SRX

Hi All,

Tried everything I can to get this working. Should be simple enough. I want two DHCP scopes for two interfaces. My hosts are not getting addresses assigned.

Relevant config:

dhcp {

maximum-lease-time 10800;
default-lease-time 10800;
domain-name webf;
traceoptions {
    file dhcp.dbg world-readable;
    level verbose;
    flag all;
}
pool 192.168.44.0/24 {
    address-range low 192.168.44.40 high 192.168.44.60;
    name-server {
        8.8.8.8;
    }
    router {
        192.168.44.10;
    }
}
pool 172.17.1.0/24 {
    address-range low 172.17.1.100 high 172.17.1.110;
    name-server {
        8.8.8.8;
    }
    router {
        172.17.1.1;
    }
}

ge-0/0/0 {
    description LAN;
    unit 0 {
        family inet {
            address 172.17.1.1/24;
        }
    }
}
fe-0/0/2 {
    unit 0 {
        description wifi;
        family inet {
            address 192.168.0.1/24;
            address 192.168.44.10/24 {
                preferred;
            }
        }
    }
}

security-zone trusted {
    address-book {
        address 172.17.1.1/32 172.17.1.0/24;
        address 172.17.1.101/32 172.17.1.101/32;
        address 172.17.1.102/32 172.17.1.102/32;
        address trusted-wired-lan 172.17.1.0/24;
    }
    host-inbound-traffic {
        system-services {
            ping;
            ssh;
            reverse-ssh;
            https;
            all;
        }
    }
    interfaces {
        ge-0/0/0.0 {
            host-inbound-traffic {
                system-services {
                    dhcp;
                    ssh;
                    https;
                    ping;
                }
            }
        }
    }
}


security-zone wireless {
    tcp-rst;
    address-book {
        address wireless_net 192.168.0.0/24;
        address wireless_ipv6_net 2001:470:d:c1::/64;
        address mbp 192.168.44.104/32;
        address wifi_net 192.168.44.0/24;
    }
    host-inbound-traffic {
        system-services {
            ssh;
            all;
            ping;
        }
        protocols {
            all;
        }
    }
    interfaces {
        fe-0/0/2.0 {
            host-inbound-traffic {
                system-services {
                    dhcp;
                    ssh;
                    bootp;
                    all;
                }
            }
        }
    }
}

user@SRX210> restart dhcp-service
warning: dhcp-service subsystem not running - not needed by configuration.

user@SRX210> restart dhcp
Dynamic Host Configuration Protocol process started, pid 1455

user@SRX210> show version
Hostname: SRX210
Model: srx210h
JUNOS Software Release [11.4R10.3]

Doesn't it work on both interfaces?

Regards

Andrea

Hello you can try a few things, first i would upgrade to 12 code, and use the new DHCP deamon and set your DHCP server under Access, if you want to do this let me know i can give you a config.

If not try adding under each pool

set system services dhcp pool 192.168.44.0/24 propagate-settings fe-0/0/2.0

set system services dhcp pool 172.17.1.0/24 propagate-settings ge-0/0/0.0

Let me know if you have any other questions.

James Brunk

Network Engineer

JNCIS-WLAN, JNCIS-SEC, JNCIS-ENT

Hi James, 

Adding propagate-settings did not help.

Niether did upgrading to JUNOS Software Release [12.1X46-D15.3] unfortunately. 

I'll have a look at the settings under Access as you suggest and see if I can get that going. 

kbb,

No worries on it not working, i will provide you a config for access DHCP, we have tested here in our Lab and it seems to be working better then the old DHCP daemon, below would be your config per your posted setup,

too things to remember once you setup access you have to completely delete your system services dhcp config they will not work together. also if you SRX210 is pulling dhcp from your internet provider change your family inet dhcp to family inet dhcp-client this will put that config on the new dhcp daemon also.

set access address-assignment pool lan family inet network 172.17.1.0/24
set access address-assignment pool lan family inet range inside low 172.17.1.100
set access address-assignment pool lan family inet range inside high 172.17.1.110
set access address-assignment pool lan family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool lan family inet dhcp-attributes router 172.17.1.1


set access address-assignment pool wireless family inet network 192.168.44.0/24
set access address-assignment pool wireless family inet range inside low 192.168.44.40
set access address-assignment pool wireless family inet range inside high 192.168.44.60
set access address-assignment pool wireless family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool wireless family inet dhcp-attributes router 192.168.44.10

set system services dhcp-local-server group wireless interface fe-0/0/2.0
set system services dhcp-local-server group lan interface ge-0/0/0.0

Let me know if this works i have tested it in our lab many times and know it works.

