[Config] Juniper SRX home LAN with dual AX411 wireless Access Points and source nat / dhcp untrust
Below is a simple config of an SRX 220 managing two Juniper AX411 Access points, performing source nat from trust (internal LAN) to untrust (internet). It permits all traffic from trust->untrust as well.
Hierarchical config:
## Last changed: 2013-04-19 16:27:21 UTC
version 11.4R7.5;
system {
host-name Andrei-SRX;
root-authentication {
encrypted-password "<SECRET DATA>"; ## SECRET-DATA
}
/* Resolvers used by the SRX itself (OpenDNS x2, Google); DHCP clients get their own list from the pools below. */
name-server {
208.67.222.222;
208.67.220.220;
8.8.8.8;
}
services {
/* NOTE(review): root-login allow, combined with ssh being listed in the untrust zone's host-inbound-traffic on ge-0/0/0.0, exposes direct root SSH on the internet-facing interface; prefer root-login deny plus a named login user. */
ssh {
root-login allow;
protocol-version v2;
}
/* NOTE(review): telnet and xnm-clear-text are cleartext management services; they are reachable only on interfaces whose host-inbound-traffic permits them (trust and management zones allow "all"), not on the untrust interface, but dropping them removes the risk entirely. */
telnet;
xnm-clear-text;
/* J-Web (HTTP and HTTPS) is bound to vlan.10 only, so it is not reachable from the untrust side. */
web-management {
http {
interface vlan.10;
}
https {
system-generated-certificate;
interface vlan.10;
}
}
dhcp {
/* Global default gateway for pools that do not set their own router. */
router {
192.168.1.1;
}
/* Client pool for the trust LAN (vlan.10). */
pool 192.168.1.0/24 {
address-range low 192.168.1.2 high 192.168.1.254;
/* NOTE(review): domain-name takes a DNS suffix, not a resolver address; the 10.0.0.1/28 pool below uses name-server 8.8.8.8, which is presumably what was meant here - confirm. */
domain-name 8.8.8.8;
router {
192.168.1.1;
}
propagate-settings vlan.10;
}
/* Small pool for the two AX411 access points on the untagged management VLAN (vlan.9). */
pool 10.0.0.1/28 {
address-range low 10.0.0.2 high 10.0.0.5;
name-server {
8.8.8.8;
}
router {
10.0.0.1;
}
propagate-settings vlan.9;
}
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
/* Login/authorization events are kept at info level, which is what an auditor wants for an SSH-exposed box. */
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
interfaces {
/* ge-0/0/1 and ge-0/0/2 feed the two AX411 APs: 802.1Q trunk carrying the trust VLAN tagged, with VLAN 9 (AP management) as the untagged native VLAN. */
interface-range WLAN {
member ge-0/0/1;
member ge-0/0/2;
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members [ vlan-10-trust vlan-9-mgmt ];
}
native-vlan-id 9;
}
}
}
/* Internet-facing port; address obtained via DHCP from the upstream provider. */
ge-0/0/0 {
unit 0 {
family inet {
dhcp;
}
}
}
/* ge-0/0/3 .. ge-0/0/7: access ports in the trust VLAN for wired LAN hosts. */
ge-0/0/3 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-10-trust;
}
}
}
}
ge-0/0/4 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-10-trust;
}
}
}
}
ge-0/0/5 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-10-trust;
}
}
}
}
ge-0/0/6 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-10-trust;
}
}
}
}
ge-0/0/7 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-10-trust;
}
}
}
}
/* Routed (L3) interfaces for the two VLANs; vlan.9 is the AP management gateway, vlan.10 the LAN gateway. */
vlan {
unit 9 {
family inet {
address 10.0.0.1/28;
}
}
unit 10 {
family inet {
/* NOTE(review): a /32 here gives the SRX no connected route for the 192.168.1.0/24 pool it hands out via DHCP; /24 is presumably intended - confirm. */
address 192.168.1.1/32;
}
}
}
}
security {
screen {
/* NOTE(review): this ids-option is defined but no security-zone applies it (there is no "screen untrust-screen" under the untrust zone below), so none of these checks are active on ge-0/0/0.0. */
