I have gotten my hands on an older Juniper SRX 300. Lacking a better use case, I determined this could be a reasonable home router for my VDSL2 connection.
First, let’s start with the requirements – what are we even trying to configure?
- WAN side terminating a PPPoE session, dialing a connection through a modem in a transparent bridge mode
- LAN VLAN with a DHCP server, contains all the remaining device Ethernet ports
- SNAT between LAN <> WAN
- MSS clamping towards WAN – unfortunately baby jumbo frames are not supported on the access network at all
The VDSL2 modem used here is called CETIN Terminator, a rebranded Zyxel VMG4005-B50B device capable of running in a VDSL2 profile 35b, as well as bonding two DSL lines.
As the modem is supplied by CETIN (the access network owner), it contains a customized firmware that locks it into transparent bridge mode. Additionally, any and all user-facing management is stripped out, so there is nothing to configure there.
WAN side configuration
All DSL providers here use the same interface configuration:
- VLAN ID: 848
- PPP Username: cetin <anything will work>
- PPP Password: cetin <anything will work>
- MTU: 1492
As the access network provider relies on other authentication mechanisms instead of PPPoE PAP to identify individual subscribers, the Username/Password combination can be completely arbitrary in my case.
The configuration above translates to the following JunOS config:
interfaces {
    # Transparent DSL bridge modem will be connected
    # to interface ge-0/0/0. The interface is a VLAN
    # trunk, internet is served inside VLAN 848
    ge-0/0/0 {
        vlan-tagging;
        unit 0 {
            encapsulation ppp-over-ether;
            vlan-id 848;
        }
    }
    pp0 {
        unit 848 {
            ppp-options {
                pap {
                    local-name cetin;
                    local-password cetin;
                    passive;
                }
            }
            pppoe-options {
                underlying-interface ge-0/0/0.0;
                idle-timeout 0;
                auto-reconnect 10;
                client;
            }
            family inet {
                mtu 1492;
                # Automatically obtain an IP address
                negotiate-address;
            }
        }
    }
}
# Point a default route over PPPoE
routing-options {
    static {
        route 0.0.0.0/0 next-hop pp0.848;
    }
}
At this stage, the connection should establish and the device should receive an IP address. This can take a short while, but we should ultimately gain internet access on the SRX itself.
LAN side configuration
I would like the LAN to use the 192.168.1.0/24 subnet, with 192.168.1.1 being the router itself and Google DNS handed out over DHCP.
# Define "vlan-trust" as our LAN VLAN
# Linked to IRB interface irb.0 to provide
# a gateway for LAN devices
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface irb.0;
    }
}
interfaces {
    # LAN interfaces in "vlan-trust", repeated for every remaining interface
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/2 { ... }
    ge-0/0/3 { ... }
    # IRB interface with IP 192.168.1.1
    irb {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
# Definition of the DHCP pool, configuration of what to hand out
access {
    address-assignment {
        pool pool4 {
            family inet {
                network 192.168.1.0/24;
                range range {
                    low 192.168.1.100;
                    high 192.168.1.254;
                }
                dhcp-attributes {
                    name-server {
                        8.8.8.8;
                        8.8.4.4;
                    }
                    router {
                        192.168.1.1;
                    }
                }
            }
        }
    }
}
# Enable the DHCP service on irb.0
system {
    services {
        dhcp-local-server {
            group jdhcp-group {
                interface irb.0;
            }
        }
    }
}
The in-between – NAT
Now that the WAN and LAN sections are configured, it is time to make sure we can route, NAT and ultimately exchange data between the two.
security {
    # Configure MSS clamping to 1452 bytes
    # (1500b - 8b PPPoE - 20b IPv4 - 20b TCP)
    flow {
        tcp-mss {
            all-tcp {
                mss 1452;
            }
        }
    }
    # Define security zones and assign WAN/LAN
    # interfaces to the correct ones
    zones {
        # LAN zone "trust"
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                irb.0;
            }
        }
        # WAN zone "untrust"
        security-zone untrust {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                        }
                    }
                }
                pp0.848;
            }
        }
    }
    # SNAT between zones
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    # Just match everything
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            # Set the egress IP address to the interface address
                            interface;
                        }
                    }
                }
            }
        }
    }
}
With this configuration, the SRX should assign an IP address to connected devices, allow packets from the LAN to reach the internet and in turn, allow us to read this blog at last 🙂
We can monitor the NAT performance using the show security nat source rule source-nat-rule command in the CLI:
root> show security nat source rule source-nat-rule
source NAT rule: source-nat-rule        Rule-set: trust-to-untrust
  Rule-Id                    : 1
  Rule position              : 1
  From zone                  : trust
  To zone                    : untrust
  Match
    Source addresses         : 0.0.0.0 - 255.255.255.255
  Action                     : interface
    Persistent NAT type      : N/A
    Persistent NAT mapping type : address-port-mapping
    Inactivity timeout       : 0
    Max session number       : 0
  Translation hits           : 3444936
    Successful sessions      : 3254413
    Number of sessions       : 106
Finally, among the other useful things, the PPPoE session state can be monitored with the following command:
root> show ppp interface pp0 extensive
Sessions for interface pp0
  Session pp0.848, Type: PPP, Phase: Network
    LCP
      State: Opened
      Last started: 2023-08-07 23:56:16 UTC
      Last completed: 2023-08-07 23:56:17 UTC
      Negotiated options:
        Authentication protocol: PAP, Magic number: xxxxx, Local MRU: 1492
    Authentication: PAP
      State: Success
      Last started: 2023-08-07 23:56:17 UTC
      Last completed: 2023-08-07 23:56:17 UTC
    IPCP
      State: Opened
      Last started: 2023-08-07 23:56:20 UTC
      Last completed: 2023-08-07 23:56:20 UTC
      Negotiated options:
        Local address: x.x.x.x, Remote address: x.x.x.x, Primary DNS: x.x.x.x, Secondary DNS: x.x.x.x
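As an added example (not code from the original post or from Juniper), here is a small Python helper that parses the show ppp interface pp0 extensive output above into its LCP / PAP / IPCP layers and checks that every layer reached the expected state and that the negotiated MRU still agrees with the 1492-byte MTU and the 1452-byte tcp-mss clamp from the security section. The sample output embedded in it is constructed from the post's output, keeping its x.x.x.x placeholders.

```python
# Constructed sample modelled on the post's `show ppp interface pp0 extensive` output; x.x.x.x placeholders kept.
SAMPLE = """\
Sessions for interface pp0
  Session pp0.848, Type: PPP, Phase: Network
    LCP
      State: Opened
      Negotiated options:
        Authentication protocol: PAP, Magic number: xxxxx, Local MRU: 1492
    Authentication: PAP
      State: Success
    IPCP
      State: Opened
        Local address: x.x.x.x, Remote address: x.x.x.x, Primary DNS: x.x.x.x
"""
IPV4_TCP_OVERHEAD = 40  # 20 B IPv4 + 20 B TCP, as in the post's tcp-mss comment

def parse_ppp_session(text):
    """Return {section: {field: value}} for the Session/LCP/Authentication/IPCP parts."""
    session, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("Sessions for"):
            continue
        if stripped.startswith("Session "):
            current = "Session"
        elif stripped in ("LCP", "IPCP") or stripped.startswith("Authentication:"):
            current = stripped.split(":")[0]  # the layer name becomes the section key
        fields = session.setdefault(current, {})
        for part in stripped.split(", "):     # several "key: value" fields share one line
            if ":" in part:
                key, value = part.split(":", 1)
                fields[key.strip()] = value.strip()
    return session

def expected_tcp_mss(mru):
    """MSS the SRX should clamp to for a given negotiated PPP MRU."""
    return mru - IPV4_TCP_OVERHEAD

def check_session(session, configured_mss=1452):
    """List the conditions that would leave the WAN link only half working."""
    problems = []
    for layer, wanted in (("LCP", "Opened"), ("Authentication", "Success"), ("IPCP", "Opened")):
        if session.get(layer, {}).get("State") != wanted:
            problems.append(f"{layer} state is not {wanted}")
    mru = int(session.get("LCP", {}).get("Local MRU", "0"))
    if mru != 1492:  # 1500 B Ethernet MTU minus 8 B PPPoE overhead
        problems.append(f"negotiated MRU {mru} differs from the expected 1492")
    if configured_mss != expected_tcp_mss(mru):
        problems.append(f"tcp-mss {configured_mss} should be {expected_tcp_mss(mru)}")
    return problems
```

Feed it the real CLI output (for instance pasted from the terminal) and an empty result means the session is fully up with the clamp value the config expects.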