosPool family inet range JunosRange high 192.168.50.254
    set access address-assignment pool JunosPool family inet dhcp-attributes maximum-lease-time 86400
    set access address-assignment pool JunosPool family inet dhcp-attributes name-server 207.164.234.193
    set access address-assignment pool JunosPool family inet dhcp-attributes name-server 207.164.234.129
    set access address-assignment pool JunosPool family inet dhcp-attributes router 192.168.50.10
    set poe interface all
    set vlans vlan-trust vlan-id 3
    set vlans vlan-trust l3-interface vlan.0



  • 2.  RE: Connecting my home ISP modem > Juniper SRX > Wireless AP router for home use

     
    Posted 06-13-2020 01:51

    Hello , 

     

    PPOE is used when you have a point to point link with Authentication for internet access . Please let us kwow if there is anything like that . I am sure PPOE is done by your ISP modem which is between the SRX and ISP network . If we are getting a DHCP IP from the ISP directly then probebaly we have to do the same PPOE as ISP moden does . You can check the ISP moden setting or get in touch with ISP to get the authentication details and configure the PPOE in SRX . 

     

    Since you said you are getting DHCP IP from the ISP ( public IP ) I am afraid if there is any autentication . Can you reach the Default gateway  once you get the DHCP IP from ISP . 

     

     

     



  • 3.  RE: Connecting my home ISP modem > Juniper SRX > Wireless AP router for home use

     
    Posted 06-13-2020 01:55

    Hello , 

     

    Also I see that the public IP is provided by the ISP modem . So check if you are able to reach the default gateway provided by the DHCP ( modem)  . We need to understand if we get the public IP directly will the moden acts as a bridge ? 



  • 4.  RE: Connecting my home ISP modem > Juniper SRX > Wireless AP router for home use

    Posted 06-13-2020 07:40

    Hi Joses,

     

    Thank you for your prompt response. I do have this feature on my Bell Home hub 3000 to enable Advanced DMZ. I do have the authentication parameters from my ISP, username password for PPPOE. But I dont know the Default GW of my WAN IP how would i get that? and do what do I need to update on my configuration, if i use my SRX  as  DHCP client w/ Public IP

     

    The advanced DMZ feature allows a device to use the modem's WAN IP address as its own. It also puts the device outside the modem's firewall. Your modem's WAN IP is: 7X.XX.XX.XX"

     

    Thank you,

    Chris



  • 5.  RE: Connecting my home ISP modem > Juniper SRX > Wireless AP router for home use

     
    Posted 06-13-2020 18:55

    Hello , 

     

    Thaks for the clarification . So if the DMZ fearture on the modem gives the pulbilc IP to SRX as DHCP , ideally it should also push the default gateway . You can check this by giving "show route" on SRX :

     

    > show route 4.2.2.2 

     

    It should give the default gateway ip in the route . You can try to reach that IP to see if the connectivity to the gateway is working or not . If the connectivity to the gateway works and internet is having issue , we may need to check with ISP why its blocking after default gateway . 

    If the gateway itself is not reachable , we may need to check in ISP modem why the gateway is not reachable . 

     

    If SRX receives the public IP and have a defult route with source NAT configuration , ideally it should work if there is no external issue .  Policy comes later as the internet should be reachable from the SRX itself , so that LAN users can go out . 



  • 6.  RE: Connecting my home ISP modem > Juniper SRX > Wireless AP router for home use

     
    Posted 06-13-2020 18:58

    Hello , 

     

    In addition , if you do get a default route from modem , please delete you existing default route :

     

    set routing-options static route 0.0.0.0/0 next-hop 192.168.2.1 << Delete this 

     

    As its no longer needed and may conflict with DHCP route . Since we are getting public IP , private default route is no longer needed . 

     

     

     



  • 7.  RE: Connecting my home ISP modem > Juniper SRX > Wireless AP router for home use

    Posted 06-15-2020 16:10

    Thank you Sam for looking into this,

     

    I will try this tonight when my family is not using the internet. Currently, ISP modem > SRX > Wireless router (AP mode), it is working with Private IP, but I want to have SRX do all the Natting work (Public to Private IP) so ISP modem is just a switch that passing the traffic to SRX > Wireless router. My problem is if it doesnt get a default gateway after getting a Public IP, but I will let you know what happens later. 

     

    I appreciate your help.

