Almost 3 years since I posted anything. Decided to make a quick post today since my firewall died and I replaced it with a Juniper SRX 210. For home use, this firewall kind of sucks. DHCP client on the WAN (untrusted) connection does not work out of the box; I had to do a little tweaking to get it running. In addition to that, the remote access VPN is clunky and I was unable to get it running using 3rd party client software. There is no UPnP of course, which is expected from this type of firewall. But like I said, I am using this as a temporary replacement because my home firewall died, so I had to manually open all my ports, which was kind of a pain.
First of all, to get DHCP working so the ONT can assign my firewall an IP, I had to do a couple of things. The first was to enable the DHCP client on the interface, which was easily done from the GUI with a check box. Next I executed the following from the shell:
· edit and save this file
vi /etc/rc.custom
· execute the following
sysctl -w net.inet.ip.mcast_ttl=64
· modify the permissions
chmod 777 /cf/etc/rc.custom
Then from the CLI we need to allow DHCP as a host-inbound system service on the untrust zone interface that needs to obtain an IP address. In my case that was ge-0/0/0.0:
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
· then execute the following command
request system services dhcp renew ge-0/0/0.0
My firewall did not receive an IP address until I power cycled the ONT.
Enabling each port through the firewall was a serious beating. When forwarding multiple ports to the same server, you will need to make a new address entry for that same IP for each new rule. You can use and modify the following as a quick copy-and-paste template:
· define your addresses
set security zones security-zone trust address-book address sodapc 192.168.150.99/32
· define your applications
set applications application qbtor protocol tcp
set applications application qbtor destination-port 9497
· define your nat pool
set security nat destination pool dnat-192_168_150_99m32 address 192.168.150.99/32
set security nat destination pool dnat-192_168_150_99m32 address port 9497
· adjust the nat rule for your public IP
set security nat destination rule-set dst-nat rule rule3 match destination-address 0.0.0.0/0
set security nat destination rule-set dst-nat rule rule3 match destination-port 9497
set security nat destination rule-set dst-nat rule rule3 then destination-nat pool dnat-192_168_150_99m32
· create the policies to permit the traffic
set security policies from-zone untrust to-zone trust policy untrust-to-trust3 match source-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust3 match destination-address sodapc
set security policies from-zone untrust to-zone trust policy untrust-to-trust3 match application qbtor
set security policies from-zone untrust to-zone trust policy untrust-to-trust3 then permit
I have a ton of services at home so I went on with this for quite a while. UPnP would have saved a lot of time.
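Since the tedious part is repeating that block once per port, here is an added Python script (mine, not from the post or from Juniper) that emits the same set commands for a whole list of forwards to one host. The host name, the per-port pool suffix, the rule numbering and the `wan_match` parameter are assumed conventions modelled on the snippet above.

```python
"""Emit Junos SRX set commands for a batch of destination-NAT port-forwards.
Added example, not Juniper tooling: the pool, rule and policy naming is an
assumption modelled on the snippet in the post."""
import ipaddress


def port_forward_commands(host_name, host_ip, forwards, first_rule=1,
                          wan_match="0.0.0.0/0"):
    """Return set commands forwarding each (app_name, protocol, port) in
    forwards to host_ip.  Rules and policies are numbered from first_rule so
    the output can follow rules already on the box; wan_match is the NAT
    rule's destination match (swap the catch-all for your public IP)."""
    ip = ipaddress.IPv4Address(host_ip)           # rejects malformed addresses
    ip_tag = str(ip).replace(".", "_") + "m32"    # dnat-192_168_150_99m32 style
    # One address-book entry per host; every policy below can reference it.
    cmds = [f"set security zones security-zone trust address-book address "
            f"{host_name} {ip}/32"]
    seen = set()
    for n, (app, proto, port) in enumerate(forwards, start=first_rule):
        if proto not in ("tcp", "udp"):
            raise ValueError(f"{app}: protocol must be tcp or udp")
        if not isinstance(port, int) or not 1 <= port <= 65535:
            raise ValueError(f"{app}: invalid port {port!r}")
        if (proto, port) in seen:                 # two apps on one port would clash
            raise ValueError(f"{app}: {proto}/{port} listed twice")
        seen.add((proto, port))
        pool = f"dnat-{ip_tag}-{port}"            # one pool per forwarded port
        nat = f"set security nat destination rule-set dst-nat rule rule{n}"
        pol = (f"set security policies from-zone untrust to-zone trust "
               f"policy untrust-to-trust{n}")
        cmds += [
            f"set applications application {app} protocol {proto}",
            f"set applications application {app} destination-port {port}",
            f"set security nat destination pool {pool} address {ip}/32",
            f"set security nat destination pool {pool} address port {port}",
            f"{nat} match destination-address {wan_match}",
            f"{nat} match destination-port {port}",
            f"{nat} then destination-nat pool {pool}",
            f"{pol} match source-address any",
            f"{pol} match destination-address {host_name}",
            f"{pol} match application {app}",
            f"{pol} then permit",
        ]
    return cmds


if __name__ == "__main__":
    # Constructed input: the post's qBittorrent forward plus a second port.
    fwds = [("qbtor", "tcp", 9497), ("plex", "tcp", 32400)]
    print("\n".join(port_forward_commands("sodapc", "192.168.150.99", fwds, 3)))
```

Paste the output into `configure` mode and `commit`; pass the number after your last existing rule as `first_rule` so names do not collide.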