SRX

I'm trying to set up an SRX for a home ISP connection. I'm able to ping out from the SRX and can ping devices within the LAN but can't get out from devices on the LAN. I'm pretty sure it's an issue with NAT but can't figure out what's wrong. Its an SRX300 on 18.2R3-S2.9.

nat {
    source {                            
        rule-set TRUST-to-UNTRUST {
            from zone TRUST;
            to zone UNTRUST;
            rule source-nat-rule {
                match {
                    source-address 0.0.0.0/0;
                    destination-address 0.0.0.0/0;
                }
                then {
                    source-nat {
                        interface;
                    }
                }
            }
        }
    }
}
policies {
    from-zone TRUST to-zone UNTRUST {
        policy TRUST-to-UNTRUST {
            match {
                source-address any;     
                destination-address any;
                application any;
            }
            then {
                permit;
                log {
                    session-init;
                    session-close;
                }
            }
        }
    }
}
zones {
    security-zone UNTRUST {
        screen SCREEN_UNTRUST;
        interfaces {
            ge-0/0/5.0 {
                host-inbound-traffic {
                    system-services {
                        dhcp;
                    }
                }                       
            }
        }
    }
    security-zone TRUST {
        interfaces {
            irb.100 {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
            }
        }
    }
}
xxx@srx-rtr1> show security nat source rule all    
Total rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/0
source NAT rule: source-nat-rule        Rule-set: TRUST-to-UNTRUST
  Rule-Id                    : 1
  Rule position              : 1
  From zone                  : TRUST
  To zone                    : UNTRUST
  Match
    Source addresses         : 0.0.0.0         - 255.255.255.255
    Destination addresses    : 0.0.0.0         - 255.255.255.255
  Action                        : interface
    Persistent NAT type         : N/A              
    Persistent NAT mapping type : address-port-mapping 
    Inactivity timeout          : 0
    Max session number          : 0
  Translation hits           : 0
    Successful sessions      : 0
    Failed sessions          : 0
  Number of sessions         : 0

Hello there,

Output suggests that the NAT rule is not being hit. I would suggest you to check whether the traffic is hitting the SRX on the correct interface or not?

You may like to do a flow traceoptions to see the flow.

​# set security flow ​traceoptions file flow-trace
# set security flow traceoptions flag basic-datapath
# set security flow traceoptions packet-filter pf1 source-prefix <IP-1> destination-prefix <IP-2>
#  set security flow traceoptions packet-filter pf2 source-prefix <IP-2> destination-prefix <IP-1> 

To view the logs, use . "show log flow-trace"

Thanks!

What is the vlan configuration where irb.100 is the layer 3 interface?

Is the computer trying internet access connected to a port in this same vlan?

Is the irb.100 interface address configured as the default gateway for the computer and is it in the same subnet?

Is dns configured on the computer?

Does the irb.100 interface show up/up?

Thanks for the replies. I did some searching and found a few limitations I'm not sure if there's a better work around to. I tried switching to transparent mode to be able to have everything use irb.100 as a gateway but then found that NAT isn't supported. Then also ran into not being able to have Layer 2 and Layer 3 zones have policies between them. If I make an interface L3 and just put a switch on it with my devices on the switch everything works fine. Is there a way to have multiple interfaces as access ports with a RVI as the gateway that can NAT to a Layer 3 interface?

Here is what I wanted to do that I'm running  into the NAT issue. Everything on vlan 100 can communicate and gets proper DHCP, interface ge-0/0/5 to the modem get proper DHCP and default route, I'm able to ping out to 8.8.8.8 for example from the SRX but not from my PC. I can ping the SRX (192.168.10.1 and other devices) from my PC.

