Posts Tagged ‘networking’

Getting started with Juniper SRX platform [en]

Friday, January 6th, 2017

I started playing with the Juniper SRX platform a few months ago. I got an SRX220 on loan from Rafael and I bought an SRX100 for my experiments. The JunOS operating system installed on these boxes is heavily based on FreeBSD, so we are in familiar Unix-land. This is going to be fun. 🙂

I have access to lab documentation, but I will not reproduce the setup from the books exactly: there will be some adaptations (mainly to port numbering) to fit my lab, since I will work on these devices from a remote location and will not enjoy 100% physical access during my exercises. To make matters even more interesting, I still have my old ADSL connection, which will be used as a separate internet access.

The default configuration is a simple NATing firewall/router, similar to what you would expect from a stock OpenWRT installation. There is a web interface, but I will ignore it, so let's dig out the Cisco serial cable and connect to the console port.

Configuring the SRXes over the serial port is nice, but serial ports are available only in limited quantity on my Terminator server, so we will start by setting up the devices for more convenient ssh access from my home network. The config statements allow comments: they start with the character '#', and the commands below are peppered with them, so you can copy-paste large blocks of text at once.

We will start with the SRX100: the management network is plugged into port 7 of the firewall (fe-0/0/7).

# Set the root password (REQUIRED: Junos refuses to commit a configuration without one)
set system root-authentication plain-text-password

# Validate the candidate configuration before going further
commit check

# Remove the interface from the factory-default switched VLAN (family ethernet-switching)
# so that it can carry its own IP address
delete interfaces fe-0/0/7 unit 0

# Add the ssh public key for root
set system root-authentication ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC98TAUD9PPuzRj5uyHWlxZiXGLm1JI7T2hPNwmW9pU5V/guoJ90VTNQ7lugEoX8HYxB7JC0/RA5ogJBkhcQHIAMIGT6yM7F2zzVv9LadbiMU0KrB2dZVmPKKxi49uqqj+d8zIWTbm4tLf7xdF42kr7c2AUl1kYzaD1ymlAXSavvHTg7y/h2/mZ36F7WZmVwa7Q6iI5Vuca66lauwGgl1ETS2lwneQn+CWDZFMSFDT9TmphR8mpISi8063oTwvvHa/t0bpeQnKltg1iqM2YGTlIGTgXuEWsiAARfF96zhOUAXseA9WHeCTDUITmycFau4+ILxVH47Z6oC11W52BtwIf frederic@pekko"

# Set the management IP address
set interfaces fe-0/0/7 unit 0 family inet address 192.168.4.60/26

# Put the interface into a dedicated mgmt zone and allow the management services on it.
# Only services listed here are accepted by the box itself on this interface.
# http is plaintext and only needed for the J-Web interface we are ignoring: ssh and https are enough.
set security zones security-zone mgmt interfaces fe-0/0/7.0 host-inbound-traffic system-services http
set security zones security-zone mgmt interfaces fe-0/0/7.0 host-inbound-traffic system-services https
set security zones security-zone mgmt interfaces fe-0/0/7.0 host-inbound-traffic system-services ssh
set security zones security-zone mgmt interfaces fe-0/0/7.0 host-inbound-traffic system-services ping

# Save (activate) the changes
commit
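As an added check that is not part of the original post: a small Python audit of the host-inbound-traffic statements. It parses set-style statements like the ones above (the sample embeds the mgmt zone lines from this post plus one constructed untrust line, a hypothetical addition so the audit has something to flag) and reports plaintext management protocols, management services reachable from an internet-facing zone, and the "all" wildcard. The zone name untrust and the service lists are assumptions, not Junos defaults.

```python
import re
from collections import defaultdict

# Constructed sample: the management statements from this post, plus one
# hypothetical line exposing J-Web on the internet-facing zone (assumed to be
# named "untrust" and to contain pp0.0) so the audit has something to report.
SAMPLE_CONFIG = """\
set system root-authentication plain-text-password
set interfaces fe-0/0/7 unit 0 family inet address 192.168.4.60/26
set security zones security-zone mgmt interfaces fe-0/0/7.0 host-inbound-traffic system-services http
set security zones security-zone mgmt interfaces fe-0/0/7.0 host-inbound-traffic system-services https
set security zones security-zone mgmt interfaces fe-0/0/7.0 host-inbound-traffic system-services ssh
set security zones security-zone mgmt interfaces fe-0/0/7.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces pp0.0 host-inbound-traffic system-services http
"""

# Zone-wide statements (no "interfaces X") apply to every interface of the zone.
ZONE_RE = re.compile(
    r"^set security zones security-zone (\S+) "
    r"(?:interfaces (\S+) )?host-inbound-traffic system-services (\S+)$"
)

# Service classes used by the audit (assumptions for this example).
PLAINTEXT = {"http", "telnet", "ftp", "finger"}          # credentials travel in the clear
MANAGEMENT = {"ssh", "https", "http", "telnet", "netconf", "ftp", "xnm-clear-text", "xnm-ssl"}
INTERNET_ZONES = {"untrust"}                              # zones assumed to face the internet


def parse_inbound_services(config):
    """Map zone -> interface -> set of allowed host-inbound system-services.

    Statements without an explicit interface are recorded under '*'.
    """
    zones = defaultdict(lambda: defaultdict(set))
    for line in config.splitlines():
        match = ZONE_RE.match(line.strip())
        if match:
            zone, iface, service = match.groups()
            zones[zone][iface or "*"].add(service)
    return zones


def audit(config, internet_zones=INTERNET_ZONES):
    """Return a sorted list of findings as (zone, interface, service, reason)."""
    findings = []
    for zone, ifaces in parse_inbound_services(config).items():
        for iface, services in ifaces.items():
            for svc in sorted(services):
                if svc == "all":
                    findings.append((zone, iface, svc, "all system services allowed"))
                if svc in PLAINTEXT:
                    findings.append((zone, iface, svc, "plaintext management protocol"))
                if zone in internet_zones and (svc in MANAGEMENT or svc == "all"):
                    findings.append((zone, iface, svc, "management service reachable from the internet"))
    return sorted(findings)


if __name__ == "__main__":
    for zone, iface, svc, reason in audit(SAMPLE_CONFIG):
        print(f"{zone:<10} {iface:<12} {svc:<8} {reason}")
```

Feed it the output of "show configuration | display set" from the box; the mgmt zone above produces exactly one finding, the plaintext http service, which disappears once that statement is deleted.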

From now on, ssh is available and we can disconnect the serial interface. It won't be needed for the rest of the experiments unless we have to move the management interface to another port. Now, let's set up PPPoE:

# Use fe-0/0/0 as the physical PPPoE interface. If the factory configuration still has
# "family inet dhcp" on fe-0/0/0.0, delete it first: a unit with PPPoE encapsulation
# cannot also carry an inet family.
set interfaces fe-0/0/0 unit 0 encapsulation ppp-over-ether
# CHAP credentials from the ISP. Junos stores the secret in reversibly obfuscated ($9$) form,
# so treat configuration backups as sensitive.
set interfaces pp0 unit 0 ppp-options chap local-name <YOUR_USERNAME>
set interfaces pp0 unit 0 ppp-options chap default-chap-secret <YOUR_PASSWORD>
# pp0.0 is the logical PPPoE interface riding on fe-0/0/0.0, acting as the client
set interfaces pp0 unit 0 pppoe-options underlying-interface fe-0/0/0.0
set interfaces pp0 unit 0 pppoe-options client
# When using PPPoE, always set the MTU to 1492: 1500 minus 6 bytes of PPPoE header
# and 2 bytes of PPP protocol ID
set interfaces pp0 unit 0 family inet mtu 1492
# Take the address the ISP assigns through IPCP
set interfaces pp0 unit 0 family inet negotiate-address
# Explicitly use the PPPoE interface as the default route
set routing-options static route 0.0.0.0/0 next-hop pp0.0 metric 0
commit
# Note: pp0.0 is not in any security zone yet, so the SRX will not forward traffic
# through it until it is added to one (typically untrust) with matching NAT and policies.

At this point, the PPPoE session should be established. Let's check (the run prefix executes an operational command from configuration mode):

run show interfaces terse

Interface               Admin Link Proto    Local                 Remote
...
pimd                    up    up
pime                    up    up
pp0                     up    up
pp0.0                   up    up   inet     62.235.222.80     --> 62.235.222.1
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    up
vlan.0                  up    up   inet     192.168.1.1/24
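As an added example (not from the original post), here is a Python parser for the terse listing above together with a check that pp0.0 is up and has negotiated a public IPv4 address, which is the condition the listing is meant to show. The second listing, with the PPPoE link down and an inet6 continuation line, is constructed to exercise the failure path; the requirement that the address is neither RFC 1918 nor carrier-grade NAT space (100.64.0.0/10) is this example's own definition of "an address from the ISP".

```python
import ipaddress

# Output of "run show interfaces terse" as shown above (earlier interfaces snipped).
TERSE_UP = """\
Interface               Admin Link Proto    Local                 Remote
pimd                    up    up
pime                    up    up
pp0                     up    up
pp0.0                   up    up   inet     62.235.222.80     --> 62.235.222.1
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    up
vlan.0                  up    up   inet     192.168.1.1/24
"""

# Constructed sample (not from the page): PPPoE negotiation failed, so pp0.0 has
# no address and the link stays down; vlan.0 shows an indented inet6 continuation line.
TERSE_DOWN = """\
Interface               Admin Link Proto    Local                 Remote
pp0                     up    up
pp0.0                   up    down
vlan.0                  up    up   inet     192.168.1.1/24
                                   inet6    fe80::21d:b5ff:fe1c:7e80/64
"""

CGNAT = ipaddress.ip_network("100.64.0.0/10")   # RFC 6598 shared address space


def parse_terse(text):
    """Parse 'show interfaces terse' into {name: {'admin', 'link', 'addrs'}}.

    'addrs' is a list of (proto, local, remote) tuples. Indented lines are
    continuations (another protocol family on the previous interface).
    """
    ifaces = {}
    current = None
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "Interface":
            continue
        if line[0].isspace():                      # continuation: proto local [--> remote]
            if current is None:
                continue
            proto = fields[0]
            local = fields[1] if len(fields) > 1 else None
        else:
            if len(fields) < 3:
                continue
            name, admin, link = fields[:3]
            current = ifaces.setdefault(name, {"admin": admin, "link": link, "addrs": []})
            if len(fields) < 4:                    # no protocol family on this line
                continue
            proto = fields[3]
            local = fields[4] if len(fields) > 4 else None
        remote = None
        if "-->" in fields:
            idx = fields.index("-->")
            remote = fields[idx + 1] if idx + 1 < len(fields) else None
        current["addrs"].append((proto, local, remote))
    return ifaces


def check_pppoe(ifaces, name="pp0.0"):
    """Return (ok, reason): ok when the PPPoE unit is up with a public IPv4 address and a peer."""
    entry = ifaces.get(name)
    if entry is None:
        return False, f"{name} not present"
    if entry["admin"] != "up" or entry["link"] != "up":
        return False, f"{name} is admin {entry['admin']} / link {entry['link']}"
    for proto, local, remote in entry["addrs"]:
        if proto != "inet" or local is None:
            continue
        addr = ipaddress.ip_address(local.split("/")[0])
        if addr.is_private or addr in CGNAT:
            return False, f"{name} got non-public address {addr}"
        if remote is None:
            return False, f"{name} has {addr} but no peer address"
        return True, f"{name} up with public address {addr} (peer {remote})"
    return False, f"{name} is up but has no IPv4 address (IPCP not done)"


if __name__ == "__main__":
    print(check_pppoe(parse_terse(TERSE_UP)))
    print(check_pppoe(parse_terse(TERSE_DOWN)))
```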

This looks good! We have an IP address from our ISP! Now let's tackle the SRX220…


About the random downtime [fr]

Sunday, December 13th, 2009

You might have noticed that this server is unreachable at times.

This problem is well known: the server simply runs out of RAM.
With 256 MiB of RAM, the server quickly hits swap, the system load climbs and the machine keeps thrashing until the OOM killer comes into play and happily kills processes.

This will soon come to an end: I recently got a new server with 2 GiB of RAM (w00T !!) and I am now busy preparing it carefully.

Please be patient… 🙂

Soekris Net4801 review [fr]

Sunday, November 8th, 2009

I have been using the Soekris Net4801 for a few years, and here are my impressions.

The good

  • This computer is small, power efficient, reliable and hacker-friendly.
  • It has just the hardware needed to make a decent router out of the box, and a little more.
  • It comes with a serial console, which makes configuration easy.
  • The BIOS can be set up, upgraded and flashed from the serial port.
  • It has GPIOs if you want to add custom hardware.
  • Bootable compact flash slot: lets you build a router with no moving parts.
  • If compact flash does not meet your needs, there is an optional bracket and cable to plug in an IDE laptop hard disk.
  • One PCI slot and one mini-PCI slot for extensions such as a WiFi card.

The bad

  • This machine is underpowered: ask a little more of it than routing (file serving, playing MP3s, an IMAP server, ...) and performance goes straight down the toilet; you end up waiting... waiting... waiting...
  • Lack of USB ports: there is only one USB 1.0 port on the machine, which limits its potential.
  • The CF card slot is on the same IDE bus as the hard disk: if you want to use both, make sure the hard disk is configured as the slave device. You might also want to test several compact flash cards for compatibility: many CF cards have a buggy IDE/ATA implementation that will cause you headaches.

This machine should not be used as a file server because of its poor disk I/O performance, even with DMA enabled. I would like to see a similar design with an Intel Atom CPU, a decent chipset and four USB 2.0 ports; that would be a killer home server appliance.

Where to buy (Europe)

I bought my board from Wim Vandeputte. He is reliable and is present at every event related to the free software movement.

Windows and IPv6 [fr]

Sunday, October 11th, 2009

This is something really nice about Windows that few people know about: anybody with a recent enough copy of Windows has an IPv6-ready network stack.

Windows XP

The IPv6 stack is not installed by default, but it is very easy to enable: open a command prompt as administrator (Start -> Run, cmd), then run the following command:

netsh interface ipv6 install

If you already have an IPv6-enabled network

(unlikely if you're behind a consumer-grade router)
Windows will automatically build a usable address from the prefix advertised by the router and the MAC address of the selected interface (stateless address autoconfiguration). Since the interface identifier is derived from the MAC address, anyone who sees the address can read the MAC back out of it.

If you're behind a NAT box/router

Type the following command to enable Teredo tunnelling. Keep in mind that Teredo gives the host a globally reachable IPv6 address that passes through the NAT box, so the host firewall, not the NAT, is what protects it from inbound IPv6 traffic.

netsh interface ipv6 set teredo client

Windows Vista and up

You don't have to do anything: everything described here is (finally) enabled by default!

Type ipconfig at any time to check your network configuration: a usable public (global unicast) address will usually start with 2001:. Note that a Teredo address also starts with 2001:0:, so look at which adapter the address belongs to; a Teredo address shows up under the Teredo tunneling pseudo-interface.
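As an added example, not part of the original post, here is a Python script that does the classification the last paragraph describes by hand: it pulls the IPv6 addresses out of ipconfig output, tells global, Teredo, 6to4, unique-local and link-local addresses apart by prefix, recovers the MAC address from an EUI-64 interface identifier (the autoconfigured address case above) and decodes a Teredo address into the Teredo server, the client's public IPv4 address and its NAT-mapped UDP port (RFC 4380 layout). The ipconfig text is constructed in the shape of English Windows output; the prefixes (2001:db8::/32 is the documentation range, standing in for a real allocation) and the Teredo server and client values are made up.

```python
import ipaddress
import re

# Constructed sample in the shape of English "ipconfig" output: an autoconfigured
# (EUI-64) address from a router, plus a Teredo adapter. All values are invented.
IPCONFIG_SAMPLE = """\
Ethernet adapter Local Area Connection:

   IP Address. . . . . . . . . . . . : 192.168.1.10
   IPv6 Address. . . . . . . . . . . : 2001:db8:1234:5678:20c:29ff:fe4e:1234
   Link-local IPv6 Address . . . . . : fe80::20c:29ff:fe4e:1234%4

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   IPv6 Address. . . . . . . . . . . : 2001:0:4136:e378:8000:63bf:3fff:fdd2
   Link-local IPv6 Address . . . . . : fe80::ffff:ffff:fffd%5
"""

TEREDO = ipaddress.IPv6Network("2001::/32")       # RFC 4380
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")  # RFC 3056
ULA = ipaddress.IPv6Network("fc00::/7")           # RFC 4193
GLOBAL = ipaddress.IPv6Network("2000::/3")        # global unicast

# Matches the "IPv6 Address . . . : <addr>" lines; the %zone suffix is dropped.
ADDR_RE = re.compile(r"IPv6 Address[ .]*:\s*([0-9A-Fa-f:]+)(?:%\d+)?")


def extract_ipv6(text):
    """Return every IPv6 address found in ipconfig output, zone IDs stripped."""
    return [m.group(1) for m in ADDR_RE.finditer(text)]


def classify(addr):
    """Name the kind of address; Teredo and 6to4 are tested before the wider 2000::/3."""
    ip = ipaddress.IPv6Address(addr)
    if ip in TEREDO:
        return "teredo"
    if ip in SIX_TO_FOUR:
        return "6to4"
    if ip in GLOBAL:
        return "global"
    if ip in ULA:
        return "unique-local"
    if ip.is_link_local:
        return "link-local"
    return "other"


def decode_teredo(addr):
    """Return (server IPv4, client public IPv4, client mapped UDP port) of a Teredo address.

    RFC 4380 layout: 32-bit prefix, 32-bit server address, 16-bit flags, 16-bit
    port and 32-bit client address; port and client are stored XORed with all ones.
    """
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO:
        raise ValueError(f"{addr} is not a Teredo address")
    packed = ip.packed
    server = ipaddress.IPv4Address(packed[4:8])
    port = int.from_bytes(packed[10:12], "big") ^ 0xFFFF
    client = ipaddress.IPv4Address(bytes(b ^ 0xFF for b in packed[12:16]))
    return str(server), str(client), port


def mac_from_eui64(addr):
    """Return the MAC embedded in an EUI-64 interface identifier, or None if there is none."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]   # undo the U/L bit flip
    return ":".join(f"{o:02x}" for o in octets)


def report(text):
    """Classify every IPv6 address in ipconfig output; returns one dict per address."""
    rows = []
    for addr in extract_ipv6(text):
        kind = classify(addr)
        row = {"address": addr, "kind": kind, "mac": mac_from_eui64(addr)}
        if kind == "teredo":
            row["server"], row["client"], row["port"] = decode_teredo(addr)
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in report(IPCONFIG_SAMPLE):
        print(row)
```

Pipe real ipconfig output into report() to see which adapter each address belongs to; a Teredo row shows the public IPv4 address and UDP port that the rest of the IPv6 internet uses to reach the host behind the NAT, which is why the earlier caveat about the host firewall matters.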