Geekzone: technology news, blogs, forums
hashbrown
#721250 22-Nov-2012 12:26

Not sure of the best way to do it on SRX, but I'd be looking for the equivalent of the Cisco "tcp adjust-mss" command rather than changing the MTU of the interface.

LennonNZ
#721256 22-Nov-2012 12:34

hashbrown: Not sure of the best way to do it on SRX, but I'd be looking for the equivalent of the Cisco "tcp adjust-mss" command rather than changing the MTU of the interface.


set security flow tcp-mss all-tcp mss XXXX



hashbrown
#721262 22-Nov-2012 12:48

LennonNZ: set security flow tcp-mss all-tcp mss XXXX


@mindshift Try this with an MSS of 1452

set security flow tcp-mss all-tcp mss 1452

mountainrescuer
#797807 11-Apr-2013 14:58

All, as you know the SRX has been quite difficult in the past to get working here in New Zealand.

Juniper first amended code to allow the PPPoE authentication to be transmitted on VLAN 10 but then caused issues as LCP for PPPoE neg control packets were sent from the SRX marked as '6' (802.1p).

11.4R4.7 and 11.4R4.8 'resolved' the issue with outbound packets being sent as BE '0'. Later releases broke this again. A new command (as yet undocumented in the release notes) was added to 12.1R5.5 which allows you to set the 802.1p markings for RE generated traffic:
set class-of-service host-outbound-traffic ieee-802.1 default <802.1p setting> (either 'be' or '000' is valid)

Full VDSL working configuration is below (in copy & paste format):
set interfaces pt-1/0/0 vlan-tagging
set interfaces pt-1/0/0 vdsl-options vdsl-profile auto
set interfaces pt-1/0/0 unit 0 encapsulation ppp-over-ether
set interfaces pt-1/0/0 unit 0 vlan-id 10
set interfaces pp0 traceoptions flag all
set interfaces pp0 no-per-unit-scheduler
set interfaces pp0 unit 0 ppp-options pap local-name "REMOVED@snap.net.nz"
set interfaces pp0 unit 0 ppp-options pap local-password "REMOVED"
set interfaces pp0 unit 0 ppp-options pap passive
set interfaces pp0 unit 0 pppoe-options underlying-interface pt-1/0/0.0
set interfaces pp0 unit 0 pppoe-options auto-reconnect 10
set interfaces pp0 unit 0 pppoe-options client
set interfaces pp0 unit 0 family inet negotiate-address
set class-of-service host-outbound-traffic ieee-802.1 default 000

For completeness I've included ADSL and UFB below:
set interfaces at-1/0/0 mtu 1514
set interfaces at-1/0/0 encapsulation atm-pvc
set interfaces at-1/0/0 atm-options vpi 0
set interfaces at-1/0/0 dsl-options operating-mode auto
set interfaces at-1/0/0 unit 0 encapsulation atm-ppp-vc-mux
set interfaces at-1/0/0 unit 0 vci 100
set interfaces at-1/0/0 unit 0 ppp-options pap local-name "snap.test3@snap.net.nz"
set interfaces at-1/0/0 unit 0 ppp-options pap local-password "$9$d2saUk.PF69P5rvMLN-k.mfFntuOESrtu"
set interfaces at-1/0/0 unit 0 ppp-options pap passive
set interfaces at-1/0/0 unit 0 family inet mtu 1500
set interfaces at-1/0/0 unit 0 family inet primary
set interfaces at-1/0/0 unit 0 family inet negotiate-address
set interfaces pp0 no-per-unit-scheduler
set interfaces pp0 unit 0 ppp-options pap local-name "REMOVED@snap.net.nz"
set interfaces pp0 unit 0 ppp-options pap local-password "REMOVED"
set interfaces pp0 unit 0 ppp-options pap passive
set interfaces pp0 unit 0 pppoe-options underlying-interface at-1/0/0.0
set interfaces pp0 unit 0 pppoe-options auto-reconnect 10
set interfaces pp0 unit 0 pppoe-options client
set interfaces pp0 unit 0 family inet negotiate-address
set class-of-service host-outbound-traffic ieee-802.1 default 000

set interfaces fe-0/0/0 vlan-tagging
set interfaces fe-0/0/0 unit 0 encapsulation ppp-over-ether
set interfaces fe-0/0/0 unit 0 vlan-id 10
set interfaces pp0 no-per-unit-scheduler
set interfaces pp0 unit 0 ppp-options pap local-name "REMOVED@snap.net.nz"
set interfaces pp0 unit 0 ppp-options pap local-password "REMOVED"
set interfaces pp0 unit 0 ppp-options pap passive
set interfaces pp0 unit 0 pppoe-options underlying-interface fe-0/0/0.0
set interfaces pp0 unit 0 pppoe-options auto-reconnect 10
set interfaces pp0 unit 0 pppoe-options client
set interfaces pp0 unit 0 family inet negotiate-address
set class-of-service host-outbound-traffic ieee-802.1 default 000

--- JUNOS 12.1R5.5 built 2013-01-17 06:12:00 UTC
admin@*> show version
Hostname: *
Model: srx110h-va
JUNOS Software Release [12.1R5.5]

admin@*> show interfaces pp0 terse
Interface Admin Link Proto Local Remote
pp0 up up
pp0.0 up up inet 1.2.3.5 --> 1.2.3.4

Cheers,
Graham

davemc
#2019508 20-May-2018 20:15

For complete completeness, here's a full config for an SRX110H-VA (not for a newer H2, and not for 12.3)

This is a routed (layer 3) configuration, not a transparent bridge or layer 2 configuration.

Most people posting Junos config post only relevant snips, because they 'know' how to do the rest.

For those of us still only Juniper learners, it can be hard to draw it all together, so comments for improvement welcome.

set version 12.1R6.5
set system host-name router
set system domain-name dsl.geekzone.co.nz
set system time-zone Pacific/Auckland
# password1
set system root-authentication encrypted-password "$1$HtmDHHrH$PRRW.o0UF.Lr1W1BjIeCT."
set system name-server 208.67.222.222
set system name-server 208.67.220.220
set system services ssh
set system services telnet
set system services xnm-clear-text
set system services web-management http interface vlan.0
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.3
set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254
set system services dhcp pool 192.168.1.0/24 router 192.168.1.1
# "Propagate the dns server from the untrust to trust interface."
set system services dhcp propagate-settings pt-1/0/0.0
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set system ntp server nz.pool.ntp.org
set interfaces interface-range interfaces-trust member fe-0/0/1
set interfaces interface-range interfaces-trust unit 0 family ethernet-switching vlan members vlan-trust
# 0 is configured as an untrust ethernet feed
set interfaces fe-0/0/0 unit 0 family inet dhcp
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/7 unit 0 family inet
# nz specific vdsl stuff from mountainrescuer post above
set interfaces pt-1/0/0 vlan-tagging
set interfaces pt-1/0/0 vdsl-options vdsl-profile auto
set interfaces pt-1/0/0 unit 0 encapsulation ppp-over-ether
set interfaces pt-1/0/0 unit 0 vlan-id 10
set interfaces pp0 traceoptions flag all
set interfaces pp0 no-per-unit-scheduler
set interfaces pp0 unit 0 ppp-options pap local-name "user@xtrabb.co.nz"
# generic password 'telecom', anything will do, actual security is by physical card line port
set interfaces pp0 unit 0 ppp-options pap local-password "$9$UmD.5n6AO1hqmT39pREX7-"
set interfaces pp0 unit 0 ppp-options pap passive
set interfaces pp0 unit 0 pppoe-options underlying-interface pt-1/0/0.0
set interfaces pp0 unit 0 pppoe-options auto-reconnect 10
set interfaces pp0 unit 0 pppoe-options client
set interfaces pp0 unit 0 family inet negotiate-address
set interfaces vlan unit 0 family inet address 192.168.1.1/24
set routing-options static route 0.0.0.0/0 next-hop pp0.0
set routing-options static route 0.0.0.0/0 metric 100
set protocols stp
set class-of-service host-outbound-traffic ieee-802.1 default 000
annotate class-of-service "Very important sets BE (aka 000) on LCP 6 reply packets for vdsl correct operation."
set security flow tcp-mss all-tcp mss 1452
annotate security "Without this flow full size inbound vdsl packets are lost."
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule match destination-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces vlan.0 host-inbound-traffic protocols all
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services tftp
set security zones security-zone untrust interfaces pt-1/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces pt-1/0/0.0 host-inbound-traffic system-services tftp
set security zones security-zone untrust interfaces pp0.0
# Junos uses vlan 3 as default for trusted interfaces
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0


davemc
#2019511 20-May-2018 20:26

Oh, and how to get the above into your device?
  • Connect cisco-type light blue cable from db9 serial port or db9 serial USB dongle to console port (rj45) of router
  • Startup serial utility like minicom, set serial port to match hardware, eg /tty/S0 or /tty/USB0, set parameters to 9600,8,n,1
  • Startup router, login with root and your password, or password1 if using above config, or factory reset the password
  • At % prompt type cli
  • At > prompt type edit
  • At # prompt paste the text above
  • type commit to save the above. Here any logical errors will be reported, and the config won't save.
  • exit to leave edit mode
  • show configuration - to see what you got, as indented & braced config layout
  • show interfaces pt-1/0/0 extensive - to see how fast your link is, on the line Bit rate (kbps)

Lias
#2019599 21-May-2018 08:46

You probably want to remove the password line from that .. hashed or not..


davemc
#2019676 21-May-2018 11:08

Why is that?  Both the passwords in the config are well known, obvious, stated in clear text in the comments, and provide a fully functioning copy & paste.  Neither are my passwords, and the root one is not suitable for production usage, which is obvious from its simplicity. The pap password is required to make it work.

If a user wants to change the root password they can, if they want to take the security risk, that's also their choice.

As you say, information wants to be free.  Could you suggest any other security improvements to this config?
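A hardened variant of the management-service and trust-zone settings from the full config posted above, added here as an illustration and not taken from any poster; it assumes the rest of that config stays as posted and uses a placeholder where a real password hash would go.

```junos
# Drop the clear-text management services the posted config enables
delete system services telnet
delete system services xnm-clear-text
delete system services web-management http
# Keep SSH, but v2 only, no direct root login, and limited connection rate
set system services ssh protocol-version v2
set system services ssh root-login deny
set system services ssh connection-limit 5
set system services ssh rate-limit 5
# Administer as a named super-user rather than root; hash below is a placeholder
set system login user admin class super-user authentication encrypted-password "<PLACEHOLDER-HASH>"
# Trust zone: replace "system-services all / protocols all" with only what the LAN needs
# (ssh and https for management, dhcp because the SRX is the DHCP server, ping for diagnostics)
delete security zones security-zone trust host-inbound-traffic
delete security zones security-zone trust interfaces vlan.0 host-inbound-traffic
set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services ssh
set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services https
set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services dhcp
set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services ping
# Turn off the "flag all" trace logging on pp0 once the link is up; it is a debugging aid, not a steady-state setting
delete interfaces pp0 traceoptions
```

Paste these after the full config and before commit; https web management on vlan.0 is kept, so the https host-inbound line is required for it to keep working.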


Lias
#2019688 21-May-2018 11:30

Up to you I guess.. 
I personally wouldn't because A: someone will inevitably just cut and paste it and use it, and B: getting into the habit of pasting configs without always removing the password is probably not a good habit to get into.
