SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  BT FTTP broadband (UK) with SRX. Improperly functioning

    Posted 09-30-2023 17:16

    BT FTTP broadband (UK) with SRX - a mystery.

    Hello,

    I recently changed home broadband to BT, which they call "full-fibre" FTTP. I used the SRX as an ISP router with the previous provider using the VDSL2-A interfaces. Now I simply have to plug the Ethernet into the fibre converter supplied.

    BT uses a PPPoE type of connection, which is simply achievable on an SRX. I'm using the instructions from https://blog.shiraj.com/2022/04/juniper-srx-configuring-bt-fttp-pppoe/, but this is pretty much the same as https://supportportal.juniper.net/s/article/SRX-Getting-Started-PPPoE-Configuration-Examples?language=en_US, except that the ppp-options with "pap" don't work; I need to use "chap". Also, in my case, it doesn't work if interface ge-0/0/5.0 is included in the outside (untrust) zone; interface pp0 needs to be in the untrust zone.

    The connection is initiated and traffic is flowing. BUT not all traffic, which for me is the biggest mystery. Just some web pages are getting through. For example, Facebook, Google Stack and some other random ones seem just perfect, and some messenger apps are OK, but most of the other traffic is not coming through. Weirdly enough, ICMP reaches everything.
    I have tried different DNS servers but still the same. I have pulled out another SRX and configured it with the basic config, and still the same.

    I know this may have nothing to do with SRX, but maybe there is something else that I'm missing. BT itself? 

    My config:

    set security screen ids-option untrust-screen description ***INTRUSION_DETECTION_SYSTEM_OPTIONS***
    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land
    
    set security nat source rule-set trust-to-untrust description "//______NAT/PAT from inside to internet________//"
    set security nat source rule-set trust-to-untrust from zone trust
    set security nat source rule-set trust-to-untrust to zone untrust
    set security nat source rule-set trust-to-untrust rule trust-to-internet match source-address 0.0.0.0/0
    set security nat source rule-set trust-to-untrust rule trust-to-internet match destination-address 0.0.0.0/0
    set security nat source rule-set trust-to-untrust rule trust-to-internet then source-nat interface
    
    set security policies from-zone trust to-zone trust policy trust-to-trust description "//__________Policy for internal TRUST zone_________//"
    set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
    set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
    set security policies from-zone trust to-zone trust policy trust-to-trust match application any
    set security policies from-zone trust to-zone trust policy trust-to-trust then permit
    
    set security policies from-zone trust to-zone untrust policy trust-to-untrust description "//__________Trafic policy to internet_________//"
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
    
    set security zones security-zone trust description "//________Inside of the wall ZONE_______//"
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic protocols all
    set security zones security-zone trust interfaces irb.0
    
    set security zones security-zone untrust description "//________Outside ZONE_______//"
    set security zones security-zone untrust screen untrust-screen
    set security zones security-zone untrust interfaces ge-0/0/5.0 host-inbound-traffic system-services ping
    set security zones security-zone untrust interfaces pp0.0
    
    set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
    
    set interfaces ge-0/0/5 unit 0 description "__________ ISP BT fiber_________"
    set interfaces ge-0/0/5 unit 0 encapsulation ppp-over-ether
    
    set interfaces irb unit 0 family inet address 192.168.0.190/24
    
    set interfaces pp0 traceoptions flag all
    set interfaces pp0 unit 0 description "__________Point to point interface that call the ge-0/0/5.0___________"
    set interfaces pp0 unit 0 ppp-options chap default-chap-secret "$9$psIluO1REyWLNM8UHkmF30BIhrvN-w"
    set interfaces pp0 unit 0 ppp-options chap local-name "btbusinesshub@business.btclick.com"
    set interfaces pp0 unit 0 ppp-options chap passive
    set interfaces pp0 unit 0 pppoe-options underlying-interface ge-0/0/5.0
    set interfaces pp0 unit 0 pppoe-options idle-timeout 0
    set interfaces pp0 unit 0 pppoe-options auto-reconnect 1
    set interfaces pp0 unit 0 pppoe-options client
    set interfaces pp0 unit 0 no-keepalives
    set interfaces pp0 unit 0 family inet mtu 1492
    set interfaces pp0 unit 0 family inet negotiate-address
    
    set routing-options static route 0.0.0.0/0 next-hop pp0.0
    
    set protocols l2-learning global-mode switching
    
    set protocols rstp interface ge-0/0/2
    set protocols rstp interface all
    
    set firewall family inet filter FW_ALLOW_SSH term ALLOW_SSH from protocol tcp
    set firewall family inet filter FW_ALLOW_SSH term ALLOW_SSH from port ssh
    set firewall family inet filter FW_ALLOW_SSH term ALLOW_SSH then accept
    set firewall family inet filter FW_ALLOW_SSH term REJECT then reject
    
    set vlans vlan-trust vlan-id 3
    set vlans vlan-trust l3-interface irb.0



  • 2.  RE: BT FTTP broadband (UK) with SRX. Improperly functioning

    Posted 10-02-2023 10:56

    I had a similar issue recently - same symptoms - same sort of PPPoE fibre broadband setup with an SRX. I had to adjust the MTU and MSS to allow for the PPP header. You can use ping to determine what your max packet size is before fragmentation occurs and set your SRX accordingly.



    ------------------------------
    EWAN MCDONELL
    ------------------------------
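The symptom in the original post (ICMP works, only some sites load) and the MTU/MSS fix in the reply above, worked through as an added example that is not from either poster: a script that sweeps ping with the DF bit set to find the largest unfragmented payload, derives the path MTU and prints the matching Junos lines for the thread's pp0 interface. It assumes Linux iputils ping (the -M do flag) and that a 1200-byte payload already passes.

```sh
#!/bin/sh
# Added example, not from the thread. Finds the largest ICMP payload that
# passes with DF set, derives the path MTU and prints SRX settings for it.
# Assumes Linux iputils ping; on BSD/macOS the DF flag is -D instead.
set -u

# IPv4 header (20) + ICMP echo header (8) sit in front of the payload.
# TCP MSS = MTU - 20 (IPv4) - 20 (TCP); PPPoE costs 8 bytes on the wire,
# which is why 1500 becomes 1492 and the MSS becomes 1452.
mtu_from_payload() { echo $(( $1 + 28 )); }
mss_from_mtu()     { echo $(( $1 - 40 )); }

# Binary search between lo (assumed to pass) and hi (assumed to fail).
# Needs network access to $1; prints the largest passing payload size.
find_max_payload() {
  host=$1 lo=${2:-1200} hi=${3:-1500}
  while [ $((hi - lo)) -gt 1 ]; do
    mid=$(( (lo + hi) / 2 ))
    if ping -c 1 -W 2 -M do -s "$mid" "$host" >/dev/null 2>&1; then
      lo=$mid
    else
      hi=$mid
    fi
  done
  echo "$lo"
}

# Junos lines for the discovered path MTU: the pp0 MTU from the original
# config plus a flow-level MSS clamp so TCP sessions fit through PPPoE.
junos_lines() {
  mtu=$1
  printf 'set interfaces pp0 unit 0 family inet mtu %s\n' "$mtu"
  printf 'set security flow tcp-mss all-tcp mss %s\n' "$(mss_from_mtu "$mtu")"
}

# Usage: sh pmtu.sh 1.1.1.1   (the sweep is skipped when no host is given)
if [ "${1:-}" ]; then
  payload=$(find_max_payload "$1")
  mtu=$(mtu_from_payload "$payload")
  echo "largest DF payload: $payload -> path MTU $mtu"
  junos_lines "$mtu"
fi
```

On a plain Ethernet path the sweep stops at 1472; behind PPPoE it stops at 1464, which is the 1492 MTU the original config already sets, so the missing piece is the MSS clamp.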