Configuring the SRX100
Aug. 22nd, 2011 07:05 am
The need to switch ISPs finally pushed me to configure the Juniper SRX100 router.
As my current ISP, KGT New Media, is giving up their consumer Internet access over T-DSL product and has canceled the contract to the end of August, I am a bit under pressure to get everything running with a different ISP. So, back to Titan Networks, although their offer is not quite what I was looking for. For € 24.50 per month, about the same price as with KGT, I get not a traffic flat rate, but a volume of 25GB, with extra traffic for € 5.50/GB. This should usually be enough, but in the past I have had a huge traffic peak once, which suddenly cost me an additional 90 Euros. But there are not very many ISPs offering IPv6 at end-customer prices to choose from.
Of course, before I switch completely, particularly all the DNS entries for- and backwards, I want to make sure everything works. This gave me another opportunity and additional motivation to finally tackle the SRX100, and I did.
While the Cisco 1712 still runs with KGT, the SRX100 is now running the Titan connection, although in a kind of "client-only" mode, without allowing incoming connections. Making incoming traffic possible requires much more firewall-fu than the little I have already understood. This is really not easy.
Doing the basic configuration -- forwarding IPv4 and IPv6 between the core and the WLAN network and the PPPoE connection to the ISP -- was moderately simple. Junos configuration is indeed a bit less of a pain in the back than IOS. I especially like the method of modifying a configuration until it is done and only then committing it to be activated. Otherwise it would have been more difficult or required a reboot to do reconfigurations that would have cut me off from the router in mid-change.
I also think the explicitly hierarchical configuration makes sense as a way of structuring everything; when I dive into some hierarchy level, I can concentrate on just that and show just that bit, for instance. Ah, yes, you can show the configuration while editing, isn't that just amazing? (I probably have only missed that with IOS, but to me it's still a difference.) And then there are the little things, like being able to go back in the pager (while viewing configuration or the like). I like it.
One thing had me busy for a while, though: There is no possibility to use IPv6 with vlan interfaces. This restriction still puzzles me, but apparently it is intentional, or at least specified. That I was not able to set an IPv6 address on a vlan interface from the CLI but could do that from the web interface added to my confusion. But even if an address has been set on a vlan interface, it cannot actually be used. Took me quite a while to find the final answer.
In the end I gave up and configured the interfaces not as switching group members, but as IP interfaces, and then everything worked. Well, except for the switching, of course -- I need a separate switch now where a port-based vlan on the SRX100 should have been sufficient. That is annoying.
Apart from that and the still unresolved incoming traffic issue, everything works fine now.
Perhaps I will finally just switch the Cisco over to Titan, and then the SRX100 to the currently unused T-Online connection -- I used it briefly for testing the SRX100 and found that instead of the 30 ms roundtrip to my external server, it gave me 8! The T-Online access is with IPv4 only (currently; IPv6 probably next year) and with changing addresses. But that is fine for the clients, while the server can still use the fixed-address IPv6 and IPv4 access over the Cisco and Titan.