I have gotten my hands on an older Juniper SRX 300. Lacking a better use case, I determined this could be a reasonable home router for my VDSL2 connection.

First, let’s start with the requirements – what are we even trying to configure?

  • WAN side terminating a PPPoE session, dialing a connection through a modem in a transparent bridge mode
  • LAN VLAN with a DHCP server, contains all the remaining device Ethernet ports
  • SNAT between LAN <> WAN
  • MSS clamping towards WAN – unfortunately baby jumbo is not supported on the access network at all

The VDSL2 modem used here is called CETIN Terminator, a rebranded Zyxel VMG4005-B50B capable of VDSL2 profile 35b as well as bonding two DSL lines.

As the modem is supplied by CETIN (the access network owner), it runs a customized firmware that locks it into transparent bridge mode. Additionally, any and all user-facing management is stripped out, so there is nothing to configure there.

WAN side configuration

All DSL providers here use the same interface configuration:

VLAN ID: 848
PPP Username: cetin <anything will work>
PPP Password: cetin <anything will work>
MTU 1492

As the access network provider relies on other authentication mechanisms instead of PPPoE PAP to identify individual subscribers, the Username/Password combination can be completely arbitrary in my case.

The configuration above translates to the following JunOS config:

interfaces {
# Transparent DSL bridge modem will be connected
# to interface ge-0/0/0. The interface is a VLAN
# trunk, internet is served inside VLAN 848
    ge-0/0/0 {
        vlan-tagging;
        unit 0 {
            encapsulation ppp-over-ether;
            vlan-id 848;
        }
    }

    pp0 {
        unit 848 {
            ppp-options {
                pap {
                    local-name cetin;
                    local-password cetin;
                    passive;
                }
            }

            pppoe-options {
                underlying-interface ge-0/0/0.0;
                idle-timeout 0;
                auto-reconnect 10;
                client;
            }
            family inet {
                mtu 1492;

# Automatically obtain an IP address
                negotiate-address;
            }
        }
    }
}

# Point a default route over PPPoE
routing-options {
    static {
        route 0.0.0.0/0 next-hop pp0.848;
    }
}

At this stage, the connection should establish and the device should receive an IP address. This can take a little time, but we should ultimately gain internet access on the SRX itself.

LAN side configuration

I would like the LAN to use the 192.168.1.0/24 subnet, with 192.168.1.1 being the router itself and Google DNS handed out over DHCP.

# Define "vlan-trust" as our LAN VLAN
# Linked to IRB interface irb.0 to provide
# a gateway for LAN devices
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface irb.0;
    }
}

interfaces {
# LAN interfaces in "vlan-trust", repeated for every remaining interface
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/2 { ... }
    ge-0/0/3 { ... }

# IRB interface with IP 192.168.1.1
    irb {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}

# Definition of the DHCP pool, configuration of what to hand out
access {
    address-assignment {
        pool pool4 {
            family inet {
                network 192.168.1.0/24;

                range range {
                    low 192.168.1.100;
                    high 192.168.1.254;
                }

                dhcp-attributes {
                    name-server {
                        8.8.8.8;
                        8.8.4.4;
                    }
                    router {
                        192.168.1.1;
                    }
                }
            }
        }
    }
}

# Enable the DHCP service on irb.0
system {
    services {
        dhcp-local-server {
            group jdhcp-group {
                interface irb.0;
            }
        }
    }
}

The in-between – NAT

Now that the WAN and LAN sections are configured, it is time to make sure we can route, NAT and ultimately exchange data between the two.

security {
# Configure MSS clamping to 1452 bytes
# (1500b - 8b PPPoE - 20b IPv4 - 20b TCP)
    flow {
        tcp-mss {
            all-tcp {
                mss 1452;
            }
        }
    }

# Define security zones and assign WAN/LAN
# interfaces to the correct ones
    zones {
# LAN zone "trust"
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                irb.0;
            }
        }

# WAN zone "untrust"
        security-zone untrust {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                        }
                    }
                }
                pp0.848;
            }
        }
    }

# SNAT between zones
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
# Just match everything
                    match {
                        source-address 0.0.0.0/0;
                    }

                    then {
                        source-nat {
# Set the egress IP address to the interface address
                            interface;
                        }
                    }
                }
            }
        }
    }
}

With this configuration, the SRX should assign an IP address to connected devices, allow packets from the LAN to reach the internet and in turn, allow us to read this blog at last 🙂
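As an added example (not part of the original post), here is a small Python linter that checks a "display set" rendering of the configuration above for the three things that are easy to get wrong here: the MSS clamp matching the PPP MTU, the untrust zone not opening host-inbound services to the WAN, and the DHCP pool's range and gateway being consistent. The sample config is constructed from the statements in this post; on a real box, `show configuration | display set` produces this format.

```python
import ipaddress

# Constructed sample in Junos "display set" form, mirroring the relevant
# statements of the config in this post (not taken from a live device).
SAMPLE_SET_CONFIG = """\
set interfaces pp0 unit 848 family inet mtu 1492
set security flow tcp-mss all-tcp mss 1452
set security zones security-zone untrust interfaces pp0.848
set access address-assignment pool pool4 family inet network 192.168.1.0/24
set access address-assignment pool pool4 family inet range range low 192.168.1.100
set access address-assignment pool pool4 family inet range range high 192.168.1.254
set access address-assignment pool pool4 family inet dhcp-attributes router 192.168.1.1
"""

def parse_set(text):
    """One tuple of tokens per 'set ...' line, with the leading 'set' dropped."""
    return [tuple(l.split()[1:]) for l in text.splitlines() if l.startswith("set ")]

def value(cfg, *prefix):
    """Return the token that follows prefix in the first matching statement, else None."""
    n = len(prefix)
    for stmt in cfg:
        if stmt[:n] == prefix and len(stmt) > n:
            return stmt[n]
    return None

def present(cfg, *path):
    return any(stmt[:len(path)] == path for stmt in cfg)

def lint(text):
    """Return a list of findings; an empty list means the config passes all checks."""
    cfg = parse_set(text)
    findings = []
    # 1. MSS clamp must equal the PPP MTU minus the IPv4 (20) and TCP (20) headers.
    mtu = int(value(cfg, "interfaces", "pp0", "unit", "848", "family", "inet", "mtu"))
    mss = int(value(cfg, "security", "flow", "tcp-mss", "all-tcp", "mss"))
    if mss != mtu - 40:
        findings.append(f"tcp-mss {mss} should be {mtu - 40} for pp0 mtu {mtu}")
    # 2. The WAN-facing zone must not accept every host-inbound system service.
    if present(cfg, "security", "zones", "security-zone", "untrust", "host-inbound-traffic", "system-services", "all"):
        findings.append("untrust zone opens all host-inbound system-services to the WAN")
    # 3. DHCP pool: range inside the network, gateway inside the network but outside the range.
    pool = ("access", "address-assignment", "pool", "pool4", "family", "inet")
    net = ipaddress.ip_network(value(cfg, *pool, "network"))
    low = ipaddress.ip_address(value(cfg, *pool, "range", "range", "low"))
    high = ipaddress.ip_address(value(cfg, *pool, "range", "range", "high"))
    gw = ipaddress.ip_address(value(cfg, *pool, "dhcp-attributes", "router"))
    if not (low in net and high in net and low <= high):
        findings.append("DHCP range lies outside the pool network")
    if gw not in net or low <= gw <= high:
        findings.append("DHCP router address must be inside the network but outside the range")
    return findings
```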

We can monitor the NAT performance using the show security nat source rule source-nat-rule command in the CLI:

root> show security nat source rule source-nat-rule
source NAT rule: source-nat-rule Rule-set: trust-to-untrust
  Rule-Id : 1
  Rule position : 1
  From zone : trust
  To zone : untrust
  Match
    Source addresses : 0.0.0.0 - 255.255.255.255
  Action : interface
    Persistent NAT type : N/A
    Persistent NAT mapping type : address-port-mapping
    Inactivity timeout : 0
    Max session number : 0
  Translation hits : 3444936
    Successful sessions : 3254413
  Number of sessions : 106

Finally, among other useful things, the PPPoE session state can be monitored with the following command:

root> show ppp interface pp0 extensive
Sessions for interface pp0
  Session pp0.848, Type: PPP, Phase: Network
    LCP
      State: Opened
      Last started: 2023-08-07 23:56:16 UTC
      Last completed: 2023-08-07 23:56:17 UTC
      Negotiated options:
        Authentication protocol: PAP, Magic number: xxxxx, Local MRU: 1492
      Authentication: PAP
        State: Success
        Last started: 2023-08-07 23:56:17 UTC
        Last completed: 2023-08-07 23:56:17 UTC
      IPCP
        State: Opened
        Last started: 2023-08-07 23:56:20 UTC
        Last completed: 2023-08-07 23:56:20 UTC
        Negotiated options:
          Local address: x.x.x.x, Remote address: x.x.x.x, Primary DNS: x.x.x.x, Secondary DNS: x.x.x.x