SRX 300 Juniper Firewall

I have done some lab testing for the firewall but I did not manage to get internet from it. From the device itself I can ping anything, but once I connect it to the switch and directly connect my laptop, it does not provide internet. I suspect it is a NAT policy, but correct me if I am wrong. Feel free to let me know if there is some fine tuning that I need to do. Thank you.

This will be the link for my configuration in the firewall.

https://pastebin.com/Aa63A1xQ

You’ve created one security zone per VLAN. This might be what you want, but it probably isn’t. A basic branch firewall setup will usually only have three or four zones:

  • Internal: Internal users and services. This can be wired/wireless users, remote VPN users, or on-prem servers. You can use the default trust zone for this.
  • External: The Internet. You can use the default untrust zone for this.
  • DMZ: Any internal servers you want to be accessible from the Internet via static NAT rules.
  • Guest: If you have guest networks, whether wired or wireless.

Traffic from one zone to another is dropped by default. You have to configure explicit rules allowing it for each zone pair. So in the above model you would need to configure rules for from-zone trust to-zone untrust, from-zone guest to-zone untrust, from-zone dmz to-zone untrust and from-zone untrust to-zone dmz. This is in addition to NAT rules.

I would also not allow all host-inbound-services from all of the internal zones. Do that for trust, but then only allow dmz and guest to ping and traceroute (and dhcp if necessary).

security {
    policies {
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone dmz to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone guest to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone dmz {
            policy permit-web {
                match {
                    source-address any;
                    destination-address WEBSERVER;
                    application [ http https ];
                }
                then {
                    permit;
                }
            }
            policy default-deny {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
    }
}

The most likely cause is a VLAN misalignment / port tagging issue on the connected switch.

Assuming you have plugged the laptop into ge-0/0/2 but have the switch connected to ge-0/0/1, try setting the native VLAN on ge-0/0/1 to vlan-trust.

One issue might be you don’t have an interface specified in your trust zone.

You probably need to put your uplink and downlink ports into security zones and then allow traffic between those zones.

Not sure if anyone said this yet - you do not have any interfaces in the trusted zone. You need a policy from office to untrust as well.

Also a quick note on your 300: do yourself a favor and plug a USB into it and request a slice to that USB. It’ll save your ass once the internal flash on the SRX-300 goes bad.

Sorry for the delay. Yes, you can have all your VLANs in one zone and you can route between them.

Your policies are fine. There are a couple of things to note:

  1. All VLANs can access the Internet.
  2. vlan3 can access vlan1.
  3. vlan1 can access all VLANs except vlan4 and vlan11.
  4. vlans 5-19 can access vlans 1 and 3.

Take care which VLAN you are pinging from.

Based on my configuration, is there any issue with it? For the switch, port 1 is my uplink to the firewall. DHCP seems to be fine, I just did not get internet.

Meaning I have to declare the interface VLAN to untrust, correct? Because I have multiple VLANs and I cannot put them in one zone.

Yup, I believe this is the reason why I don't have internet access. So I need to declare every VLAN to untrust, correct?

I will try this tomorrow. Is it okay if I keep you updated about my work? I just need feedback from your expertise on Juniper firewalls.

I am able to ping the PC on the same VLAN but not the PC on a different VLAN. I can ping the other VLAN's gateway but not the PC connected to it. Do you mind helping me in this case? I believe it has something to do with NAT and also static routing.

https://pastebin.com/18bjhbHr

Yup, the list you just mentioned is correct. It is a requirement from my client. Is my method good enough for this inter-VLAN routing?

Also, I had to turn my PC firewalls off to test the config.

DHCP seems to be fine, I just did not get internet.

So you are connecting a laptop to the switch, and it's getting an IP in the range 172.16.88.100-172.16.88.200?

Can you ping the IRB (172.16.88.1)?

Can you ping an internet address? If you can ping an internet address it might be the MSS.

Based on my configuration, is there any issue with it?

You have set all system services / protocols as enabled; generally you want this to be just DHCP / ping:

host-inbound-traffic {
    system-services {
        dhcp;
        ping;
    }
}

On the NAT rule you have the source IP as “vlan1”, but this matches the from-zone. I'm not sure if this is wrong, but it's unnecessary; equally, you shouldn't need to specify the destination.

rule-set office-to-untrust {
    from zone Office;
    to zone untrust;
    rule office-to-untrust {
        match {
            source-address 0.0.0.0/0;
        }
        then {
            source-nat {
                interface;
            }
        }
    }
}

In the DHCP settings (e.g. Office_Pool) you have

propagate-settings irb.1;

This is, in effect, propagating DHCP settings from irb.1 to irb.1. This setting is used to take the DHCP options from one interface and push them to another. So for instance, if you are getting the DNS servers from the firewall/modem on ge-0/0/0, then you can use propagate-settings ge-0/0/0.0 to push them to irb.1 clients.

EDIT
Also, you need a policy to allow Office traffic to untrusted:

policies {
    from-zone Office to-zone untrust {
        policy Office-to-untrust {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
}

Yeah, every VLAN (irb) needs to be in a zone, plus a policy, to get out to the internet. You can also use a global policy instead. Here is a link for you
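Pulling the thread's advice (zone membership for the irb, restricted host-inbound-traffic, interface source NAT without source/destination narrowing, an explicit Office-to-untrust policy, and propagate-settings taken from the WAN interface) into one place, as an added example that is not the OP's pastebin config and not Juniper's documentation. The Office zone, irb.1, ge-0/0/0 and the 172.16.88.0/24 addressing and pool range come from the thread; vlan-id 1, the trunk on ge-0/0/1 and the DHCP router option are assumptions.

```junos
# Constructed example in set format; vlan-id 1 and ge-0/0/1 as the switch trunk are assumed
set interfaces ge-0/0/0 unit 0 family inet dhcp
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan1
set interfaces irb unit 1 family inet address 172.16.88.1/24
set vlans vlan1 vlan-id 1
set vlans vlan1 l3-interface irb.1

# Every irb must sit in a zone; clients only need dhcp and ping towards the gateway
set security zones security-zone Office interfaces irb.1 host-inbound-traffic system-services dhcp
set security zones security-zone Office interfaces irb.1 host-inbound-traffic system-services ping
# WAN side in untrust; dhcp is allowed inbound only because the address comes from the modem
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp

# Source NAT to the untrust interface address; the zones already scope the rule-set
set security nat source rule-set office-to-untrust from zone Office
set security nat source rule-set office-to-untrust to zone untrust
set security nat source rule-set office-to-untrust rule office-to-untrust match source-address 0.0.0.0/0
set security nat source rule-set office-to-untrust rule office-to-untrust then source-nat interface

# Inter-zone traffic is dropped until a policy permits it
set security policies from-zone Office to-zone untrust policy Office-to-untrust match source-address any
set security policies from-zone Office to-zone untrust policy Office-to-untrust match destination-address any
set security policies from-zone Office to-zone untrust policy Office-to-untrust match application any
set security policies from-zone Office to-zone untrust policy Office-to-untrust then permit

# DHCP pool for the Office VLAN; options are propagated from the WAN lease, not from irb.1 itself
set access address-assignment pool Office_Pool family inet network 172.16.88.0/24
set access address-assignment pool Office_Pool family inet range r1 low 172.16.88.100
set access address-assignment pool Office_Pool family inet range r1 high 172.16.88.200
set access address-assignment pool Office_Pool family inet dhcp-attributes router 172.16.88.1
set access address-assignment pool Office_Pool family inet dhcp-attributes propagate-settings ge-0/0/0.0
set system services dhcp-local-server group office interface irb.1
```

Repeat the zone, NAT rule-set and policy lines for each additional irb (or put several irbs in the same zone, as the thread notes); a second VLAN needs only its own irb, vlans entry and DHCP pool.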

That’s fine, I was checking. The config worked in my lab.

Can you ping the IRB (172.16.88.1)?

Yes, I can ping the IRB but not the internet IP. I believe this is because of my configuration on the zone part.

propagate-settings irb.1;

I will change everything to ge-0/0/0.0. Thank you for the advice.

host-inbound-traffic {
    system-services {
        dhcp;
        ping;
    }
}

Yup, this one is just for testing purposes. Will do it later.

policies {
    from-zone Office to-zone untrust {
        policy Office-to-untrust {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
}

I believe for this configuration, I will need to specify all the VLANs (1-12) to zone untrust to get internet, correct?

Example: from-zone (vlan) to-zone untrust