Home SRX config¶
Basic settings¶
# These come first. root-authentication needs plain-text-password (prompts for it) or encrypted-password;
# the original note had it run together with the host-name line.
set system root-authentication plain-text-password
set system host-name srx-home
# Time zone
set system time-zone Asia/Tokyo
# Login class for users, with an idle timeout (seconds)
set system login class super-user-local idle-timeout 1800
set system login class super-user-local permissions all
# Create a user (the password keyword is plain-text-password, which prompts for the password)
set system login user kanai uid 1000
set system login user kanai class super-user-local
set system login user kanai authentication plain-text-password
# Enable these as you like (telnet in particular: it sends credentials in the clear, so it is better left off)
set system services ssh
set system services telnet
set system services netconf ssh
# syslog settings, mainly for local logs
set system syslog archive size 10m
set system syslog archive files 5
set system syslog user * any emergency
set system syslog user * authorization info
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system syslog time-format
# Source address used when sending syslog to an external collector
set system syslog source-address 192.168.100.253
# Number of configurations kept for rollback
set system max-configurations-on-flash 49
set system max-configuration-rollbacks 49
# NTP
set system ntp server 210.173.160.57
set system ntp server 210.173.160.27
set system ntp server 210.173.160.87
set system ntp source-address 192.168.101.252
# For netflow (packet sampling rate: 1 in 8192)
set forwarding-options sampling input rate 8192
# SNMP
set snmp community public authorization read-only
set snmp community public clients 192.168.100.0/24
set snmp trap-options source-address lo0
Broadband router settings¶
Here, port 0 is used for PPPoE and port 7 for management.
# User segment
set interfaces fe-0/0/2 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members v100
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members v100
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members v100
set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members v100
set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members v100
# User segment VLAN and its L3 interface
set vlans v100 vlan-id 100
set vlans v100 l3-interface vlan.100
set interfaces vlan unit 100 family inet address 192.168.1.1/24
# Management segment
set interfaces fe-0/0/7 description mgmt
set interfaces fe-0/0/7 unit 0 family inet address 192.168.101.252/24
# This is the underlying (physical) interface for PPPoE
set interfaces fe-0/0/0 description "pppoe uplink"
set interfaces fe-0/0/0 unit 0 encapsulation ppp-over-ether
# The PPPoE logical interface (pp0) on top of it
# default-chap-secret is the ISP account password; the empty string below is a placeholder
set interfaces pp0 unit 0 ppp-options chap default-chap-secret ""
set interfaces pp0 unit 0 ppp-options chap local-name "a@ocn.ne.jp"
set interfaces pp0 unit 0 ppp-options chap passive
set interfaces pp0 unit 0 pppoe-options underlying-interface fe-0/0/0.0
set interfaces pp0 unit 0 pppoe-options auto-reconnect 10
set interfaces pp0 unit 0 pppoe-options client
set interfaces pp0 unit 0 family inet mtu 1454
set interfaces pp0 unit 0 family inet negotiate-address
Basic router settings¶
set interfaces lo0 unit 0 family inet address 127.0.0.1/32
set interfaces lo0 unit 0 family inet address 192.168.255.253/32
set interfaces lo0 unit 0 family inet6 address fd00::253/128
# Router ID and AS number
set routing-options router-id 192.168.255.253
set routing-options autonomous-system 65000
# Router advertisement (only trace logging is configured here)
set protocols router-advertisement traceoptions file ra.log
set protocols router-advertisement traceoptions flag all
# Basic BGP settings
set protocols bgp traceoptions file bgp.log
set protocols bgp traceoptions flag open
set protocols bgp hold-time 180
set protocols bgp group iBGP type internal
set protocols bgp group iBGP family inet unicast prefix-limit maximum 100
# When the prefix limit is exceeded, tear the session down and do not bring it back automatically
set protocols bgp group iBGP family inet unicast prefix-limit teardown idle-timeout forever
set protocols bgp group iBGP local-as 65000
# Minimal OSPFv2/OSPFv3 settings (LLDP follows below)
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface lo0.0 metric 1
set protocols ospf3 area 0.0.0.0 interface lo0.0 passive
set protocols ospf3 area 0.0.0.0 interface lo0.0 metric 1
# Test routes for route-advertisement experiments
set routing-options rib inet6.0 static route fd00::ffff/128 discard
set routing-options static route 255.0.0.0/32 discard
# lldp
set protocols lldp interface all
set protocols lldp-med interface all
Host filters¶
These restrict access to the SRX itself. Note that a filter defined under firewall does nothing until it is applied, typically as an input filter on lo0.0; that apply step is not shown in these notes.
# telnet and ssh are restricted by source address
set firewall family inet filter telnet-access term telnet-permit from source-address 192.168.100.0/24
set firewall family inet filter telnet-access term telnet-permit from source-address 192.168.200.0/24
set firewall family inet filter telnet-access term telnet-permit from protocol tcp
set firewall family inet filter telnet-access term telnet-permit from destination-port telnet
set firewall family inet filter telnet-access term telnet-permit from destination-port ssh
set firewall family inet filter telnet-access term telnet-permit then accept
set firewall family inet filter telnet-access term telnet-deny from protocol tcp
set firewall family inet filter telnet-access term telnet-deny from destination-port telnet
set firewall family inet filter telnet-access term telnet-deny from destination-port ssh
set firewall family inet filter telnet-access term telnet-deny then discard
# For BGP, only the neighbors defined under protocols bgp are accepted (apply-path builds the prefix list from them)
# This keeps TCP SYN floods aimed at port 179 from anything other than a configured peer off the control plane
set policy-options prefix-list bgp-peers apply-path "protocols bgp group <*> neighbor <*>;"
set firewall family inet filter bgp-access term bgp-permit from prefix-list bgp-peers
set firewall family inet filter bgp-access term bgp-permit from protocol tcp
set firewall family inet filter bgp-access term bgp-permit from port 179
set firewall family inet filter bgp-access term bgp-permit then accept
set firewall family inet filter bgp-access term bgp-deny from protocol tcp
set firewall family inet filter bgp-access term bgp-deny from port 179
set firewall family inet filter bgp-access term bgp-deny then discard
# Everything else is let through for now
set firewall family any filter permit-all term permit-all then accept
Routing instances¶
In this network, the mgmt and lan segments are completely separated. Putting mgmt into a routing instance is also possible, but on Junos 17 and earlier, NTP, DNS and similar services do not work well when they live inside an RI, so the user segment is the one placed in a routing instance.
set routing-instances lan instance-type virtual-router
set routing-instances lan interface fe-0/0/0.0
# pppoe is lan's way out, so it goes into the same instance
set routing-instances lan interface pp0.0
# vlan.100 is the user VLAN
set routing-instances lan interface vlan.100
# Default route points at pppoe
set routing-instances lan routing-options static route 0.0.0.0/0 next-hop pp0.0
DHCP server in the user RI¶
To run DHCP inside an RI, it has to be configured with an access address-assignment pool rather than system services dhcp (probably).
set routing-instances lan system services dhcp-local-server group pool_vlan_100 interface vlan.100
set routing-instances lan access address-assignment pool pool_vlan_100 family inet network 192.168.1.0/24
set routing-instances lan access address-assignment pool pool_vlan_100 family inet range dhcp low 192.168.1.100
set routing-instances lan access address-assignment pool pool_vlan_100 family inet range dhcp high 192.168.1.199
set routing-instances lan access address-assignment pool pool_vlan_100 family inet dhcp-attributes maximum-lease-time 300
set routing-instances lan access address-assignment pool pool_vlan_100 family inet dhcp-attributes name-server 192.168.1.1
set routing-instances lan access address-assignment pool pool_vlan_100 family inet dhcp-attributes router 192.168.1.1
Routing for mgmt¶
Routes needed on the mgmt side. As a rule, mgmt is not routed to the outside by this SRX; only the hosts below are reachable, via the mgmt gateway.
# NTP servers and 8.8.8.8 via the mgmt gateway (192.168.101.1)
set routing-options rib inet.0 static route 210.173.160.57/32 next-hop 192.168.101.1
set routing-options rib inet.0 static route 210.173.160.27/32 next-hop 192.168.101.1
set routing-options rib inet.0 static route 210.173.160.87/32 next-hop 192.168.101.1
set routing-options rib inet.0 static route 8.8.8.8/32 next-hop 192.168.101.1
DHCP on VRF¶
# The following is an old attempt; ignore it
set system services dhcp router 192.168.1.1
set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.2
set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254
set system services dhcp propagate-settings fe-0/0/0.0
NAT¶
Ordinary source NAT: everything from trust to untrust is translated to the egress interface address.
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
Inter-zone policy¶
Explicit permit from trust to untrust; anything not matched falls to the deny-all default policy.
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies default-policy deny-all
Zone settings¶
# At home, for convenience, accept every host-inbound service and protocol from trust
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.100
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces fe-0/0/1.0 host-inbound-traffic system-services dhcpv6
set security zones security-zone untrust interfaces pp0.0
# mgmt
set security zones security-zone mgmt host-inbound-traffic system-services all
set security zones security-zone mgmt host-inbound-traffic protocols all
set security zones security-zone mgmt interfaces fe-0/0/7.0
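A quick way to catch the points raised in the host-filter section and in the zone settings above is to lint the set-style config. The following is an added example in Python (not code from these notes or from Juniper): it flags telnet being enabled, an SNMP community named public or private, zones that accept every host-inbound system service, and firewall filters that are defined under firewall but never applied to any interface. The sample config is constructed from the page's own lines plus an assumed filter lo0-in applied to lo0.0 so that the last check has a negative case.

```python
"""Lint a Junos set-style configuration for the weak points discussed above.

Added example, not part of the original notes. Checks:
  * telnet enabled under system services
  * SNMP community named "public" or "private"
  * security zones with host-inbound-traffic system-services all
  * firewall filters that are defined but never applied to an interface
"""
import re

# Constructed sample: lines taken from the page plus an assumed lo0-in filter
# that *is* applied, so the "never applied" check has both outcomes.
SAMPLE_CONFIG = """\
set system services ssh
set system services telnet
set system services netconf ssh
set snmp community public authorization read-only
set snmp community public clients 192.168.100.0/24
set firewall family inet filter telnet-access term telnet-permit from protocol tcp
set firewall family inet filter telnet-access term telnet-permit then accept
set firewall family inet filter bgp-access term bgp-permit from protocol tcp
set firewall family inet filter bgp-access term bgp-permit then accept
set firewall family inet filter lo0-in term permit-all then accept
set interfaces lo0 unit 0 family inet filter input lo0-in
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone untrust interfaces pp0.0
set security zones security-zone mgmt host-inbound-traffic system-services all
"""

FILTER_DEF = re.compile(r"^set firewall family \S+ filter (\S+)")
FILTER_USE = re.compile(
    r"^set interfaces \S+ unit \d+ family \S+ filter (?:input|output)(?:-list)? (\S+)$")
ZONE_ALL = re.compile(
    r"^set security zones security-zone (\S+) host-inbound-traffic system-services all$")
SNMP_COMMUNITY = re.compile(r"^set snmp community (\S+)")
WEAK_COMMUNITIES = {"public", "private"}


def audit(config: str) -> list[tuple[str, str]]:
    """Return (check, detail) findings for a Junos set-style config string."""
    findings: list[tuple[str, str]] = []
    communities: set[str] = set()
    zones_all: list[str] = []          # ordered, deduplicated
    defined: list[str] = []            # filters in definition order
    used: set[str] = set()             # filters referenced from an interface

    for raw in config.splitlines():
        line = raw.strip()
        if not line.startswith("set "):
            continue
        if line == "set system services telnet":
            findings.append(("telnet-enabled", "system services telnet"))
        if (m := SNMP_COMMUNITY.match(line)):
            communities.add(m.group(1))
        if (m := ZONE_ALL.match(line)) and m.group(1) not in zones_all:
            zones_all.append(m.group(1))
        if (m := FILTER_DEF.match(line)) and m.group(1) not in defined:
            defined.append(m.group(1))
        if (m := FILTER_USE.match(line)):
            used.add(m.group(1))

    for name in sorted(communities & WEAK_COMMUNITIES):
        findings.append(("snmp-default-community", name))
    for zone in zones_all:
        findings.append(("zone-host-inbound-all", zone))
    for name in defined:
        if name not in used:
            findings.append(("filter-never-applied", name))
    return findings


if __name__ == "__main__":
    for check, detail in audit(SAMPLE_CONFIG):
        print(f"{check:24s} {detail}")
```

Run against the page's own lines this reports telnet, the public community, the trust and mgmt zones, and both telnet-access and bgp-access as never applied; feed it the output of show configuration | display set to check a live box.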
MAC RADIUS authentication on the SRX¶
Installation¶
sudo apt-get install freeradius
clients.conf
client 192.168.101.0/24 {
	secret = secret
}
service freeradius reload
radiusd.conf (log section)
auth = yes
auth_badpass = yes
auth_goodpass = yes
eap.conf
peap {
	use_tunneled_reply = yes
}
users (the MAC address is both the user name and the password; the first line holds the check items, the indented line the reply items that carry the VLAN)
00247effffff	Auth-Type := EAP, Cleartext-Password := "00247effffff"
	Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = "v200"
SRX side settings¶
https://www.juniper.net/documentation/en_US/junos/topics/example/802-1x-pnac-ex-series-connecting-server-configuring.html
# RADIUS server. The shared secret must be identical to the one in clients.conf on the server
# (above it is "secret", here "public": one of the two has to change or every request is rejected)
set access radius-server 192.168.101.22 secret public
set access profile raspi-radius authentication-order radius
set access profile raspi-radius radius authentication-server 192.168.101.22
# Bind authentication with that profile to the interface (mac-radius restrict: MAC authentication only, no 802.1X supplicant)
set protocols dot1x authenticator interface fe-0/0/6.0 mac-radius restrict
set protocols dot1x authenticator authentication-profile-name raspi-radius
set protocols dot1x traceoptions flag all
set protocols dot1x traceoptions file _dot1x
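To see what the FreeRADIUS and SRX settings above actually exchange, the following added example models both ends of a MAC-RADIUS request in Python, written from RFC 2865 and RFC 2868; it is not code from these notes, from Juniper or from FreeRADIUS. It assumes the PAP-style request form (MAC as User-Name and as a hidden User-Password attribute) rather than the EAP-MD5 form, the SRX mgmt address 192.168.101.252 as NAS-IP-Address, and takes the MAC, VLAN name and shared secret from the page. It shows why the secret must match on both sides: with a mismatch the server recovers garbage instead of the MAC and rejects, and the SRX cannot validate the reply either.

```python
"""MAC-RADIUS exchange between the SRX (authenticator) and FreeRADIUS, modelled
from RFC 2865 / RFC 2868.  Added example; the users "file", NAS address and
PAP-style request form are assumptions, not the page's own configuration."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6

# Constructed users entry: MAC -> (cleartext password, VLAN to assign), as on the page.
USERS = {"00247effffff": ("00247effffff", "v200")}


def _attrs(pairs):
    """Encode (type, value) pairs as RADIUS TLVs: type, length incl. header, value."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in pairs)


def _parse_attrs(data):
    pairs, i = [], 0
    while i + 2 <= len(data):
        t, ln = data[i], data[i + 1]
        if ln < 2:                      # malformed length; stop rather than loop
            break
        pairs.append((t, data[i + 2:i + ln]))
        i += ln
    return pairs


def hide_password(secret, authenticator, password):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(secret, authenticator, hidden):
    """Inverse of hide_password; the previous *hidden* block feeds the next MD5."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(secret, mac, nas_ip, ident, authenticator=None):
    """SRX side: mac-radius sends the MAC as both User-Name and User-Password."""
    ra = authenticator or os.urandom(16)            # Request Authenticator
    attrs = _attrs([
        (USER_NAME, mac.encode()),
        (USER_PASSWORD, hide_password(secret, ra, mac.encode())),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs


def serve(secret, users, request):
    """FreeRADIUS side: recover the password, match the users entry, answer."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    ra = request[4:20]
    attrs = dict(_parse_attrs(request[20:length]))
    name = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(secret, ra, attrs.get(USER_PASSWORD, b""))
    entry = users.get(name)
    if entry is None or password != entry[0].encode():
        code, reply = ACCESS_REJECT, b""
    else:
        code = ACCESS_ACCEPT
        reply = _attrs([                            # RFC 2868 tunnel attributes, tag 0
            (TUNNEL_TYPE, b"\x00" + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
            (TUNNEL_MEDIUM_TYPE, b"\x00" + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")),
            (TUNNEL_PRIVATE_GROUP_ID, entry[1].encode()),   # untagged string form
        ])
    header = struct.pack("!BBH", code, ident, 20 + len(reply))
    # Response Authenticator binds the reply to this request and to the secret.
    resp_auth = hashlib.md5(header + ra + reply + secret).digest()
    return header + resp_auth + reply


def verify_reply(secret, request, reply):
    """SRX side: None for a reply with a bad authenticator, else (accepted, vlan)."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    ra = request[4:20]
    expected = hashlib.md5(reply[:4] + ra + reply[20:length] + secret).digest()
    if ident != request[1] or not hmac.compare_digest(expected, reply[4:20]):
        return None                                 # forged, replayed or wrong secret
    if code != ACCESS_ACCEPT:
        return (False, None)
    attrs = dict(_parse_attrs(reply[20:length]))
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if group and group[0] <= 0x1F:                  # strip an RFC 2868 tag byte if present
        group = group[1:]
    return (True, group.decode())


if __name__ == "__main__":
    secret = b"secret"
    req = build_access_request(secret, "00247effffff", "192.168.101.252", ident=1)
    print(verify_reply(secret, req, serve(secret, USERS, req)))   # (True, 'v200')
```

The VLAN comes back only as a Tunnel-Private-Group-ID string; the SRX maps it onto its own vlan name, which is the reason the reply can override whatever vlan members line is configured on the port.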
Checking authentication¶
show vlans
show dot1x interface
> fe-0/0/6.0 Authenticator Authenticated 00:24:7E:16:31:1E 00247e16311e
Caution¶
set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members v100
Even with this line present, the VLAN returned in the RADIUS reply overrides it, so be careful!