Wanting to learn a little bit of JUNOS (it runs all the routing in KAREN), I borrowed an SRX210 with an ADSL2+ Annex A PIM.
With a combination of Googling and some trial and error I have a working config (below).
The trickiest bit was getting the right parameters for the ADSL interface. This seems to be working now. The second trickiest bit was understanding how zones, policies and rules all tie together on the security side... and then punching some port forwarding holes through them for specific apps I like to access remotely.
In summary, this config:
--donaldsclark 20:01, 1 November 2010 (NZDT)
UPDATE 1
Some very odd iTunes behaviour - whenever I tried to click to download an app or movie / song there would be no response. I tracked down this Juniper Community entry that recommended setting an MTU and MSS explicitly. I did, and bizarrely it works now.
Who'd've thought it....
Config below updated to include these entries.
UPDATE 2
I don't think my custom applications are traversing the firewall properly - I can SSH / HTTP into my home server, but not VNC or AirVideo.
--donaldsclark 12:08, 5 November 2010 (NZDT)
(Sorry for the odd wiki format handling of the code block)
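version 10.0R1.8;
system {
    host-name 12B_SRX210;
    time-zone Pacific/Auckland;
    authentication-order password;
    root-authentication {
        /* $1$ is MD5-crypt: a hash that has been published (as on this wiki page)
           should be treated as compromised and the password rotated. */
        encrypted-password "$1$q9SEQkKV$gkbHIxSs7y2KHKFE1y/2j0";
    }
    name-server {
        203.97.78.44;
        8.8.8.8;
    }
    login {
        user vpnuser {
            class operator;
            authentication {
                /* same note as for root-authentication: rotate once published */
                encrypted-password "$1$GBIV638S$zl7tTqXNWXyYXBEGqivwm.";
            }
        }
    }
    services {
        ssh;
        web-management {
            /* plaintext HTTP management; with the zone settings below it is
               only reachable from zone trust (vlan.0), never from the ADSL side */
            http;
            https {
                system-generated-certificate;
            }
        }
        dhcp {
            router {
                192.168.1.1;
            }
            pool 192.168.1.0/24 {
                address-range low 192.168.1.100 high 192.168.1.199;
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            /* login / commit events land here; useful when reviewing who changed what */
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server 131.203.16.6 prefer;
    }
}
interfaces {
    /* all eight switch ports are one L2 range on the trust VLAN */
    interface-range interfaces-trust {
        member ge-0/0/0;
        member ge-0/0/1;
        member fe-0/0/2;
        member fe-0/0/3;
        member fe-0/0/4;
        member fe-0/0/5;
        member fe-0/0/6;
        member fe-0/0/7;
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    at-1/0/0 {
        description TNZ_ADSL;
        /* set explicitly together with the tcp-mss clamp under security flow (UPDATE 1) */
        mtu 1492;
        encapsulation atm-pvc;
        atm-options {
            vpi 0;
        }
        dsl-options {
            operating-mode auto;
        }
        unit 0 {
            description TNZ_ADSL_PPPOA;
            encapsulation atm-ppp-llc;
            vci 0.100;
            ppp-options {
                pap {
                    local-name "donaldsclark@clear.net.nz";
                    /* $9$ is reversible obfuscation, not a hash: a $9$ string that has
                       been published discloses the ISP password and must be changed */
                    local-password "$9$h5.cyKY2aikPWLgJZU.m0B1";
                    passive;
                }
            }
            family inet {
                /* WAN address is assigned by the ISP via IPCP, hence 0.0.0.0/0 in the DNAT matches */
                negotiate-address;
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop at-1/0/0.0;
    }
}
security {
    nat {
        source {
            /* everything from the LAN is hidden behind the ADSL interface address */
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            /* each pool is the real listener on the home server 192.168.1.5 */
            pool server-web {
                address 192.168.1.5/32 port 80;
            }
            pool server-airvideo {
                address 192.168.1.5/32 port 45631;
            }
            pool server-ssh {
                address 192.168.1.5/32 port 22;
            }
            pool server-vnc {
                /* Must be the port the VNC server listens on. Rule forward-vnc and
                   application 12b-macvnc both use 5900; this pool previously said
                   45631 (the AirVideo port), so inbound VNC was translated onto the
                   AirVideo listener instead of the VNC server. */
                address 192.168.1.5/32 port 5900;
            }
            /* match on the ADSL interface rather than a fixed address because the WAN IP is negotiated */
            rule-set home-servers {
                from interface at-1/0/0.0;
                rule forward-web {
                    match {
                        destination-address 0.0.0.0/0;
                        destination-port 80;
                    }
                    then {
                        destination-nat pool server-web;
                    }
                }
                rule forward-airvideo {
                    match {
                        destination-address 0.0.0.0/0;
                        destination-port 45631;
                    }
                    then {
                        destination-nat pool server-airvideo;
                    }
                }
                rule forward-ssh {
                    match {
                        destination-address 0.0.0.0/0;
                        destination-port 22;
                    }
                    then {
                        destination-nat pool server-ssh;
                    }
                }
                rule forward-vnc {
                    match {
                        destination-address 0.0.0.0/0;
                        destination-port 5900;
                    }
                    then {
                        destination-nat pool server-vnc;
                    }
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
            }
        }
        security-zone untrust {
            /* Internet-facing zone: the SRX itself only answers ping here. The
               previous "system-services all; protocols all;" exposed ssh, http and
               https web-management, dhcp and every routing protocol on the ADSL
               address. The forwarded ports are handled by the destination NAT
               rules above, which do not depend on host-inbound-traffic. */
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                at-1/0/0.0;
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            /* evaluated after destination NAT, so this only ever admits the
               forwarded applications towards 192.168.1.5; source-address any is
               required because the remote clients have no fixed address */
            policy untrust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application [ 12b-macvnc 12b-airvideo junos-ssh junos-http junos-vnc junos-icmp-all ];
                }
                then {
                    permit;
                }
            }
        }
    }
    flow {
        /* MSS clamp for every TCP session through the box (UPDATE 1) */
        tcp-mss {
            all-tcp {
                mss 1300;
            }
        }
    }
}
applications {
    /* custom applications referenced by policy untrust-to-trust; the ports
       match the corresponding destination NAT rules and pools */
    application 12b-airvideo {
        protocol tcp;
        destination-port 45631;
    }
    application 12b-macvnc {
        protocol tcp;
        destination-port 5900;
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}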