Links
Categories

Bluetrait
        Bluetrait
                Bluetrait
                    Coding
                    Geek
                    General
                    Videos
                    Solar
                    Coding
                    Geek
                    General
                    Coding
                        PHP
                        Bluetrait
                        PHP
                        Bluetrait
                        WordPress
                            Plugins
                        PHP
                        Bluetrait (Program)
                    Geek
                        Juniper
                        Cisco
                        IBM N2200 8363
                        PCs
                        Spam
                        IPv6
                        Apple
                        NetScreen
                        Internet
                    General
                        Uni

Sat, 12 Mar 2016 3:07 PM

Debian + Proxmox + VYOS + NAT + IPSec + IPTables = Fun

Michael Dale

I ended up writing this in pages but here is the PDF.

[Download PDF, ~800KB]


Geek, Juniper

Permalink | Comments 0

Sat, 23 Aug 2014 1:27 PM

Running JunOS 12.1X47 on first gen SRX240H

Michael Dale

So 12.1X47 just came out and no longer supports SRX devices with less than 2GB of ram.

I have a couple of spare Juniper SRX240Hs (so first gen devices with 1GB of ram) and would like to test 12.1X47 in my lab, unfortunately I don't have any 2GB ram devices in my lab.

When trying to install 12.1X47 on the SRX240H you get the following error:

Copying package ...
ERROR: Unsupported platform srx240h for 12.1X47 and higher
ERROR: validate-config: junos/+REQUIRE fails

So I decided to see if I could work around this and trick JunOS into installing on my 240H, I was successful :D

I wouldn't recommend ever using this in production, but I am sure it will work fine for the lab. The only difference between the 240H and the 240H2 is that the H2 has 2GB flash and 2GB ram, CPU is the same.

Now you can actually upgrade the ram in the SRX240H to 2GB, it just uses standard DDR2 PC ram (you just need to find a 2GB stick, I used 800MHz but 667MHz ram should work too).

First Upgrading SRX ram

Take off the SRX case and swap out the ram, easy!

Juniper SRX240H

Old Ram:

Old Ram

New Ram:
New Ram

As you can see the SRX now boots with 2GB of ram:

2GB Ram

Second modifying the installer checks

Unfortunately this isn't enough for 12.1X47 to install, the installer checks the model number not the amount of ram.

Copying package ...
ERROR: Unsupported platform srx240h for 12.1X47 and higher
ERROR: validate-config: junos/+REQUIRE fails
WARNING: Current configuration not compatible with /altroot/cf/packages/install-tmp/junos-12.1X47-D10.4-domestic

So it is time to modify junos-srxsme-12.1X47-D10.4-domestic.tgz to work on 240H devices.

I did this on Mac OS but any *nix system will work, it isn't that hard.

  1. Go and download junos-srxsme-12.1X47-D10.4-domestic.tgz from Juniper.
  2. Extract junos-srxsme-12.1X47-D10.4-domestic.tgz
  3. Now all we need to do is edit 2 files.
    1. In the +INSTALL file: Comment out line: 889 -> Error "Unsupported platform $product_model for 12.1X47 and higher" 
    2. In the +REQUIRE file: Comment out line: 889 -> Error "Unsupported platform $product_model for 12.1X47 and higher" 
      To comment out just add a # at the start of the line.
  4. Now we need to tar this back into a tgz file.
    1. So from the command line cd into the unzipped folder
    2. Now tar gz everything: tar czf ../junos-srxsme-12.1X47-D10.4-domestic-fixed.tgz *
    3. Once done I changed junos-srxsme-12.1X47-D10.4-domestic-fixed.tgz back to junos-srxsme-12.1X47-D10.4-domestic.tgz, not sure if that matters.
  5. Now you can install like any normal firmware upgrade: root> request system software add http://xxx/junos/junos-srxsme-12.1X47-D10.4-domestic.tgz reboot

Done!

 

Now this process still leaves the SRX 240H with only 1GB of flash, but even with a dual root partition there is still 100M+ free space on the primary mount point.

That should be fine for now, you might need to use external logging or a usb flash drive in future though.

Storage on 12.1X47

 

I am interested to know if this process works on 1GB ram devices, as these changes might allow JunOS X47 it install on them. Although I would recommend 2GB ram. 


Juniper

Permalink | Comments 22

Sat, 23 Aug 2014 12:37 AM

JunOS 12.1X47, first gen SRX devices are no longer supported

Michael Dale

ERROR: Unsupported platform srx210h for 12.1X47 and higher

This is the error that you will get if you try and install 12.1X47 on a Juniper SRX 210H (or 100B, 100H or any "first gen" srx).

