Hello,
My work has a need for a layer 2 firewall that can slip in between some vendor equipment that we're not to tamper with/reconfigure and the uplink. Hence, transparent mode. Downside is I'm not sure what traffic they need allowed yet, so I'll also have to observe (log) the policy rules ... and I'll add that later.
For now the problem I'm having is that I'd like to do in-band management of it instead of out-of-band management. First I think I have a config that I'm only slightly sure would actually make a transparent firewall work in transparent mode ... with out-of-band management. What I wanted to do was set up the two gigabit interfaces so that they are untrust and trust. ge-0/0/0 is my uplink and is the untrust zone. ge-0/0/1 is my trust zone. Then I put the out-of-band management on the first Fast Ethernet port (fe-0/0/2). What I don't like about it is I don't dare loop the network, and if people start plugging things in willy-nilly, I really really don't want anything to go wrong. So I'm trying to get in-band management to work and NOT use a third port to manage it.
Here is that first config -
system {
    host-name config4;
    time-zone GMT;
    root-authentication {
        encrypted-password "###########################";
    }
    name-server {
        8.8.8.8;
    }
    name-resolution {
        no-resolve-on-input;
    }
    services {
        ssh;
        telnet;
        web-management {
            http {
                /* irb.0 is the only L3 interface configured; it carries the management address */
                interface irb.0;
            }
            https {
                system-generated-certificate;
                interface irb.0;
            }
            session {
                idle-timeout 60;
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server us.ntp.pool.org;
    }
}
interfaces {
    /* uplink, bridged in VLAN 10 */
    ge-0/0/0 {
        unit 0 {
            family bridge {
                interface-mode access;
                vlan-id 10;
            }
        }
    }
    /* inside (vendor equipment), bridged in VLAN 10 */
    ge-0/0/1 {
        unit 0 {
            family bridge {
                interface-mode access;
                vlan-id 10;
            }
        }
    }
    /* out-of-band management port, bridged in its own VLAN 30 */
    fe-0/0/2 {
        unit 0 {
            family bridge {
                interface-mode access;
                vlan-id 30;
            }
        }
    }
    /* management address; attached to the mgmt bridge domain below */
    irb {
        unit 0 {
            family inet {
                address 172.22.100.10/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 172.22.100.1;
    }
}
security {
    flow {
        bridge {
            bpdu-vlan-flooding;
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy allow-any {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy allow-any {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        functional-zone management {
            interfaces {
                fe-0/0/2.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                            all;
                        }
                    }
                }
            }
        }
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
    }
}
bridge-domains {
    /* VLAN 10: the two gigabit ports, no L3 interface */
    transparent {
        domain-type bridge;
        vlan-id 10;
    }
    /* VLAN 30: the fe-0/0/2 port plus irb.0 for management */
    mgmt {
        domain-type bridge;
        vlan-id 30;
        routing-interface irb.0;
    }
}
Here's that second config -- this is the one where I DON'T use fe-0/0/2 as the out-of-band management port -- where I'm trying to do in-band management on either/both ge-0/0/0 and ge-0/0/1 -- do I have something obvious missing? I want to be able to ssh in from outside to the management IP 172.22.100.10 ... and the normal gateway on that subnet is at (for the sake of example) 172.22.100.1 -- the policy rules for now are wide open allow all both directions and no logging (yet).
system {
    host-name config5;
    time-zone GMT;
    root-authentication {
        encrypted-password "##################";
    }
    name-server {
        8.8.8.8;
    }
    name-resolution {
        no-resolve-on-input;
    }
    services {
        ssh;
        web-management {
            http {
                interface [ ge-0/0/1.0 ge-0/0/0.0 ];
            }
            https {
                system-generated-certificate;
                interface [ ge-0/0/1.0 ge-0/0/0.0 ];
            }
            session {
                idle-timeout 60;
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server us.ntp.pool.org;
    }
}
interfaces {
    /* uplink, bridged in VLAN 10 */
    ge-0/0/0 {
        unit 0 {
            family bridge {
                interface-mode access;
                vlan-id 10;
            }
        }
    }
    /* inside (vendor equipment), bridged in VLAN 10 */
    ge-0/0/1 {
        unit 0 {
            family bridge {
                interface-mode access;
                vlan-id 10;
            }
        }
    }
    /* in-band management address; reachable from the ports bridged in the domain that names irb.0 as routing-interface */
    irb {
        unit 0 {
            family inet {
                address 172.22.100.10/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 172.22.100.1;
    }
}
security {
    flow {
        bridge {
            bpdu-vlan-flooding;
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy allow-any {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy allow-any {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone untrust {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                            http;
                            https;
                            ssh;
                            /* "all" already covers every system service, including the ones listed above */
                            all;
                        }
                    }
                }
            }
        }
        security-zone trust {
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            http;
                            https;
                            ssh;
                            all;
                        }
                    }
                }
            }
        }
    }
}
bridge-domains {
    /* VLAN 10: both gigabit ports plus irb.0, so management rides in-band */
    transparent {
        domain-type bridge;
        vlan-id 10;
        routing-interface irb.0;
    }
}
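Added example, not part of the post above: a small Python script that parses a brace-style Junos config like the two shown and reports the three things that decide whether in-band management of the irb.0 address will work and what it exposes (which logical interfaces are bridged in the domain that names irb.0 as routing-interface, which interfaces web-management refers to that are not configured, and which host-inbound system-services each security zone accepts). It assumes a minimal hand-written parser, not Juniper's own tooling, and a constructed sample that trims the second config and mixes in the first config's `interface vlan.1` reference.

```python
import re
# Constructed sample: the poster's second config trimmed to what the audit reads, plus the first
# config's "interface vlan.1" reference so the missing-interface check has something to find.
SAMPLE = """
system { services { ssh; web-management { http { interface [ ge-0/0/1.0 ge-0/0/0.0 ]; } https { interface vlan.1; } } } }
interfaces { ge-0/0/0 { unit 0 { family bridge { vlan-id 10; } } } ge-0/0/1 { unit 0 { family bridge { vlan-id 10; } } }
  irb { unit 0 { family inet { address 172.22.100.10/24; } } } }
security { zones { security-zone untrust { interfaces { ge-0/0/0.0 { host-inbound-traffic { system-services { dhcp; ssh; all; } } } } }
  security-zone trust { interfaces { ge-0/0/1.0 { host-inbound-traffic { system-services { ssh; } } } } } } }
bridge-domains { transparent { domain-type bridge; vlan-id 10; routing-interface irb.0; } }
"""

def parse_junos(text):
    """Parse brace-style Junos config into nested dicts; leaf statements map to None."""
    tokens = re.findall(r'\{|\}|;|"[^"]*"|[^\s{};\[\]]+', text)  # [ ] list brackets are skipped
    top = node = {}
    stack, words = [], []
    for tok in tokens:
        if tok == '}':
            node = stack.pop()
        elif tok in ('{', ';'):
            key, words = ' '.join(words), []
            if tok == ';':
                node[key] = None
            else:
                stack.append(node)
                node = node.setdefault(key, {})
        else:
            words.append(tok)
    return top
def args(node, name):  # arguments of every leaf statement `name ...;` directly under node
    return [k.split()[1:] for k, v in node.items() if v is None and k.split()[:1] == [name]]
def audit(cfg):
    """Which interfaces can reach irb.0 in-band, and which zones accept management traffic."""
    vlan = {}  # logical interface -> bridged VLAN (None for the L3 irb unit)
    for name, d in cfg.get('interfaces', {}).items():
        for unit in (u for u in d if u.startswith('unit')):
            vlan[f'{name}.{unit.split()[1]}'] = next(iter(args(d[unit].get('family bridge', {}), 'vlan-id')), [None])[0]
    web = cfg.get('system', {}).get('services', {}).get('web-management', {})
    referenced = {w for p in ('http', 'https') for a in args(web.get(p, {}), 'interface') for w in a}
    # Only L2 interfaces bridged in the domain that carries irb.0 can reach the management IP.
    mgmt_vlans = {args(d, 'vlan-id')[0][0] for d in cfg.get('bridge-domains', {}).values() if ['irb.0'] in args(d, 'routing-interface')}
    exposure = {}  # zone -> host-inbound system-services on the zone itself or any of its interfaces
    for zname, z in cfg.get('security', {}).get('zones', {}).items():
        if zname.startswith('security-zone'):
            nodes = [z] + [i for i in z.get('interfaces', {}).values() if i is not None]
            exposure[zname.split()[1]] = sorted({s for nd in nodes for s in nd.get('host-inbound-traffic', {}).get('system-services', {})})
    return {'missing_web_ifaces': sorted(referenced - set(vlan)),
            'reach_irb': sorted(i for i, v in vlan.items() if v in mgmt_vlans),
            'zone_services': exposure}
```

A zone whose host-inbound services include `all` on the uplink port accepts every system service from the untrust side, so once management over irb.0 is confirmed working, trimming that list to the services actually needed (ssh, and https if the web UI is wanted) is the first thing to tighten.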