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
/* Hide-NAT every trust source behind the untrust interface's (DHCP-assigned) address. */
source {
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
/* Outbound: everything from the LAN to the internet is permitted. */
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
/* NOTE(review): no destination or static NAT is configured in this file, so this inbound permit matches no through-traffic today; it is a standing any-to-any HTTP/HTTPS allow that would take effect as soon as a destination NAT is added. Remove it, or scope destination-address to the intended host, unless that is planned. */
from-zone untrust to-zone trust {
policy untrust-to-trust {
match {
source-address any;
destination-address any;
application [ junos-https junos-http ];
}
then {
permit;
}
}
}
/* Anything not matched above (including management <-> other zones) is dropped. */
default-policy {
deny-all;
}
}
zones {
/* LAN zone: the SRX accepts all services/protocols from LAN hosts on vlan.10. */
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.10;
}
}
/* Internet zone: dhcp/bootp are needed for the DHCP client on ge-0/0/0; ssh here exposes the SSH service (with root-login allow) to the internet - consider removing it or restricting root login. */
security-zone untrust {
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
ssh;
dhcp;
bootp;
}
}
}
}
}
/* AP management zone on vlan.9; no policies reference it, so with default-policy deny-all the APs can only talk to the SRX itself. */
security-zone management {
interfaces {
vlan.9 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
}
}
/* PoE off everywhere except the two AP ports; the per-interface stanzas presumably override "interface all disable" so ge-0/0/1 and ge-0/0/2 stay powered - confirm on the device. */
poe {
interface all {
disable;
}
interface ge-0/0/1 {
priority high;
}
interface ge-0/0/2 {
priority high;
}
}
/* Two AX411 access points, each with a 2.4 GHz (radio 2, bgn) and a 5 GHz (radio 1) radio broadcasting the same SSID into VLAN 10. */
wlan {
admin-authentication {
encrypted-password "<SECRET DATA>"; ## SECRET-DATA
}
/* APs are identified by their Ethernet MAC address. */
access-point AP1 {
mac-address 28:c1:da:d1:05:50;
access-point-options {
country {
NL;
}
}
radio 2 {
radio-options {
mode bgn;
}
virtual-access-point 0 {
ssid Andrei-SRX;
vlan 10;
security {
/* NOTE(review): "cipher-suites both" also admits TKIP alongside CCMP (AES); TKIP is deprecated and weakens WPA2, so CCMP-only is preferable unless a legacy client needs TKIP. Same setting is repeated on every radio below. */
wpa-personal {
wpa-version {
v2;
}
cipher-suites {
both;
}
key "<SECRET DATA>"; ## SECRET-DATA
broadcast-key-refresh-rate 20;
}
}
}
}
radio 1 {
radio-options {
mode 5GHz;
}
virtual-access-point 0 {
ssid Andrei-SRX;
vlan 10;
security {
wpa-personal {
wpa-version {
v2;
}
cipher-suites {
both;
}
key "<SECRET DATA>"; ## SECRET-DATA
broadcast-key-refresh-rate 20;
}
}
}
}
}
access-point AP2 {
mac-address 2c:6a:e5:14:72:10;
access-point-options {
country {
NL;
}
}
radio 2 {
radio-options {
mode bgn;
}
virtual-access-point 0 {
ssid Andrei-SRX;
vlan 10;
security {
wpa-personal {
wpa-version {
v2;
}
cipher-suites {
both;
}
key "<SECRET DATA>"; ## SECRET-DATA
broadcast-key-refresh-rate 20;
}
}
}
}
radio 1 {
radio-options {
mode 5GHz;
}
virtual-access-point 0 {
ssid Andrei-SRX;
vlan 10;
security {
wpa-personal {
wpa-version {
v2;
}
cipher-suites {
both;
}
key "<SECRET DATA>"; ## SECRET-DATA
broadcast-key-refresh-rate 20;
}
}
}
}
}
}
/* VLAN definitions bound to their routed interfaces: 10 = trust LAN (wired + wireless clients), 9 = untagged AP management. */
vlans {
vlan-10-trust {
vlan-id 10;
l3-interface vlan.10;
}
vlan-9-mgmt {
vlan-id 9;
l3-interface vlan.9;