From reading:

http://www.juniper.net/techpubs/en_US/junos12.1x47/information-products/topic-collections/release-notes/12.1x47/index.html?topic-87511.html

"Note: Upgrading to Junos OS Release 12.1X47-D10 or later is not supported on the J Series devices or on the low-memory versions of the SRX100 and SRX200 lines."

I thought maybe it would just be the base memory devices e.g SRX100B or SRX210B but it looks like any SRX device with 512MB or 1GB ram are not supported.

This is a shame as for example the SRX110H devices weren't that old and supported removable/upgradable CF cards. Even the SRX240B2 is not supported! You need 2GB of ram.

The ASA5505 is good example of a device designed to last. Pity I like JunOS so much!

I have a couple of SRX240Hs, these allow you to upgrade the ram (standard DDR2), so I wonder if an upgraded 240H will work.


Juniper, Cisco

Permalink | Comments 0

Mon, 07 Apr 2014 9:45 PM

Networking Lab

Michael Dale

 My current networking lab setup for testing a new network design including OSPF, BGP & IPsec route based VPNs.

From top to bottom:

  • The imposter, a Ubiquiti EdgeRouter Lite!
  • Juniper SSG 5 (extended license )
  • Juniper SRX 100 (base memory )
  • Juniper SSG 20 (not currently being used)
  • Juniper SRX 110H (older 1GB ram model)
  • Juniper SRX 210H-POE (pretty old slow beast with 1GB ram and a lowly 400MHz CPU). I still run a standard 210H at home, one day I'll get the 210H2....

 

 

 


Juniper, NetScreen

Permalink | Comments 6

Fri, 19 Nov 2010 12:54 PM

Basic JunOScript PHP Client

Michael Dale

Still needs some work.

Link


Juniper

Permalink | Comments 0

Sun, 08 Aug 2010 10:53 AM

Cisco Fail

Michael Dale

I don't normally sell Cisco products, but one of my clients already has a full Cisco network, so for them we purchased an ASA5505 for a remote office.

Cisco have made a number of upgrades to the software of the ASA range and have really stuffed up a few sections.

  1. It took me about a month to get a new ASA5505 (the new 512mb version as the OS now needs more memory)! For some reason Cisco cannot manage their stock, they suck. Also the ASA5505 should have had 512mb to start with.
  2. Finally when the ASA5505 comes, it doesn't work! It doesn't even switch on. I don't think I've ever had a DOA Juniper product. I understand these things happen but it doesn't leave a good impression.
  3. The power connector is really bad, it is some stupidly small plastic thing that will no doubt break in the future.

Overall the ASA5505 is a good product, but they've done some stupid things with the range. I wouldn't recommend one over a Juniper SSG.

I don't know why companies always create shitty products, the Juniper SRX range is another fine example. The code base on the Juniper SRX is still buggy. Junos 10.2 should finally fix most of my issues with the OS, but really. 


Juniper, Cisco

Permalink | Comments 2

Fri, 29 Jan 2010 6:18 PM

Juniper SRX210 Review

Michael Dale

Well I've finally had some time to finish off my review of the SRX210! It's only taken like 4 months. There is still some things missing from this review that I will post about at some stage.

 
The Juniper SRX 210 is a new firewall/router released earlier in 2009. It is the second smallest device in the SRX range (the SRX 100 being the smallest).
 
The SRX range runs on JunOS with some new security features added that can be found in Juniper's previous firewall rage the SSG (and before that the netscreen) and in JunOS-ES.
 
It is my understanding that the SRX series will slowly replace the SSG range.
 
I recently purchased an SRX210 so that I could learn JunOS. I am coming from a Juniper SSG/Netscreen background, having looked after many Netscreen 5GTs, 25s and 50s along with the newer range the SSG 5/20/520 etc range.
 
I have primarily used the SSGs for linking sites together with VPNs, providing VPN access to clients/employees, general firewalling/routing and some high availability. More recently I have been doing IPv6 over some of them.
 
Since the SRX is based on JunOS it has all the underlying routing features found in Junipers other product ranges (such as the J series) plus the security features recently added, while the SSG is primarily a firewall device (although it has some pretty cool routing features in it too). You can read my review of the SSG 5 here.
 
So lets first look at the smaller SSG and SRX line up.
 
The SRX100 is basically the SSG5 equivalent, while the SRX210 better matches up to the SSG20.
 