[edit]
version 18.2R3-S2.9;
system {
    login {
        user user {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "$6$tMMHKT.R$OTP"; ## SECRET-DATA
            }
        }
    }
    root-authentication {
        encrypted-password "$6$e549kGC"; ## SECRET-DATA
    }
    host-name srx-rtr1;
    auto-snapshot;
    domain-name home.net;
    time-zone America/New_York;
    name-server {
        75.75.75.75;
        75.75.76.76;
    }
    services {
        ssh {
            root-login deny;
        }
        netconf {
            ssh;
        }
        dhcp-local-server {
            group DHCP_Group {
                interface irb.100;
            }
        }
    }
    syslog {
        archive size 100k files 5;
        user * {
            any emergency;
        }
        file messages {
            any notice;
            security none;
        }
        file security {
            authorization any;
            firewall any;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
}
security {
    address-book {
        HOME {
            address Home_net 192.168.10.0/24;
        }
    }
    flow {
        traceoptions {
            file flow-trace;
            flag basic-datapath;
        }
    }
    screen {
        ids-option SCREEN_UNTRUST {
            icmp {
                ip-sweep;
                ping-death;
            }
            tcp {
                port-scan;
                winnuke;
                tcp-sweep;
            }
            udp {
                udp-sweep;
                port-scan;
            }
        }
    }
    nat {
        source {
            rule-set TRUST-to-UNTRUST {
                from zone TRUST;
                to zone UNTRUST;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone TRUST to-zone UNTRUST {
            policy TRUST-to-UNTRUST {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
        }
    }
    zones {
        security-zone UNTRUST {
            screen SCREEN_UNTRUST;
            interfaces {
                ge-0/0/5.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                        }
                    }
                }
            }
        }
        security-zone TRUST {
            interfaces {
                irb.100 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
    }
}
interfaces {
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members 100;
                }
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members 100;
                }
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members 100;
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members 100;
                }
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members 100;
                }
            }
        }
    }
    ge-0/0/5 {
        description "Connection to modem";
        unit 0 {
            family inet {
                dhcp {
                    no-dns-install;
                }
            }
        }
    }
    irb {
        unit 100 {
            family inet {
                address 192.168.10.1/24;
            }
        }
    }
}
policy-options {
    prefix-list ntp-servers {
        apply-path "system ntp server <*>";
    }
    prefix-list localhost {
        127.0.0.0/8;
    }
    prefix-list DNS-Servers {
        apply-path "system name-server <*>";
    }
    prefix-list router-ipv4 {
        apply-path "interfaces <*> unit <*> family inet address <*>";
    }
    prefix-list Mgmt-net {
        192.168.10.0/24;
    }
    prefix-list snmp-community-clients {
        apply-path "snmp community <*> clients <*>";
    }
    prefix-list router-ipv4-routing-instances {
        apply-path "routing-instances <*> interface <*> unit <*> family inet address <*>";
    }
}
access {
    address-assignment {
        pool DHCP_Pool {
            family inet {
                network 192.168.10.0/24;
                range DHCP_Range {
                    low 192.168.10.20;
                    high 192.168.10.100;
                }
                dhcp-attributes {
                    server-identifier 192.168.10.1;
                    domain-name jupiter.home.net;
                    name-server {
                        75.75.75.75;
                        75.75.76.76;
                        8.8.8.8;
                    }
                }
            }
        }
    }
}
vlans {
    home_mgmt {
        vlan-id 100;
        l3-interface irb.100;
    }
}

If I change ge-0/0/0 to inet and put irb.100 address on it and connect a switch with my devices on it and add ge-0/0/0 to the TRUST zone everything works fine with the same NAT config. I'm  not sure if there's a proper way to configure it to do what I wanted or if that's just not supported anymore. I thought that was supported on the older code.

Hi Ajohnson,

If replacing irb with ge-0/0/0 works fine, I suspect that the switching mode might not have kicked in.

Please run the following command and look for switching mode. It should be set to "Switching" .  

> show ethernet-switching global-information

Global Configuration:

MAC aging interval : 300

MAC learning : Enabled

MAC statistics : Disabled

MAC limit Count : 16383

MAC limit hit : Disabled

MAC packet action drop : Disabled

LE aging time : 1200

LE VLAN aging time : 1200

Global Mode : Switching 

If this setting looks correct, please reboot the device once. 

If this setting does not look correct , set it manually and then reboot it.

set protocols l2-learning global-mode switching

Thanks!

Thanks for all the replies it turned out I used the wrong DHCP attribute for default gateway. I should have used "router" instead of "server-identifier" I was getting DHCP setting but never looked closer to check for default gateway.