Hi Juniper Gurus,
I'm fairly new to Juniper devices and configuration. I'm trying to set up my SRX210H to connect to my home ISP and an ASUS wireless AP router (for WiFi only). I was able to use my SRX to act as a DHCP server for home LAN users.
My issue is that I'm actually doing double NATting on the SRX, as I'm still using the private IP subnet of the ISP Bell modem.
I use the Bell Home Hub 3000 and found the option for Advanced DMZ, where it gave my Juniper SRX the WAN IP 77.XX.XX.XX with subnet range 127.255.255.255, but I'm unable to connect to the internet or even ping Google 8.8.8.8 via my SRX.
Topology right now is: Bell ISP Modem 192.168.2.1 LAN port --> SRX ge-0/0/0 192.168.2.10 (internet (untrust) zone) <NAT> acting as DHCP server (lan (trust) zone) ge-0/0/1 - 192.168.50.10 default GW for LAN users --> ASUS router in wireless AP mode only. Currently this config works, but I'm doing double NATting as I'm using a private IP on the SRX, which is doing NAT as well.
I would like to change my SRX to be a DHCP client of the ISP modem and use the WAN IP I got from my Bell Home Hub 3000 Advanced DMZ, but somehow I can't even ping the internet even though I'm getting a public IP via DHCP client. I'm also unsure how my LAN users will work, because the static route will be incorrect since the GW is the private IP. Which IP should I add? Could you direct me to what I'm missing here? Do I need to configure PPPoE directly on my SRX?
How will this setting work if I have a Public IP on SRX? "set routing-options static route 0.0.0.0/0 next-hop 192.168.2.1"
set system host-name SRX1
set system root-authentication encrypted-password
set system name-server 4.2.2.1
set system name-server 8.8.8.8
set system services ssh
set system services telnet
set system services xnm-clear-text
set system services dhcp-local-server group JunosDHCP-group interface ge-0/0/1.0
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
set system services web-management https interface ge-0/0/1.0
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system syslog file blocked-traffic any any
set system syslog file blocked-traffic match RT_FLOW_SESSION_DENY
set system syslog file no-route-present any any
set system syslog file no-route-present match "NO ROUTE PRESENT"
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces ge-0/0/0 description Access_to_Internet
set interfaces ge-0/0/0 unit 0 family inet dhcp-client
set interfaces ge-0/0/1 description Access_to_LAN
set interfaces ge-0/0/1 unit 0 family inet address 192.168.50.10/24
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces lo0 unit 0 family inet address 11.11.11.1/24
set interfaces vlan unit 0 family inet address 192.168.1.1/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.2.1
set protocols stp
set security address-book global address lan 192.168.50.0/24
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set internet-nat from zone lan
set security nat source rule-set internet-nat to zone internet
set security nat source rule-set internet-nat rule lan-access match source-address 192.168.50.0/24
set security nat source rule-set internet-nat rule lan-access match destination-address 0.0.0.0/0
set security nat source rule-set internet-nat rule lan-access then source-nat interface
set security policies from-zone lan to-zone internet policy FirewallPolicy match source-address lan
set security policies from-zone lan to-zone internet policy FirewallPolicy match destination-address any
set security policies from-zone lan to-zone internet policy FirewallPolicy match application any
set security policies from-zone lan to-zone internet policy FirewallPolicy then permit
set security policies from-zone lan to-zone internet policy FirewallPolicy then log session-close
set security policies global policy global_drop match source-address any
set security policies global policy global_drop match destination-address any
set security policies global policy global_drop match application any
set security policies global policy global_drop then deny
set security policies global policy global_drop then log session-init
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust host-inbound-traffic protocols ospf
set security zones security-zone trust host-inbound-traffic protocols bgp
set security zones security-zone trust interfaces vlan.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone internet interfaces ge-0/0/0.0
set security zones security-zone lan host-inbound-traffic system-services ping
set security zones security-zone lan host-inbound-traffic system-services https
set security zones security-zone lan host-inbound-traffic system-services traceroute
set security zones security-zone lan host-inbound-traffic system-services ssh
set security zones security-zone lan host-inbound-traffic protocols bgp
set security zones security-zone lan host-inbound-traffic protocols ospf
set security zones security-zone lan interfaces ge-0/0/1.0 host-inbound-traffic system-services dhcp
set security zones security-zone lan interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set security zones security-zone lan interfaces ge-0/0/1.0 host-inbound-traffic system-services https
set security zones security-zone lan interfaces ge-0/0/1.0 host-inbound-traffic system-services traceroute
set security zones security-zone lan interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh
set security zones security-zone lan interfaces ge-0/0/1.0 host-inbound-traffic protocols bgp
set security zones security-zone lan interfaces ge-0/0/1.0 host-inbound-traffic protocols ospf
set access address-assignment pool JunosPool family inet network 192.168.50.0/24
set access address-assignment pool JunosPool family inet range JunosRange low 192.168.50.11
set access address-assignment pool JunosPool family inet range JunosRange high 192.168.50.254
set access address-assignment pool JunosPool family inet dhcp-attributes maximum-lease-time 86400
set access address-assignment pool JunosPool family inet dhcp-attributes name-server 207.164.234.193
set access address-assignment pool JunosPool family inet dhcp-attributes name-server 207.164.234.129
set access address-assignment pool JunosPool family inet dhcp-attributes router 192.168.50.10
set poe interface all
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0
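Added example (not part of the post, not Juniper tooling): a small lint over a constructed excerpt of the configuration above that flags the two things worth checking when a WAN interface becomes a DHCP client. It assumes Juniper's DHCP-client examples, which pair the dhcp-client interface with host-inbound-traffic system-services dhcp, and it flags any static route whose next-hop is not on a statically addressed subnet, which is exactly the 0.0.0.0/0 via 192.168.2.1 case once ge-0/0/0 no longer sits in 192.168.2.0/24.

```python
import ipaddress

# Constructed excerpt of the poster's configuration (only the lines that matter here).
SAMPLE_CONFIG = """\
set interfaces ge-0/0/0 unit 0 family inet dhcp-client
set interfaces ge-0/0/1 unit 0 family inet address 192.168.50.10/24
set interfaces vlan unit 0 family inet address 192.168.1.1/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.2.1
set security zones security-zone internet interfaces ge-0/0/0.0
set security zones security-zone lan interfaces ge-0/0/1.0 host-inbound-traffic system-services dhcp
"""

def parse(text):
    """Collect DHCP-client interfaces, static addresses, static routes and zone services."""
    dhcp, addrs, routes = set(), {}, []
    iface_zone, zone_svc, iface_svc = {}, {}, {}
    for line in text.splitlines():
        t = line.split()
        if t[:2] == ["set", "interfaces"] and "unit" in t:
            name = f"{t[2]}.{t[4]}"          # 'ge-0/0/0 unit 0' -> 'ge-0/0/0.0'
            if "dhcp-client" in t:
                dhcp.add(name)
            elif "address" in t:
                addrs[name] = ipaddress.ip_interface(t[t.index("address") + 1])
        elif t[:4] == ["set", "routing-options", "static", "route"] and "next-hop" in t:
            routes.append((t[4], t[t.index("next-hop") + 1]))
        elif t[:4] == ["set", "security", "zones", "security-zone"]:
            zone = t[4]
            svc = t[t.index("system-services") + 1] if "system-services" in t else None
            if "interfaces" in t:                # interface-scoped statement
                iface = t[t.index("interfaces") + 1]
                iface_zone[iface] = zone
                if svc:
                    iface_svc.setdefault(iface, set()).add(svc)
            elif svc:                            # zone-wide statement
                zone_svc.setdefault(zone, set()).add(svc)
    return dhcp, addrs, routes, iface_zone, zone_svc, iface_svc

def lint(text):
    """Return (code, detail) findings; an empty list means neither pitfall is present."""
    dhcp, addrs, routes, iface_zone, zone_svc, iface_svc = parse(text)
    findings = []
    for iface in sorted(dhcp):   # DHCP offers are host-inbound traffic on this interface
        allowed = zone_svc.get(iface_zone.get(iface), set()) | iface_svc.get(iface, set())
        if not allowed & {"dhcp", "all"}:
            findings.append(("DHCP_NOT_ALLOWED", iface))
    for prefix, nh in routes:    # a static next-hop must sit on a connected, addressed subnet
        if not any(ipaddress.ip_address(nh) in a.network for a in addrs.values()):
            findings.append(("NEXT_HOP_NOT_CONNECTED", f"{prefix} via {nh}"))
    return findings

if __name__ == "__main__":
    for code, detail in lint(SAMPLE_CONFIG):
        print(code, detail)
```

A NEXT_HOP_NOT_CONNECTED hit on the default route is the sign that the route should come from the DHCP lease on ge-0/0/0 rather than from a hard-coded private gateway.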