     

    Regards,

    Chris



  • 8.  RE: Connecting my home ISP modem > Juniper SRX > Wireless AP router for home use

     
    Posted 06-15-2020 18:31

    Hello , 

     

    Thanks for the update .. You shuld get an default route to ISP and it have to be provided by the DHCP server ( in our case its ISP) .

     

    Iff you dont get it , Check whats the IP you get as default gateway in working state in ISP modem and configure the same in SRX once we have the public IP . THis could be temporary fix ..



  • 9.  RE: Connecting my home ISP modem > Juniper SRX > Wireless AP router for home use

    Posted 06-16-2020 00:51

    Hi Sam,

     

    It seems im still not getting any luck, I even rebooted the SRX got a new Public IP, rebooted ISP modem and Wireless AP. On the show route I saw a 10 IP there 10.11.1.121 is this the default Gateway, but yes I'm unable to ping 4.2.2.2, please see logs below:

     

    0.0.0.0/0 *[Access-internal/12] 00:01:17
    > to 10.11.1.121 via ge-0/0/0.0
    0.0.0.0/1 *[Direct/0] 00:01:17

     

    delete interfaces ge-0/0/0 unit 0 family inet address 192.168.2.10/24
    set interfaces ge-0/0/0 unit 0 family inet dhcp-client
    delete routing-options static route 0.0.0.0/0 next-hop 192.168.2.1

    also performed request system reboot on SRX, ISP Modem, Wireless AP


    root@SRX1> show interfaces ge-0/0/0 de
    ^
    'de' is ambiguous.
    Possible completions:
    descriptions Display interface description strings
    detail Display detailed output
    root@SRX1> show interfaces ge-0/0/0 detail
    Physical interface: ge-0/0/0, Enabled, Physical link is Up
    Interface index: 134, SNMP ifIndex: 508, Generation: 137
    Description: Access_to_Internet
    Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 1000mbps,
    BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled,
    Source filtering: Disabled, Flow control: Disabled, Auto-negotiation: Enabled,
    Remote fault: Online
    Device flags : Present Running
    Interface flags: SNMP-Traps Internal: 0x0
    Link flags : None
    CoS queues : 8 supported, 8 maximum usable queues
    Hold-times : Up 0 ms, Down 0 ms
    Current address: hidden MAC, Hardware address: hidden MAC
    Last flapped : 2020-06-12 08:43:55 UTC (3d 20:46 ago)
    Statistics last cleared: Never
    Traffic statistics:
    Input bytes : 132592604659 2392 bps
    Output bytes : 7591373183 1336 bps
    Input packets: 97925522 4 pps
    Output packets: 64273380 3 pps
    Egress queues: 8 supported, 4 in use
    Queue counters: Queued packets Transmitted packets Dropped packets
    0 best-effort 64267161 64267161 0
    1 expedited-fo 0 0 0
    2 assured-forw 0 0 0
    3 network-cont 6216 6216 0
    Queue number: Mapped forwarding classes
    0 best-effort
    1 expedited-forwarding
    2 assured-forwarding
    3 network-control
    Active alarms : None
    Active defects : None
    Interface transmit statistics: Disabled

    Logical interface ge-0/0/0.0 (Index 71) (SNMP ifIndex 510) (Generation 136)
    Flags: SNMP-Traps 0x0 Encapsulation: ENET2
    Traffic statistics:
    Input bytes : 132592605019
    Output bytes : 7591373003
    Input packets: 97925528
    Output packets: 64273380
    Local statistics:
    Input bytes : 10548625
    Output bytes : 369851
    Input packets: 175798
    Output packets: 8790
    Transit statistics:
    Input bytes : 132582056394 0 bps
    Output bytes : 7591003152 0 bps
    Input packets: 97749730 0 pps
    Output packets: 64264590 0 pps
    Security: Zone: internet
    Allowed host-inbound traffic : igmp dhcp ike ping
    Flow Statistics :
    Flow Input statistics :
    Self packets : 5
    ICMP packets : 34361
    VPN packets : 0
    Multicast packets : 0
    Bytes permitted by policy : 132581793647
    Connections established : 0
    Flow Output statistics:
    Multicast packets : 0
    Bytes permitted by policy : 7590810030
    Flow error statistics (Packets dropped due to):
    Address spoofing: 0
    Authentication failed: 0
    Incoming NAT errors: 0
    Invalid zone received packet: 0
    Multiple user authentications: 0
    Multiple incoming NAT: 0
    No parent for a gate: 0
    No one interested in self packets: 0
    No minor session: 0
    No more sessions: 0
    No NAT gate: 0
    No route present: 0
    No SA for incoming SPI: 0
    No tunnel found: 0
    No session for a gate: 0
    No zone or NULL zone binding 0
    Policy denied: 146
    Security association not active: 0
    TCP sequence number out of window: 283
    Syn-attack protection: 0
    User authentication errors: 0
    Protocol inet, MTU: 1500, Generation: 150, Route table: 0
    Flags: Sendbcast-pkt-to-re
    Addresses, Flags: Is-Preferred Is-Primary
    Destination: 0/1, Local: 76.XX.SS.AA Broadcast: 127.255.255.255,
    Generation: 156

