Thursday, August 18, 2016

Set up a DHCP client on an SRX interface and port forwarding

Almost 3 years since I posted anything. I decided to make a quick post today because my firewall died and I replaced it with a Juniper SRX 210. For home use, this firewall kind of sucks. The DHCP client on the WAN (untrust) connection does not work out of the box; I had to do a little tweaking to get it running. In addition, the remote access VPN is clunky, and I was unable to get it running with third-party client software. There is no UPnP, of course, which is expected from this type of firewall. But like I said, I am using this as a temporary replacement because my home firewall died, so I had to open all my ports manually, which was kind of a pain.

First of all, to get DHCP working so the ONT can assign my firewall an IP, I had to do a couple of things. The first was to enable the DHCP client on the interface, which is easily done from the GUI with a check box. Next I executed the following from the shell:

- edit the startup script:

vi /etc/rc.custom

- save this file

- execute the following:

sysctl -w net.inet.ip.mcast_ttl=64

- modify the permissions (note that 777 also makes the file writable by every user on the box; it only needs to be readable and executable to run at boot):

chmod 777 /cf/etc/rc.custom

Then from the CLI we need to allow DHCP as a host-inbound system service on the interface that needs to obtain an IP address. This is a zone setting rather than a transit policy: it is what lets the SRX itself accept the DHCP replies arriving on that interface. In my case it was ge-0/0/0.0 in the untrust zone:

set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp

- Then execute the following command:

request system services dhcp renew ge-0/0/0.0

My firewall did not receive an IP address until I power cycled the ONT.

Enabling each port through the firewall was a serious beating. When forwarding multiple ports to the same server, you will need to make a new address entry for that same IP for each new rule. You can copy and modify the following block for a quick paste (it forwards TCP 9497 to 192.168.150.99; change the address, application name, port, and the rule/policy numbers for each service):

- define your addresses:

set security zones security-zone trust address-book address sodapc 192.168.150.99/32

- define your applications:

set applications application qbtor protocol tcp

set applications application qbtor destination-port 9497

- define your NAT pool:

set security nat destination pool dnat-192_168_150_99m32 address 192.168.150.99/32

set security nat destination pool dnat-192_168_150_99m32 address port 9497

- add the NAT rule (0.0.0.0/0 matches whatever public IP DHCP hands you, so the rule does not need updating when it changes):

set security nat destination rule-set dst-nat rule rule3 match destination-address 0.0.0.0/0

set security nat destination rule-set dst-nat rule rule3 match destination-port 9497

set security nat destination rule-set dst-nat rule rule3 then destination-nat pool dnat-192_168_150_99m32

- create the policy to permit the traffic:

set security policies from-zone untrust to-zone trust policy untrust-to-trust3 match source-address any

set security policies from-zone untrust to-zone trust policy untrust-to-trust3 match destination-address sodapc

set security policies from-zone untrust to-zone trust policy untrust-to-trust3 match application qbtor

set security policies from-zone untrust to-zone trust policy untrust-to-trust3 then permit

I have a ton of services at home, so I went on with this for quite a while. UPnP would have saved a lot of time.
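
Since the same dozen set lines repeat for every forwarded port, a small generator turns a list of forwards into one paste. This is an added example, not code from the original post: the zone names, the rule-set dst-nat and the naming pattern follow the post, while the Forward type, build_config, and the sample list (the post's qbtor forward plus a second constructed service on the same host) are assumptions made here. It also refuses a public port listed twice, because the earlier dst-nat rule would match first and the second service would silently never be reachable.

```python
# Added example, not from the original post: emits the post's Junos 'set' lines once
# per forwarded port so a long list becomes one paste. Zone names, the rule-set
# 'dst-nat' and the naming pattern follow the post; everything else is constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Forward:
    name: str   # application name, e.g. 'qbtor'
    host: str   # address-book entry for the internal server
    ip: str     # internal server address, no prefix length
    proto: str  # 'tcp' or 'udp'
    port: int   # public port, which is also the internal port as in the post

def forward_lines(f: Forward, idx: int) -> list:
    """Address-book, application, NAT pool, NAT rule and policy for one port."""
    if f.proto not in ("tcp", "udp") or not 1 <= f.port <= 65535:
        raise ValueError(f"bad forward {f.proto}/{f.port}")
    # Pool name includes proto/port so two forwards to one server get distinct pools.
    pool = f"dnat-{f.ip.replace('.', '_')}m32-{f.proto}{f.port}"
    nat = f"set security nat destination rule-set dst-nat rule rule{idx}"
    pol = f"set security policies from-zone untrust to-zone trust policy untrust-to-trust{idx}"
    return [
        f"set security zones security-zone trust address-book address {f.host} {f.ip}/32",
        f"set applications application {f.name} protocol {f.proto}",
        f"set applications application {f.name} destination-port {f.port}",
        f"set security nat destination pool {pool} address {f.ip}/32",
        f"set security nat destination pool {pool} address port {f.port}",
        f"{nat} match destination-address 0.0.0.0/0",
        f"{nat} match destination-port {f.port}",
        f"{nat} then destination-nat pool {pool}",
        f"{pol} match source-address any",
        f"{pol} match destination-address {f.host}",
        f"{pol} match application {f.name}",
        f"{pol} then permit",
    ]

def build_config(forwards: list, first_rule: int = 3) -> list:
    """Whole paste block; rejects a public port used twice (the earlier dst-nat rule would shadow it)."""
    seen, lines = set(), []
    for i, f in enumerate(forwards, start=first_rule):
        if (f.proto, f.port) in seen:
            raise ValueError(f"public port {f.proto}/{f.port} forwarded twice")
        seen.add((f.proto, f.port))
        lines.extend(forward_lines(f, i))
    return lines

# Constructed sample: the post's qbtor forward plus a second service on the same host.
SAMPLE = [Forward("qbtor", "sodapc", "192.168.150.99", "tcp", 9497),
          Forward("plex", "sodapc", "192.168.150.99", "tcp", 32400)]
```

Print "\n".join(build_config(SAMPLE)) and paste the result into configure mode; the first forward comes out identical to the post's block apart from the longer pool name.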