James Brunk

Network Engineer

JNCIS-WLAN, JNCIS-SEC, JNCIS-ENT

Thanks for the config James. Sad to say I cannot report success. I mirrored the port connected to ge-0/0/0 and could see the DHCP request in a capture on the interface.
But a capture on the SRX could not see the DHCP request. Could something else in Junos be stopping the requests??

Thanks. 

root@SRX210> show configuration access
address-assignment {
pool trusted {
family inet {
network 172.17.1.0/24;
range trusted-pool {
low 172.17.1.100;
high 172.17.1.110;
}
dhcp-attributes {
maximum-lease-time 172800;
name-server {
8.8.8.8;
}
router {
172.17.1.1;
}
}
}
}
}

root@SRX210> show configuration system services dhcp-local-server
group trusted {
interface ge-0/0/0.0;
}

root@SRX210> show configuration security zones security-zone trusted interfaces
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
dhcp;
ssh;
https;
ping;
}
}
}

root@SRX210> show configuration interfaces at-1/0/0 unit 0
encapsulation atm-ppp-vc-mux;
vci 0.100;
ppp-options {
pap {
default-password <snip>
local-name <snip>
local-password <snip>
passive;
}
}
family inet {
rpf-check;
negotiate-address;
dhcp-client;
}

root@SRX210% ps -aux | grep dhcp
root 4194 0.0 1.2 50216 12136 ?? S 8:18PM 0:05.30 /usr/sbin/jdhcpd -N
root 4460 0.0 0.1 3148 1272 p0 S+ 9:02PM 0:00.03 grep dhcp
root@SRX210%

kbb,

ANy chance you can send me the whole config, this would help to see if anythign else is blocking dhcp,

try doing a commit full on the srx210 this will restart all services,

James

Hi James. Config sent as private message.

Can't so a commit full, but I have restared dhcp-service.

root@SRX210# commit ?
Possible completions:
  <[Enter]>            Execute this command
  and-quit             Quit configuration mode if commit succeeds
  at                   Time at which to activate configuration changes
  check                Check correctness of syntax; do not apply changes
  comment              Message to write to commit log
  confirmed            Automatically rollback if not confirmed
  |                    Pipe through a command
[edit]
root@SRX210#

You have to type the whole comand out. Hidden command. Not so sure what is happening at this point. I am assuming the srx has ben rebooted already. I will take a deeper look at the config later and see if there is a missing config option. What does the debug log show?

post this output:

#show system services dhcp | display set

That is all you should have. If you have the dhcp-local-server statement configured, delete it.

While you are at it, verify that the client does not already have a static IP assigned that was overlooked.

Can you run a monitor traffic interface in order to see if you are receving the DHCP messages?

Okay, looking at the config more closely, after setting the options uder this heirarchy, you need to add these lines;

set system services dhcp pool 192.168.44.0/24 propagate-settings fe-0/0/2.0
set system services dhcp pool 172.17.1.0/24 propagate-settings ge-0/0/0.0

Ok! Issue is resolved! Thanks James for the solution.

...

I had a firewall filter configured on the loopback interface to restict SSH access to the SRX. This was dropping the dhcp requests without logging them and so they never appeared in my packet captures.

I added a term to the filter :

    term allow_dhcp {
        from {
            destination-port dhcp;
        }
    }
And now DHCP works! Thanks James.

And thanks Lyndidon for the assistance you provided too.

I feel like quite the n00b now.

kbb,

No worries 

Just remember since you have the Firewall filter on your lo0 interface you still might be dropping things you don't even know all you have to do is just do the term 3 or 4 then accept this will allow all other services cause as of right now you are blocking everything that hits your RE except SSH, DHCP so if you start having other issues you will either need to add another term or just add that final term then accept.

Again glad i was able to help you on your issue please if you haven't already give me a star 🙂

james 

Do you already have your polices to permit traffic from security zone trusted to trusted and from wireless to wireless?

One other thing, is the interface that ge-0/0/0 and fe-x/x/x connect on the switch with the clients, are these interfaces trunk ports? If not, do you have the ports set to dhcp-trusted if they are access ports? Do you have the switch also enable for DHCP relay?

Hi Lyndidon,

I connected a Win7 host directly to ge-0/0/0, bypassing the switch. I also added:

from-zone trusted to-zone trusted {
            policy trusted {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
        }

Still does not work. I really can't see what could be the problem.