Juniper SRX Simple Internet Gateway Setup Guide

This guide was written for someone who wants to configure a Juniper SRX firewall as a simple home or business Internet gateway. You will need some tech savvy, since I have written the instructions for the CLI and not J-Web; doing it this way keeps the instructions short and to the point.

[Figure: SRX environment diagram]

General Configuration

These are things we need to take care of before getting too far into things.
set system host-name Internet_Gateway
set system root-authentication plain-text-password

#I like to have domain name services configured so the device can do name resolution, although this is not really needed and can be omitted.

set system name-server 8.8.8.8

#Set up a user other than root for administration; this is good practice, since root should never log in remotely.

set system login user admin uid 2000
set system login user admin class super-user
set system login user admin authentication plain-text-password

#For accurate date and time in logs, configure an NTP server; in my case I used a publicly available server.

set system ntp server 192.95.20.208

Interface Configuration

#This is our Internet-facing link; it will pull IP configuration via DHCP from our provider.

set interfaces ge-0/0/0 description Internet_Link
set interfaces ge-0/0/0 unit 0 family inet dhcp update-server

#I would like interfaces fe-0/0/2 to fe-0/0/7 to be members of VLAN 100 and behave like a switch.

set interfaces interface-range interface-trust member fe-0/0/2
set interfaces interface-range interface-trust member fe-0/0/3
set interfaces interface-range interface-trust member fe-0/0/4
set interfaces interface-range interface-trust member fe-0/0/5
set interfaces interface-range interface-trust member fe-0/0/6
set interfaces interface-range interface-trust member fe-0/0/7

#Family ethernet-switching lets the range of ports behave like a switch while belonging to vlan-trust, which is where they will find the gateway IP.

set interfaces interface-range interface-trust unit 0 family ethernet-switching vlan members vlan-trust

#This will be the gateway for the LAN devices on fe-0/0/2 to fe-0/0/7.

set interfaces vlan unit 100 family inet address 192.168.1.1/24

#Let's create vlan-trust and attach vlan.100, the L3 interface we created above.

set vlans vlan-trust vlan-id 100
set vlans vlan-trust l3-interface vlan.100

Test

To see if DHCP is working on ge-0/0/0, issue the following command; you should see IP information from your Internet Service Provider.
admin@Internet_Gateway> show system services dhcp client

Logical Interface name         ge-0/0/0.0
Hardware address        80:71:1f:b4:07:c0
Client status           bound
Address obtained        10.5.5.5
Update server           enabled
Lease obtained at       2013-05-08 19:14:06 UTC
Lease expires at        2013-05-08 23:14:06 UTC

DHCP options:
Name: server-identifier, Value: 10.5.5.254
Code: 1, Type: ip-address, Value: 255.255.255.0
Name: router, Value: [ 10.5.5.1 ]
Name: domain-name, Value: corp.test.com
Name: name-server, Value: [ 10.5.5.253 ]

LAN DHCP

Since we just finished configuring the LAN, we should set up DHCP to provide local addresses to devices in vlan-trust.

set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.50
set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.200
set system services dhcp pool 192.168.1.0/24 default-lease-time 3600
set system services dhcp pool 192.168.1.0/24 router 192.168.1.1

#The propagate-settings statement takes configuration from the DHCP client on ge-0/0/0 where not otherwise specified, most importantly the name-server, which changes from ISP to ISP; without it, name resolution on the LAN won't work.

set system services dhcp pool 192.168.1.0/24 propagate-settings ge-0/0/0.0

Test

Let's see if the PC(s) connected to ports fe-0/0/2 to fe-0/0/7 are getting DHCP leases.
admin@Internet_Gateway> show system services dhcp binding
IP address       Hardware address   Type     Lease expires at
192.168.1.50     32:aa:a7:5e:17:45  dynamic  2013-05-08 20:14:02 UTC

Security Zones

We are going to configure a zone for the LAN (trust) and one for the Internet (untrust).

set security zones security-zone untrust description "Internet Link - DHCP Configured"

#Note that we allow DHCP inbound, since the Internet-facing interface is a DHCP client.

set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp

#Allow any service/protocol to the internal interface (this should be safe in our case).

set security zones security-zone trust description "Local Area Network"
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all

#Attach vlan.100 to the trust zone.

set security zones security-zone trust interfaces vlan.100

Source NAT

Since 192.168.1.0/24 is private and won't be routed on the Internet, we need to source NAT this internal subnet to our Internet-facing egress interface.
set security nat source rule-set internal-to-internet description "NAT anything from trust zone to untrust (LAN to Internet)"

set security nat source rule-set internal-to-internet from zone trust
set security nat source rule-set internal-to-internet to zone untrust
set security nat source rule-set internal-to-internet rule internet-access match source-address 0.0.0.0/0
set security nat source rule-set internal-to-internet rule internet-access match destination-address 0.0.0.0/0
set security nat source rule-set internal-to-internet rule internet-access then source-nat interface

Policies

Allow anything from trust to untrust (LAN to Internet). Since there is an implicit deny by default, traffic in the other direction, from untrust to trust, is automatically dropped and does not need a policy.

set security policies from-zone trust to-zone untrust policy defaul-permit match source-address any
set security policies from-zone trust to-zone untrust policy defaul-permit match destination-address any
set security policies from-zone trust to-zone untrust policy defaul-permit match application any
set security policies from-zone trust to-zone untrust policy defaul-permit then permit

Management

This is a simple Internet gateway, so let's enable SSH and HTTPS access from the inside LAN only. HTTPS is bound to vlan.100 explicitly; SSH stays LAN-only because the untrust zone's host-inbound-traffic permits nothing but DHCP.

set system services ssh protocol-version v2
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.100

Full Configuration

For those who would just like to copy and paste the entire configuration into the SRX.

set system host-name Serenity
set system root-authentication encrypted-password "$1$QgzUP4DH$dbmMYIKqw.I0b2KSIK1gB0"
set system name-server 8.8.8.8
set system login user lleroux uid 2000
set system login user lleroux class super-user
set system login user lleroux authentication encrypted-password "$1$FKKuZxhz$j0Yu8AYMW0x4JbH0CxkVZ1"
set system services ssh protocol-version v2
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.100
set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.50
set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.200
set system services dhcp pool 192.168.1.0/24 default-lease-time 3600
set system services dhcp pool 192.168.1.0/24 router 192.168.1.1
set system services dhcp pool 192.168.1.0/24 propagate-settings ge-0/0/0.0
set system ntp server 192.95.20.208
set interfaces interface-range interface-trust member fe-0/0/2
set interfaces interface-range interface-trust member fe-0/0/3
set interfaces interface-range interface-trust member fe-0/0/4
set interfaces interface-range interface-trust member fe-0/0/5
set interfaces interface-range interface-trust member fe-0/0/6
set interfaces interface-range interface-trust member fe-0/0/7
set interfaces interface-range interface-trust unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/0 description Internet_Link
set interfaces ge-0/0/0 unit 0 family inet dhcp update-server
set interfaces vlan unit 100 family inet address 192.168.1.1/24
set security nat source rule-set internal-to-internet description "NAT anything from trust zone to untrust (LAN to Internet)"
set security nat source rule-set internal-to-internet from zone trust
set security nat source rule-set internal-to-internet to zone untrust
set security nat source rule-set internal-to-internet rule internet-access match source-address 0.0.0.0/0
set security nat source rule-set internal-to-internet rule internet-access match destination-address 0.0.0.0/0
set security nat source rule-set internal-to-internet rule internet-access then source-nat interface
set security policies from-zone trust to-zone untrust policy defaul-permit match source-address any
set security policies from-zone trust to-zone untrust policy defaul-permit match destination-address any
set security policies from-zone trust to-zone untrust policy defaul-permit match application any
set security policies from-zone trust to-zone untrust policy defaul-permit then permit
set security zones security-zone untrust description "Internet Link - DHCP Configured"
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone trust description "Local Area Network"
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.100
set vlans vlan-trust vlan-id 100
set vlans vlan-trust l3-interface vlan.100

3 thoughts on "Juniper SRX Simple Internet Gateway Setup Guide"

  1. Ayman Mosaad

    Hi Thuong, I was configuring my SRX 300 as an Internet gateway for my home network and, as I was following the steps explained above, I got this error:

    admin@Internet_Gateway# set vlans vlan-trust l3-interface vlan.100
    error: l3-interface: ‘vlan.100’: Only IRB interface is supported, e.g. irb.10

    Could you please help me solve this error? Should I just use irb.100 instead of vlan.100?
    Thank you
    Ayman

    1. thuongnguyen Post author

      Hello,

      I would like to inform you that starting from version 15.1X+ the vlan interface is no longer supported on SRX, and instead the irb interface is used for the same purpose.
      You can use the following online converter tool to convert the configuration from the old configuration to the new supported configuration.

      https://www.juniper.net/customers/support/configtools/elstranslator/index.jsp

      You need to use the irb interface in a zone for allowing the host-inbound traffic.

      Also, when you configure a device as an Ethernet switch, the mode changes to mixed mode, and during commit a warning will be seen for a reboot, so you need to also reboot the SRX for this configuration to take effect.

      If nothing from the above works, then refer to the following document, which is for EX series devices but will be the same for the SRX 320 device.

      Thanks,
      Thuong Nguyen

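For readers who hit the same "Only IRB interface is supported" error, here is the trust-side part of the guide's configuration rewritten in the ELS (irb) syntax the reply refers to. This is an added translation, not the author's text or the output of Juniper's converter; it assumes the same VLAN id, gateway address and port names as the guide (an SRX300 series box actually numbers its ports ge-0/0/x, so adjust the member-range accordingly).

```junos
# ELS/irb equivalent of the guide's vlan.100 lines (added example, assumptions as above)
set interfaces interface-range interface-trust member-range fe-0/0/2 to fe-0/0/7
set interfaces interface-range interface-trust unit 0 family ethernet-switching interface-mode access
set interfaces interface-range interface-trust unit 0 family ethernet-switching vlan members vlan-trust
# The L3 gateway lives on irb.100 instead of vlan.100
set interfaces irb unit 100 family inet address 192.168.1.1/24
set vlans vlan-trust vlan-id 100
set vlans vlan-trust l3-interface irb.100
# Every later reference to vlan.100 changes with it: the trust zone and HTTPS management
set security zones security-zone trust interfaces irb.100
set system services web-management https interface irb.100
```

As the reply notes, the first commit that turns on Ethernet switching asks for a reboot, so expect that before the irb interface comes up.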
