I have gotten my hands on an older Juniper SRX 300. Lacking a better use case, I determined this could be a reasonable home router for my VDSL2 connection.
First, let’s start with the requirements – what are we even trying to configure?
- WAN side terminating a PPPoE session, dialing a connection through a modem in a transparent bridge mode
- LAN VLAN with a DHCP server, contains all the remaining device Ethernet ports
- SNAT between LAN <> WAN
- MSS clamping towards WAN – unfortunately baby jumbo is not supported on the access network at all
The VDSL2 modem used here is called CETIN Terminator, a rebranded Zyxel VMG4005-B50B device capable of running in a VDSL2 profile 35b, as well as bonding two DSL lines.
As the modem is supplied by CETIN (the access network owner), it runs a customized firmware that locks it into transparent bridge mode. Additionally, any and all user-facing management is stripped out, so there is nothing to configure on the modem itself.
WAN side configuration
All DSL providers here use the same interface configuration:
VLAN ID: 848
PPP Username: cetin <anything will work>
PPP Password: cetin <anything will work>
MTU: 1492
As the access network provider relies on other authentication mechanisms instead of PPPoE PAP to identify individual subscribers, the Username/Password combination can be completely arbitrary in my case.
The configuration above translates to the following JunOS config:
interfaces {
    # Transparent DSL bridge modem will be connected
    # to interface ge-0/0/0. The interface is a VLAN
    # trunk, internet is served inside VLAN 848
    ge-0/0/0 {
        vlan-tagging;
        unit 0 {
            encapsulation ppp-over-ether;
            vlan-id 848;
        }
    }
    pp0 {
        unit 848 {
            ppp-options {
                pap {
                    local-name cetin;
                    local-password cetin;
                    passive;
                }
            }
            pppoe-options {
                underlying-interface ge-0/0/0.0;
                idle-timeout 0;
                auto-reconnect 10;
                client;
            }
            family inet {
                mtu 1492;
                # Automatically obtain an IP address
                negotiate-address;
            }
        }
    }
}
# Point a default route over PPPoE
routing-options {
    static {
        route 0.0.0.0/0 next-hop pp0.848;
    }
}
At this stage, the connection should establish and the device should receive an IP address. This can take a little time, but we should ultimately gain internet access on the SRX itself.
LAN side configuration
I would like the LAN to use the 192.168.1.0/24 subnet, with 192.168.1.1 being the router itself and Google DNS handed out over DHCP.
# Define "vlan-trust" as our LAN VLAN
# Linked to IRB interface irb.0 to provide
# a gateway for LAN devices
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface irb.0;
    }
}
interfaces {
    # LAN interfaces in "vlan-trust", repeated for every remaining interface
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/2 { ... }
    ge-0/0/3 { ... }
    # IRB interface with IP 192.168.1.1
    irb {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
# Definition of the DHCP pool, configuration of what to hand out
access {
    address-assignment {
        pool pool4 {
            family inet {
                network 192.168.1.0/24;
                range range {
                    low 192.168.1.100;
                    high 192.168.1.254;
                }
                dhcp-attributes {
                    name-server {
                        8.8.8.8;
                        8.8.4.4;
                    }
                    router {
                        192.168.1.1;
                    }
                }
            }
        }
    }
}
# Enable the DHCP service on irb.0
system {
    services {
        dhcp-local-server {
            group jdhcp-group {
                interface irb.0;
            }
        }
    }
}
The in-between – NAT
Now that the WAN and LAN sections are configured, it is time to make sure we can route, NAT and ultimately exchange data between the two.
security {
    # Configure MSS clamping to 1452 bytes
    # (1500b - 8b PPPoE - 20b IPv4 - 20b TCP)
    flow {
        tcp-mss {
            all-tcp {
                mss 1452;
            }
        }
    }
    # Define security zones and assign WAN/LAN
    # interfaces to the correct ones
    zones {
        # LAN zone "trust"
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                irb.0;
            }
        }
        # WAN zone "untrust"
        security-zone untrust {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                        }
                    }
                }
                pp0.848;
            }
        }
    }
    # SNAT between zones
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    # Just match everything
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            # Set the egress IP address to the interface address
                            interface;
                        }
                    }
                }
            }
        }
    }
}
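To make concrete what the tcp-mss all-tcp mss 1452 line in the flow stanza actually does on the wire, here is an added Python example (not Juniper code and not part of the original post) that performs the same rewrite on a constructed IPv4 TCP SYN: it locates the MSS option, lowers it to 1452 if the client advertised more, and recomputes the TCP checksum, which the firewall must also do because the option bytes changed. The addresses, ports and packet contents are constructed test data.

```python
"""Added example (not Juniper code): what TCP MSS clamping does to a SYN.

The SRX setting `tcp-mss all-tcp mss 1452` rewrites the MSS option of every
TCP SYN crossing the box so the peer never sends segments larger than the
PPPoE path (1500 - 8 PPPoE - 20 IPv4 - 20 TCP) can carry.
"""
import struct

MSS_LIMIT = 1452  # same value as in the SRX config above


def _ones_complement_sum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _tcp_checksum(src: bytes, dst: bytes, tcp: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header and the segment, checksum field zeroed."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    return _ones_complement_sum(pseudo + tcp[:16] + b"\x00\x00" + tcp[18:])


def _find_mss_option(tcp: bytes):
    """Offset of the MSS option's 2-byte value within the TCP segment, or None."""
    data_off = (tcp[12] >> 4) * 4
    i = 20
    while i < data_off:
        kind = tcp[i]
        if kind == 0:          # end of option list
            return None
        if kind == 1:          # NOP padding, single byte
            i += 1
            continue
        length = tcp[i + 1]
        if kind == 2 and length == 4:
            return i + 2
        i += length
    return None


def read_mss(packet: bytes):
    """MSS advertised in an IPv4/TCP packet, or None if the option is absent."""
    tcp = packet[(packet[0] & 0x0F) * 4:]
    off = _find_mss_option(tcp)
    return None if off is None else struct.unpack("!H", tcp[off:off + 2])[0]


def clamp_mss(packet: bytes, limit: int = MSS_LIMIT) -> bytes:
    """Return the packet with its MSS option lowered to `limit` if it was higher.

    Non-TCP packets, packets without an MSS option and MSS values already at
    or below the limit come back unchanged (clamping never raises an MSS).
    """
    if packet[9] != 6:  # IPv4 protocol field: 6 = TCP
        return packet
    ihl = (packet[0] & 0x0F) * 4
    buf = bytearray(packet)
    off = _find_mss_option(bytes(buf[ihl:]))
    if off is None or struct.unpack("!H", buf[ihl + off:ihl + off + 2])[0] <= limit:
        return packet
    buf[ihl + off:ihl + off + 2] = struct.pack("!H", limit)
    csum = _tcp_checksum(bytes(buf[12:16]), bytes(buf[16:20]), bytes(buf[ihl:]))
    buf[ihl + 16:ihl + 18] = struct.pack("!H", csum)
    return bytes(buf)


def tcp_checksum_ok(packet: bytes) -> bool:
    """True if the packet's TCP checksum matches its contents."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    return _tcp_checksum(packet[12:16], packet[16:20], tcp) == struct.unpack("!H", tcp[16:18])[0]


def build_syn(mss: int) -> bytes:
    """Constructed IPv4 SYN 192.168.1.100:40000 -> 203.0.113.10:443 with an MSS option (test data)."""
    src, dst = bytes([192, 168, 1, 100]), bytes([203, 0, 113, 10])
    options = struct.pack("!BBH", 2, 4, mss)           # kind 2, length 4, value
    data_off = (20 + len(options)) // 4                 # header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, data_off << 4, 0x02, 65535, 0, 0) + options
    tcp = tcp[:16] + struct.pack("!H", _tcp_checksum(src, dst, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", _ones_complement_sum(ip)) + ip[12:]
    return ip + tcp


if __name__ == "__main__":
    syn = build_syn(1460)  # what a LAN host on 1500-byte Ethernet normally advertises
    out = clamp_mss(syn)
    print("MSS before:", read_mss(syn), "after:", read_mss(out), "checksum ok:", tcp_checksum_ok(out))
```

Run directly, it shows the 1460-byte MSS a LAN host advertises on plain Ethernet being turned into 1452; a SYN that already advertises 1400 passes through untouched, which is the point of clamping only ever lowering the value. The same rewrite applied in the other direction (SYN/ACK from the internet) is why the all-tcp form is the right one for a PPPoE uplink, since both peers must learn the smaller segment size.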
With this configuration, the SRX should assign an IP address to connected devices, allow packets from the LAN to reach the internet and in turn, allow us to read this blog at last 🙂
We can monitor the NAT performance using the show security nat source rule source-nat-rule command in the CLI:
root> show security nat source rule source-nat-rule
source NAT rule: source-nat-rule Rule-set: trust-to-untrust
Rule-Id : 1
Rule position : 1
From zone : trust
To zone : untrust
Match
Source addresses : 0.0.0.0 - 255.255.255.255
Action : interface
Persistent NAT type : N/A
Persistent NAT mapping type : address-port-mapping
Inactivity timeout : 0
Max session number : 0
Translation hits : 3444936
Successful sessions : 3254413
Number of sessions : 106
Finally, among other useful things, the PPPoE session state can be monitored with the following command:
root> show ppp interface pp0 extensive
Sessions for interface pp0
Session pp0.848, Type: PPP, Phase: Network
LCP
State: Opened
Last started: 2023-08-07 23:56:16 UTC
Last completed: 2023-08-07 23:56:17 UTC
Negotiated options:
Authentication protocol: PAP, Magic number: xxxxx, Local MRU: 1492
Authentication: PAP
State: Success
Last started: 2023-08-07 23:56:17 UTC
Last completed: 2023-08-07 23:56:17 UTC
IPCP
State: Opened
Last started: 2023-08-07 23:56:20 UTC
Last completed: 2023-08-07 23:56:20 UTC
Negotiated options:
Local address: x.x.x.x, Remote address: x.x.x.x, Primary DNS: x.x.x.x, Secondary DNS: x.x.x.x
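For anyone who wants to alert on these two outputs rather than eyeball them, the following added Python example (written for this page, not code from the post or from Juniper) parses both the NAT rule counters and the PPP session state into dictionaries and derives a simple verdict from them. The embedded sample outputs are constructed to mirror the shape of the two commands above, with documentation-range addresses and a made-up magic number standing in for the x.x.x.x placeholders.

```python
"""Added example (not Juniper code): parse the two `show` outputs above into
structured data and a quick health verdict. Sample outputs are constructed."""
import re

NAT_OUTPUT = """\
source NAT rule: source-nat-rule Rule-set: trust-to-untrust
  Rule-Id                    : 1
  From zone                  : trust
  To zone                    : untrust
  Match
    Source addresses         : 0.0.0.0 - 255.255.255.255
  Action                     : interface
  Persistent NAT mapping type: address-port-mapping
  Translation hits           : 3444936
  Successful sessions        : 3254413
  Number of sessions         : 106
"""

PPP_OUTPUT = """\
Sessions for interface pp0
  Session pp0.848, Type: PPP, Phase: Network
    LCP
      State: Opened
      Last started: 2023-08-07 23:56:16 UTC
      Last completed: 2023-08-07 23:56:17 UTC
      Negotiated options:
        Authentication protocol: PAP, Magic number: 1a2b3c4d, Local MRU: 1492
    Authentication: PAP
      State: Success
    IPCP
      State: Opened
      Last completed: 2023-08-07 23:56:20 UTC
      Negotiated options:
        Local address: 198.51.100.7, Remote address: 198.51.100.1, Primary DNS: 8.8.8.8, Secondary DNS: 8.8.4.4
"""

KV_RE = re.compile(r"^\s*(.+?)\s*:\s*(.*?)\s*$")
SECTION_RE = re.compile(r"^\s*(LCP|IPCP|Authentication)(?::\s*(\S+))?\s*$")


def _coerce(value: str):
    """Purely numeric counters become ints; everything else stays text."""
    return int(value) if value.isdigit() else value


def parse_nat_rule(text: str) -> dict:
    """Parse `show security nat source rule <name>` into a flat dict of fields."""
    lines = text.strip().splitlines()
    m = re.match(r"source NAT rule:\s*(\S+)\s+Rule-set:\s*(\S+)", lines[0])
    fields = {"rule": m.group(1), "rule_set": m.group(2)} if m else {}
    for line in lines[1:]:
        kv = KV_RE.match(line)
        if kv:  # lines without "key : value" (such as "Match") carry no data
            fields[kv.group(1)] = _coerce(kv.group(2))
    return fields


def parse_ppp_session(text: str) -> dict:
    """Parse `show ppp interface pp0 extensive` into per-phase dicts (LCP, Authentication, IPCP)."""
    session, current, expect_options = {}, None, False
    m = re.search(r"Session (\S+), Type: (\S+), Phase: (\S+)", text)
    if m:
        session.update(interface=m.group(1), type=m.group(2), phase=m.group(3))
    for line in text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:  # "LCP", "IPCP" or "Authentication: PAP" opens a new phase
            current = session.setdefault(sec.group(1), {})
            if sec.group(2):
                current["protocol"] = sec.group(2)
            expect_options = False
        elif current is None or ":" not in line:
            continue
        elif expect_options:
            # The line after "Negotiated options:" is a comma-separated key: value list
            for item in line.split(","):
                key, _, value = item.partition(":")
                current[key.strip()] = _coerce(value.strip())
            expect_options = False
        else:
            key, _, value = line.strip().partition(":")
            if key == "Negotiated options":
                expect_options = True
            else:
                current[key] = _coerce(value.strip())
    return session


def ppp_is_up(session: dict) -> bool:
    """A usable link needs the Network phase with both LCP and IPCP Opened."""
    return (session.get("phase") == "Network"
            and session.get("LCP", {}).get("State") == "Opened"
            and session.get("IPCP", {}).get("State") == "Opened")


def nat_success_ratio(fields: dict) -> float:
    """Share of translation hits that became successful sessions (0.0 before any hit)."""
    hits = fields.get("Translation hits", 0)
    return fields.get("Successful sessions", 0) / hits if hits else 0.0


if __name__ == "__main__":
    nat, ppp = parse_nat_rule(NAT_OUTPUT), parse_ppp_session(PPP_OUTPUT)
    print("PPPoE up:", ppp_is_up(ppp), "local address:", ppp["IPCP"].get("Local address"))
    print("NAT: %d active sessions, success ratio %.3f" % (nat["Number of sessions"], nat_success_ratio(nat)))
```

Both parsers key on the "name : value" layout rather than on indentation, so they cope with the whitespace-collapsed form of the output as well as the CLI's own. A success ratio well below what you normally see, or LCP open while IPCP is not, is the kind of change worth alerting on; with the sample counters the ratio comes out around 0.945.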
Michal Breškovec
April 6, 2024 — 6:36 pm
Thank you for this article, you saved my life. I was missing the MSS clamping config, and I was not able to find the reason why some things were working and others not, until I found your blog article.