This article describes how to configure a PPPoE WAN interface (pp0) as an unnumbered interface.
Configuration:
In this scenario the pp0 interface needs to be unnumbered, so 'set interfaces pp0 unit 0 family inet' is configured without an address.
set interfaces ge-0/0/0 unit 0 encapsulation ppp-over-ether
set interfaces ge-0/0/1 unit 0 family inet address 100.1.0.1/29
set interfaces pp0 unit 0 ppp-options chap default-chap-secret abcd
set interfaces pp0 unit 0 ppp-options chap local-name "abcd@juniper.net"
set interfaces pp0 unit 0 ppp-options chap passive
set interfaces pp0 unit 0 pppoe-options underlying-interface ge-0/0/0.0
set interfaces pp0 unit 0 pppoe-options auto-reconnect 10
set interfaces pp0 unit 0 pppoe-options client
set interfaces pp0 unit 0 family inet
set routing-options static route 0.0.0.0/0 next-hop pp0.0
set security policies from-zone trust to-zone untrust policy tr-un match source-address any
set security policies from-zone trust to-zone untrust policy tr-un match destination-address any
set security policies from-zone trust to-zone untrust policy tr-un match application any
set security policies from-zone trust to-zone untrust policy tr-un then permit
set security policies from-zone untrust to-zone trust policy un-tr match source-address any
set security policies from-zone untrust to-zone trust policy un-tr match destination-address any
set security policies from-zone untrust to-zone trust policy un-tr match application any
set security policies from-zone untrust to-zone trust policy un-tr then permit
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces pp0.0 host-inbound-traffic system-services all
Verification:
root@SRX> show interfaces pp0 terse
interface               Admin Link Proto    Local                 Remote
pp0                     up    up
pp0.0                   up    up   inet     <-- pp0.0 link is up and no IP address is displayed.

root@SRX> show route
inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:08:47
                    > via pp0.0
100.1.0.0/29       *[Direct/0] 00:11:29
                    > via ge-0/0/1.0
100.1.0.1/32       *[Local/0] 00:17:41
                      Local via ge-0/0/1.0

root@SRX> show ppp interface pp0 extensive
Sessions for interface pp0
  Session pp0.0, Type: PPP, Phase: Network
    LCP
      State: Opened
      Last started: 2016-02-05 10:09:57 UTC
      Last completed: 2016-02-05 10:09:57 UTC
      Negotiated options:
        Authentication protocol: CHAP, Authentication algorithm: MD5,
        Magic number: 1454334805, Local MRU: 1492
    Authentication: CHAP
      State: Success
      Last completed: 2016-02-05 10:09:57 UTC
    IPCP
      State: Opened
      Last started: 2016-02-05 10:12:25 UTC
      Last completed: 2016-02-05 10:12:28 UTC
      Negotiated options:
        Primary DNS: 0.0.0.0, Secondary DNS: 0.0.0.0
Note:
The source address of self-originated packets sent from the pp0 interface (such as license updates, signature updates, etc.) will be 100.1.0.1 in the above scenario. However, if the SRX has more than two interfaces in the same routing instance, self-originated packets might not have the expected source address. The following NAT configuration will solve the source address issue.
set security nat source pool selfpacket address 100.1.0.1/32 <-- The address should be the same as the trust interface address.
set security nat source rule-set selfnat from zone junos-host <-- Predefined zone for self-originated packets.
set security nat source rule-set selfnat to zone untrust
set security nat source rule-set selfnat rule 1 match source-address 0.0.0.0/0
set security nat source rule-set selfnat rule 1 then source-nat pool selfpacket
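The two rules this configuration depends on (pp0.0 has family inet but no address, and the selfpacket pool is the /32 of the trust interface address) can be checked offline against a saved set-format configuration. The following Python check is an added example, not Juniper code; the function name audit, its parameters and the sample text are assumptions, and its third check (system-services all on the WAN unit) is a hardening check that goes beyond what this article covers.

```python
import ipaddress
import re

# Constructed sample: a subset of the set commands shown in this article.
SAMPLE = """\
set interfaces ge-0/0/1 unit 0 family inet address 100.1.0.1/29
set interfaces pp0 unit 0 pppoe-options underlying-interface ge-0/0/0.0
set interfaces pp0 unit 0 family inet
set security zones security-zone untrust interfaces pp0.0 host-inbound-traffic system-services all
set security nat source pool selfpacket address 100.1.0.1/32 <-- same as trust interface
set security nat source rule-set selfnat from zone junos-host
set security nat source rule-set selfnat to zone untrust
set security nat source rule-set selfnat rule 1 then source-nat pool selfpacket
"""

def audit(config, wan="pp0", unit="0", lan="ge-0/0/1", pool="selfpacket"):
    """Return findings for the unnumbered PPPoE setup; an empty list means none."""
    # Drop "<--" annotations and keep only set commands.
    lines = [re.sub(r"\s*<--.*$", "", raw).strip() for raw in config.splitlines()]
    lines = [line for line in lines if line.startswith("set ")]
    findings = []

    # 1. The WAN unit needs family inet but must not carry an address.
    inet = f"set interfaces {wan} unit {unit} family inet"
    if inet not in lines:
        findings.append(f"{wan}.{unit}: family inet is not configured")
    if any(line.startswith(inet + " address ") for line in lines):
        findings.append(f"{wan}.{unit}: has an address, so it is not unnumbered")

    # 2. If the self-traffic NAT pool exists, it must be the /32 of a LAN address.
    lan_re = re.compile(rf"set interfaces {re.escape(lan)} unit \d+ family inet address (\S+)")
    lan_ips = {ipaddress.ip_interface(m.group(1)).ip
               for line in lines if (m := lan_re.fullmatch(line))}
    pool_re = re.compile(rf"set security nat source pool {re.escape(pool)} address (\S+)")
    for line in lines:
        if m := pool_re.fullmatch(line):
            net = ipaddress.ip_network(m.group(1), strict=False)
            if net.prefixlen != 32 or net.network_address not in lan_ips:
                findings.append(f"NAT pool {pool}: {net} is not the /32 of a {lan} address")

    # 3. Added hardening check (not from the article): WAN accepts every service.
    if any(line.endswith(f"interfaces {wan}.{unit} host-inbound-traffic system-services all")
           for line in lines):
        findings.append(f"{wan}.{unit}: all system services are accepted on the WAN interface")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Pass the output of show configuration | display set as the config argument; the interface and pool names default to the ones used in this article.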
2020-06-22: Removed unnecessary configuration 'set security nat proxy-arp interface pp0.0 address 100.1.0.1/32' from the Note.