In the SSG range the SSG5 and SSG20 were exactly the same except for the following differences:
  • SSG20 has two mini-pim slots (for ADSL modules etc)
  • SSG20 loses two of the ethernet ports the SSG5 has
  • SSG20 is physically larger
Other than that both have the same performance, memory options, wireless options etc.
 
With the new SRX range the SRX210 is actually faster than the SRX100 and includes some nice extra features such as:
  • SRX210 has 100mbit more routing throughput (750mbit)
  • 2 gigabit ethernet ports
  • Express card slot for 3G modems
  • 1 mini-pim slot
  • plus some other software things (increased session limit, max policies etc)
Juniper have a nice product chart here:
 
One interesting difference between the two is the memory configuration options.
  • The SRX100 models all have 1GB of ram installed, yet the base version has a software licensing limitation of 512mb.
  • You cannot upgrade a base SRX210 to 1GB as the base version only has 512mb of fixed memory.
 At this stage there is no built in wireless options for the SRX range. Juniper have released an external wireless access point that you can configure from the SRX, but I'm not going to talk about that in this review.
 
So the SRX210 is actually quite a bit more useful than SRX100 depending on what you want to do, although both devices should be more than powerful enough for most routing requirements (750mbit on the SRX210!), although If you want to take full BGP tables you will need to be using at least an SRX650. I think this is a bit of a shame seeing as we're no longer limited by the operating system routing capabilities.
 
One thing that I think is a bit odd is that the SRX can only do 3G via the Express Card slot (so SRX210 only); they don't support using usb modems (both SRX100 and SRX210 have USB ports). This feature could come in a software update, but I don't know if it will. At least it is an improvement over the SSG range that couldn't do it at all.
 
So for the Netscreen/SSG users what does the SRX range offer:
  • 3G WWLAN (SRX210 only)
  • Significant routing performance increase
  • JunOS
  • Gigabit ethernet on smaller devices (from SRX210 upwards)
  • PoE options (SRX210)
  • Jflow/Netflow support
So sounds great but unfortunately the SRX range is actually missing some features from the SSGs:
  • Usable web interface (more on this later)
  • Integrated ADSL and wireless options
  • Auto Connect VPN (probably will be fixed in a software update)
  • Other minor feature differences 
So lets now look at the software in a bit more depth.
 
ScreenOS vs JunOS.
 
One of the reason's I liked the SSG range was the web interface. You can do just about anything from the web interface, it is really easy to see what policies are setup and you can easily disable and rearrange them.
 
ScreenOS can have some interesting WebUI bugs but if you're running a fairly recent version and using Firefox or IE it works pretty well. It can be a bit slow to load over a WAN link, but once it has finished loading the excessive amount of javascript it is pretty quick.
 
The SRX version of JunOS (tested with 9.6R2.11) has a web interface that is completely different to ScreenOS. It is broken down into two main sections configure and monitor. Unlike ScreenOS you need to switch between these two sections to either configure a setting or see what is actually going on. It might actually be a useful feature if is wasn't for the fact that the web interface is bad, really bad.
 
My biggest issues include:
  • It's slow, much much slower to load that ScreenOS
  • It seems to expire my session and log me out while in the process of doing stuff
  • It doesn't feel like it was designed for people to actually use. It is basically a graphical representation of the configuration file. I've noticed that I expect different things from a web interface verses a command line interface.
Because of these reasons I don't even bother using the web interface, which really feels like I'm going backwards compared to the SSG. Don't get me wrong the command line in JunOS is great, more complex than ScreenOS but in the long term you will appreciate the power of it.
 
For the larger range of SRX devices this probably doesn't matter as much because the people configuring them should really know how to use the command line; but I believe a good web interface is really important for the smaller devices especially if Juniper want this device to be popular in not just the enterprise market.
 
UPDATE:
 
Juniper have since released JunOS 10.0R2.10 which seems to have improved the speed of the web interface. They have also started working on fixing up many of the configuration pages. From what I have heard Juniper plan to keep improving it over the next few versions. I might do an updated post once the WebUI has been improved further.
 
During the writing of this review Juniper have released at least three software updates and at least for me each upgrade as been an improvement. Before JunOS 10.0R2.10 the SRX210 was really too buggy for production use, I had lots of issues with keeping a stable PPPoE link up. Luckily this seems to have finally been fixed in the latest OS. This was one of the main reasons for the delay in this review. I really wanted to get the problem fixed first.
 
Also during the review, one of the companies I work for purchased two SRX240s, this has allowed me to really get used to the operating system as I've had to setup Clustering/NAT/DHCP/VLANs/SNMP/VPNs and some firewall rules. I ended up configuring everything via the command line and I'm glad I did because the command line in JunOS is really much better than ScreenOS.
 
