
Re: Default Gateway not on the same subnet


Update!

It is working now.

Neither of us correctly guessed the screwed up config the ISP has set on their device that is handing off my ethernet circuit from the ONT.

I was figuring they would have the two 65.x addresses on their netvanta, and I would have the 207.x pool to do as I wish.

You had guessed that I would set my external IP to one of the 65.x addresses, AND I would get all the 207.x addresses.

Neither is the case.

Their Netvanta box has both 65.x addresses, AND the first usable IP in the 207.x pool.  

So I set my external IP to the next one down the line and my gateway to the first IP on the 207.x pool...and it worked. !?

Never seen THAT setup before and I have done quite a few of these installs with the /29 pool.

Thanks CenturyLink! Needless to say, I will be calling tomorrow to have a review of their provisioning of the netvanta box. Then I will get to rebuild the config all over again.

There are MANY things about this circuit which are way off. I am in Seattle, and the geotag shows someplace I have never heard of before, in Kansas. When I checked again, I was out of some place in TX. Still not Seattle, WA.

The upload is 960mb according to google fiber speedcheck (I used theirs because the CL one only goes to 20mb!)

The download is 260mb consistently over the last 2 hrs. I will be asking a tech to come out to determine the speed issue. Bypassing the SRX and running directly off the netvanta on a clean Windows install with no active AV, the speed test result is the same.

Here is my working config, for what it is worth:

