Juniper SRX PPPoE configuration for RCS RDS provider in Romania
The Romanian ISP RCS-RDS provides a very good internet connection for residential users. In some cases this service runs over fiber to the home.
A Huawei modem/router/media converter is provided and configured as layer 2 device. This means that it will simply act as an ethernet switch, allowing the device behind it to perform PPPoE with ISP PPPoE server.
A Juniper SRX firewall can be configured as a PPPoE client, given the correct ppp-options as well as pppoe-options under the pp0 unit 0 logical interface.
Juniper SRX PPPoE configuration
Code:
[edit]
user@srx# show interfaces fe-0/0/0
unit 0 {
    encapsulation ppp-over-ether;
}
[edit]
user@srx# show interfaces pp0
unit 0 {
    ppp-options {
        pap {
            local-name BB23453453;
            local-password "$9$parolapppoerdsREehevM/9X7NbgoHqm3/C"; ## SECRET-DATA
            passive;
        }
    }
    pppoe-options {
        underlying-interface fe-0/0/0.0;
        idle-timeout 0;
        auto-reconnect 10;
        client;
    }
    family inet {
        mtu 1492;
        negotiate-address;
    }
}
The physical interface fe-0/0/0 (Fast Ethernet PIC 0, port 0) that carries the PPP traffic has to be configured with "ppp-over-ether" encapsulation under unit 0, and pp0 unit 0 references it as the underlying interface.
Now that the PPPoE interface is configured, the SRX needs a static route that points at it. Since pp0.0 is a point-to-point interface, the interface name itself can be used as the next hop. From the Junos documentation on juniper.net:
Quote:
next-hop address—Reach the next-hop routing device by specifying an IP address, an interface name, or an ISO network entity title (NET).
IPv4 or IPv6 address of the next hop to the destination, specified as:
IPv4 or IPv6 address of the next hop
Interface name (for point-to-point interfaces only)
address or interface-name to specify an IP address of a multipoint interface or an interface name of a point-to-point interface.
Code:
[edit]
user@srx# show routing-options
static {
    route 0.0.0.0/0 next-hop pp0.0;
}
The final step to allow the SRX to pass traffic through the PPPoE interface is to assign pp0.0 to a security zone; I use the default terminology "untrust" and allow traffic from the "trust" zone to "untrust".
Code:
[edit]
user@srx# show security zones security-zone untrust
host-inbound-traffic {
    system-services {
        ike;
        ssh;
    }
}
interfaces {
    pp0.0;
}
[edit]
user@srx# show security policies from-zone trust to-zone untrust
policy trust-to-untrust {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit;
    }
}
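The three steps above collected into set form, followed by the operational commands used to confirm that the session actually came up. This is an added example and not configuration from the original post: the account name BB00000000 and the string <pppoe-password> are placeholders (the post's own values are obfuscated), the interface and zone names are the post's, and the lines starting with ## are explanatory annotations rather than commands to paste.

```junos
## Added example (not from the original post). BB00000000 and
## <pppoe-password> are placeholders for the credentials supplied by the ISP.

## Step 1: the physical port carries PPPoE frames only
set interfaces fe-0/0/0 unit 0 encapsulation ppp-over-ether

## The logical PPPoE interface; the PAP credentials are what the ISP's
## PPPoE server checks, so they are the secret worth protecting here
set interfaces pp0 unit 0 ppp-options pap local-name BB00000000
set interfaces pp0 unit 0 ppp-options pap local-password "<pppoe-password>"
set interfaces pp0 unit 0 ppp-options pap passive
set interfaces pp0 unit 0 pppoe-options underlying-interface fe-0/0/0.0
set interfaces pp0 unit 0 pppoe-options idle-timeout 0
set interfaces pp0 unit 0 pppoe-options auto-reconnect 10
set interfaces pp0 unit 0 pppoe-options client
## 1500-byte Ethernet payload minus 6 bytes PPPoE header and 2 bytes PPP
## protocol field leaves 1492 bytes for IP
set interfaces pp0 unit 0 family inet mtu 1492
set interfaces pp0 unit 0 family inet negotiate-address

## Step 2: default route via the point-to-point interface name
set routing-options static route 0.0.0.0/0 next-hop pp0.0

## Step 3: pp0.0 in the untrust zone. Every system-service listed under
## host-inbound-traffic is reachable from the ISP side of the session.
set security zones security-zone untrust interfaces pp0.0
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit

## Validate the candidate configuration, then activate it
commit check
commit

## Operational checks: session state, negotiated address, route and zone
run show pppoe interfaces
run show interfaces pp0.0 terse
run show route 0.0.0.0/0
run show security zones untrust
```

`commit check` only validates the configuration syntax; it says nothing about whether the ISP accepted the PAP credentials. That is what `show pppoe interfaces` is for: the session has to reach the connected state and `show interfaces pp0.0 terse` has to show the negotiated address before the static route over pp0.0 becomes usable.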