SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

Make VLAN available on low end Router

  • 1.  Make VLAN available on low end Router

    Posted 08-29-2023 11:20

    Good day,

    We have a customer with an SRX320.
    There is an IPsec tunnel to a 3rd party connected to 1 VLAN at the customer's site. (The other party simply has 1 route to that subnet.)

    They have an external warehouse for 2 months and need 1 wireless device to be connected to the 3rd party.
    The problem is that the warehouse is really big, and running cables etc. doesn't make sense for the 2 months.

    So our plan is to add a battery-powered router with a 4G SIM. During lunch and night the battery will charge.

    The only problem is that the 3rd party isn't really helpful. (They offered a $10K solution and are disappointed that we don't want that.)

    I was thinking to use a Teltonika (aka OpenWrt) or a DrayTek or another cheap 4/5G router to create a tunnel to the main office.

    The only problem is that we need the wireless device to communicate through the local VLAN.

    Juniper supports Q-in-Q; Teltonika supports EoIP. Both should do the trick, but as far as I can see both brands don't support the same protocol.

    They both support GRE, but I am not sure if that is going to help.

    Is it possible to let the wireless device > Teltonika > IPsec > SRX and then NAT into the local VLAN?

    Does someone have a creative idea?



  • 2.  RE: Make VLAN available on low end Router

    Posted 08-30-2023 01:40

    Hello Koos147,

    Can you convert this question into a basic network diagram of how you are planning to implement it?

    I am a little fuzzy about the path & subnets you are trying to access. I am sure there is a way to do this.

    Thanks,




  • 3.  RE: Make VLAN available on low end Router

    Posted 08-31-2023 08:16
    Hello TheDisciple,
    You're right. Hope the simple drawing below makes it easier.
    So there are 2 possible solutions.
    One is to extend the 192.168.10.x VLAN to the Teltonika; this way the device exists in the correct VLAN.
    Another way is to assign the wireless device a 192.168.20.x IP and route all its traffic to the Juniper; from here use NAT to use a 192.168.10.x IP.
    We have the possibility to get a static public IP on the Teltonika, so that should be no problem.
    It is not possible to change the wireless device and run some sort of VPN on this device.
    The wireless device uses a simple web application in the 192.168.0.x network, so speed isn't a thing here.
    If there is a better device to use, options are open, but we need to run it on batteries. The device will sometimes lose power, so Juniper isn't the right solution here. Also the budget is tight.



  • 4.  RE: Make VLAN available on low end Router

    Posted 09-06-2023 00:50

    Hello Koos147,

    This sounds like a classic hub-and-spoke scenario with 2 spokes (read 2 tunnels) and a hub.

    If Teltonika can't do an IPsec tunnel, then think of it as a spoke with a tunnel without encryption.

    A GRE tunnel is possible as long as you can reach the SRX device over the internet.

    The only challenge I see is that GRE traffic is NOT encrypted.

    If security over the internet is not a concern, then this solution works. Otherwise, you might need a VPN-capable device in front of the Teltonika to make GRE run over IPsec.

    I would use some sort of NAT (depending upon the existing routing of the network, but potentially a static NAT) on the SRX to make the traffic from the wireless device conform to the traffic selector of your external partner.

    Hope it helps.

    Thanks! 




  • 5.  RE: Make VLAN available on low end Router

    Posted 09-20-2023 06:09

    Good day,

    Today I am at the customer's location.

    We have made the IPsec from Teltonika to SRX.
    As traffic selectors I added:
    192.168.20.0/24 > 192.168.10.0/24
    192.168.20.0/24 > 192.168.0.0/24

    I am able to ping devices in the head office location, no problem.
    On the SRX I made the following policies:
    External > headoffice-lan
    External > 3rd-party VPN zone

    As expected there is no ping to the 3rd party, so I added a source NAT:

    rule-set <rule-set-name> {
        from zone external-location;
        to zone [ head-office-lan 3th-party-vpn ];
        rule scanner {
            match {
                source-address 192.168.20.0/24;
                destination-address [ 192.168.10.0/24 192.168.0.0/24 ];
            }
            then {
                source-nat {
                    pool {
                        Ip-in-head-office-lan;
                    }
                }
            }
        }
    }

    But still no ping from the wireless devices.

    What am I missing?




  • 6.  RE: Make VLAN available on low end Router

    Posted 09-22-2023 02:12

    Hello Koos147,

    There could be a few reasons for the pings to fail:

    1. It may be that the traffic is not making it into the tunnel between head-office-lan and the 3rd-party VPN.
    2. There could be a certain security policy mismatch etc.

    I would start with a flow traceoptions on the head office to see what happens to the packet. Most likely it is a zone mismatch or something similar that can be addressed via some config manipulation.

    Hope this helps!
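An added example (not from this thread or from Juniper) of how the pieces discussed in posts 5 and 6 fit together on the hub SRX: a source NAT pool placed inside the 192.168.10.0/24 VLAN that the 3rd-party tunnel's traffic selector already covers, proxy-ARP so the SRX answers for that pool address on the LAN, and flow traceoptions with a packet-filter limited to the wireless device's traffic. Zone, pool, rule-set and interface names are assumptions, and 192.168.10.250 is a constructed pool address.

```junos
security {
    nat {
        source {
            /* pool inside 192.168.10.0/24, so post-NAT traffic matches the 3rd-party selector */
            pool warehouse-pool {
                address {
                    192.168.10.250/32;
                }
            }
            rule-set warehouse-to-hub {
                from zone external-location;
                to zone [ head-office-lan third-party-vpn ];
                rule warehouse-device {
                    match {
                        source-address 192.168.20.0/24;
                        destination-address [ 192.168.10.0/24 192.168.0.0/24 ];
                    }
                    then {
                        source-nat {
                            pool {
                                warehouse-pool;
                            }
                        }
                    }
                }
            }
        }
        /* SRX must answer ARP for the pool address on the head-office VLAN interface (assumed ge-0/0/1.0) */
        proxy-arp {
            interface ge-0/0/1.0 {
                address {
                    192.168.10.250/32;
                }
            }
        }
    }
    flow {
        /* trace only the wireless device's flows; deactivate once troubleshooting is done */
        traceoptions {
            file flow-trace size 1m files 3;
            flag basic-datapath;
            packet-filter warehouse {
                source-prefix 192.168.20.0/24;
                destination-prefix 192.168.0.0/24;
            }
        }
    }
}
```

Check the result with `show security flow session source-prefix 192.168.20.0/24` and the flow-trace file: a session that shows no translated source, or a packet dropped at policy lookup, points to the NAT or zone mismatch described above.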




  • 7.  RE: Make VLAN available on low end Router