Ziggo Internet, Juniper Firewalls and DHCP

At home I currently have two ISPs delivering broadband. Well, broadband isn't the correct word, since one of them is a mere 256kbps (I think). The other is a 'whopping' 20Mbps.
The 20Mb connection is provided by XS4ALL, and the 256kbps one is free (if you have a phone subscription with Ziggo). The 256kbps is the minimum they provide to transport the phone calls, but if you're a masochist you can also browse the internet over that connection.

So, two ISPs at home. Combine that with a Juniper SRX firewall, and a dual-ISP setup is born. The theory of that setup is that I connect both ISPs to the firewall and use the 20Mb line as the default internet connection, but when that one dies, I automatically get switched to the backup line (256kbps).

The setup at home consists of a couple of HP switches to stretch the network. I configured a couple of VLANs to transport the different types of traffic through the house. The cable modem is connected to a VLAN which is transported through a dot1q tunnel to another switch, which connects to the firewall. So the cable modem has a layer 2 connection to the firewall interface.

So I started by configuring one of the interfaces on the SRX to behave as a DHCP client, and put it in a separate zone. After that I connected the Ziggo modem (Motorola SURFboard cable modem, SBV5120E) to that interface..... No IP address was received on the SRX... That's when the troubleshooting started:

  • Reset the modem (since it remembers the last known MAC address)
  • Plugged in a laptop to see if the modem still provided the public IP address, which actually worked. Even with the stretched VLAN over a couple of switches.

(note that I reset the modem in the following steps between every hardware switch, unless otherwise specified)

  • Plugged in the firewall. Still no IP address.
  • Configured a span/monitor port to see the (DHCP) traffic, and all looked good. The DHCP discover packets were transmitted, only nothing was received. I also saw lots of (public) ARP requests, so layer 2 was obviously in order.
  • Attached a 'fresh' laptop to the modem, and it got the public IP address.
  • Switched back to the SRX, and still no IP address.

This is where the frustration kicked in, since the interface to XS4ALL was also configured as a DHCP client, and that one worked.

The next option was to see what happens when I copied the MAC address from the laptop and all the relevant IP details to the firewall. Everything configured statically, no DHCP. This should work (in theory).

  • Reset the modem
  • Connect the laptop
  • Copy the MAC address and the IP details to the SRX

This worked. I was able to ping over that interface....

  • Reconfigured the interface as a DHCP client (kept the copied MAC address though)

This also worked. The interface received the same IP address as I had configured before. I double-checked this using the 'request system service DHCP client' command. So I finally got my public IP on the SRX interface, but there was still some testing to do. This method relied on ARP caching etc., since the actual link on the cable modem never went down (due to the switches in the network). What would happen if I power-cycled the modem? Would the cloned MAC address be sufficient to receive the IP address again?

Well, no. A power cycle (or reset) of the modem left me with an IP-less SRX. The only way to get this to work is to plug in the laptop (with the original MAC address), unplug it, and then connect the SRX port (with the cloned MAC address) to the modem.
Unfortunately, this is not really satisfactory. So the 'battle' continues.
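For reference, the two configuration states described above (first the static copy of the laptop's details, then the same cloned MAC with the interface back as a DHCP client) look like this in Junos set-style syntax. This is an added example, not the config from this post: the interface name fe-0/0/1, the zone name ziggo, the MAC address 00:11:22:33:44:55 and the 192.0.2.x addresses are all placeholders standing in for the real laptop MAC and lease details. The comment lines are explanatory and not part of the config. The syntax is the 2012-era (legacy) Junos DHCP client; newer releases use a `dhcp-client` stanza instead of `family inet dhcp`.

```junos
# Added example, not the author's configuration. Assumed names: fe-0/0/1,
# zone "ziggo", MAC 00:11:22:33:44:55, addresses from 192.0.2.0/24.

# Step 1: clone the laptop's MAC and statically configure the IP details it got.
# (192.0.2.10/24 is a placeholder for the public address the laptop received.)
set interfaces fe-0/0/1 mac 00:11:22:33:44:55
set interfaces fe-0/0/1 unit 0 family inet address 192.0.2.10/24

# The interface gets its own zone, separate from the XS4ALL untrust zone.
set security zones security-zone ziggo interfaces fe-0/0/1.0

# Step 2: keep the cloned MAC, but switch the unit back to a DHCP client.
# A unit cannot carry both a static address and "dhcp", so the address goes first.
delete interfaces fe-0/0/1 unit 0 family inet address 192.0.2.10/24
set interfaces fe-0/0/1 unit 0 family inet dhcp

# The zone must accept the DHCP offer/ack as host-inbound traffic,
# otherwise the client sends discovers but the answers are dropped by the SRX itself.
set security zones security-zone ziggo interfaces fe-0/0/1.0 host-inbound-traffic system-services dhcp
```

After committing step 2, the lease state can be checked with `show system services dhcp client fe-0/0/1.0` and `show interfaces fe-0/0/1 terse`, and a new discover can be forced with `request system services dhcp client renew fe-0/0/1.0` (or `release` followed by `renew`). When the discover goes out on the mirrored port but no offer ever comes back, as in the capture described above, the problem is upstream of the SRX; when the offer arrives but the interface still shows no address, check the zone's host-inbound-traffic setting first.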

Options I still have to try:

  • Install a broadband router between the SRX and the cable modem. I'd rather not do that, since I would have to deal with NAT in that setup. I WANT MY PUBLIC IP ON MY FIREWALL!!!
  • Or request a new modem/router from Ziggo, put it in bridge mode, and see if that works.

In the meantime I tried a 'new' SRX100 with the default config (fe-0/0/0 as DHCP client in the untrust zone), and that interface got the public IP immediately (w00t!!!), but a reboot of the device left me without an IP address. I even tried connecting the device directly to the modem, but still no go. Even after having it powered off for at least an hour. It must have something to do with the position of the moon, sun and stars, because I have no idea what the hell is going on here..... Note that a normal laptop gets an IP address every time....

 [I'll append more info later on]

Posted on August 9, 2012 and filed under Annoying, Hardware, Internet, Security, Tips'n Tricks.