}
}
Display set config
# Same configuration as the hierarchical listing above, in "display set" form.
set version 11.4R7.5
set system host-name Andrei-SRX
set system root-authentication encrypted-password "<SECRET DATA>"
set system name-server 208.67.222.222
set system name-server 208.67.220.220
set system name-server 8.8.8.8
# NOTE(review): root SSH login is allowed and ssh is permitted inbound on the untrust interface (see the security-zone untrust line below) - root SSH is reachable from the internet.
set system services ssh root-login allow
set system services ssh protocol-version v2
# NOTE(review): cleartext management services; only reachable from the trust/management zones (host-inbound "all"), not from untrust.
set system services telnet
set system services xnm-clear-text
set system services web-management http interface vlan.10
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.10
set system services dhcp router 192.168.1.1
set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.2
set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254
# NOTE(review): domain-name expects a DNS suffix; the 10.0.0.1/28 pool uses name-server 8.8.8.8, presumably the intent here too.
set system services dhcp pool 192.168.1.0/24 domain-name 8.8.8.8
set system services dhcp pool 192.168.1.0/24 router 192.168.1.1
set system services dhcp pool 192.168.1.0/24 propagate-settings vlan.10
set system services dhcp pool 10.0.0.1/28 address-range low 10.0.0.2
set system services dhcp pool 10.0.0.1/28 address-range high 10.0.0.5
set system services dhcp pool 10.0.0.1/28 name-server 8.8.8.8
set system services dhcp pool 10.0.0.1/28 router 10.0.0.1
set system services dhcp pool 10.0.0.1/28 propagate-settings vlan.9
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
# AP uplinks: trunk with VLAN 10 tagged and VLAN 9 (AP management) untagged.
set interfaces interface-range WLAN member ge-0/0/1
set interfaces interface-range WLAN member ge-0/0/2
set interfaces interface-range WLAN unit 0 family ethernet-switching port-mode trunk
set interfaces interface-range WLAN unit 0 family ethernet-switching vlan members vlan-10-trust
set interfaces interface-range WLAN unit 0 family ethernet-switching vlan members vlan-9-mgmt
set interfaces interface-range WLAN unit 0 family ethernet-switching native-vlan-id 9
set interfaces ge-0/0/0 unit 0 family inet dhcp
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members vlan-10-trust
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members vlan-10-trust
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members vlan-10-trust
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members vlan-10-trust
set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members vlan-10-trust
set interfaces vlan unit 9 family inet address 10.0.0.1/28
# NOTE(review): /32 leaves no connected route for the 192.168.1.0/24 DHCP pool; /24 is presumably intended - confirm.
set interfaces vlan unit 10 family inet address 192.168.1.1/32
# NOTE(review): untrust-screen is never attached to a zone (no "set security zones security-zone untrust screen untrust-screen"), so these checks are inactive.
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
# NOTE(review): with no destination NAT in this config this inbound permit matches nothing yet, but it is a standing any-to-any HTTP/HTTPS allow; scope or remove it.
set security policies from-zone untrust to-zone trust policy untrust-to-trust match source-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust match destination-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust match application junos-https
set security policies from-zone untrust to-zone trust policy untrust-to-trust match application junos-http
set security policies from-zone untrust to-zone trust policy untrust-to-trust then permit
set security policies default-policy deny-all
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.10
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services bootp
set security zones security-zone management interfaces vlan.9 host-inbound-traffic system-services all
set security zones security-zone management interfaces vlan.9 host-inbound-traffic protocols all
set poe interface all disable
set poe interface ge-0/0/1 priority high
set poe interface ge-0/0/2 priority high
set wlan admin-authentication encrypted-password "<SECRET DATA>"
set wlan access-point AP1 mac-address 28:c1:da:d1:05:50
set wlan access-point AP1 access-point-options country NL
set wlan access-point AP1 radio 2 radio-options mode bgn
set wlan access-point AP1 radio 2 virtual-access-point 0 ssid Andrei-SRX
set wlan access-point AP1 radio 2 virtual-access-point 0 vlan 10
set wlan access-point AP1 radio 2 virtual-access-point 0 security wpa-personal wpa-version v2
# NOTE(review): "both" admits deprecated TKIP next to CCMP on every radio below; CCMP-only is preferable unless a legacy client needs TKIP.
