📅 Posted 2017-06-25
So I figured I’d start to upgrade my home network and replace my aging Cisco SRP527W, which seems to be getting pretty flaky these days on the old WiFi.
The idea was to replace the SRP527W which was serving a bit of an all-in-one box with multiple boxes, with each doing one thing only.
My main objective was to keep the same set of functions, which are:
- ADSL modem, Annex M capable
- Wifi access point
- VOIP + Dial Gizmo for keeping that old rotary pulse-dial phone going
- … and a router I suppose!
Wifi was sorted. Ubiquiti has that covered, paired with a PoE switch.
VOIP… that’s still a work in progress. I don’t use the phone very much. So I’ll get on to that some time.
ADSL. Well I figured I’d like something rackmount, but the options are pretty thin on the ground. The Juniper SRX210 looked quite nice, with a mini-PIM module that gives the router an ADSL2+ Annex M modem. Sweet. Future upgrades could be a VDSL mini-PIM or even DOCSIS if cable is ever a thing (*cough* HFC over NBN anyone?)
So that was ordered and a few weeks later I had everything, including rack mount ears.
Boy, this one is difficult to configure!
I picked up a Juniper SRX210HE2-POE which has POE but hey I don’t think I’ll need to double up on that.
The rackmount ears “almost” fit but seem to be for the non-POE version, so the power supply doesn’t fit. It’s HUGE and 54V. Crazy.
Anyways, here’s the config after I spent about 4 nights trying different MTU settings. Turns out the PPPoE client in the SRX is pretty bad (maybe it’s the version of firmware?) but I was getting a lot of PADT packets coming back from the ISP with no attempt to authenticate. The thing would connect and drop within 5 seconds, continuously. Very annoying.
For some reason, I cannot find the PPP authentication in J-Web ANYWHERE so I went for a blind trial and uploaded the config.
It worked.
So the conclusion is: MTU of 1540 + PPPoA seemed to make it all sing and so here is my working config, for your viewing pleasure:
Last commit: 2017-06-24 13:52:02 UTC by root
version 12.1X44-D35.5;
system {
host-name srx210;
time-zone UTC;
root-authentication {
encrypted-password "//SNIP//";
}
name-server {
192.231.203.132;
192.231.203.3;
}
name-resolution {
no-resolve-on-input;
}
login {
user //SNIP// {
uid 2000;
class super-user;
authentication {
encrypted-password "//SNIP//";
}
}
}
services {
ssh;
telnet;
web-management {
http {
interface ge-0/0/0.0;
}
https {
system-generated-certificate;
interface ge-0/0/0.0;
}
session {
idle-timeout 60;
}
}
dhcp {
pool 10.0.0.0/24 {
address-range low 10.0.0.100 high 10.0.0.254;
default-lease-time 24800;
name-server {
192.231.203.132;
192.231.203.3;
}
router {
10.0.0.1;
}
}
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
ntp {
server 202.44.98.18;
server 202.44.98.42;
server 192.231.203.132;
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address 10.0.0.1/24;
}
}
}
at-1/0/0 {
mtu 1540;
encapsulation atm-pvc;
atm-options {
vpi 8;
}
dsl-options {
operating-mode auto;
}
unit 0 {
encapsulation atm-ppp-llc;
vci 8.35;
shaping {
ubr;
}
ppp-options {
chap {
default-chap-secret "//SNIP//";
local-name "//SNIP//";
passive;
}
}
family inet {
negotiate-address;
}
}
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop at-1/0/0.0;
}
}
protocols {
stp {
disable;
}
}
security {
flow {
tcp-mss {
all-tcp {
mss 1420;
}
}
}
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 10.0.0.0/24;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/0.0;
}
}
security-zone untrust {
screen untrust-screen;
host-inbound-traffic {
system-services {
ping;
traceroute;
}
}
interfaces {
at-1/0/0.0;
}
}
}
}
poe {
interface all;
}
This link helped a lot: http://forums.whirlpool.net.au/archive/1871230 - so a warm shoutout to the folk at Whirlpool.
I hope this helps other people in the future who wish to try a little bit of enterprise in the home.
Like this post? Subscribe to my RSS Feed or Buy me a coffee
Comments are closed