Thank you for your time replying to me.
Yes... It could be an MTU problem. I have a suggestion from someone to
delete interfaces pp0 unit 0 family inet mtu 1492
set interfaces pp0 unit 0 pppoe-options ppp-max-payload 1500
I can't confirm that it solved the problem, but I think it made noticeably more positive results. Sure, I have also upgraded the SRX300 firmware as it was 15.xx; someone on Reddit mentioned that his problem was old firmware. I'm not sure if this could affect it.
So, currently, I have 500 Mbps internet speed but it seems like an "old DSL", but at the same time, very big providers' pages like Google or Facebook spin like they should on this quick circuit.
I have seen the TCP-MSS clamping part in other configs but haven't tried it just yet, but for sure I will do it. The simple problem here is not knowing the values I should use.
Original Message:
Sent: 10-02-2023 05:10
From: markw
Subject: BT FTTP broadband (UK) with SRX. inproperly functionaling
Looking at the symptoms I am almost entirely certain this is an MTU issue. I see it uses PPPoE and that reinforces this suspicion, because that is essentially a sort of tunneling technology, meaning there is a PPP encapsulation of your packets and you will need to adjust your MTU size to properly fit within the tunnel.
As an anecdotal example, at my old university they also used PPPoE and I would've had to set 1492 as MTU (instead of the standard 1500) on my workstation to be able to get a working connection. On the SRX I think you might be able to achieve it with TCP-MSS clamping or equivalent technology, but not sure what the best approach is to handle this (not a huge expert on this particular side of things, but since the symptoms are basically a 100% match with an MTU size problem, I figured I'd at least share these insights).
Original Message:
Sent: 09-30-2023 17:16
From: ARENTAS BUTKUS
Subject: BT FTTP broadband (UK) with SRX. inproperly functionaling
BT FTTP broadband (UK) with SRX - mistic.
Hello,
I recently changed home broadband to BT, which they call "full-fibre" FTTP. I used the SRX as an ISP router with the previous provider with the VDSL2-A interfaces. Now I simply have to plug the ethernet into the fibre converter supplied.
BT uses a PPPoE type of connection, which is simply achievable on the SRX. I'm using instructions from https://blog.shiraj.com/2022/04/juniper-srx-configuring-bt-fttp-pppoe/ but this is pretty much the same as https://supportportal.juniper.net/s/article/SRX-Getting-Started-PPPoE-Configuration-Examples?language=en_US only the ppp-options with "pap" don't work; I need to use "chap". Also, in my case, it doesn't work if interface ge-0/0/5.0 is included in the outside (untrust) zone; interface pp0 needs to be in the untrust zone.
Connection initiated and traffic is flowing. BUT not all traffic. Which for me is the biggest mystery. Just some web pages are getting through. For example, Facebook, Google Stack, some other random ones, and they seem just perfect; some messenger apps are OK, but most of the other traffic is not coming through. Weirdly enough, ICMP reaches everything.
I have tried different DNS servers but still the same. I have pulled out another SRX and configured it with the basic config and still the same.
I know this may have nothing to do with SRX, but maybe there is something else that I'm missing. BT itself?
My config
set security screen ids-option untrust-screen description ***INTRUSION_DETECTION_SYSTEM_OPTIONS***
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust description "//______NAT/PAT from inside to internet________//"
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule trust-to-internet match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule trust-to-internet match destination-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule trust-to-internet then source-nat interface
set security policies from-zone trust to-zone trust policy trust-to-trust description "//__________Policy for internal TRUST zone_________//"
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
set security policies from-zone trust to-zone untrust policy trust-to-untrust description "//__________Trafic policy to internet_________//"
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security zones security-zone trust description "//________Inside of the wall ZONE_______//"
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces irb.0
set security zones security-zone untrust description "//________Outside ZONE_______//"
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/5.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces pp0.0
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/5 unit 0 description "__________ ISP BT fiber_________"
set interfaces ge-0/0/5 unit 0 encapsulation ppp-over-ether
set interfaces irb unit 0 family inet address 192.168.0.190/24
set interfaces pp0 traceoptions flag all
set interfaces pp0 unit 0 description "__________Point to point interface that call the ge-0/0/5.0___________"
set interfaces pp0 unit 0 ppp-options chap default-chap-secret "$9$psIluO1REyWLNM8UHkmF30BIhrvN-w"
set interfaces pp0 unit 0 ppp-options chap local-name "btbusinesshub@business.btclick.com"
set interfaces pp0 unit 0 ppp-options chap passive
set interfaces pp0 unit 0 pppoe-options underlying-interface ge-0/0/5.0
set interfaces pp0 unit 0 pppoe-options idle-timeout 0
set interfaces pp0 unit 0 pppoe-options auto-reconnect 1
set interfaces pp0 unit 0 pppoe-options client
set interfaces pp0 unit 0 no-keepalives
set interfaces pp0 unit 0 family inet mtu 1492
set interfaces pp0 unit 0 family inet negotiate-address
set routing-options static route 0.0.0.0/0 next-hop pp0.0
set protocols l2-learning global-mode switching
set protocols rstp interface ge-0/0/2
set protocols rstp interface all
set firewall family inet filter FW_ALLOW_SSH term ALLOW_SSH from protocol tcp
set firewall family inet filter FW_ALLOW_SSH term ALLOW_SSH from port ssh
set firewall family inet filter FW_ALLOW_SSH term ALLOW_SSH then accept
set firewall family inet filter FW_ALLOW_SSH term REJECT then reject
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface irb.0
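Added example, not part of any post in this thread: a small Python check that derives the TCP-MSS clamp value from the pp0 MTU in a set-style config and reports whether a clamp is present. The function names and the sample excerpt are constructed here; `set security flow tcp-mss all-tcp mss` is the Junos flow statement assumed for the clamp, and the ppp-max-payload branch assumes the peer accepted that payload size.

```python
import re

PPPOE_OVERHEAD = 8      # 6-byte PPPoE header + 2-byte PPP protocol field
IPV4_TCP_HEADERS = 40   # 20-byte IPv4 header + 20-byte TCP header, no options

# Constructed sample: pp0-related lines taken from the config in the original post.
SAMPLE_CONFIG = """\
set interfaces ge-0/0/5 unit 0 encapsulation ppp-over-ether
set interfaces pp0 unit 0 pppoe-options underlying-interface ge-0/0/5.0
set interfaces pp0 unit 0 family inet mtu 1492
set routing-options static route 0.0.0.0/0 next-hop pp0.0
"""

def pppoe_ip_mtu(config, ethernet_mtu=1500):
    """IP MTU on pp0.0: explicit inet mtu, else ppp-max-payload, else Ethernet MTU - 8."""
    m = re.search(r"^set interfaces pp0 unit 0 family inet mtu (\d+)$", config, re.M)
    if m:
        return int(m.group(1))
    m = re.search(r"^set interfaces pp0 unit 0 pppoe-options ppp-max-payload (\d+)$",
                  config, re.M)
    if m:
        # Assumption: the peer accepted this payload and the access link carries payload + 8.
        return int(m.group(1))
    return ethernet_mtu - PPPOE_OVERHEAD

def configured_mss(config):
    """Return the all-tcp MSS clamp if one is configured, else None."""
    m = re.search(r"^set security flow tcp-mss all-tcp mss (\d+)$", config, re.M)
    return int(m.group(1)) if m else None

def audit(config):
    """Return (ip_mtu, largest_safe_ipv4_mss, findings)."""
    mtu = pppoe_ip_mtu(config)
    want = mtu - IPV4_TCP_HEADERS
    have = configured_mss(config)
    findings = []
    if have is None:
        findings.append(f"no TCP-MSS clamp; suggest: set security flow tcp-mss all-tcp mss {want}")
    elif have > want:
        findings.append(f"clamp {have} exceeds {want}; full-size segments exceed MTU {mtu}")
    return mtu, want, findings

def fits(ip_packet_len, mtu):
    """True if an IP packet with DF set crosses the PPPoE link unfragmented."""
    return ip_packet_len <= mtu

if __name__ == "__main__":
    mtu, want, findings = audit(SAMPLE_CONFIG)
    print(f"pp0.0 IP MTU {mtu}, IPv4 TCP MSS {want}")
    for finding in findings:
        print("-", finding)
    # A default 84-byte ping fits; a 1500-byte TCP packet from a LAN host does not.
    print(fits(84, mtu), fits(1500, mtu))
```

The last line shows why ICMP can reach everything while bulk TCP stalls: small packets fit the 1492-byte link, full-size 1500-byte packets do not unless the MSS is clamped or path MTU discovery works end to end.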