I would start with flow traceoptions on the head office SRX to see what happens to the packet. Most likely it is a zone mismatch or something similar that can be addressed via some config manipulation.
Original Message:
Sent: 09-20-2023 06:08
From: Koos147
Subject: Make VLAN available on low-end router
Good day,
Today I am at the customer's location.
We have set up the IPsec tunnel from the Teltonika to the SRX.
As traffic selectors I added:
192.168.20.0/24 > 192.168.10.0/24
192.168.20.0/24 > 192.168.0.0/24
I am able to ping devices in the head office location, no problem.
On the SRX I made the following policies:
External > headoffice-lan
External > 3rd party VPN zone
As expected there is no ping to the 3rd party,
so I added a source NAT:
from zone external-location;
to zone [ head-office-lan 3th-party-vpn ];
rule scanner {
    match {
        source-address 192.168.20.0/24;
        destination-address [ 192.168.10.0/24 192.168.0.0/24 ];
    }
    then {
        source-nat {
            pool {
                Ip-in-head-office-lan;
            }
        }
    }
}
But still no ping from the wireless devices.
What am I missing?
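As an added example (not configuration from any poster in this thread), here is how the pieces from the post above fit together on the SRX, together with the flow traceoptions suggested in the reply at the top of the thread. The zone names, the pool name Ip-in-head-office-lan, the rule name scanner and the address ranges are taken from the post; the rule-set name warehouse-to-hub, the pool address 192.168.10.250/32, the interfaces st0.0, st0.1 and ge-0/0/1.0, the policy name and the address-book entry names are assumptions made for the example.

```junos
security {
    /* Assumed interface-to-zone bindings; a tunnel interface left in the
       wrong zone is the "zone mismatch" the top reply refers to. */
    zones {
        security-zone external-location {
            interfaces {
                st0.0;                  /* assumed: route-based tunnel to the Teltonika */
            }
        }
        security-zone 3th-party-vpn {
            interfaces {
                st0.1;                  /* assumed: route-based tunnel to the 3rd party */
            }
        }
        security-zone head-office-lan {
            interfaces {
                ge-0/0/1.0;             /* assumed LAN interface in 192.168.10.0/24 */
            }
        }
    }
    address-book {
        global {
            address warehouse-net 192.168.20.0/24;
            address partner-net 192.168.0.0/24;
        }
    }
    policies {
        /* Policy lookup uses the ORIGINAL (pre-source-NAT) source address,
           so the source stays 192.168.20.0/24 here, not the NAT pool. */
        from-zone external-location to-zone 3th-party-vpn {
            policy warehouse-to-partner {
                match {
                    source-address warehouse-net;
                    destination-address partner-net;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    nat {
        source {
            pool Ip-in-head-office-lan {
                address {
                    192.168.10.250/32;  /* assumed free address inside the head-office VLAN */
                }
            }
            rule-set warehouse-to-hub {
                from zone external-location;
                to zone [ head-office-lan 3th-party-vpn ];
                rule scanner {
                    match {
                        source-address 192.168.20.0/24;
                        destination-address [ 192.168.10.0/24 192.168.0.0/24 ];
                    }
                    then {
                        source-nat {
                            pool {
                                Ip-in-head-office-lan;
                            }
                        }
                    }
                }
            }
        }
        /* The pool address is not the interface's own IP, so hosts on the
           head-office VLAN can only reply to it if the SRX answers ARP for it. */
        proxy-arp {
            interface ge-0/0/1.0 {
                address {
                    192.168.10.250/32;
                }
            }
        }
    }
    flow {
        /* Scoped to the failing ping so the trace stays readable. */
        traceoptions {
            file flow-trace.log size 10m files 3;
            flag basic-datapath;
            packet-filter warehouse-ping {
                source-prefix 192.168.20.0/24;
                destination-prefix 192.168.0.0/24;
            }
        }
    }
}
```

Two checks are worth doing before reading the trace. `show security flow session source-prefix 192.168.20.0/24` shows whether the session was created and which zones and NAT it was given; `show security nat source rule all` shows the translation hit counters. Then `show log flow-trace.log` prints, for each packet matched by the filter, the route lookup, the zone pair and the policy decision, so a packet dropped on a zone mismatch or a policy deny is named explicitly. Also note that the post-NAT source (192.168.10.250) must fall inside whatever selector or route the 3rd party accepts; with a tunnel that only carries 192.168.10.0/24, that holds only if the pool address is taken from that VLAN, as in this example. Remove the traceoptions stanza once the problem is found; flow tracing is expensive on a small SRX.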
Original Message:
Sent: 09-06-2023 00:50
From: TheDisciple
Subject: Make VLAN available on low-end router
Hello Koos147,
This sounds like a classic Hub-&-Spoke scenario with 2 spokes (read 2 tunnels) and a Hub.
If the Teltonika can't do an IPsec tunnel, then think of it as a spoke with a tunnel without encryption.
A GRE tunnel is possible as long as you can reach the SRX device over the internet.
The only challenge I see is that GRE traffic is NOT encrypted.
If security over the internet is not a concern, then this solution works. Otherwise, you might need a VPN-capable device in front of the Teltonika to make GRE run over IPsec.
I would use some sort of NAT (depending upon the existing routing of the network, but potentially a static NAT) on the SRX to make the traffic from the wireless device conform to the traffic selector of your external partner.
Hope it helps.
Thanks!
Original Message:
Sent: 08-31-2023 08:16
From: Koos147
Subject: Make VLAN available on low-end router
Hello TheDisciple,
You're right. Hope the simple drawing below makes it easier.
So there are 2 possible solutions.
One is to extend the 192.168.10.x VLAN to the Teltonika. This way the device exists in the correct VLAN.
Another way is to assign the wireless device a 192.168.20.x IP and route all its traffic to the Juniper. From there use NAT to use a 192.168.10.x IP.
We have the possibility to get a static public IP on the Teltonika, so that should be no problem.
It is not possible to change the wireless device and run some sort of VPN on this device.
The wireless device uses a simple web application in the 192.168.0.x network, so speed isn't a thing here.
If there is a better device to use, options are open, but we need to run it on batteries. The device will sometimes lose power, so Juniper isn't the right solution here. Also the budget is tight.
Original Message:
Sent: 08-30-2023 01:39
From: TheDisciple
Subject: Make VLAN available on low-end router
Hello Koos147,
Can you convert this question into a basic network diagram of how you are planning to implement it?
I am a little fuzzy about the path and subnets you are trying to access. I am sure there is a way to do this.
Thanks,
Original Message:
Sent: 08-29-2023 08:40
From: Koos147
Subject: Make VLAN available on low-end router
Good day,
We have a customer with an SRX320.
There is an IPsec tunnel to a 3rd party connected to 1 VLAN at the customer's site (the other party simply has 1 route to that subnet).
They have an external warehouse for 2 months and need 1 wireless device to be connected to the 3rd party.
The problem is that the warehouse is really big, and running cables etc. doesn't make sense for the 2 months.
So our plan is to add a battery-powered router with a 4G SIM. During lunch and at night the battery will charge.
Only problem is that the 3rd party isn't really helpful (they offered a $10K solution and are disappointed that we don't want that).
I was thinking to use a Teltonika (aka OpenWrt) or a DrayTek or another cheap 4/5G router to create a tunnel to the main office.
Only problem is that we need the wireless device to communicate through the local VLAN.
Juniper supports Q-in-Q, Teltonika supports EoIP. Both should do the trick, but as far as I can see both brands don't support the same protocol.
They both support GRE, but I am not sure if that is going to help.
Is it possible to let the wireless device > Teltonika > IPsec > SRX and then NAT into the local VLAN?
Does someone have a creative idea?