The configuration in JunOS is converted to XML when loading, so the configuration process has a much more structured feel to it. Everything is nicely broken down into different sections such as: system, interfaces, security, vlans etc. I've found this makes it easier to find what you're looking when changing things.
 
Upgrading the operating system is also easy as you can simply point JunOS to an HTTP url and not need to setup a TFTP server.
 
I still prefer the ScreenOS WebUI for configuring firewall policies though, the whole process just seems quicker and better thought out.
 
For laptop style VPNs Juniper have moved away from Netscreen Remote the 3rd party IPsec VPN software and replaced it with basically nothing. They now have something call dynamic VPN, which I haven't used yet. This type of VPN setup has a new VPN client but it also requires extra licenses to be purchased (at great expense I'm sure), so I probably won't use it. Luckily JunOS still supports IPsec VPNs so you should simply be able to use one of the better free VPN clients (Netscreen Remote really sucked anyway so no big loss). I haven't tested this yet, although if it does work correctly that is great because the SRX actually supports 128 IPsec tunnels on the SRX100 and double that on the 210! Heaps more than the old SSGs.
 
One last thing I will mention in the software section, JunOS doesn't seem to support IPv6 in flow-based mode which is a shame. Hopefully this will come soon.
 
Hardware
 
The base Juniper SRX210 is about the same size as the SSG20; it includes 8 ethernet ports and a single mini-pim slot (the SSG20 had two, which was useful if say you wanted to have two adsl connections).
 
The main difference between the two is the different integrated options.
The SSG20 allowed for wireless, where as the SRX210 gives you PoE and VoIP options.
 
Final Thoughts
 
The SRX210 is a promising device that has been plagued by some early software bugs (most of which have been fixed). It doesn't include all the features from the old SSG range (yet) and it does feel a bit more enterprise than the SSG. I think the smaller SSG range was great for small businesses, where as the smaller SRX range can get quite expensive with some of the optional extras.
 
I will miss the integrated wireless options from the SSGs (the SRX external wireless is very expensive) and for the time being some of the stability.
 
Saying all this JunOS is the future for Juniper and I believe the SRX range will keep getting better (and quickly JunOS 10.1 is due out soon).
 
Juniper have also produced some nice help documents recently for users of ScreenOS, they also have many examples of say VPNs between an SSG and SRX which makes the upgrade process easier.
 
Further Reading
 
Mapping of common troubleshooting commands from ScreenOS to JUNOS http://kb.juniper.net/index?page=content&id=KB14000
 
Update
 
Just a quick update, there are currently some serious issues with clustering in the SRX series. If you head over to the SRX section in the Juniper forum, lots of people are having issues (including myself). I would recommend that you hold off any purchases of the SRX devices for use in clustered environments. 

Juniper

Permalink | Comments 10

Sun, 17 Jan 2010 11:10 AM

Native IPv6 over PPPoE with Internode and a Juniper SSG5

Michael Dale

Internode released a trial of native IPv6 over ADSL a few months back, so anyone with an ADSL account with them can try it.

So one of my clients has an SSG5 and an internode connection so I thought I'd set it up.

So the setup:

  • ADSL modem in bridge mode
  • SSG5 running ScreenOS 6.3.0r2 (I had some issues with 6.2, so it is best to use the latest OS)

The very first step is to enable IPv6 on the SSG5, this requires you to run the following command and then restart/reboot the device:

set envar ipv6=yes

Once done you should now have access to all the IPv6 functions in the WebUI.

The next step is to modify your PPPoE connection settings.

set pppoe name "Internode" username "username@ipv6.internode.on.net" password "encryptedpassword"

set pppoe name "Internode" ppp ipv6cp ipcp

Now you need to enable IPv6 on the interface that the PPPoE connection is setup on.

set interface "ethernet0/0" ipv6 mode "host"

set interface "ethernet0/0" ipv6 enable

set interface ethernet0/0 ipv6 ra accept

unset interface ethernet0/0 ipv6 nd nud

So the above should be enough for you to get the /64 on the PPPoE interface.

Internode is currently handing out a /60 for use in your network (via DHCPv6), so lets now set that up.

set interface ethernet0/0 dhcp6 client

set interface ethernet0/0 dhcp6 client options rapid-commit

set interface ethernet0/0 dhcp6 client options request pd

set interface ethernet0/0 dhcp6 client pd ra-interface bgroup0

set interface ethernet0/0 dhcp6 client enable

In the above "bgroup0" is my LAN interface.