     

     

    root@SRX1> show configuration | display set
    set version 12.1X46-D82
    set system host-name SRX1
    set system time-zone toronto
    set system root-authentication encrypted-password
    set system name-server 4.2.2.1
    set system name-server 8.8.8.8
    set system services ssh
    set system services telnet
    set system services xnm-clear-text
    set system services dhcp-local-server group JunosDHCP-group interface ge-0/0/1.0
    set system services web-management https system-generated-certificate
    set system services web-management https interface vlan.0
    set system services web-management https interface ge-0/0/1.0
    set system syslog archive size 100k
    set system syslog archive files 3
    set system syslog user * any emergency
    set system syslog file messages any critical
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands error
    set system syslog file blocked-traffic any any
    set system syslog file blocked-traffic match RT_FLOW_SESSION_DENY
    set system syslog file no-route-present any any
    set system syslog file no-route-present match "NO ROUTE PRESENT"
    set system max-configurations-on-flash 5
    set system max-configuration-rollbacks 5
    set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
    set interfaces ge-0/0/0 description Access_to_Internet
    set interfaces ge-0/0/0 unit 0 family inet dhcp-client
    set interfaces ge-0/0/1 description Access_to_LAN
    set interfaces ge-0/0/1 unit 0 family inet address 192.168.50.10/24
    set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces lo0 unit 0 family inet address 11.11.11.1/24
    set interfaces vlan unit 0 family inet address 192.168.1.1/24
    set protocols stp
    set security address-book global address lan 192.168.50.0/24
    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land
    set security nat source rule-set internet-nat from zone lan
    set security nat source rule-set internet-nat to zone internet
    set security nat source rule-set internet-nat rule lan-access match source-address 192.168.50.0/24
    set security nat source rule-set internet-nat rule lan-access match destination-address 0.0.0.0/0
    set security nat source rule-set internet-nat rule lan-access then source-nat interface
    set security policies from-zone lan to-zone internet policy FirewallPolicy match source-address lan
    set security policies from-zone lan to-zone internet policy FirewallPolicy match destination-address any
    set security policies from-zone lan to-zone internet policy FirewallPolicy match application any
    set security policies from-zone lan to-zone internet policy FirewallPolicy then permit
    set security policies from-zone lan to-zone internet policy FirewallPolicy then log session-close
    set security policies global policy global_drop match source-address any
    set security policies global policy global_drop match destination-address any
    set security policies global policy global_drop match application any
    set security policies global policy global_drop then deny
    set security policies global policy global_drop then log session-init
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic protocols all
    set security zones security-zone trust host-inbound-traffic protocols ospf
    set security zones security-zone trust host-inbound-traffic protocols bgp
    set security zones security-zone trust interfaces vlan.0
    set security zones security-zone untrust screen untrust-screen
    set security zones security-zone internet host-inbound-traffic system-services dhcp
    set security zones security-zone internet host-inbound-traffic system-services ping
    set security zones security-zone internet host-inbound-traffic system-services ike
    set security zones security-zone internet host-inbound-traffic protocols igmp
    set security zones security-zone internet interfaces ge-0/0/0.0
    set security zones security-zone lan host-inbound-traffic system-services ping
    set security zones security-zone lan host-inbound-traffic system-services https
    set security zones security-zone lan host-inbound-traffic system-services traceroute
    set security zones security-zone lan host-inbound-traffic system-services ssh
    set security zones security-zone lan host-inbound-traffic system-services dhcp
    set security zones security-zone lan host-inbound-traffic protocols bgp
    set security zones security-zone lan host-inbound-traffic protocols ospf
    set security zones security-zone lan interfaces ge-0/0/1.0
    set access address-assignment pool JunosPool family inet network 192.168.50.0/24
    set access address-assignment pool JunosPool family inet range JunosRange low 192.168.50.11
    set access address-assignment pool JunosPool family inet range JunosRange high 192.168.50.254
    set access address-assignment pool JunosPool family inet dhcp-attributes maximum-lease-time 86400
    set access address-assignment pool JunosPool family inet dhcp-attributes name-server 207.164.234.193
    set access address-assignment pool JunosPool family inet dhcp-attributes name-server 207.164.234.129
    set access address-assignment pool JunosPool family inet dhcp-attributes router 192.168.50.10
    set poe interface all
    set vlans vlan-trust vlan-id 3
    set vlans vlan-trust l3-interface vlan.0