## Last changed: 2016-09-18 01:16:41 GMT-8
# Junos release recorded when this config was saved; check it against the vendor's
# supported-release list and security advisories before reusing the config.
version 12.1X44.3;
# System stanza: device identity, local accounts, DNS, management services, logging, licensing and time.
system {
host-name FW;
time-zone GMT-8;
root-authentication {
# Value redacted by the poster. The real value is a password hash and should stay out of public posts.
encrypted-password "xxxxxx";
}
# Four resolvers are configured.
name-server {
205.171.3.65;
205.171.2.65;
208.67.222.222;
208.67.220.220;
}
name-resolution {
no-resolve-on-input;
}
login {
# Single local account (name redacted) with full super-user privileges.
user xxxxxx {
uid 2000;
class super-user;
authentication {
encrypted-password "xxxxxx";
}
}
}
# Management daemons enabled on the device. Which interfaces actually accept them is
# decided by host-inbound-traffic in the security zones (Internal only in this config).
services {
ssh;
# NOTE(review): telnet sends credentials in cleartext. ssh is already enabled, so this
# statement and the telnet entry under security-zone Internal can be removed.
telnet;
web-management {
# NOTE(review): plain-HTTP web management on ge-0/0/3.0 exposes the admin login in
# cleartext; the https stanza below already serves the same interface.
http {
interface ge-0/0/3.0;
}
https {
# Device-generated (self-signed) certificate: clients cannot validate it against a CA,
# so administrators should verify its fingerprint or replace it with an issued certificate.
system-generated-certificate;
interface ge-0/0/3.0;
}
session {
# Idle web-management sessions are closed after this timeout (presumably minutes - confirm for this release).
idle-timeout 60;
}
}
}
syslog {
# Emergency-level messages from any facility go to every logged-in user's terminal.
user * {
any emergency;
}
# Local file "messages": critical and above from any facility, plus authorization events at info and above.
file messages {
any critical;
authorization info;
}
# NOTE(review): only error-level interactive-commands events are recorded here. Logging this
# facility at "any" is the usual choice when an audit trail of CLI commands is wanted.
# No remote syslog host appears in this stanza, so as shown the logs exist only on the device.
file interactive-commands {
interactive-commands error;
}
}
# Keep at most 5 configuration versions on flash and 5 rollback points.
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
ntp {
# NOTE(review): "us.ntp.pool.org" looks like a transposition of the public pool name
# us.pool.ntp.org - confirm that it resolves and syncs. An unsynchronised clock makes
# log timestamps unreliable for incident correlation.
server us.ntp.pool.org;
}
}
# Interface addressing: ge-0/0/0 is the ISP-facing port, ge-0/0/3 is the LAN port.
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
# Second usable address of 207.108.206.248/29. Per the post, the first usable address
# (207.108.206.249) sits on the ISP's hand-off device and serves as the gateway.
address 207.108.206.250/29;
}
}
}
ge-0/0/3 {
unit 0 {
family inet {
# LAN gateway address. Web management is bound to this interface in the system stanza.
address 192.168.160.1/24;
}
}
}
}
# Static routing toward the ISP.
routing-options {
static {
# NOTE(review): 207.108.206.248/29 is already directly connected on ge-0/0/0, and the next hop
# 65.153.72.74 is not on any subnet configured in this file - this looks like a leftover from
# earlier attempts. Confirm it is unused, then remove it so the forwarding path stays predictable.
route 207.108.206.248/29 next-hop 65.153.72.74;
route 0.0.0.0/0 {
# Two candidate next hops. Per the post, 207.108.206.249 is the gateway that actually worked.
# "resolve" lets a next hop that is not directly connected be resolved through other routes.
# NOTE(review): 65.153.72.74 is presumably another leftover - verify and prune.
next-hop [ 65.153.72.74 207.108.206.249 ];
resolve;
}
}
}
# Security stanza: screens (packet sanity checks), NAT, inter-zone policies and zone definitions.
security {
screen {
# NOTE(review): untrust-screen is defined here, but no "screen untrust-screen;" statement appears
# under security-zone Internet below, so as shown these checks are not applied to any zone.
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
# Outbound traffic from Internal to Internet is translated to the egress interface address.
rule-set nsw_srcnat {
from zone Internal;
to zone Internet;
rule nsw-src-interface {
match {
source-address 0.0.0.0/0;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
destination {
# One pool per published port. Every pool targets the same internal host, 192.168.160.9.
pool 192_168_160_9_443 {
address 192.168.160.9/32 port 443;
}
pool 192_168_160_9_80 {
address 192.168.160.9/32 port 80;
}
pool 192_168_160_9_143 {
address 192.168.160.9/32 port 143;
}
pool 192_168_160_9_110 {
address 192.168.160.9/32 port 110;
}
pool 192_168_160_9_25 {
address 192.168.160.9/32 port 25;
}
# Inbound port forwards: traffic from any source to 207.108.206.250 on the listed port
# is redirected to the matching pool above.
rule-set nsw_destnat {
from zone Internet;
rule 0_Web_Server--Internal_443 {
match {
source-address 0.0.0.0/0;
destination-address 207.108.206.250/32;
destination-port 443;
}
then {
destination-nat pool 192_168_160_9_443;
}
}
rule 0_Web_Server--Internal_80 {
match {
source-address 0.0.0.0/0;
destination-address 207.108.206.250/32;
destination-port 80;
}
then {
destination-nat pool 192_168_160_9_80;
}
}
# NOTE(review): ports 143 (IMAP) and 110 (POP3) are published to the whole Internet. Unless the
# mail server enforces STARTTLS, logins on these ports cross the Internet in cleartext - confirm
# on the server, or publish only the TLS variants.
rule 1_Mail_Server--Internal_143 {
match {
source-address 0.0.0.0/0;
destination-address 207.108.206.250/32;
destination-port 143;
}
then {
destination-nat pool 192_168_160_9_143;
}
}
rule 1_Mail_Server--Internal_110 {
match {
source-address 0.0.0.0/0;
destination-address 207.108.206.250/32;
destination-port 110;
}
then {
destination-nat pool 192_168_160_9_110;
}
}
rule 1_Mail_Server--Internal_25 {
match {
source-address 0.0.0.0/0;
destination-address 207.108.206.250/32;
destination-port 25;
}
then {
destination-nat pool 192_168_160_9_25;
}
}
}
}
}
policies {
# Inbound policies. Both match destination-address any.
# NOTE(review): an address-book entry for 192.168.160.9 as the destination would restrict these
# permits to the one published server (least privilege). Neither policy has a log action, so
# permitted inbound sessions are not recorded.
from-zone Internet to-zone Internal {
policy Web_Server_Internet_Internal {
match {
source-address any;
destination-address any;
application [ junos-http junos-https ];
}
then {
permit;
}
}
policy Mail_Server_Internet_Internal {
match {
source-address any;
destination-address any;
application [ junos-smtp junos-imap junos-pop3 ];
}
then {
permit;
}
}
}
# Outbound policy: any Internal source to any destination on any application, with no log action.
# NOTE(review): session logging or egress restrictions here would help detect and contain a
# compromised internal host.
from-zone Internal to-zone Internet {
policy All_Internal_Internet {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone Internal {
interfaces {
ge-0/0/3.0 {
# Services the firewall itself accepts on the LAN interface.
# NOTE(review): http and telnet are cleartext management protocols; https and ssh are already
# allowed here, so the cleartext entries can be dropped.
host-inbound-traffic {
system-services {
ping;
http;
https;
ssh;
telnet;
}
}
}
}
}
security-zone Internet {
interfaces {
ge-0/0/0.0 {
# Only ping to the firewall itself is accepted from the Internet side; no management service
# is listed for this zone.
host-inbound-traffic {
system-services {
ping;
}
}
}
}
}
}
}

