Geekzone: technology news, blogs, forums
hashbrown
#721250 22-Nov-2012 12:26

Not sure of the best way to do it on SRX, but I'd be looking for the equivalent of the Cisco "tcp adjust-mss" command rather than changing the MTU of the interface.



LennonNZ
#721256 22-Nov-2012 12:34


hashbrown: Not sure of the best way to do it on SRX, but I'd be looking for the equivalent of the Cisco "tcp adjust-mss" command rather than changing the MTU of the interface.


set security flow tcp-mss all-tcp mss XXXX

hashbrown
#721262 22-Nov-2012 12:48


LennonNZ: set security flow tcp-mss all-tcp mss XXXX


@mindshift Try this with an MSS of 1452

set security flow tcp-mss all-tcp mss 1452



mountainrescuer
#797807 11-Apr-2013 14:58


All, as you know the SRX has been quite difficult in the past to get working here in New Zealand.

Juniper first amended code to allow the PPPoE authentication to be transmitted on VLAN 10 but then caused issues as LCP for PPPoE neg control packets were sent from the SRX marked as '6' (802.1p).

11.4R4.7 and 11.4R4.8 'resolved' the issue with outbound packets being sent as BE '0'. Later releases broke this again. A new command (as yet undocumented in the release notes) was added to 12.1R5.5 which allows you to set the 802.1p markings for RE generated traffic:
set class-of-service host-outbound-traffic ieee-802.1 default <802.1p setting> (either 'be' or '000' is valid)

Full VDSL working configuration is below (in copy & paste format):
set interfaces pt-1/0/0 vlan-tagging
set interfaces pt-1/0/0 vdsl-options vdsl-profile auto
set interfaces pt-1/0/0 unit 0 encapsulation ppp-over-ether
set interfaces pt-1/0/0 unit 0 vlan-id 10
set interfaces pp0 traceoptions flag all
set interfaces pp0 no-per-unit-scheduler
set interfaces pp0 unit 0 ppp-options pap local-name "REMOVED@snap.net.nz"
set interfaces pp0 unit 0 ppp-options pap local-password "REMOVED"
set interfaces pp0 unit 0 ppp-options pap passive
set interfaces pp0 unit 0 pppoe-options underlying-interface pt-1/0/0.0
set interfaces pp0 unit 0 pppoe-options auto-reconnect 10
set interfaces pp0 unit 0 pppoe-options client
set interfaces pp0 unit 0 family inet negotiate-address
set class-of-service host-outbound-traffic ieee-802.1 default 000

For completeness I've included ADSL and UFB below:
set interfaces at-1/0/0 mtu 1514
set interfaces at-1/0/0 encapsulation atm-pvc
set interfaces at-1/0/0 atm-options vpi 0
set interfaces at-1/0/0 dsl-options operating-mode auto
set interfaces at-1/0/0 unit 0 encapsulation atm-ppp-vc-mux
set interfaces at-1/0/0 unit 0 vci 100
set interfaces at-1/0/0 unit 0 ppp-options pap local-name "snap.test3@snap.net.nz"
set interfaces at-1/0/0 unit 0 ppp-options pap local-password "$9$d2saUk.PF69P5rvMLN-k.mfFntuOESrtu"
set interfaces at-1/0/0 unit 0 ppp-options pap passive
set interfaces at-1/0/0 unit 0 family inet mtu 1500
set interfaces at-1/0/0 unit 0 family inet primary
set interfaces at-1/0/0 unit 0 family inet negotiate-address
set interfaces pp0 no-per-unit-scheduler
set interfaces pp0 unit 0 ppp-options pap local-name "REMOVED@snap.net.nz"
set interfaces pp0 unit 0 ppp-options pap local-password "REMOVED"
set interfaces pp0 unit 0 ppp-options pap passive
set interfaces pp0 unit 0 pppoe-options underlying-interface at-1/0/0.0
set interfaces pp0 unit 0 pppoe-options auto-reconnect 10
set interfaces pp0 unit 0 pppoe-options client
set interfaces pp0 unit 0 family inet negotiate-address
set class-of-service host-outbound-traffic ieee-802.1 default 000

set interfaces fe-0/0/0 vlan-tagging
set interfaces fe-0/0/0 unit 0 encapsulation ppp-over-ether
set interfaces fe-0/0/0 unit 0 vlan-id 10
set interfaces pp0 no-per-unit-scheduler
set interfaces pp0 unit 0 ppp-options pap local-name "REMOVED@snap.net.nz"
set interfaces pp0 unit 0 ppp-options pap local-password "REMOVED"
set interfaces pp0 unit 0 ppp-options pap passive
set interfaces pp0 unit 0 pppoe-options underlying-interface fe-0/0/0.0
set interfaces pp0 unit 0 pppoe-options auto-reconnect 10
set interfaces pp0 unit 0 pppoe-options client
set interfaces pp0 unit 0 family inet negotiate-address
set class-of-service host-outbound-traffic ieee-802.1 default 000

--- JUNOS 12.1R5.5 built 2013-01-17 06:12:00 UTC
admin@*> show version
Hostname: *
Model: srx110h-va
JUNOS Software Release [12.1R5.5]

admin@*> show interfaces pp0 terse
Interface Admin Link Proto Local Remote
pp0 up up
pp0.0 up up inet 1.2.3.5 --> 1.2.3.4

Cheers,
Graham
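The 802.1p problem described in this post (PPPoE control frames leaving the SRX with priority 6 on VLAN 10) can be checked from a capture of the uplink rather than inferred. As an added example, not from the thread or from Juniper, here is a small Python parser for the 802.1Q tag that flags PPPoE frames whose PCP is not best effort; the frames are constructed inline (made-up MAC addresses, minimal PPPoE/LCP headers) and the function names are my own.

```python
import struct

# EtherTypes used below (standard IEEE/IANA assignments).
ETH_P_8021Q = 0x8100      # 802.1Q VLAN tag TPID
PPPOE_DISCOVERY = 0x8863  # PPPoE Discovery stage (PADI/PADO/PADR/PADS)
PPPOE_SESSION = 0x8864    # PPPoE Session stage (carries LCP, PAP, IPCP, IP)


def parse_vlan_tag(frame: bytes) -> dict:
    """Return PCP (802.1p priority), DEI, VID and inner EtherType of a tagged frame."""
    if len(frame) < 18:
        raise ValueError("frame too short for an 802.1Q header")
    tpid, tci, inner_type = struct.unpack("!HHH", frame[12:18])
    if tpid != ETH_P_8021Q:
        raise ValueError("frame is not 802.1Q tagged")
    # TCI layout: 3 bits PCP | 1 bit DEI | 12 bits VID
    return {"pcp": tci >> 13, "dei": (tci >> 12) & 1,
            "vid": tci & 0x0FFF, "ethertype": inner_type}


def build_vlan_frame(pcp: int, vid: int, ethertype: int, payload: bytes = b"") -> bytes:
    """Construct a tagged frame for testing; the MAC addresses are made up."""
    dst = bytes.fromhex("ffffffffffff")   # constructed broadcast destination
    src = bytes.fromhex("020000000001")   # constructed locally administered source
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", ETH_P_8021Q, tci, ethertype) + payload


def pppoe_frames_with_nonzero_pcp(frames):
    """Indices of PPPoE frames whose 802.1p priority is not best effort (0).

    Run this over the uplink capture before and after applying the
    host-outbound-traffic marking; the result should become empty.
    """
    flagged = []
    for idx, frame in enumerate(frames):
        tag = parse_vlan_tag(frame)
        if tag["ethertype"] in (PPPOE_DISCOVERY, PPPOE_SESSION) and tag["pcp"] != 0:
            flagged.append(idx)
    return flagged


# Constructed sample capture: an LCP-bearing session frame marked 6 (the fault),
# the same frame marked 0 (after the fix), and a PADI discovery frame marked 0.
SAMPLE_FRAMES = [
    build_vlan_frame(6, 10, PPPOE_SESSION, b"\x11\x00\x00\x01\x00\x04\xc0\x21"),
    build_vlan_frame(0, 10, PPPOE_SESSION, b"\x11\x00\x00\x01\x00\x04\xc0\x21"),
    build_vlan_frame(0, 10, PPPOE_DISCOVERY, b"\x11\x09\x00\x00\x00\x00"),
]

if __name__ == "__main__":
    print("PPPoE frames with non-BE PCP:", pppoe_frames_with_nonzero_pcp(SAMPLE_FRAMES))
```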

davemc
#2019508 20-May-2018 20:15


For complete completeness, here's a full config for an SRX110H-VA (not for a newer H2, and not for 12.3)

This is a routed (layer 3) configuration, not a transparent bridge or layer 2 configuration.

Most people posting Junos config post only relevant snips, because they 'know' how to do the rest.

For those of us still only Juniper learners, it can be hard to draw it all together, so comments for improvement welcome.

set version 12.1R6.5
set system host-name router
set system domain-name dsl.geekzone.co.nz
set system time-zone Pacific/Auckland
# password1
set system root-authentication encrypted-password "$1$HtmDHHrH$PRRW.o0UF.Lr1W1BjIeCT."
set system name-server 208.67.222.222
set system name-server 208.67.220.220
set system services ssh
set system services telnet
set system services xnm-clear-text
set system services web-management http interface vlan.0
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.3
set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254
set system services dhcp pool 192.168.1.0/24 router 192.168.1.1
# "Propagate the dns server from the untrust to trust interface."
set system services dhcp propagate-settings pt-1/0/0.0
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set system ntp server nz.pool.ntp.org
set interfaces interface-range interfaces-trust member fe-0/0/1
set interfaces interface-range interfaces-trust unit 0 family ethernet-switching vlan members vlan-trust
# 0 is configured as an untrust ethernet feed
set interfaces fe-0/0/0 unit 0 family inet dhcp
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/7 unit 0 family inet
# nz specific vdsl stuff from mountainrescuer post above
set interfaces pt-1/0/0 vlan-tagging
set interfaces pt-1/0/0 vdsl-options vdsl-profile auto
set interfaces pt-1/0/0 unit 0 encapsulation ppp-over-ether
set interfaces pt-1/0/0 unit 0 vlan-id 10
set interfaces pp0 traceoptions flag all
set interfaces pp0 no-per-unit-scheduler
set interfaces pp0 unit 0 ppp-options pap local-name "user@xtrabb.co.nz"
# generic password 'telecom', anything will do, actual security is by physical card line port
set interfaces pp0 unit 0 ppp-options pap local-password "$9$UmD.5n6AO1hqmT39pREX7-"
set interfaces pp0 unit 0 ppp-options pap passive
set interfaces pp0 unit 0 pppoe-options underlying-interface pt-1/0/0.0
set interfaces pp0 unit 0 pppoe-options auto-reconnect 10
set interfaces pp0 unit 0 pppoe-options client
set interfaces pp0 unit 0 family inet negotiate-address
set interfaces vlan unit 0 family inet address 192.168.1.1/24
set routing-options static route 0.0.0.0/0 next-hop pp0.0
set routing-options static route 0.0.0.0/0 metric 100
set protocols stp
set class-of-service host-outbound-traffic ieee-802.1 default 000
annotate class-of-service "Very important sets BE (aka 000) on LCP 6 reply packets for vdsl correct operation."
set security flow tcp-mss all-tcp mss 1452
annotate security "Without this flow full size inbound vdsl packets are lost."
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule match destination-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces vlan.0 host-inbound-traffic protocols all
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services tftp
set security zones security-zone untrust interfaces pt-1/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces pt-1/0/0.0 host-inbound-traffic system-services tftp
set security zones security-zone untrust interfaces pp0.0
# Junos uses vlan 3 as default for trusted interfaces
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0

davemc
#2019511 20-May-2018 20:26


Oh, and how to get the above into your device?

  • Connect cisco-type light blue cable from db9 serial port or db9 serial USB dongle to console port (rj45) of router
  • Startup serial utility like minicom, set serial port to match hardware, eg /tty/S0 or /tty/USB0, set parameters to 9600,8,n,1
  • Startup router, login with root and your password, or password1 if using above config, or factory reset the password
  • At % prompt type cli
  • At > prompt type edit
  • At # prompt paste the text above
  • type commit to save the above. Here any logical errors will be reported, and the config won't save.
  • exit to leave edit mode
  • show configuration - to see what you got, as indented & braced config layout
  • show interfaces pt-1/0/0 extensive - to see how fast your link is, on the line Bit rate (kbps)

Lias
#2019599 21-May-2018 08:46


You probably want to remove the password line from that .. hashed or not..

davemc
#2019676 21-May-2018 11:08


Why is that? Both the passwords in the config are well known, obvious, stated in clear text in the comments, and provide a fully functioning copy & paste. Neither are my passwords, and the root one is not suitable for production usage, which is obvious from its simplicity. The pap password is required to make it work.

If a user wants to change the root password they can, if they want to take the security risk, that's also their choice.

As you say, information wants to be free.  Could you suggest any other security improvements to this config?
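One way to answer the question of further security improvements, and to make the "remove the password line" advice routine, is to lint a set-format Junos config before posting it. This is an added example, not code from the thread or from Juniper: the excerpt is constructed from statements in the config above with the secret values replaced by placeholders, and the finding categories and function names are my own.

```python
import re

# Constructed excerpt in Junos "set" format, modelled on the config posted above.
# The quoted secrets are placeholders, not the values from the post.
SAMPLE_CONFIG = """
set system root-authentication encrypted-password "$1$PLACEHOLDER"
set system services ssh
set system services telnet
set system services xnm-clear-text
set system services web-management http interface vlan.0
set system services web-management https system-generated-certificate
set interfaces pp0 unit 0 ppp-options pap local-password "$9$PLACEHOLDER"
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone untrust interfaces pp0.0
""".strip()

# Management services that carry credentials or sessions without encryption.
CLEARTEXT_SERVICES = {
    "telnet": "telnet: credentials and session in clear text",
    "xnm-clear-text": "xnm-clear-text: XML management over unencrypted TCP",
    "web-management http": "J-Web over plain HTTP",
}
# Statements whose quoted value is a secret. Junos $9$ values are obfuscated,
# not hashed, and are recoverable; $1$ is a one-way crypt hash but still
# invites offline guessing, so both belong out of a shared config.
SECRET_KEYWORDS = ("encrypted-password", "local-password", "pre-shared-key")
PERMISSIVE_RE = re.compile(r"host-inbound-traffic (system-services|protocols) all$")


def audit_junos_set_config(text):
    """Return (line number, category, detail) findings for a set-format config."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.strip().split()
        if tokens[:1] != ["set"]:
            continue
        for svc, why in CLEARTEXT_SERVICES.items():
            svc_tokens = svc.split()   # token match so "http" does not match "https"
            if tokens[:3 + len(svc_tokens)] == ["set", "system", "services", *svc_tokens]:
                findings.append((lineno, "cleartext-service", why))
        if any(kw in tokens for kw in SECRET_KEYWORDS):
            findings.append((lineno, "embedded-secret", "redact before posting"))
        if PERMISSIVE_RE.search(raw.strip()):
            findings.append((lineno, "permissive-host-inbound", "zone accepts all services/protocols"))
    return findings


def redact_secrets(text):
    """Replace the quoted value of secret-bearing statements so a config can be shared."""
    out = []
    for line in text.splitlines():
        if any(kw in line.split() for kw in SECRET_KEYWORDS):
            line = re.sub(r'"[^"]*"\s*$', '"<REDACTED>"', line)
        out.append(line)
    return "\n".join(out)
```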


Lias
#2019688 21-May-2018 11:30


Up to you I guess..

I personally wouldn't because A: someone will inevitably just cut and paste it and use it, and B: getting into the habit of pasting configs without always removing the password is probably not a good habit to get into.