    root@SRX1> show dhcp client binding

    IP address Hardware address Expires State Interface
    76.XX.SS.AA hidden MAC 86143 BOUND ge-0/0/0.0


    root@SRX1> show dhcp server binding

    IP address Session Id Hardware address Expires State Interface
    Private IP ( mac address) 621 BOUND ge-0/0/1.0

     

     

     

    root@SRX1> show security nat source summary
    Total port number usage for port translation pool: 0
    Maximum port number for port translation pool: 16777216
    Total pools: 0

    Total rules: 1
    Rule name Rule set From To Action
    lan-access internet-nat lan internet interface


    root@SRX1> show route 4.2.2.2

    inet.0: 30 destinations, 30 routes (30 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/1 *[Direct/0] 00:05:32
    > via ge-0/0/0.0

     

    After rebooting the ISP modem i got a different public IP

    root@SRX1> show interfaces ge-0/0/0 de
    ^
    'de' is ambiguous.
    Possible completions:
    descriptions Display interface description strings
    detail Display detailed output
    root@SRX1> show interfaces ge-0/0/0 detail
    Physical interface: ge-0/0/0, Enabled, Physical link is Up
    Interface index: 134, SNMP ifIndex: 508, Generation: 137
    Description: Access_to_Internet
    Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 1000mbps,
    BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled,
    Source filtering: Disabled, Flow control: Disabled, Auto-negotiation: Enabled,
    Remote fault: Online
    Device flags : Present Running
    Interface flags: SNMP-Traps Internal: 0x0
    Link flags : None
    CoS queues : 8 supported, 8 maximum usable queues
    Hold-times : Up 0 ms, Down 0 ms
    Current address: hidden, Hardware address: hidden
    Last flapped : 2020-06-16 05:43:34 UTC (00:00:31 ago)
    Statistics last cleared: Never
    Traffic statistics:
    Input bytes : 3060 2016 bps
    Output bytes : 2417 1408 bps
    Input packets: 36 4 pps
    Output packets: 20 4 pps
    Egress queues: 8 supported, 4 in use
    Queue counters: Queued packets Transmitted packets Dropped packets
    0 best-effort 20 20 0
    1 expedited-fo 0 0 0
    2 assured-forw 0 0 0
    3 network-cont 0 0 0
    Queue number: Mapped forwarding classes
    0 best-effort
    1 expedited-forwarding
    2 assured-forwarding
    3 network-control
    Active alarms : None
    Active defects : None
    Interface transmit statistics: Disabled

    Logical interface ge-0/0/0.0 (Index 71) (SNMP ifIndex 510) (Generation 136)
    Flags: SNMP-Traps 0x0 Encapsulation: ENET2
    Traffic statistics:
    Input bytes : 3240
    Output bytes : 2321
    Input packets: 39
    Output packets: 22
    Local statistics:
    Input bytes : 2844
    Output bytes : 2321
    Input packets: 34
    Output packets: 22
    Transit statistics:
    Input bytes : 396 0 bps
    Output bytes : 0 0 bps
    Input packets: 5 0 pps
    Output packets: 0 0 pps
    Security: Zone: internet
    Allowed host-inbound traffic : igmp dhcp ike ping
    Flow Statistics :
    Flow Input statistics :
    Self packets : 3
    ICMP packets : 0
    VPN packets : 0
    Multicast packets : 0
    Bytes permitted by policy : 0
    Connections established : 0
    Flow Output statistics:
    Multicast packets : 0
    Bytes permitted by policy : 1678
    Flow error statistics (Packets dropped due to):
    Address spoofing: 0
    Authentication failed: 0
    Incoming NAT errors: 0
    Invalid zone received packet: 0
    Multiple user authentications: 0
    Multiple incoming NAT: 0
    No parent for a gate: 0
    No one interested in self packets: 0
    No minor session: 0
    No more sessions: 0
    No NAT gate: 0
    No route present: 2
    No SA for incoming SPI: 0
    No tunnel found: 0
    No session for a gate: 0
    No zone or NULL zone binding 0
    Policy denied: 0
    Security association not active: 0
    TCP sequence number out of window: 0
    Syn-attack protection: 0
    User authentication errors: 0
    Protocol inet, MTU: 1500, Generation: 150, Route table: 0
    Flags: Sendbcast-pkt-to-re
    Addresses, Flags: Is-Preferred Is-Primary
    Destination: 0/1, Local: 70.XX.SS.AA Broadcast: 127.255.255.255,
    Generation: 154

