I am new to Juniper products, so this may be a silly question, but I could not find any answer on the Internet...
In general, my lab environment is simple: a Trusted zone with DHCP enabled and an Untrusted zone with dual WAN IPs. My goal is to let the Trusted zone access the Internet.
My PC gets its IP address from the SRX DHCP server (the full configuration can be found at the end of this post):
Configuration on my PC
DHCP Enabled: Yes
IPv4 Address: 192.168.1.2
IPv4 Subnet Mask: 255.255.255.0
IPv4 Default Gateway: 192.168.1.1
IPv4 DHCP Server: 192.168.1.1
IPv4 DNS Server: 192.168.1.1
Test results with the above settings
C:\Users\user>nslookup
Default Server: UnKnown
Address: 192.168.1.1
> google.com
Server: UnKnown
Address: 192.168.1.1
*** UnKnown can't find google.com: No response from server
C:\Users\user>ping 8.8.4.4
Pinging 8.8.4.4 with 32 bytes of data:
Reply from 8.8.4.4: bytes=32 time=4ms TTL=52
Reply from 8.8.4.4: bytes=32 time=4ms TTL=52
Reply from 8.8.4.4: bytes=32 time=4ms TTL=52
Ping statistics for 8.8.4.4:
Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 4ms, Maximum = 4ms, Average = 4ms
Control-C
^C
C:\Users\user>ping google.com
Ping request could not find host google.com. Please check the name and try again.
Based on the observed results, my PC has Internet connectivity but cannot look up DNS records. However, I configured DNS name servers on the SRX, and when I connect to it with PuTTY I find that it can look up DNS records itself:
telnet@SRX-A> traceroute google.com.hk inet
traceroute to google.com.hk (216.58.221.227), 30 hops max, 40 byte packets
1 123-123-123-254.static.hk.net (123.123.123.254) 8.488 ms 9.140 ms 9.889 ms
2 yckfb001.netvigator.com (203.198.7.179) 10.088 ms 9.899 ms 9.494 ms
3 n219076107190.netvigator.com (219.76.107.190) 9.552 ms 9.673 ms 9.445 ms
4 218.102.21.53 (218.102.21.53) 9.748 ms 9.872 ms 9.520 ms
5 wtsc3a054.netvigator.com (218.102.40.54) 10.259 ms 10.171 ms 9.045 ms
6 tenge8-1.br01.hkg15.pccwbtn.net (63.218.211.97) 20.303 ms 19.483 ms 19.979 ms
7 72.14.219.25 (72.14.219.25) 9.527 ms 20.102 ms 9.284 ms
8 209.85.241.56 (209.85.241.56) 20.241 ms 19.139 ms 9.785 ms
9 209.85.240.205 (209.85.240.205) 19.789 ms 9.647 ms 9.777 ms
10 hkg07s21-in-f227.1e100.net (216.58.221.227) 19.827 ms 19.441 ms 9.783 ms
Here is the full configuration file:
## Last changed: 2015-11-11 15:38:50 UTC
version 12.1X44-D35.5;
groups {
    node0 {
        system {
            host-name SRX-A;
            backup-router 10.3.5.254 destination 192.168.1.0/24;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.3.5.1/24;
                    }
                }
            }
        }
    }
    node1 {
        system {
            host-name SRX-B;
            backup-router 10.3.5.254 destination 192.168.1.0/24;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.3.5.1/24;
                    }
                }
            }
        }
    }
}
apply-groups "${node}";
system {
    root-authentication {
        encrypted-password "$1$UxtwVlQz$JTySdQwlJvLVmR4KpA64O.";
    }
    name-server {
        8.8.8.8;
        8.8.4.4;
    }
    login {
        user telnet {
            full-name telnet;
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "$1$t5x8eCya$egeoCAw3IsfAfaJT0XdxW0";
            }
        }
    }
    services {
        telnet;
        web-management {
            http {
                interface [ reth0.0 reth1.0 reth2.0 ];
            }
        }
        dhcp {
            router {
                192.168.1.1;
            }
            pool 192.168.1.0/24 {
                address-range low 192.168.1.2 high 192.168.1.254;
                name-server {
                    192.168.1.1;
                }
            }
        }
    }
}
chassis {
    cluster {
        reth-count 3;
        redundancy-group 0 {
            node 0 priority 200;
            node 1 priority 100;
        }
        redundancy-group 1 {
            node 0 priority 200;
            node 1 priority 100;
            interface-monitor {
                ge-0/0/4 weight 255;
                ge-5/0/4 weight 255;
                ge-0/0/5 weight 255;
                ge-5/0/5 weight 255;
                ge-0/0/6 weight 255;
                ge-5/0/6 weight 255;
            }
        }
    }
}
interfaces {
    ge-0/0/4 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-0/0/5 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-0/0/6 {
        gigether-options {
            redundant-parent reth2;
        }
    }
    ge-5/0/4 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-5/0/5 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-5/0/6 {
        gigether-options {
            redundant-parent reth2;
        }
    }
    fab0 {
        fabric-options {
            member-interfaces {
                ge-0/0/2;
            }
        }
    }
    fab1 {
        fabric-options {
            member-interfaces {
                ge-5/0/2;
            }
        }
    }
    reth0 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
    reth1 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 123.123.123.74/24;
            }
        }
    }
    reth2 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 123.123.123.75/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 {
            next-hop 123.123.123.254;
            qualified-next-hop 123.123.123.254 {
                preference 7;
            }
            preference 5;
        }
    }
}
security {
    nat {
        source {
            rule-set rs1 {
                from zone Trusted;
                to zone Untrusted;
                rule r1 {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone Trusted to-zone Untrusted {
            policy Outside {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy internet-access {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        default-policy {
            permit-all;
        }
    }
    zones {
        security-zone Trusted {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                reth0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone Untrusted {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                reth1.0;
                reth2.0;
            }
        }
    }
}
Answer 1
I don't see any configuration that would make the SRX act as a DNS proxy. The SRX itself can get out because you gave it name servers, but nothing passes that along to the clients.
DNS proxy configuration
Enable DNS proxy on a logical interface.
[edit system services]
user@host# set dns dns-proxy interface ge-0/0/1.0
Set a default domain name, and specify global name servers according to their IP addresses.
[edit system services]
user@host# set dns dns-proxy default-domain * forwarders 172.17.28.100
If you are done configuring the device, commit the configuration.
[edit]
user@host# commit
To verify if the configuration is working properly, execute the show command.
user@host> show system services dns dns-proxy
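The answer's recipe applied to the configuration from the question, as an added example that is not part of the original answer or of Juniper's documentation. It binds the proxy to reth0.0 (the Trusted interface whose address, 192.168.1.1, the DHCP pool already hands out as the name server) and uses as forwarders the two name servers already present under [edit system name-server], so the DHCP pool needs no change. Whether dns-proxy is accepted on a reth interface in a chassis cluster on this 12.1X44 release is an assumption; the commit result will tell. An alternative without any proxy, handing the upstream resolvers straight to the DHCP clients, is shown as option B.

```junos
# Option A: DNS proxy on the Trusted interface, forwarding to the resolvers the
# SRX already uses. Binding to reth0.0 inside a cluster is assumed to work here.
set system services dns dns-proxy interface reth0.0
set system services dns dns-proxy default-domain * forwarders 8.8.8.8
set system services dns dns-proxy default-domain * forwarders 8.8.4.4
# The Trusted zone currently allows all host-inbound system services, so queries
# to 192.168.1.1 are already accepted; if that "all" is ever narrowed, keep dns.
set security zones security-zone Trusted host-inbound-traffic system-services dns
commit and-quit

# Verification from operational mode: the proxy should list reth0.0 and both
# forwarders, and the PC's nslookup against 192.168.1.1 should now get answers.
show system services dns dns-proxy
show configuration system services dns

# Option B (instead of A): no DNS service on the SRX at all. Clients get the
# public resolvers from DHCP and reach them through source NAT rule-set rs1.
delete system services dhcp pool 192.168.1.0/24 name-server 192.168.1.1
set system services dhcp pool 192.168.1.0/24 name-server 8.8.8.8
set system services dhcp pool 192.168.1.0/24 name-server 8.8.4.4
commit and-quit
```

Either option is enough for the symptom in the question (ping to 8.8.4.4 works, so NAT and routing are fine; only the 192.168.1.1 resolver is missing). Option A keeps the proxy bound to reth0.0 only, so nothing new is reachable from the WAN side. Note, though, that the Untrusted zone in the posted configuration also has host-inbound-traffic system-services all, while telnet and HTTP management are enabled on reth1.0 and reth2.0; that combination exposes management services on the public addresses independently of the DNS change and is worth narrowing to the services actually needed.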