SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

SRX VDSL Configuration help / assistance

    Posted 02-22-2024 08:52

    Greetings to everyone, and I'm hoping someone can provide some assistance with this issue I'm having.

    Note - This is a UK based question with regard to DSL connectivity.

    So the problem relates to trying to get an SRX110 to 'connect' to a telco and then provide internet access to users connected to the SRX.

    Image of connection types.
    So looking at the above options, we can see that there are four 'access' types, these are -
    (A) Standard at-home user: the user's router has a username/password, sent to the telco, which authenticates against SQL or the like and then allocates a WAN IP address.
    (B) Is the same as (A), but the end users have public routable IP addresses for hosting etc.
    (C) and (D) were new to me (recently); it may be an old thing, but hey, it is what it is. So (C) and (D) are the same as (B), but the WAN IP address is allocated from the end user's public subnet.
    In each of the above cases I've been able to configure a Cisco 897 to perform the access, and I can connect a device to the user's network and make a connection to the internet.
    Here's where I need the assistance: with the above settings I've also been able to configure an SRX with the same settings and been able to connect to the internet.
    This was done over an ADSL line.
    The problem now is that I need to configure the last option (D) on a VDSL (FTTC) link, so using this link - 
    I 'tried' to transpose the Juniper ADSL configuration to be a VDSL configuration - and I'm failing.
    Here's the ADSL version -
    root@Stephen-SRX> show configuration | display set
    set version 12.1X46-D60.4
    set system host-name Stephen-SRX
    set system root-authentication encrypted-password "$xxxxxx"
    set system name-server 1.1.1.1
    set system name-server 8.8.8.8
    set system services ssh
    set system services telnet
    set system services xnm-clear-text
    set system services web-management http interface vlan.0
    set system services web-management https system-generated-certificate
    set system services web-management https interface vlan.0
    set system syslog archive size 100k
    set system syslog archive files 3
    set system syslog user * any emergency
    set system syslog file messages any critical
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands error
    set system max-configurations-on-flash 5
    set system max-configuration-rollbacks 5
    set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
    set system ntp server 80.86.38.193
    set system ntp server 217.114.59.3
    set system ntp server 178.79.162.34
    set system ntp server 79.135.97.79
    set interfaces interface-range interfaces-trust member fe-0/0/1
    set interfaces interface-range interfaces-trust member fe-0/0/2
    set interfaces interface-range interfaces-trust member fe-0/0/3
    set interfaces interface-range interfaces-trust member fe-0/0/4
    set interfaces interface-range interfaces-trust member fe-0/0/5
    set interfaces interface-range interfaces-trust member fe-0/0/6
    set interfaces interface-range interfaces-trust member fe-0/0/7
    set interfaces interface-range interfaces-trust member fe-0/0/0
    set interfaces interface-range interfaces-trust unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces at-1/0/0 encapsulation atm-pvc
    set interfaces at-1/0/0 atm-options vpi 0
    set interfaces at-1/0/0 dsl-options operating-mode auto
    set interfaces at-1/0/0 unit 0 encapsulation atm-ppp-vc-mux
    set interfaces at-1/0/0 unit 0 vci 0.38
    set interfaces at-1/0/0 unit 0 ppp-options chap default-chap-secret "$9$PQucyK"
    set interfaces at-1/0/0 unit 0 ppp-options chap local-name "xxxxx@xxxxxxx"
    set interfaces at-1/0/0 unit 0 ppp-options chap passive
    set interfaces at-1/0/0 unit 0 family inet negotiate-address
    set interfaces vlan unit 0 family inet address 12.12.12.1/29
    set routing-options static route 0.0.0.0/0 next-hop at-1/0/0.0
    set protocols stp
    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
    set security policies from-zone untrust to-zone trust policy untrust-to-trust match source-address any
    set security policies from-zone untrust to-zone trust policy untrust-to-trust match destination-address any
    set security policies from-zone untrust to-zone trust policy untrust-to-trust match application any
    set security policies from-zone untrust to-zone trust policy untrust-to-trust then permit
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic protocols all
    set security zones security-zone trust interfaces vlan.0
    set security zones security-zone untrust screen untrust-screen
    set security zones security-zone untrust interfaces at-1/0/0.0 host-inbound-traffic system-services ping
    set security zones security-zone untrust interfaces at-1/0/0.0 host-inbound-traffic system-services ike
    set security zones security-zone untrust interfaces at-1/0/0.0 host-inbound-traffic system-services all
    set vlans vlan-trust vlan-id 3
    set vlans vlan-trust l3-interface vlan.0
    And here's the botched VDSL config (note - this is on a different SRX) - 
    set version 12.1X44-D40.2
    set system host-name WAN-Router
    set system root-authentication encrypted-password "$1$gjm503MOl0"
    set system name-server 8.8.8.8
    set system login user tim uid 2000
    set system login user tim class super-user
    set system login user tim authentication encrypted-password "$1$xrLzEOkjJ0/"
    set interfaces fe-0/0/0 unit 0 family ethernet-switching vlan members VLAN-1
    set interfaces pt-1/0/0 vlan-tagging
    set interfaces pt-1/0/0 mtu 1492
    set interfaces pt-1/0/0 unit 0 encapsulation ppp-over-ether
    set interfaces pt-1/0/0 unit 0 vlan-id 101
    set interfaces pp0 unit 0 ppp-options chap default-chap-secret "$9$dYsKMWx"
    set interfaces pp0 unit 0 ppp-options chap local-name "xxxxxx@xxxxxxxxxxx"
    set interfaces pp0 unit 0 ppp-options chap passive
    set interfaces pp0 unit 0 pppoe-options underlying-interface pt-1/0/0.0
    set interfaces pp0 unit 0 pppoe-options idle-timeout 0
    set interfaces pp0 unit 0 pppoe-options auto-reconnect 10
    set interfaces pp0 unit 0 pppoe-options client
    set interfaces pp0 unit 0 family inet negotiate-address
    set interfaces vlan unit 1 family inet address 12.12.12.33/27
    set routing-options static route 0.0.0.0/0 next-hop pp0.0
    set security policies from-zone trust to-zone untrust policy tr-un match source-address any
    set security policies from-zone trust to-zone untrust policy tr-un match destination-address any
    set security policies from-zone trust to-zone untrust policy tr-un match application any
    set security policies from-zone trust to-zone untrust policy tr-un then permit
    set security policies from-zone untrust to-zone trust policy un-tr match source-address any
    set security policies from-zone untrust to-zone trust policy un-tr match destination-address any
    set security policies from-zone untrust to-zone trust policy un-tr match application any
    set security policies from-zone untrust to-zone trust policy un-tr then permit
    set security policies from-zone trust to-zone trust policy tr-un match source-address any
    set security policies from-zone trust to-zone trust policy tr-un match destination-address any
    set security policies from-zone trust to-zone trust policy tr-un match application any
    set security policies from-zone trust to-zone trust policy tr-un then permit
    set security zones security-zone trust interfaces fe-0/0/0.0 host-inbound-traffic system-services all
    set security zones security-zone trust interfaces vlan.1 host-inbound-traffic system-services all
    set security zones security-zone untrust interfaces pp0.0 host-inbound-traffic system-services all
    set vlans VLAN-1 description dsl-link
    set vlans VLAN-1 vlan-id 2
    set vlans VLAN-1 l3-interface vlan.1
    In the VDSL config, when applied, I can see the IP address being allocated to the 'WAN' interface, but when I connect a device to the back end I can't ping the default gateway, yet when doing a 'show arp' I can see the IP address of the device and its MAC address.
    If anyone has any suggestions as to what it is I'm doing wrong then please post as this is driving me mad.


    ------------------------------
    STEPHEN CARTER
    ------------------------------
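Separately from the VDSL connectivity question, both configs above carry settings a security reviewer would query before the box goes on a public line: telnet and xnm-clear-text enabled alongside ssh, J-Web over plain HTTP, an untrust-to-trust policy that permits any source, destination and application, and `host-inbound-traffic system-services all` on the untrust interface. The script below is an added example (not part of the post, and not a Juniper tool) that audits `show configuration | display set` output for exactly those patterns. Its sample input is a constructed subset of the posted lines, the function names `audit` and `high_findings` are the example's own, and the regexes only cover the `set` forms seen on this page. It does not diagnose the PPPoE/VLAN problem; it is the check you would run on the config once the link is up.

```python
"""Audit a Junos 'show configuration | display set' dump for settings a
security reviewer would question. Added example; the sample below is a
constructed subset of the configs in the post, not a full device config."""
import re
from collections import defaultdict

# Constructed sample: a subset of the 'display set' lines from the post above.
SAMPLE_CONFIG = """\
set system services ssh
set system services telnet
set system services xnm-clear-text
set system services web-management http interface vlan.0
set system services web-management https interface vlan.0
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone untrust to-zone trust policy untrust-to-trust match source-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust match destination-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust match application any
set security policies from-zone untrust to-zone trust policy untrust-to-trust then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone untrust interfaces pp0.0 host-inbound-traffic system-services all
"""

# Management services that carry credentials or config in the clear.
# '\b' after 'http' keeps 'web-management https' from matching.
CLEARTEXT_RE = re.compile(r"^set system services (telnet|xnm-clear-text|web-management http)\b")
POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
    r"(?:match (\S+) (\S+)|then (\S+))$"
)
HOST_INBOUND_RE = re.compile(
    r"^set security zones security-zone (\S+)(?: interfaces (\S+))? "
    r"host-inbound-traffic (system-services|protocols) (\S+)$"
)


def audit(config_text):
    """Return a list of findings, each a dict with severity, category, message, line."""
    findings = []
    # A policy is spread over several 'set' lines; collect them by (from, to, name).
    policies = defaultdict(lambda: {"match": {}, "action": None, "lines": []})

    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith("set "):
            continue

        m = CLEARTEXT_RE.match(line)
        if m:
            findings.append({"severity": "medium", "category": "cleartext-management",
                             "message": f"{m.group(1)} enabled; keep only ssh and https",
                             "line": line})
            continue

        m = POLICY_RE.match(line)
        if m:
            pol = policies[(m.group(1), m.group(2), m.group(3))]
            pol["lines"].append(line)
            if m.group(4):                       # 'match <key> <value>'
                pol["match"][m.group(4)] = m.group(5)
            else:                                # 'then <action>'
                pol["action"] = m.group(6)
            continue

        m = HOST_INBOUND_RE.match(line)
        if m and m.group(4) == "all":
            zone, ifname, kind = m.group(1), m.group(2), m.group(3)
            where = f"{zone} zone, interface {ifname}" if ifname else f"{zone} zone"
            # Opening every service to the Internet-facing zone is the serious case.
            findings.append({"severity": "high" if zone == "untrust" else "low",
                             "category": "host-inbound-all",
                             "message": f"{kind} all accepted on {where}", "line": line})

    for (frm, to, name), pol in policies.items():
        wide_open = all(pol["match"].get(k) == "any"
                        for k in ("source-address", "destination-address", "application"))
        if pol["action"] == "permit" and wide_open:
            findings.append({"severity": "high" if frm == "untrust" else "low",
                             "category": "permit-any",
                             "message": f"policy {name} ({frm} -> {to}) permits any source, "
                                        f"destination and application",
                             "line": pol["lines"][-1]})
    return findings


def high_findings(config_text):
    """Just the high-severity findings, sorted by message."""
    return sorted((f for f in audit(config_text) if f["severity"] == "high"),
                  key=lambda f: f["message"])


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f['severity']:6}] {f['category']:22} {f['message']}")
        print(f"         {f['line']}")
```

Run it with the output of `show configuration | display set` saved to a file and passed to `audit()`. On the sample it reports seven findings, two of them high: the untrust-to-trust permit-any policy and `system-services all` on the untrust interface. The trust-side equivalents are reported at low severity so they are visible without drowning out the Internet-facing ones.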