How to Configure a Juniper SRX Firewall on a Telekom VDSL Connection with a VDSL Modem
Configuring a Juniper SRX firewall on a Telekom VDSL connection with a VDSL modem might seem daunting, but it’s easier than it looks. Here’s a detailed guide on the necessary steps to get it functioning.
Equipment and Documents at Hand:
- Telekom Speedport Smart 3
- Juniper SRX300 without expansion cards
- VDSL internet connection with 100 MBit/s download and 40 MBit/s upload
- Telekom VDSL access credentials
Important to Know:
- Telekom carries VDSL data traffic on a tagged VLAN.
- VLAN ID: 7
- Authentication method: CHAP
- X unsuccessful authentication attempts result in a temporary suspension of DSL access.
Important Before You Begin:
Make sure to back up the configuration in case you need to revert to the original state later.
Step 1: Prepare the Router/Modem
I purchased the Telekom Speedport Smart 3 to use it as a modem. Here’s how to prepare it via the web interface:
- Log in to the device's web interface at its configured IP address.
- Go to Settings, then DSL Modem.
- Save the existing configuration by clicking Configuration Backup.
- Switch the operating mode so that the Speedport acts as a DSL modem.
Refer to the device’s manual for detailed instructions. Here’s a link to Telekom’s help page [external link]: Manual
Connect a notebook or computer to LAN 1, LAN 2, or LAN 3 to view the modem's status information: assign the computer a static IP address and open 169.254.2.1 in the browser.
Connect the Juniper SRX to LAN 4.
Step 2: Assemble the Access Credentials
We Need:
- Telekom access credentials
- Any Ethernet interface
- SSH access to the firewall
For a residential connection, the authentication name entered under ppp-options chap local-name is built by concatenating three values from your Telekom access credentials:
- The Connection Identifier consists of 12 digits starting with two or three zeros, e.g., 0034 1234 1234
- The Access Number consists of 12 digits, e.g., 5678 5678 5678
- The Shared User Number consists of 4 digits, e.g., 0001
Concatenate them, without spaces, as follows:
Connection Identifier + Access Number + Shared User Number + @t-online.de
Example:
0034123412345678567856780001@t-online.de
Then, enter your personal password under ppp-options chap default-chap-secret. Junos stores it in its reversible $9$ format and marks it ## SECRET-DATA in show output, so treat configuration dumps as sensitive.
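As an added example (not part of the original guide), a small Python helper that builds the local-name from the three credential parts and validates their format before anything is committed to the firewall, since a mistyped login is the page's main failure mode and repeated failed CHAP attempts suspend DSL access; the function and rule names are my own.

```python
import re

# Rules from the guide: a 12-digit connection identifier that starts with two or
# three zeros, a 12-digit access number and a 4-digit shared user number.
_RULES = (
    ("connection identifier", re.compile(r"00\d{10}")),
    ("access number", re.compile(r"\d{12}")),
    ("shared user number", re.compile(r"\d{4}")),
)
REALM = "@t-online.de"


def build_local_name(connection_id: str, access_number: str, shared_user: str) -> str:
    """Return the CHAP local-name for a Telekom residential VDSL login.

    Whitespace such as the grouping printed on the credential letter
    ("0034 1234 1234") is removed first. Each part is then checked for its
    expected length and digit content, so a malformed value is rejected on the
    workstation instead of being tried against Telekom, where repeated failed
    CHAP attempts lead to a temporary suspension of DSL access.
    """
    parts = [re.sub(r"\s+", "", p) for p in (connection_id, access_number, shared_user)]
    for (label, pattern), value in zip(_RULES, parts):
        if not pattern.fullmatch(value):
            raise ValueError(f"{label} has the wrong format: {value!r}")
    return "".join(parts) + REALM


def local_name_set_command(connection_id: str, access_number: str, shared_user: str) -> str:
    """Render the Junos set command for pp0 unit 0 carrying the built local-name."""
    name = build_local_name(connection_id, access_number, shared_user)
    return f'set interfaces pp0 unit 0 ppp-options chap local-name "{name}"'
```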
Once you have all the data and preparations, execute the following commands in sequence.
Step 3: Configure SRX
Switch to configuration mode with edit and adapt the set commands listed below to your environment. Check syntax and logic with commit check, preview the pending changes with show | compare to make sure they are consistent, and once confirmed, finalize with commit and-quit.
The set commands look like this:
set interfaces ge-0/0/0 vlan-tagging
set interfaces ge-0/0/0 unit 0 encapsulation ppp-over-ether
set interfaces ge-0/0/0 unit 0 vlan-id 7
set interfaces pp0 unit 0 ppp-options chap default-chap-secret "$9$P569O1Rcrhjjhjh767zF6p0"
set interfaces pp0 unit 0 ppp-options chap local-name "0012345678905501234567890001@t-online.de"
set interfaces pp0 unit 0 ppp-options chap passive
set interfaces pp0 unit 0 pppoe-options underlying-interface ge-0/0/0.0
set interfaces pp0 unit 0 pppoe-options idle-timeout 0
set interfaces pp0 unit 0 pppoe-options auto-reconnect 120
set interfaces pp0 unit 0 pppoe-options client
set interfaces pp0 unit 0 family inet mtu 1492
set interfaces pp0 unit 0 family inet negotiate-address
set routing-options static route 0.0.0.0/0 next-hop pp0.0
set routing-options static route 0.0.0.0/0 preference 1
set routing-options router-id 192.168.1.1
set security flow tcp-mss all-tcp mss 1452
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces pp0.0
Before committing, show | compare displays the pending changes in curly-bracket form. The resulting configuration should look similar to this:
interfaces {
    ge-0/0/0 {
        vlan-tagging;                      # enable VLAN tagging on this interface
        unit 0 {
            encapsulation ppp-over-ether;  # set the logical link-layer encapsulation to PPPoE
            vlan-id 7;                     # set the VLAN tag to ID 7
        }
    }
    pp0 {
        unit 0 {
            ppp-options {
                chap {                     # set the authentication method, including password and login name
                    default-chap-secret "$9$P569O1Rcrhjjhjh767zF6p0"; ## SECRET-DATA
                    local-name "0012345678905501234567890001@t-online.de";
                    passive;
                }
            }
            pppoe-options {
                underlying-interface ge-0/0/0.0;
                idle-timeout 0;            # 0 means the connection is kept up permanently
                auto-reconnect 120;
                client;
            }
            family inet {
                mtu 1492;
                negotiate-address;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 {
            next-hop pp0.0;
            preference 1;
        }
    }
    router-id 192.168.1.1;
}
security {
    flow {
        tcp-mss {
            all-tcp {
                mss 1452;
            }
        }
    }
    zones {
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    ike;
                    ping;
                }
            }
            interfaces {
                pp0.0;
            }
        }
    }
}
Step 4: Check Connection Establishment
Finally, verify if the connection is established.
Use the following command with brief to display a summary of the PPPoE interface statistics:
show pppoe interfaces brief pp0.0
Output:
meow@fwgt> show pppoe interfaces brief pp0.0
Interface  Underlying   State        Session  Remote
           interface                 ID       MAC
pp0.0      ge-0/0/0.0   Session up   69       dc:f3:02:48:10:09
Using this command with extensive allows you to view detailed statistics of the PPPoE interface. This enables you to identify at which step the session creation failed.
show pppoe interfaces extensive pp0.0
Output:
meow@fwgt> show pppoe interfaces extensive pp0.0
pp0.0  Index 69
  State: Session up, Session ID: 69,
  Service name: None,
  Session AC name: FFMu10, Configured AC name: None,
  Remote MAC address: dc:f3:02:48:10:09,
  Session uptime: 2d 06:49 ago,
  Auto-reconnect timeout: 120 seconds, Idle timeout: Never,
  Underlying interface: ge-0/0/0.0  Index 69
    PacketType           Sent   Received
    PADI                   17          0
    PADO                    0          3
    PADR                    3          0
    PADS                    0          3
    PADT                    1          0
    Service name error      0          0
    AC system error         0          0
    Generic error           0          0
    Malformed packets       0          0
    Unknown packets         0          0
    Timeout
    PADI                    2
    PADO                    0
    PADR                    0
    Receive Error Counters
    PADI                    0
    PADO                    0
    PADR                    0
    PADS                    0
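As an added example (not from the original post), a small Python parser for the extensive output above that extracts the session state and the PADx sent/received counters and reports at which PPPoE discovery stage a failed session stalled. The sample text is constructed in the shape of that output, and the diagnosis strings are my own mapping of the counters to the checks the guide mentions.

```python
import re

# Constructed sample in the shape of the 'show pppoe interfaces extensive'
# output above, trimmed to the lines the parser needs (session is up).
SAMPLE_UP = """\
pp0.0  Index 69
  State: Session up, Session ID: 69,
  Underlying interface: ge-0/0/0.0  Index 69
    PacketType           Sent   Received
    PADI                   17          0
    PADO                    0          3
    PADR                    3          0
    PADS                    0          3
"""

_STATE_RE = re.compile(r"State:\s*([^,]+)")
# Only the two-column discovery rows; the single-column Timeout rows don't match.
_PAD_RE = re.compile(r"^\s*(PAD[IORST])\s+(\d+)\s+(\d+)\s*$")


def parse_pppoe_extensive(text: str) -> dict:
    """Return the PPPoE session state and the PADx (sent, received) counters."""
    info = {"state": None, "counters": {}}
    for line in text.splitlines():
        m = _STATE_RE.search(line)
        if m:
            info["state"] = m.group(1).strip()
        m = _PAD_RE.match(line)
        if m:
            info["counters"][m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return info


def diagnose(info: dict) -> str:
    """Map the discovery counters to the stage at which session setup stalled."""
    if info["state"] == "Session up":
        return "up"
    counters = info["counters"]
    padi_sent = counters.get("PADI", (0, 0))[0]
    pado_recv = counters.get("PADO", (0, 0))[1]
    pads_recv = counters.get("PADS", (0, 0))[1]
    if padi_sent and not pado_recv:
        return "no PADO: no access concentrator answered; check VLAN 7 tagging, modem mode and cabling"
    if pado_recv and not pads_recv:
        return "PADO but no PADS: discovery stalled after PADR; check service name / AC name"
    if pads_recv:
        return "discovery completed but session not up: verify the CHAP local-name and secret"
    return "no PADI sent: check the underlying interface and that pp0.0 is up"
```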
Summary
With all the data and components at hand, the entire configuration takes 10-20 minutes. The only point where something can go significantly wrong, in my opinion, is the CHAP authentication. If an incorrect username or password is entered, it can lead to delays or temporary disconnection. I will reach out to Telekom for more information on this.
I find the configuration pretty straightforward and it has enhanced my understanding of PPPoE connection setup. As such, I’ll list all my sources and research links below.
Sources/Research
https://www.juniper.net/documentation/en_US/junos/topics/example/pppoe-security-interface-configuring.html
https://kb.juniper.net/InfoCenter/index?page=content&id=KB15736&actp=METADATA
https://forums.juniper.net/t5/SRX-Services-Gateway/Setting-up-PPPoE-with-username-and-password/td-p/307233
https://telekomhilft.telekom.de/t5/Geraete-Zubehoer/Juniper-SRX110-VDSL-settings/td-p/1588724