Many internet services providers ( ISP) use a Point-to-Point Protocol over Ethernet (PPPoE) connection for their users. This type of connection helps them save their valuable IP address source because users’ IP address are on-demand; automatically provided by ISPs. That is, those IP addresses are not fixed, and can be easily reused. Moreover, using this technology allows the providers authenticate end users with the access control function, perform accounting, and monitor users’ behaviors to ensure security.
Configuration:
The set interface pp0 unit 0 family inet command needs to be configured to be unnumbered in this scenario.
set interfaces ge-0/0/0 unit 0 encapsulation ppp-over-ether
set interfaces ge-0/0/1 unit 0 family inet address 100.1.0.1/29
set interfaces pp0 unit 0 ppp-options chap default-chap-secret abcd
set interfaces pp0 unit 0 ppp-options chap local-name "abcd@juniper.net"
set interfaces pp0 unit 0 ppp-options chap passive
set interfaces pp0 unit 0 pppoe-options underlying-interface ge-0/0/0.0
set interfaces pp0 unit 0 pppoe-options auto-reconnect 10
set interfaces pp0 unit 0 pppoe-options client
set interfaces pp0 unit 0 family inetset routing-options static route 0.0.0.0/0 next-hop pp0.0
set security policies from-zone trust to-zone untrust policy tr-un match source-address any
set security policies from-zone trust to-zone untrust policy tr-un match destination-address any
set security policies from-zone trust to-zone untrust policy tr-un match application any
set security policies from-zone trust to-zone untrust policy tr-un then permit
set security policies from-zone untrust to-zone trust policy un-tr match source-address any
set security policies from-zone untrust to-zone trust policy un-tr match destination-address any
set security policies from-zone untrust to-zone trust policy un-tr match application any
set security policies from-zone untrust to-zone trust policy un-tr then permit
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces pp0.0 host-inbound-traffic system-services all
Verification:
root@SRX> show interfaces pp0 terse
interface Admin Link Proto Local Remote
pp0 up up
pp0.0 up up inet <<< pp0.0 link is up and no IP address is displayed.
root@SRX> show route
inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[Static/5] 00:08:47
> via pp0.0
100.1.0.0/29 *[Direct/0] 00:11:29
> via ge-0/0/1.0
100.1.0.1/32 *[Local/0] 00:17:41
Local via ge-0/0/1.0
root@SRX> show ppp interface pp0 extensive
Sessions for interface pp0
Session pp0.0, Type: PPP, Phase: Network
LCP
State: Opened
Last started: 2016-02-05 10:09:57 UTC
Last completed: 2016-02-05 10:09:57 UTC
Negotiated options:
Authentication protocol: CHAP, Authentication algorithm: MD5,
Magic number: 1454334805, Local MRU: 1492
Authentication: CHAP
State: Success
Last completed: 2016-02-05 10:09:57 UTC
IPCP
State: Opened
Last started: 2016-02-05 10:12:25 UTC
Last completed: 2016-02-05 10:12:28 UTC
Negotiated options:
Primary DNS: 0.0.0.0, Secondary DNS: 0.0.0.0
Note:
The source address of self-originated packet sent from the pp0 interface — such as license update, signature update, etc. — will be 100.1.0.1 in the above scenario. However, if SRX has more than two interfaces in the same routing instance, the source address of the self-originated packet might not have the expected source address. The following NAT configuration will solve the source address issue.
set security nat source pool selfpacket address 100.1.0.1/32 <<< The address should be same as the trust interface address.
set security nat source rule-set selfnat from zone junos-host <<< Predefined zone for self-originated packet.
set security nat source rule-set selfnat to zone untrust
set security nat source rule-set selfnat rule 1 match source-address 0.0.0.0/0
set security nat source rule-set selfnat rule 1 then source-nat pool selfpacket
set security nat proxy-arp interface pp0.0 address 100.1.0.1/32