     

    0.0.0.0/0 *[Access-internal/12] 00:01:17
    > to 10.11.1.121 via ge-0/0/0.0
    0.0.0.0/1 *[Direct/0] 00:01:17
    > via ge-0/0/0.0
    {deleted other routes}

     


    root@SRX1> ping 10.11.1.121
    PING 10.11.1.121 (10.11.1.121): 56 data bytes
    ^C
    --- 10.11.1.121 ping statistics ---
    12 packets transmitted, 0 packets received, 100% packet loss

     

     

    root@SRX1> show route 4.2.2.2

    inet.0: 18 destinations, 18 routes (18 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/1 *[Direct/0] 00:02:47
    > via ge-0/0/0.0

    root@SRX1> show route 4.2.2.2 extensive

    inet.0: 18 destinations, 18 routes (18 active, 0 holddown, 0 hidden)
    0.0.0.0/1 (1 entry, 1 announced)
    *Direct Preference: 0
    Next hop type: Interface
    Address: 0x15bc438
    Next-hop reference count: 2
    Next hop: via ge-0/0/0.0, selected
    State: <Active Int>
    Age: 2:54
    Task: IF
    Announcement bits (1): 1-Resolve tree 1
    AS path: I



  • 10.  RE: Connecting my home ISP modem > Juniper SRX > Wireless AP router for home use

     
    Posted 06-16-2020 06:39

    Hello , 

     

    Thanks for the detailed update . I still see something wrong here . Initially you got an IP on ge-0/0/0 using DHCP is : 76.XX.SS.AA and the route its pointing is 10.11.1.121 , which seems very odd . Normally you should get the default gateway as same subnet as that of the public IP , if the ISP modem is acting like a bridge and not an L3 device . 

    On top of that in the second  instance you shared , you are not even able to reach the default gateway :

     

    root@SRX1> ping 10.11.1.121
    PING 10.11.1.121 (10.11.1.121): 56 data bytes
    ^C
    --- 10.11.1.121 ping statistics ---
    12 packets transmitted, 0 packets received, 100% packet loss

     

    So I suspect there is something wrong with DHCP setting in the modem , as its not giving the correct default gateway . Or its could be a routing issue after 10.11.1.121 . Since you said the ISP moden acts like a bridge and not as L3 device anymore , i suspect its a DHCP issue .  I don't see any issue on SRX end here .  

     

    One thing you can check is is that are you getting any ARP on ge-0/0/0  ? ( show arp no-resolve | match ge-0/0/0 )  If you get any , try configuring that IP as manual static default route and check if that works . 

     

     



  • 11.  RE: Connecting my home ISP modem > Juniper SRX > Wireless AP router for home use

    Posted 06-23-2020 12:51

    You received a public IP yet DHCP installed a private IP as a gateway (and on a different subnet)

     

    0.0.0.0/0 *[Access-internal/12] 00:01:17
    > to 10.11.1.121 via ge-0/0/0.0
    0.0.0.0/1 *[Direct/0] 00:01:17
    > via ge-0/0/0.0

     

    Looks like the DHCP configuration on your ISP is wrong. And where did the Direct 0.0.0.0/1 route come from? It says "Direct" but I looked at your config and it's nowhere to be found.



  • 12.  RE: Connecting my home ISP modem > Juniper SRX > Wireless AP router for home use

    Posted 06-23-2020 12:55

    And this is some messed up subnet by your ISP

     

    Addresses, Flags: Is-Preferred Is-Primary
    Destination: 0/1, Local: 70.XX.SS.AA Broadcast: 127.255.255.255,
    Generation: 154



  • 13.  RE: Connecting my home ISP modem > Juniper SRX > Wireless AP router for home use

     
    Posted 06-23-2020 21:41

    Hello , 

     

    That right , we should not get Private IP as next hop for public DHCP IP . It seems the ISP router is messing things here .