
How to keep DHCP route tied to a specific interface?

  • 1.  How to keep DHCP route tied to a specific interface?

    Posted 08-07-2019 21:56

    I've done more testing on my SRX configuration and have a final problem left. Recently I had experienced assigning 2 interfaces (ge-0/0/0 and ge-0/0/13) as DHCP clients and ge-0/0/13 never got an IP from a switch.

    I routed an interface from my modem's LAN and I am able to get an IP but my default route changes from ge-0/0/0 to ge-0/0/13. Is there a way I can lock down my route so even if I obtain an IP from another interface using DHCP I don't mess up my default route?



  • 2.  RE: How to keep DHCP route tied to a specific interface?

    Posted 08-07-2019 22:36

    Hi klui

    If both interfaces are configured for DHCP client, then I am assuming that you are receiving two default routes via those two interfaces (share a "show route 0/0" to confirm).

    In that case, those routes will be of type "access-internal" and both routes will have a preference of 12. Because the routes are exactly the same, the SRX will choose one of them randomly and I guess this is causing your routing issue. You can't modify the access-internal route's preference, but you could create a static default route over ge-0/0/0 that will have a preference of 5, which is better than the preference of the access-internal route. This should work if the IP address of the gateway device connected to ge-0/0/0 is not changing. Please let us know if this is the case.



  • 3.  RE: How to keep DHCP route tied to a specific interface?

    Posted 08-08-2019 23:14

    Thanks for your reply.

    Here are the listings, both interface terse and route 0/0.

    Before I connect ge-0/0/13 to my modem

    Interface               Admin Link Proto    Local                 Remote
    ge-0/0/0                up    up
    ge-0/0/0.0              up    up   inet     <WAN IP>/24
     .
     .
    ge-0/0/13               up    down
    ge-0/0/13.0             up    down inet
    
    inet.0: 13 destinations, 14 routes (13 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    0.0.0.0/0          *[Access-internal/12] 1d 23:13:54
                        > to <WAN Broadcast> via ge-0/0/0.0
    <WAN Subnet>/24    *[Direct/0] 1d 23:14:04
                        > via vlan.72
                        [Direct/0] 1d 23:13:54
                        > via ge-0/0/0.0
    <WAN IP>/32  *[Local/0] 1d 23:13:54
                          Local via ge-0/0/0.0
    

    After I connect ge-0/0/13 to my modem

    Interface               Admin Link Proto    Local                 Remote
    ge-0/0/0                up    up
    ge-0/0/0.0              up    up   inet     <WAN IP>/24
     .
     .
    ge-0/0/13               up    up
    ge-0/0/13.0             up    up   inet     192.168.1.67/24
    
    inet.0: 15 destinations, 16 routes (15 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    0.0.0.0/0          *[Access-internal/12] 00:00:19
                        > to 192.168.1.254 via ge-0/0/13.0
    <WAN subnet>/24    *[Direct/0] 1d 23:14:47
                        > via vlan.72
                        [Direct/0] 1d 23:14:37
                        > via ge-0/0/0.0
    

    Afterwards, when I try to ping 8.8.8.8 on the SRX I can because the route has switched to my modem.

    I also noticed that my WAN subnet on ge-0/0/0 is set to vlan.72 when it shouldn't be. It's because my WAN on the SRX is connected to my user network on my SSG for my testing. Perhaps this topology is causing my issues? I will try to switch my user network on the SRX to something that won't conflict with the WAN IP.



  • 4.  RE: How to keep DHCP route tied to a specific interface?

    Posted 08-08-2019 23:43

    After I changed my user subnet to something different from the WAN subnet, connecting ge-0/0/13 takes over my default route, although the VLANs are set correctly now.

    How can I create a static route over ge-0/0/0 with preference 5? I wanted to set ge-0/0/0 as the default route but it seems the SRX only allows referencing an interface over PTP interfaces. I don't want to create a route by referencing the WAN IP because what if it changes in the future? Then my route would no longer be valid.

    Before

    inet.0: 14 destinations, 14 routes (14 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    0.0.0.0/0          *[Access-internal/12] 00:01:00
                        > to <WAN broadcast> via ge-0/0/0.0
    <User subnet>/24    *[Direct/0] 00:01:07
                        > via vlan.72
    <User broadcast>/32  *[Local/0] 00:01:43
                          Local via vlan.72
    <WAN subnet>/24    *[Direct/0] 00:01:00
                        > via ge-0/0/0.0
    <WAN IP>/32  *[Local/0] 00:01:00
                          Local via ge-0/0/0.0
    

    After connecting ge-0/0/13 to my modem

    inet.0: 16 destinations, 16 routes (16 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    0.0.0.0/0          *[Access-internal/12] 00:00:10
                        > to 192.168.1.254 via ge-0/0/13.0
    <User subnet>/24    *[Direct/0] 00:02:01
                        > via vlan.72
    <User broadcast>/32  *[Local/0] 00:02:37
                          Local via vlan.72
    <WAN network>/24    *[Direct/0] 00:01:54
                        > via ge-0/0/0.0
    <WAN IP>/32  *[Local/0] 00:01:54
                          Local via ge-0/0/0.0
    192.168.1.0/24     *[Direct/0] 00:00:10
                        > via ge-0/0/13.0
    

    Disconnecting ge-0/0/13 shows the following (no default route):

    inet.0: 13 destinations, 13 routes (13 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    <User subnet>/24    *[Direct/0] 00:16:33
                        > via vlan.72
    <User broadcast>/32  *[Local/0] 00:17:09
                          Local via vlan.72
    <WAN subnet>/24    *[Direct/0] 00:16:26
                        > via ge-0/0/0.0
    <WAN IP>/32  *[Local/0] 00:16:26
                          Local via ge-0/0/0.0
    


  • 5.  RE: How to keep DHCP route tied to a specific interface?

    Posted 08-09-2019 08:22

    Klui,

    I see different options.

    1-) Set the static default route over ge-0/0/0 and yes, it has to point to the IP address of the public peer. The static route has a preference of 5 by default. Usually what changes is your public IP, not their public IP, but to play safe you will have to ask for a static public IP for the SRX:

    # set routing-options static route 0/0 next-hop [WAN IP of the ISP device]

    You could try the above real quick to confirm if it will be a valid solution.

    2-) Turn off the provision of a default route on the device connected to ge-0/0/13. If you manage this device this shouldn't be a hard thing to do. Log in to it and look for an option where the default gateway to be provided to DHCP clients is set, and unset it.

    3-) Use static addressing on ge-0/0/13.

    I believe option 2 will work better for you, unless you are looking to fail over automatically to ge-0/0/13 in case the default route over ge-0/0/0 is not available.



  • 6.  RE: How to keep DHCP route tied to a specific interface?

    Posted 08-09-2019 19:38

    Thanks stwardlp.

    I did try setting a preference of 5 for ge-0/0/0 and it does work. The next-hop IP needs to be the gateway and I suppose that won't change that often. Is there a way to make a typical NATed DHCP interface point-to-point?

    Unfortunately I don't have admin access to the device connected to ge-0/0/13 since it's managed centrally by the solar panel provider.

    I am not looking for failover, I just want to make sure the default route stays with ge-0/0/0 regardless of whether any other ports on the SRX are configured as a DHCP client.

    > show configuration routing-options
    static {
        route 0.0.0.0/0 {
            next-hop <WAN gateway>;
            preference 5;
        }
    }
    
    > show route 0/0
    
    inet.0: 14 destinations, 14 routes (14 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    0.0.0.0/0          *[Static/5] 19:36:25
                        > to <WAN gateway> via ge-0/0/0.0

    Connect ge-0/0/13

    > show route 0/0
    
    inet.0: 16 destinations, 17 routes (16 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    0.0.0.0/0          *[Static/5] 19:36:52
                        > to 172.20.127.254 via ge-0/0/0.0
                        [Access-internal/12] 00:00:00
                        > to 192.168.1.254 via ge-0/0/13.0
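
    The preference argument from reply 2 (Static/5 beats Access-internal/12; two Access-internal/12 routes tie) and the before/after outputs in this reply can be turned into a check a defender can run against saved "show route 0/0" text, so a rogue or unexpected DHCP default gateway taking over the exit interface is flagged rather than noticed when traffic moves. This is an added example by the editor, not code from the thread or from Juniper. The sample outputs are constructed from the thread's listings with the author's redacted <WAN ...> placeholders replaced by 172.20.127.0/24 addresses (an assumption); the function names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Route entry header ("0.0.0.0/0          *[Static/5] 19:36:52") or a continuation
# entry for the same prefix ("                    [Access-internal/12] 00:00:00").
ROUTE_RE = re.compile(
    r"^(?P<prefix>\S+)?\s*(?P<active>\*)?\[(?P<proto>[A-Za-z-]+)/(?P<pref>\d+)\]"
)
# Next-hop lines: "> to 192.168.1.254 via ge-0/0/13.0", "> via vlan.72", "Local via ge-0/0/0.0".
NEXTHOP_RE = re.compile(
    r"^\s*(?:>\s*)?(?:Local\s+)?(?:to\s+(?P<gw>\S+)\s+)?via\s+(?P<ifl>\S+)"
)


@dataclass
class Route:
    prefix: str
    protocol: str
    preference: int
    active: bool
    gateway: Optional[str] = None
    via: Optional[str] = None


def parse_show_route(text: str) -> List[Route]:
    """Parse Junos 'show route' output into one Route per protocol entry."""
    routes: List[Route] = []
    prefix: Optional[str] = None
    current: Optional[Route] = None
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            if m.group("prefix"):
                prefix = m.group("prefix")  # header line: remember the prefix
            if prefix is None:
                continue  # malformed input: an entry before any prefix
            current = Route(prefix, m.group("proto"), int(m.group("pref")),
                            m.group("active") == "*")
            routes.append(current)
            continue
        m = NEXTHOP_RE.match(line)
        if m and current is not None and current.via is None:
            current.gateway = m.group("gw")  # None for direct / local routes
            current.via = m.group("ifl")
    return routes


def preferred(candidates: List[Route]) -> Optional[Route]:
    """Model the selection the thread describes: lowest preference wins;
    equal preferences (e.g. two Access-internal/12 routes) tie and return None."""
    if not candidates:
        return None
    lowest = min(r.preference for r in candidates)
    winners = [r for r in candidates if r.preference == lowest]
    return winners[0] if len(winners) == 1 else None


def check_default_route(show_route_text: str, expected_ifl: str) -> dict:
    """Report where the active 0.0.0.0/0 route exits and whether that is the expected WAN IFL."""
    defaults = [r for r in parse_show_route(show_route_text) if r.prefix == "0.0.0.0/0"]
    active = [r for r in defaults if r.active]
    result = {"candidates": len(defaults), "status": "NO_DEFAULT",
              "via": None, "protocol": None, "preference": None}
    if not active:
        return result
    best = active[0]
    result.update(via=best.via, protocol=best.protocol, preference=best.preference)
    result["status"] = "OK" if best.via == expected_ifl else "UNEXPECTED_EXIT"
    return result


# Constructed sample: the DHCP-learned default took over (reply 4, placeholders filled in).
DHCP_TAKEOVER = """\
inet.0: 16 destinations, 16 routes (16 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Access-internal/12] 00:00:10
                    > to 192.168.1.254 via ge-0/0/13.0
172.20.127.0/24    *[Direct/0] 00:01:54
                    > via ge-0/0/0.0
172.20.127.67/32   *[Local/0] 00:01:54
                      Local via ge-0/0/0.0
192.168.1.0/24     *[Direct/0] 00:00:10
                    > via ge-0/0/13.0
"""

# Constructed sample: static default with preference 5 pinned to ge-0/0/0 (reply 6).
STATIC_PINNED = """\
inet.0: 16 destinations, 17 routes (16 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 19:36:52
                    > to 172.20.127.254 via ge-0/0/0.0
                    [Access-internal/12] 00:00:00
                    > to 192.168.1.254 via ge-0/0/13.0
"""

if __name__ == "__main__":
    for label, sample in (("dhcp takeover", DHCP_TAKEOVER), ("static pinned", STATIC_PINNED)):
        print(label, check_default_route(sample, "ge-0/0/0.0"))
```

    Feed it the output of "show route 0/0" captured on a schedule and alert on anything other than OK; the "candidates" count rising above one is itself worth logging, since it means some interface received a default gateway via DHCP option 3.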


  • 7.  RE: How to keep DHCP route tied to a specific interface?

    Posted 08-09-2019 22:26

    Perfect Klui, I'm glad it is working as you wanted. I believe this post can be marked as Resolved now.



  • 8.  RE: How to keep DHCP route tied to a specific interface?

    Posted 08-09-2019 00:21

    Hello,

    Your ultimate goal is unclear from the heaps of information You posted.

    So, do You want to:

    a/ use both ge-0/0/0 and ge-0/0/13 for outgoing traffic towards the Internet. The 0/0 route will be supplied via DHCP

    b/ use ge-0/0/0 for outgoing traffic towards the Internet, and never ever use ge-0/0/13 or any other interface which might have DHCP client enabled

    c/ something else

    If [a] then this is possible with a relatively complex config involving routing instances and filter-based forwarding.

    If [b] then it is as simple as "don't enable DHCP client on wrong interfaces", period.

    If [c] then we need more information.

    HTH

    Thx

    Alex



  • 9.  RE: How to keep DHCP route tied to a specific interface?

    Posted 08-09-2019 19:33

    Hi aarseniev,

    It does look a little bit convoluted but here's what I'm trying to accomplish.

    I have a photo-voltaic controller that I can connect to so I can access its statistics. When I do that on my SSG, its internal system has a DHCP server and the SSG gets a lease and I can access the PV controller. I want to do the same type of monitoring using the SRX's ge-0/0/13 but I find that the default route is overridden when I have another port configured as a DHCP client. My WAN port ge-0/0/0 on the SRX is in the untrusted zone and ge-0/0/13 is trusted.

    I don't want to use the PV as my internet connection because that uses a backup cellular connection. Because I don't have administrative access to the PV appliance I don't know what scope is defined.

    I tried creating some subnets on a non-Juniper switch but have had trouble getting one of my subnets defined in the SRX to ping addresses not associated with the SRX's port. For example, my switch has the subnet 192.168.10.0/24 with router/gateway at 192.168.10.254 and when I statically define 192.168.10.101 at ge-0/0/14, for example, my management subnet (in trust zone) can't ping 192.168.10.254. On my switch I can ping 192.168.10.101 and 192.168.10.254. I have a policy that allows all IPs in my management subnet and any application access to any destination IP address.



  • 10.  RE: How to keep DHCP route tied to a specific interface?

    Posted 08-09-2019 19:55

    Hello,

    Thanks for sharing Your goal. Point by point:


    @klui wrote:

    I have a photo-voltaic controller that I can connect to so I can access its statistics. When I do that on my SSG, its internal system has a DHCP server and the SSG gets a lease and I can access the PV controller. I want to do the same type of monitoring using the SRX's ge-0/0/13 but I find that the default route is overridden

    I cannot remember (and don't have a lab SSG to check) what SSG does in this case, but SRX does not support ignoring DHCP Option 3 if it is supplied by the DHCP server.


    @klui wrote:

    I don't want to use the PV as my internet connection because that uses backup cellular connection. Because I don't have administrative access to the PV appliance I don't know what scope is defined.

    Ok, in this case You need to isolate ge-0/0/13 into a routing-instance on the SRX to stop the PV DHCP server's 0/0 route wreaking havoc. Example code:

    set routing-instances PV instance-type virtual-router
    set routing-instances PV interface ge-0/0/13.0

    - and add a security zone and security policy to Your liking on top of the above

    The routing between PV and Your PC has to be accomplished with a combination of static routing + rib-groups + FBF (not necessarily in that order but at least 2 of those). Also, Your PV subnet and Your ge-0/0/0.0 subnet must be different.

    For instance, You can use static routing in the GRT/inet.0 to reach PV:

    set routing-options static route 192.168.1.254/32 next-table PV.inet.0

    - and to reach back, You leak the PC subnet to PV.inet.0. Example code #2:

    set routing-options rib-groups LEAK-GRT-TO-PV import-rib [ inet.0 PV.inet.0 ]
    set routing-options interface-routes rib-group inet LEAK-GRT-TO-PV
    set routing-options rib-groups LEAK-GRT-TO-PV import-policy ONLY-PC-SUBNET
    set policy-options policy-statement ONLY-PC-SUBNET term t1 from interface <your PC L3 GW interface, IRB or routed L3 IFL>.0
    set policy-options policy-statement ONLY-PC-SUBNET term t1 then accept
    set policy-options policy-statement ONLY-PC-SUBNET term else then reject

    Important note: You cannot accomplish the bidirectional routing between GRT/inet.0 and PV.inet.0 with only static routes having "next-table"; such a config won't commit.

    HTH

    Thx

    Alex



  • 11.  RE: How to keep DHCP route tied to a specific interface?

    Posted 08-10-2019 01:03

    Thank you for the detailed recipe!

    I set routing-instances, static route, rib-groups, and policy-options. Most were verbatim from your recommendations except for the interface reference policy-statement. I used vlan.82, which is my management L3 interface.

    When I connect a cable to my modem's LAN (with the default route reverted back to internal), I find ge-0/0/13 no longer obtains an IP even though it is defined as family inet dhcp-client.

    show dhcp client binding no longer shows ge-0/0/13.

    What am I missing?



  • 12.  RE: How to keep DHCP route tied to a specific interface?

    Posted 08-10-2019 04:47

    Hello,

    @klui wrote:

    When I connect a cable to my modem's LAN (with the default route reverted back to internal), I find ge-0/0/13 no longer obtains an IP even though it is defined as family inet dhcp-client.

    show dhcp client binding no longer shows ge-0/0/13.

    What am I missing?

    Most likely "system-services dhcp" under the security zone where ge-0/0/13 resides now.

    HTH

    Thx

    Alex



  • 13.  RE: How to keep DHCP route tied to a specific interface?

    Posted 08-10-2019 11:42

    I'm using jdhcp, so show system services dhcp binding/client/global/statistics all result in "dhcp subsystem not running - not needed by configuration".

    If I set ge-0/0/13 unit 0 family inet dhcp I get an incompatibility with family inet dhcp-client at ge-0/0/0.

    Thanks.



  • 14.  RE: How to keep DHCP route tied to a specific interface?

    Posted 08-10-2019 21:34

    Hello,

    @klui wrote:

    I'm using jdhcp so show system services dhcp binding/client/global/statistics all result with a dhcp subsystem not running - not needed by configuration.

    You don't need to run jdhcpd to have SRX act as a client.

    @klui wrote:

    If I set ge-0/0/13 unit 0 family inet dhcp I get an incompatibility with family inet dhcp-client at ge-0/0/0.

    As I said, You don't need JDHCPD for the client side.

    I labbed up Your setup with JUNOS 15.1X49-D160 and it works just fine for me. Proof below.

    Minimal working configuration:

    set security zones security-zone PV host-inbound-traffic system-services dhcp
    set security zones security-zone PV interfaces ge-0/0/13.0
    set routing-instances PV instance-type virtual-router
    set routing-instances PV interface ge-0/0/13.0
    set interfaces ge-0/0/13 unit 0 family inet dhcp-client

    Outputs:

    regress@FW1# run show interfaces ge-0/0/13 
    Physical interface: ge-0/0/13, Enabled, Physical link is Up
      Interface index: 138, SNMP ifIndex: 512
      Link-level type: Ethernet, MTU: 1514, LAN-PHY mode, Link-mode: Full-duplex, Speed: 1000mbps, BPDU Error: None,
      MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled,
      Remote fault: Online
      Device flags   : Present Running
      Interface flags: SNMP-Traps Internal: 0x4000
      Link flags     : None
      CoS queues     : 8 supported, 8 maximum usable queues
      Current address: 56:68:a5:d1:16:e8, Hardware address: 56:68:a5:d1:16:e8
      Last flapped   : 2019-08-10 21:01:27 PDT (00:30:07 ago)
      Input rate     : 0 bps (0 pps)
      Output rate    : 0 bps (0 pps)
      Active alarms  : None
      Active defects : None
      Interface transmit statistics: Disabled
    
      Logical interface ge-0/0/13.0 (Index 78) (SNMP ifIndex 524)
        Flags: Up SNMP-Traps 0x4004000 Encapsulation: ENET2
        Input packets : 6
        Output packets: 16
        Security: Zone: PV
        Allowed host-inbound traffic : dhcp
        Protocol inet, MTU: 1500
          Flags: Sendbcast-pkt-to-re, Is-Primary
          Addresses, Flags: Is-Default Is-Preferred Is-Primary
            Destination: 198.51.100/24, Local: 198.51.100.3, Broadcast: 198.51.100.255
    [edit]
    regress@FW1# run show route table PV 
    
    PV.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    0.0.0.0/0          *[Access-internal/12] 00:06:23
                        > to 198.51.100.1 via ge-0/0/13.0
    198.51.100.0/24    *[Direct/0] 00:06:25
                        > via ge-0/0/13.0
    198.51.100.3/32    *[Local/0] 00:06:25
                          Local via ge-0/0/13.0

    HTH

    Thx
    Alex



  • 15.  RE: How to keep DHCP route tied to a specific interface?

    Posted 08-10-2019 23:03

    Thanks for your patience.

    I am able to see the route in PV but I can't ping the subnet on ge-0/0/13 even while logged into the SRX. Do I need to create an additional static route? 192.168.1.254 is the gateway and is actually my modem's LAN, but it will work the same for my PV controller. Show dhcp client binding doesn't show anything for ge-0/0/13.

    root@srx240poe> show interfaces ge-0/0/13
    Physical interface: ge-0/0/13, Enabled, Physical link is Up
      Interface index: 147, SNMP ifIndex: 524
      Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 100mbps,
      BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled,
      Source filtering: Disabled, Flow control: Disabled, Auto-negotiation: Enabled,
      Remote fault: Online
      Device flags   : Present Running
      Interface flags: SNMP-Traps Internal: 0x0
      Link flags     : None
      CoS queues     : 8 supported, 8 maximum usable queues
      Current address: 64:87:88:1c:7f:0d, Hardware address: 64:87:88:1c:7f:0d
      Last flapped   : 2019-08-10 22:46:29 PDT (00:00:13 ago)
      Input rate     : 0 bps (0 pps)
      Output rate    : 0 bps (0 pps)
      Active alarms  : None
      Active defects : None
      Interface transmit statistics: Disabled
    
      Logical interface ge-0/0/13.0 (Index 88) (SNMP ifIndex 533)
        Flags: SNMP-Traps 0x0 Encapsulation: ENET2
        Input packets : 24
        Output packets: 8
        Security: Zone: PVzone
        Allowed host-inbound traffic : dhcp
        Protocol inet, MTU: 1500
          Flags: Sendbcast-pkt-to-re, Is-Primary
          Addresses, Flags: Is-Default Is-Preferred Is-Primary
            Destination: 192.168.1/24, Local: 192.168.1.67,
            Broadcast: 192.168.1.255
    
    root@srx240poe> show route table PV
    
    PV.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    0.0.0.0/0          *[Access-internal/12] 00:00:32
                        > to 192.168.1.254 via ge-0/0/13.0
    192.168.1.0/24     *[Direct/0] 00:00:32
                        > via ge-0/0/13.0
    192.168.1.67/32    *[Local/0] 00:00:32
                          Local via ge-0/0/13.0
    
    root@srx240poe> show dhcp client binding
    
    IP address        Hardware address   Expires     State      Interface
    <WAN IP>          64:87:88:1c:7f:00  55278       BOUND      ge-0/0/0.0
    
    root@srx240poe> ping 192.168.1.67
    PING 192.168.1.67 (192.168.1.67): 56 data bytes
    ^C
    --- 192.168.1.67 ping statistics ---
    3 packets transmitted, 0 packets received, 100% packet loss
    
    root@srx240poe> ping 192.168.1.254
    PING 192.168.1.254 (192.168.1.254): 56 data bytes
    ^C
    --- 192.168.1.254 ping statistics ---
    2 packets transmitted, 0 packets received, 100% packet loss
    
    routing-options {
        interface-routes {
            rib-group inet LEAK-GRT-TO-MD;
        }
        static {
            route 192.168.1.254/32 next-table PV.inet.0;
        }
        rib-groups {
            LEAK-GRT-TO-PV {
                import-rib [ inet.0 PV.inet.0 ];
                import-policy ONLY-PC-SUBNET;
            }
        }
    }
    
    policy-options {
        policy-statement ONLY-PC-SUBNET {
            term t1 {
                from interface vlan.82;
                then accept;
            }
            term else {
                then reject;
            }
        }
    }

    I'm running the latest recommended release for my device, 12.1X46-D82.



  • 16.  RE: How to keep DHCP route tied to a specific interface?

    Posted 08-11-2019 00:17

    Hello,

    @klui wrote:

    Thanks for your patience.

    I am able to see the route in PV but I can't ping the subnet in ge-0/0/13 even while logged into the SRX.

    When pinging from GRT/inet.0, You won't be able to without:

    - leaking the route for Your ping's source IP into PV.inet.0

    - making sure the PV device knows the return route to Your ping's source IP

    You should be able to ping Your PV device with the "routing-instance PV" option:

    ping 192.168.1.254 routing-instance PV


    @klui wrote:

    root@srx240poe> show route table PV
    
    PV.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    0.0.0.0/0          *[Access-internal/12] 00:00:32
                        > to 192.168.1.254 via ge-0/0/13.0
    192.168.1.0/24     *[Direct/0] 00:00:32
                        > via ge-0/0/13.0
    192.168.1.67/32    *[Local/0] 00:00:32
                          Local via ge-0/0/13.0

    The above printout is concerning since it does not show the VLAN.82 route leaked from GRT. What is the VLAN.82 subnet, please, and did You take the above printout AFTER You applied rib-group+import-policy?


    @klui wrote:
    root@srx240poe> ping 192.168.1.67
    PING 192.168.1.67 (192.168.1.67): 56 data bytes
    ^C
    --- 192.168.1.67 ping statistics ---
    3 packets transmitted, 0 packets received, 100% packet loss
    
    

    You are pinging yourself here; do it from the routing instance, please:

    ping 192.168.1.67 routing-instance PV

    HTH

    Thx

    Alex



  • 17.  RE: How to keep DHCP route tied to a specific interface?

    Posted 08-11-2019 00:31

    Hello,

    Also, You made a mistake in the rib-group names.

    You applied the wrong rib-group to "routing-options interface-routes" and hence the VLAN.82 subnet is not making it to PV.inet.0:


    @klui wrote:
    routing-options {
        interface-routes {
            rib-group inet LEAK-GRT-TO-MD; # must be LEAK-GRT-TO-PV!
        }
        static {
            route 192.168.1.254/32 next-table PV.inet.0;
        }
        rib-groups {
            LEAK-GRT-TO-PV {
                import-rib [ inet.0 PV.inet.0 ];
                import-policy ONLY-PC-SUBNET;
            }
        }
    }
    
    policy-options {
        policy-statement ONLY-PC-SUBNET {
            term t1 {
                from interface vlan.82;
                then accept;
            }
            term else {
                then reject;
            }
        }
    }


    HTH

    Thx
    Alex
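
    The mismatch Alex spotted above (interface-routes pointing at LEAK-GRT-TO-MD while only LEAK-GRT-TO-PV is defined) commits cleanly on Junos, so nothing in the device's own validation catches it. A small lint over the curly-brace configuration text can. The following is an added example by the editor, not code from the thread or from Juniper: a minimal parser for the "show configuration" format as it appears in this thread (block openers, leaf statements, trailing "# ..." comments), plus a check that every rib-group referenced from routing-options interface-routes is defined, and that each rib-group's import-policy names an existing policy-statement. The sample configurations are the broken and corrected versions posted in this thread; the function names are the example's own, and annotation, apply-groups and "inactive:" syntax are deliberately out of scope.

```python
from typing import Any, Dict, List, Tuple

Config = Dict[str, Any]  # block -> nested dict, leaf statement -> None


def parse_junos_config(text: str) -> Config:
    """Parse curly-brace Junos configuration text into nested dicts.

    A block opener ("rib-groups {") becomes a key holding a dict; a leaf
    statement ("import-policy ONLY-PC-SUBNET;") becomes a key holding None.
    Trailing "# ..." comments and elided " ." lines are dropped.
    """
    root: Config = {}
    stack: List[Config] = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line == ".":
            continue
        if line == "}":
            if len(stack) > 1:
                stack.pop()
            continue
        if line.endswith("{"):
            block: Config = {}
            stack[-1][line[:-1].strip()] = block
            stack.append(block)
        else:
            stack[-1][line.rstrip(";")] = None
    return root


def _child(cfg: Config, key: str) -> Config:
    node = cfg.get(key)
    return node if isinstance(node, dict) else {}


def _values(parts: List[str]) -> List[str]:
    """Values of a statement: one token, or the members of a bracketed [ a b ] list."""
    return parts[2:-1] if len(parts) > 1 and parts[1] == "[" else parts[1:2]


def rib_group_references(cfg: Config) -> List[Tuple[str, str]]:
    """(location, rib-group name) pairs referenced from routing-options interface-routes."""
    refs: List[Tuple[str, str]] = []
    for stmt in _child(_child(cfg, "routing-options"), "interface-routes"):
        parts = stmt.split()  # "rib-group inet NAME" or "rib-group inet6 NAME"
        if len(parts) == 3 and parts[0] == "rib-group":
            refs.append(("routing-options interface-routes", parts[2]))
    return refs


def lint_rib_groups(cfg: Config) -> List[str]:
    """Findings: referenced rib-groups that are never defined, and rib-group
    import-policies that name no policy-statement."""
    findings: List[str] = []
    ro = _child(cfg, "routing-options")
    groups = _child(ro, "rib-groups")
    for where, name in rib_group_references(cfg):
        if name not in groups:
            findings.append(f"{where}: rib-group {name} is not defined under routing-options rib-groups")
    policies = {k.split()[1] for k in _child(cfg, "policy-options")
                if k.startswith("policy-statement ")}
    for name, body in groups.items():
        for stmt in body or {}:
            parts = stmt.split()
            if parts[0] == "import-policy":
                for pol in _values(parts):
                    if pol not in policies:
                        findings.append(f"rib-group {name}: import-policy {pol} has no policy-statement")
    return findings


# The configuration as posted in reply 15 (wrong rib-group name on interface-routes).
BROKEN = """\
routing-options {
    interface-routes {
        rib-group inet LEAK-GRT-TO-MD;
    }
    static {
        route 192.168.1.254/32 next-table PV.inet.0;
    }
    rib-groups {
        LEAK-GRT-TO-PV {
            import-rib [ inet.0 PV.inet.0 ];
            import-policy ONLY-PC-SUBNET;
        }
    }
}
policy-options {
    policy-statement ONLY-PC-SUBNET {
        term t1 {
            from interface vlan.82;
            then accept;
        }
        term else {
            then reject;
        }
    }
}
"""
# The corrected version from reply 18.
FIXED = BROKEN.replace("LEAK-GRT-TO-MD", "LEAK-GRT-TO-PV")

if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint_rib_groups(parse_junos_config(text)) or ["no findings"])
```

    Run it against "show configuration | no-more" output saved before a commit; the same two-pass structure (collect definitions, then check references) extends to other name references such as security policies that cite zones, or rib-group import-rib tables that cite routing-instances.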



  • 18.  RE: How to keep DHCP route tied to a specific interface?

    Posted 08-11-2019 13:28

    Thank you Alex for noting my error. I didn't realize I can only put one rib-group.

    Here is the current route and configuration:

    routing-options {
        interface-routes {
            rib-group inet LEAK-GRT-TO-PV;
        }
        static {
            route 192.168.1.254/32 next-table PV.inet.0;
        }
        rib-groups {
            LEAK-GRT-TO-PV {
                import-rib [ inet.0 PV.inet.0 ];
                import-policy ONLY-PC-SUBNET;
            }
        }
    }
    
    interfaces {
     .
     .
        ge-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-Management;
                    }
                }
            }
        }
     .
     .
        vlan {
            unit 0 {
                family inet {
                    address 192.168.3.254/24;
                }
            }
            unit 72 {
                family inet {
                    address 172.20.126.254/24;
                }
            }
            unit 82 {
                family inet {
                    address 172.20.128.254/24;
                }
            }
            unit 99 {
                family inet {
                    address 192.168.99.254/24;
                }
            }
        }
    }
    
    policy-options {
        policy-statement ONLY-PC-SUBNET {
            term t1 {
                from interface vlan.82;
                then accept;
            }
            term else {
                then reject;
            }
        }
    }
    
    vlans {
        vlan-Guest {
            vlan-id 99;
            l3-interface vlan.99;
        }
        vlan-Management {
            vlan-id 82;
            l3-interface vlan.82;
        }
        vlan-User {
            vlan-id 72;
            l3-interface vlan.72;
        }
        vlan-trust {
            vlan-id 3;
            l3-interface vlan.0;
        }
    }
    
    root@srx240poe> show dhcp server binding
    
    IP address        Session Id  Hardware address   Expires     State      Interface
    172.20.128.101    42          00:1b:38:bf:f5:58  86012       BOUND      vlan.82
    
    root@srx240poe# run show route table PV
    
    PV.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    0.0.0.0/0          *[Access-internal/12] 10:41:37
                        > to 192.168.1.254 via ge-0/0/13.0
    172.20.128.0/24    *[Direct/0] 00:01:16
                        > via vlan.82
    192.168.1.0/24     *[Direct/0] 10:41:37
                        > via ge-0/0/13.0
    192.168.1.67/32    *[Local/0] 10:41:37
                          Local via ge-0/0/13.0
    
    root@srx240poe> ping 192.168.1.254 routing-instance PV
    PING 192.168.1.254 (192.168.1.254): 56 data bytes
    64 bytes from 192.168.1.254: icmp_seq=0 ttl=64 time=2.390 ms
    64 bytes from 192.168.1.254: icmp_seq=1 ttl=64 time=2.528 ms
    ^C
    --- 192.168.1.254 ping statistics ---
    2 packets transmitted, 2 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 2.390/2.459/2.528/0.069 ms
    
    root@srx240poe> ping 192.168.1.67 routing-instance PV
    PING 192.168.1.67 (192.168.1.67): 56 data bytes
    64 bytes from 192.168.1.67: icmp_seq=0 ttl=64 time=0.498 ms
    64 bytes from 192.168.1.67: icmp_seq=1 ttl=64 time=0.237 ms
    ^C
    --- 192.168.1.67 ping statistics ---
    2 packets transmitted, 2 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 0.237/0.367/0.498/0.131 ms
    

    I'm able to ping 192.168.1.254 using the routing-instance PV option, but I can't ping it from a host in vlan.82. I've connected my notebook to interface ge-0/0/6.

    I'm not sure how to "making sure the PV device knows the return route to Your ping' source IP."

    C:\Users\Administrator\Desktop>ipconfig
    
    Windows IP Configuration
    
    
    Ethernet adapter Ethernet:
    
       Connection-specific DNS Suffix  . :
       Link-local IPv6 Address . . . . . : fe80::e9f7:d78f:da71:3b43%16
       IPv4 Address. . . . . . . . . . . : 172.20.128.101
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 172.20.128.254
    
    C:\Users\Administrator\Desktop>ping 192.168.1.254
    
    Pinging 192.168.1.254 with 32 bytes of data:
    Request timed out.
    Request timed out.
    
    Ping statistics for 192.168.1.254:
        Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),
    Control-C
    ^C

    I enabled traffic monitoring on ge-0/0/13 and got the following entries when I attempt to ping 192.168.1.254 from my PC. It seems I don't get any entries when the ping occurs. Last night/this morning I did the same thing when I had ge-0/0/14 configured with a static IP and pings showed up in the monitored traffic, but there was no reply.

    root@srx240poe> monitor traffic interface ge-0/0/13
    verbose output suppressed, use <detail> or <extensive> for full protocol decode
    Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
    Address resolution timeout is 4s.
    Listening on ge-0/0/13, capture size 96 bytes
    
    Reverse lookup for 192.168.1.254 failed (check DNS reachability).
    Other reverse lookup failures will not be reported.
    Use <no-resolve> to avoid reverse lookups on IP addresses.
    
    13:24:52.331950  In arp who-has 192.168.1.254 tell 192.168.1.64
    13:24:53.510936  In arp who-has 192.168.1.2 tell 192.168.1.254
    13:24:53.517855  In arp who-has 192.168.1.71 tell 192.168.1.254
    13:24:53.518178  In arp who-has 192.168.1.68 tell 192.168.1.254
    13:24:53.520122  In arp who-has 192.168.1.65 tell 192.168.1.254
    13:24:53.520222  In arp who-has 192.168.1.66 tell 192.168.1.254
    13:24:53.520676  In arp who-has 192.168.1.70 tell 192.168.1.254
    13:24:53.521353  In arp who-has 192.168.1.69 tell 192.168.1.254
    13:24:53.522148  In arp who-has 192.168.1.64 tell 192.168.1.254
    13:24:53.523180  In arp who-has 192.168.1.67 tell 192.168.1.254
    13:24:53.523224 Out arp reply 192.168.1.67 is-at 64:87:88:1c:7f:0d
    13:24:53.523899  In arp who-has 192.168.1.13 tell 192.168.1.254
    13:24:58.831057 Out LLDP, name srx240poe, length 60
            [|LLDP]
    ^C
    14 packets received by filter
    0 packets dropped by kernel
    
    


  • 19.  RE: How to keep DHCP route tied to a specific interface?
    Best Answer

    Posted 08-11-2019 21:40

    Hello,

    Point-by-point:


    @klui wrote:

     

     

    I'm not sure how to "making sure the PV device knows the return route to Your ping' source IP."

     

    Well, here is another algorithm for You:

    A/ can You login to the PV device (via CLI or GUI ) and examine its route table?

    if yes go to B, If no go to D

    B/ can You add a static 172.20.128.0/24 route to PV device ? if yes go to C if not go to D

    C/ add static 172.20.128.0/24 route to PV device pointing back to ge-0/0/13.0 DHCP address 192.168.1.67 as a gateway.

    D/ add source NAT to SRX configuration so that all packets from PC LAN with source address 172.20.128.0/24 are xlated to DHCP address 192.168.1.67 on ge-0/0/13.



    @klui wrote:

    I enabled traffic monitoring on ge-0/0/13 and got the following entries when I attempt to ping 192.168.1.254 from my PC. It seems I don't get any entries when the ping occurs. Last night/this morning I did the same thing when I had ge-0/0/14 configured with a static IP and pings showed up in the monitored traffic, but there was no reply.

    root@srx240poe> monitor traffic interface ge-0/0/13
    verbose output suppressed, use <detail> or <extensive> for full protocol decode
    Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
    Address resolution timeout is 4s.
    Listening on ge-0/0/13, capture size 96 bytes
    
    Reverse lookup for 192.168.1.254 failed (check DNS reachability).
    Other reverse lookup failures will not be reported.
    Use <no-resolve> to avoid reverse lookups on IP addresses.
    
    13:24:52.331950  In arp who-has 192.168.1.254 tell 192.168.1.64
    13:24:53.510936  In arp who-has 192.168.1.2 tell 192.168.1.254
    13:24:53.517855  In arp who-has 192.168.1.71 tell 192.168.1.254
    13:24:53.518178  In arp who-has 192.168.1.68 tell 192.168.1.254
    13:24:53.520122  In arp who-has 192.168.1.65 tell 192.168.1.254
    13:24:53.520222  In arp who-has 192.168.1.66 tell 192.168.1.254
    13:24:53.520676  In arp who-has 192.168.1.70 tell 192.168.1.254
    13:24:53.521353  In arp who-has 192.168.1.69 tell 192.168.1.254
    13:24:53.522148  In arp who-has 192.168.1.64 tell 192.168.1.254
    13:24:53.523180  In arp who-has 192.168.1.67 tell 192.168.1.254
    13:24:53.523224 Out arp reply 192.168.1.67 is-at 64:87:88:1c:7f:0d
    13:24:53.523899  In arp who-has 192.168.1.13 tell 192.168.1.254
    13:24:58.831057 Out LLDP, name srx240poe, length 60
            [|LLDP]
    ^C
    14 packets received by filter
    0 packets dropped by kernel
    
    

    What You call "traffic monitoring" is useless for transit traffic (transit meaning neither the src.IP nor the dst.IP belongs to SRX) - transit packets are NOT shown.

    Anyway, to spare Your time here is my complete lab config with src NAT included:


    set security nat source rule-set PV-NAPT44 from zone trust
    set security nat source rule-set PV-NAPT44 to interface ge-0/0/13.0
    set security nat source rule-set PV-NAPT44 rule r1 match source-address 0.0.0.0/0
    set security nat source rule-set PV-NAPT44 rule r1 match destination-address 192.168.1.254/32
    set security nat source rule-set PV-NAPT44 rule r1 then source-nat interface
    set security policies from-zone trust to-zone PV policy T-2-PV match source-address any
    set security policies from-zone trust to-zone PV policy T-2-PV match destination-address any
    set security policies from-zone trust to-zone PV policy T-2-PV match application any
    set security policies from-zone trust to-zone PV policy T-2-PV then permit
    set security zones security-zone PV host-inbound-traffic system-services dhcp
    set security zones security-zone PV interfaces ge-0/0/13.0
    set routing-options interface-routes rib-group inet LEAK-GRT-TO-PV
    set routing-options static route 192.168.1.254/32 next-table PV.inet.0
    set routing-options rib-groups LEAK-GRT-TO-PV import-rib inet.0
    set routing-options rib-groups LEAK-GRT-TO-PV import-rib PV.inet.0
    set routing-options rib-groups LEAK-GRT-TO-PV import-policy ONLY-PC-SUBNET
    set routing-instances PV instance-type virtual-router
    set routing-instances PV interface ge-0/0/13.0
    set interfaces ge-0/0/13 unit 0 family inet dhcp-client


    HTH

    Thx

    Alex



  • 20.  RE: How to keep DHCP route tied to a specific interface?

    Posted 08-12-2019 00:34

    Again, thanks for taking the time to provide me the guidance.

    Your solution works and with a very small adjustment I can ping the entire subnet!! I'm disheartened it took this much effort to accomplish this in the SRX where the SSG took just one setting. I don't have any VLANs on the SSG and maybe that's the reason. I don't plan on giving up on the SRX platform and will continue working with it.


    Much appreciated for your patience and sharing your expertise.



  • 21.  RE: How to keep DHCP route tied to a specific interface?

    Posted 08-12-2019 01:42

    Hello,



    @klui wrote:

    I'm disheartened it took this much effort to accomplish this in the SRX where the SSG took just one setting.

    Please don't be. Two key differences between SSG and SRX come to mind which necessitated a fairly complex SRX config:

    1/ SSG interface default mode is "nat" whereas SRX interface does not have "modes". It takes an explicit NAT config in SRX to accomplish SSG "interface mode nat" functionality.

    2/ It seems SSG is able to ignore DHCP Option 3 but SRX cannot, hence a routing-instance is necessary in SRX to isolate the unnecessary 0/0 route received via DHCP Option 3 from Your PV device.



    @klui wrote:

    I don't plan on giving up on the SRX platform and will continue working with it.

    Good, once You learn SRX flexibility powered by JUNOS You'll come to love it. Trust me :)

    HTH

    Thx

    Alex
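
Added worked example (editor's addition; this is neither Alex's posted lab config nor klui's final configuration): the full set of statements the approach in replies 19 and 21 needs on one SRX, including the ONLY-PC-SUBNET policy that the posted rib-group references but the post does not define, plus a transit packet capture for the point that monitor traffic only shows packets sourced by or destined to the SRX itself. Assumptions, labelled in the block as well: the PC LAN is 172.20.128.0/24 (the prefix named in reply 19); the "very small adjustment" klui mentions is taken to be widening the /32 static route and the NAT destination match to 192.168.1.0/24, since the actual change is not shown; the NAT source match is narrowed from 0.0.0.0/0 to the PC subnet; the names PV-CAP and pv-cap are hypothetical. Lines starting with ## are explanatory and must be dropped before load set terminal.

```junos
## Added example, not the posted config. Strip "##" lines before "load set".

## 1. Isolate ge-0/0/13, and the 0/0 route its DHCP lease carries via
##    Option 3, in a virtual-router so it never competes with inet.0's
##    default route (same idea as the posted config).
set routing-instances PV instance-type virtual-router
set routing-instances PV interface ge-0/0/13.0
set interfaces ge-0/0/13 unit 0 family inet dhcp-client
set security zones security-zone PV interfaces ge-0/0/13.0
set security zones security-zone PV host-inbound-traffic system-services dhcp

## 2. Policy referenced by the posted rib-group but not shown there.
##    ASSUMPTION: the PC LAN is 172.20.128.0/24 as named in reply 19.
set policy-options policy-statement ONLY-PC-SUBNET term pc from route-filter 172.20.128.0/24 exact
set policy-options policy-statement ONLY-PC-SUBNET term pc then accept
set policy-options policy-statement ONLY-PC-SUBNET then reject

## 3. Leak only that direct route from inet.0 into PV.inet.0.
set routing-options rib-groups LEAK-GRT-TO-PV import-rib inet.0
set routing-options rib-groups LEAK-GRT-TO-PV import-rib PV.inet.0
set routing-options rib-groups LEAK-GRT-TO-PV import-policy ONLY-PC-SUBNET
set routing-options interface-routes rib-group inet LEAK-GRT-TO-PV

## 4. Hand trust traffic for the PV side to the PV table. The posted config
##    used 192.168.1.254/32; the /24 is an ASSUMED form of klui's widening
##    so the whole subnet is reachable.
set routing-options static route 192.168.1.0/24 next-table PV.inet.0

## 5. Source NAT to ge-0/0/13's DHCP address, so the PV device needs no
##    return route for 172.20.128.0/24 (step D in reply 19). Source match
##    narrowed to the PC subnet; the posted rule used 0.0.0.0/0.
set security nat source rule-set PV-NAPT44 from zone trust
set security nat source rule-set PV-NAPT44 to interface ge-0/0/13.0
set security nat source rule-set PV-NAPT44 rule r1 match source-address 172.20.128.0/24
set security nat source rule-set PV-NAPT44 rule r1 match destination-address 192.168.1.0/24
set security nat source rule-set PV-NAPT44 rule r1 then source-nat interface
set security policies from-zone trust to-zone PV policy T-2-PV match source-address any
set security policies from-zone trust to-zone PV policy T-2-PV match destination-address any
set security policies from-zone trust to-zone PV policy T-2-PV match application any
set security policies from-zone trust to-zone PV policy T-2-PV then permit

## 6. Optional troubleshooting: capture transit packets leaving ge-0/0/13
##    toward the PV subnet. "monitor traffic" only sees RE-bound traffic;
##    branch-SRX packet-capture writes pcap files under /var/tmp.
##    Filter and file names (PV-CAP, pv-cap) are hypothetical.
set forwarding-options packet-capture file filename pv-cap
set forwarding-options packet-capture maximum-capture-size 1500
set firewall family inet filter PV-CAP term cap from destination-address 192.168.1.0/24
set firewall family inet filter PV-CAP term cap then sample
set firewall family inet filter PV-CAP term cap then accept
set firewall family inet filter PV-CAP term rest then accept
set interfaces ge-0/0/13 unit 0 family inet filter output PV-CAP
```

To check the result after commit: show route table PV.inet.0 should list the DHCP-learned 0/0 and the 192.168.1.0/24 direct route with the leaked 172.20.128.0/24, while show route 0/0 in inet.0 should still point at ge-0/0/0 only; show route 192.168.1.254 should resolve via the next-table static; show security nat source rule all confirms r1 is hit, and show security flow session destination-prefix 192.168.1.254 shows the translated source address while a ping is running. Remove the output filter and the packet-capture stanza once debugging is done, since sampling every egress packet costs forwarding performance on a branch box.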