set wlan access-point AP1 radio 2 virtual-access-point 0 security wpa-personal cipher-suites both
set wlan access-point AP1 radio 2 virtual-access-point 0 security wpa-personal key "<SECRET DATA>"
set wlan access-point AP1 radio 2 virtual-access-point 0 security wpa-personal broadcast-key-refresh-rate 20
set wlan access-point AP1 radio 1 radio-options mode 5GHz
set wlan access-point AP1 radio 1 virtual-access-point 0 ssid Andrei-SRX
set wlan access-point AP1 radio 1 virtual-access-point 0 vlan 10
set wlan access-point AP1 radio 1 virtual-access-point 0 security wpa-personal wpa-version v2
set wlan access-point AP1 radio 1 virtual-access-point 0 security wpa-personal cipher-suites both
set wlan access-point AP1 radio 1 virtual-access-point 0 security wpa-personal key "<SECRET DATA>"
set wlan access-point AP1 radio 1 virtual-access-point 0 security wpa-personal broadcast-key-refresh-rate 20
set wlan access-point AP2 mac-address 2c:6a:e5:14:72:10
set wlan access-point AP2 access-point-options country NL
set wlan access-point AP2 radio 2 radio-options mode bgn
set wlan access-point AP2 radio 2 virtual-access-point 0 ssid Andrei-SRX
set wlan access-point AP2 radio 2 virtual-access-point 0 vlan 10
set wlan access-point AP2 radio 2 virtual-access-point 0 security wpa-personal wpa-version v2
set wlan access-point AP2 radio 2 virtual-access-point 0 security wpa-personal cipher-suites both
set wlan access-point AP2 radio 2 virtual-access-point 0 security wpa-personal key "<SECRET DATA>"
set wlan access-point AP2 radio 2 virtual-access-point 0 security wpa-personal broadcast-key-refresh-rate 20
set wlan access-point AP2 radio 1 radio-options mode 5GHz
set wlan access-point AP2 radio 1 virtual-access-point 0 ssid Andrei-SRX
set wlan access-point AP2 radio 1 virtual-access-point 0 vlan 10
set wlan access-point AP2 radio 1 virtual-access-point 0 security wpa-personal wpa-version v2
set wlan access-point AP2 radio 1 virtual-access-point 0 security wpa-personal cipher-suites both
set wlan access-point AP2 radio 1 virtual-access-point 0 security wpa-personal key "<SECRET DATA>"
set wlan access-point AP2 radio 1 virtual-access-point 0 security wpa-personal broadcast-key-refresh-rate 20
set vlans vlan-10-trust vlan-id 10
set vlans vlan-10-trust l3-interface vlan.10
set vlans vlan-9-mgmt vlan-id 9
set vlans vlan-9-mgmt l3-interface vlan.9
A little about the above:
- Interface ge-0/0/0 is the interface facing the internet and it belongs to the "untrust" security zone with only a handful of host-inbound system services allowed. It also uses DHCP to acquire an IP address.
- Interfaces ge-0/0/1 and ge-0/0/2 are configured for the AX411 APs (PoE enabled). Both are configured under "interface-range WLAN" instead of individually. They are both configured as trunks carrying VLAN 10 (trust VLAN) and VLAN 9 (management, untagged traffic between the SRX and the AX411s). I did not want to use the default VLAN here to avoid future problems.
- Both APs advertise the SSID and tag wireless clients' traffic with VLAN 10 towards the SRX.
- All traffic from trust zone to internet is allowed and source nat