Now let's get IPv6 running on "bgroup0"

set interface "bgroup0" ipv6 mode "router"

set interface "bgroup0" ipv6 ip 2001:44b8:7763:baa0::1/64

set interface "bgroup0" ipv6 enable

set interface bgroup0 ipv6 ra link-address

set interface bgroup0 ipv6 ra transmit

unset interface bgroup0 ipv6 nd nud

In the above the IPv6 address there is my first /64 out of the /60, I've manually set it to a :1 address but you can use whatever it's default auto assigned address is.

Now you might want to hand out internodes IPv6 DNS server addresses to your LAN

set interface bgroup0 dhcp6 server

set interface bgroup0 dhcp6 server options dns dns1 2001:44b8:1::6

set interface bgroup0 dhcp6 server options dns dns2 2001:44b8:2::6

set interface bgroup0 dhcp6 server enable

Now we need to setup the default IPv6 route, as the one that is added by default is incorrect.

set route ::/0 interface ethernet0/0 gateway ::

And finally the IPv6 policy to allow traffic out (yay no NAT).

set policy id 12 from "Trust" to "Untrust"  "Any-IPv6" "Any-IPv6" "ANY" permit log

That should be all you need to do to get IPv6 working on your network.

There is more information over at the internode site if needed.

And here is a traceroute from a computer on the LAN

C:\Users\Administrator>tracert -6 ipv6.google.com

Tracing route to ipv6.l.google.com [2001:4860:c004::68]

over a maximum of 30 hops:

  1     1 ms    <1 ms    <1 ms  2001:44b8:7763:baa0::1

  2    37 ms    37 ms    37 ms  loop0.lns6.syd7.internode.on.net [2001:44b8:b070::4]

  3    37 ms    37 ms    37 ms  gi1-1.cor2.syd7.internode.on.net [2001:44b8:b070:5::1]

  4    37 ms     *       37 ms  gi6-0-0-146.bdr1.syd6.internode.on.net [2001:44b8:b060:146::1]

  5    37 ms    37 ms    37 ms  2001:4860:1:1:0:1283:0:2

  6    38 ms    38 ms    39 ms  2001:4860::1:0:9f8

  7   184 ms   295 ms   174 ms  2001:4860::1:0:165

  8   175 ms   175 ms   175 ms  2001:4860::1:0:890

  9   181 ms   176 ms   182 ms  2001:4860::29

 10   185 ms   176 ms   244 ms  tx-in-x68.1e100.net [2001:4860:c004::68]

Trace complete.


Juniper, IPv6

Permalink | Comments 6

Thu, 13 Aug 2009 6:52 PM

Jflow on SRX210

Michael Dale

We'll I've got my Juniper SRX210 up and running and it supports some stuff the old SSG didn't (it is also missing a few features too).

One of the new features is the support for JFlow (which is the Juniper version of Cisco's NetFlow).

Basically it means that the firewall can log traffic to a server in a format that allows for graphs such as this:

Jflow

Pretty cool. Anyway the documentation for the SRX isn't that great, so here is my configuration for this (running SRX JunOS 9.6):

fe-0/0/7 {

    unit 0 {

        family inet {

            filter {

                input cflow;

                output all;

            }

            address 203.206.210.249/29;

        }

    }

}

firewall {

    filter all {

        term all {  

            then {

                sample;

                accept;

            }

        }

    }

    filter cflow {

        term 1 {

            then {

                sample;

                accept;

            }

        }

    }

}

forwarding-options {

    sampling {

        input {

            rate 1;

            run-length 0;

            max-packets-per-second 50000;

        }           

        family inet {

            output {

                flow-server 203.206.210.250 {

                    port 2055;

                    version 5;

                }

            }

        }

    }

}

 
 

 


Juniper

Permalink | Comments 0

Wed, 22 Jul 2009 9:40 PM

New Router/Firewall Time! Juniper SRX 210

Michael Dale

We'll I've had my SSG 5 for about 2.5 years now and it has worked great, and will probably keep working for many years to come. But Juniper have released a new/replacement model (kind of, they're still selling the SSGs) that runs JunOS.

So I thought it was about time to learn the operating system as ScreenOS (OS on the SSG) will eventually be discontinued.

The SRX 210 is really more of a replacement to the SSG 20, but it looks there isn't a SSG 5 replacement (yet at least, I did see some mentions of an SRX 100).

Anyway hopefully I should get it next week and then I'll do a review of it.

Juniper SRX 210


Juniper

Permalink | Comments 6