
Purchase price – 470 NZD (7/2023)
This is my first hardware router/firewall.
How I got it was rather unusual. While browsing TradeMe I came across a shop that specialises in corporate liquidations and periodically auctions off the assets of bankrupt companies; everything starts at $0 and sells for whatever the bidding reaches.
Skyrarc
https://www.trademe.co.nz/a/search?member_listing=326563
The pickup location varies, so check first whether it is near you; so far I have seen Christchurch, Dunedin, Timaru and Nelson.
Besides this firewall I have also bought an HP server and a rattan chair from them, all very good value.
This firewall runs Juniper's own OS, Junos (which is actually a kind of Unix).
Honestly the learning curve is extremely steep; it took me a very long time just to get it online (really just online). It has a lot of features, but some of them are DLC that has to be bought separately (the Next Generation Firewall part).
The setup for Voyager Internet fibre in New Zealand is as follows (you first have to ask them to remove VLAN 10):
1. Use the 1000M RJ45 port in the top-left corner for the uplink (ge-7/0/0)
Inside interfaces { }:
ge-7/0/0 {
    description pppoe;
    mtu 1492;
    link-mode full-duplex;
    ether-options {
        auto-negotiation;
    }
    gigether-options {
        no-loopback;
        auto-negotiation;
    }
    unit 0 {
        encapsulation ppp-over-ether;
    }
}
2. Configure pp0. This is mainly where you enter the account details ("戶口名" is the account name and "密碼" the password in the snippet below) and bind it to the ge-7/0/0 configured above
Inside interfaces { }:
pp0 {
    unit 0 {
        apply-macro "Startup_Connection;";
        ppp-options {
            chap {
                default-chap-secret "密碼"; ## SECRET-DATA
                local-name "戶口名";
                passive;
            }
            pap {
                local-name "戶口名";
                local-password "密碼"; ## SECRET-DATA
                passive;
            }
        }
        pppoe-options {
            underlying-interface ge-7/0/0.0;
            idle-timeout 0;
            auto-reconnect 10;
            client;
        }
        family inet {
            mtu 1492;
            primary;
            negotiate-address;
        }
    }
}
3. Since this is the first hop towards the outside, it also acts as the DHCP server
Example
– SRX1500 IP 192.168.1.1
– DHCP IP pool 192.168.1.100-253 (192.168.1.2-99 reserved for static IPs)
– DNS 1.1.1.1 (Cloudflare) / 8.8.8.8 (Google)
The access { } block:
access {
    address-assignment {
        pool home {
            family inet {
                network 192.168.1.0/24;
                range home {
                    low 192.168.1.100;
                    high 192.168.1.253;
                }
                dhcp-attributes {
                    name-server {
                        1.1.1.1;
                        8.8.8.8;
                    }
                    router {
                        192.168.1.1;
                    }
                }
            }
        }
    }
}
Inside system { services { } }:
dhcp {
    router {
        192.168.1.1;
    }
    pool 192.168.1.0/24 {
        address-range low 192.168.1.100 high 192.168.1.253;
    }
}
4. Static routing: everything goes to pp0.0
At the top level:
routing-options {
    static {
        route 0.0.0.0/0 next-hop pp0.0;
    }
}
5. Finally the security zones and policies; only once these are set up can you actually get online
The flow TCP MSS also needs to be adjusted
Example
– Hosts in the LAN can go out unhindered
– Deny all connections from the WAN into the LAN
– Respond to ICMP ping
– The LAN interface is xe-7/0/16.0 (the top-left one of the four 10G SFP+ ports)
Inside security { }:
flow {
    tcp-mss {
        all-tcp {
            mss 1350;
        }
    }
}
policies {
    from-zone trust to-zone untrust {
        policy default-permit {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
}
zones {
    security-zone trust {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            xe-7/0/16.0 {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
            }
            ge-7/0/10.0 {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
            }
        }
    }
    security-zone untrust {
        host-inbound-traffic {
            system-services {
                ping;
            }
        }
        interfaces {
            pp0.0;
            ge-7/0/0.0;
        }
        application-tracking;
    }
}
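As an added sanity check (my own script, not part of the post and not a Juniper tool), the following Python parses the Junos brace syntax above into nested dicts and verifies the invariants steps 3 to 5 rely on: the DHCP range sits inside the pool subnet and leaves .2-.99 for static hosts, the TCP MSS fits inside the PPPoE MTU, the untrust zone accepts nothing but ping from the WAN side, and the default route points at pp0.0. The sample config is a constructed excerpt of the snippets in this post with the secrets left out.

```python
import ipaddress
import re
# Constructed sample: the statements from this post's SRX1500 config that the checks need.
SAMPLE = """
interfaces { ge-7/0/0 { mtu 1492; unit 0 { encapsulation ppp-over-ether; } } }
access { address-assignment { pool home { family inet { network 192.168.1.0/24;
    range home { low 192.168.1.100; high 192.168.1.253; } } } } }
routing-options { static { route 0.0.0.0/0 next-hop pp0.0; } }
security { flow { tcp-mss { all-tcp { mss 1350; } } }
    zones { security-zone untrust { host-inbound-traffic { system-services { ping; } } } } }
"""

def parse_junos(text):
    """Turn Junos curly-brace text into nested dicts; a leaf 'k v1 v2;' becomes k -> [v1, v2]."""
    text = re.sub(r"##.*", "", text)  # drop '## SECRET-DATA' annotations
    tokens = re.findall(r'"[^"]*"|\{|\}|;|[^\s{};]+', text)
    node = root = {}
    stack, buf = [], []
    for tok in tokens:
        if tok == "{":  # container keyed by its header words, e.g. 'security-zone untrust'
            stack.append(node)
            node = node.setdefault(" ".join(buf), {})
            buf = []
        elif tok == "}":
            node = stack.pop()
        elif tok == ";":  # leaf statement
            node[buf[0]] = buf[1:]
            buf = []
        else:
            buf.append(tok)
    return root

def check_config(cfg, static_top="192.168.1.99"):
    """Invariants this home setup relies on -> {check_name: passed}."""
    pool = cfg["access"]["address-assignment"]["pool home"]["family inet"]
    net = ipaddress.ip_network(pool["network"][0])
    low = ipaddress.ip_address(pool["range home"]["low"][0])
    high = ipaddress.ip_address(pool["range home"]["high"][0])
    mtu = int(cfg["interfaces"]["ge-7/0/0"]["mtu"][0])
    mss = int(cfg["security"]["flow"]["tcp-mss"]["all-tcp"]["mss"][0])
    wan_svc = cfg["security"]["zones"]["security-zone untrust"]["host-inbound-traffic"]["system-services"]
    route = cfg["routing-options"]["static"]["route"]
    return {
        "dhcp_range_in_subnet": low in net and high in net and low <= high,
        "static_block_untouched": low > ipaddress.ip_address(static_top),  # .2-.99 stay free
        "mss_fits_mtu": mss <= mtu - 40,  # 40 bytes of IPv4 + TCP headers inside the PPPoE MTU
        "untrust_only_ping": set(wan_svc) == {"ping"},  # WAN may reach the box only with ping
        "default_via_pp0": route[0] == "0.0.0.0/0" and route[-1] == "pp0.0",
    }
```

Run it against the output of `show configuration | display set`-free text (the normal brace form from `show configuration`) pasted into SAMPLE to re-check after every change.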
Once all of that is configured you should be able to get online. The above is the result of two months of being tormented by this box and endlessly searching for answers online.

