Home CPE choice

Owen DeLong owen at delong.com
Thu Apr 1 06:00:22 UTC 2010


Yeah, the one unfortunate thing in the J-series and SRX-series is that after 9.6
you have to put in a whole bunch of config to turn it back into a router.
JunOS on these "services" routers now wants to behave like a netscreen
until bludgeoned otherwise.  The way to achieve this is not intuitively
obvious, especially the forwarding-options mpls (which affects inet,
not just mpls) and the flow stuff.

Owen


Here's a useful template for those that care:

security {
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                    bgp;
                    ospf;
                    router-discovery;
                }
            }
            interfaces {
                all;
            }
        }
    }
    alg {
        dns disable;
        ftp disable;
        h323 disable;
        mgcp disable;
        msrpc disable;
        sunrpc disable;
        real disable;
        rsh disable;
        rtsp disable;
        sccp disable;
        sip disable;
        sql disable;
        talk disable;
        tftp disable;
        pptp disable;
    }
    forwarding-options {
        family {
            inet6 {
                mode packet-based;
            }
            mpls {
                mode packet-based;
            }
        }
    }
    flow {
        allow-dns-reply;
        tcp-session {
            no-syn-check;
            no-syn-check-in-tunnel;
            no-sequence-check;
        }
    }
}

On Mar 31, 2010, at 4:23 PM, Iain Morris wrote:

> Juniper's SSG5 and SRX100 are nice options for home.  I've enjoyed an SSG5
> for awhile now.  SRX100 for junos.  SSG5's pop up on ebay occasionally for a
> few $100.
> 
> -Iain
> 
> On Wed, Mar 31, 2010 at 4:18 PM, Marty Anstey <marty.anstey at sunwave.net> wrote:
> 
>> 
>>> 
>>> Hopefully this e-mail is considered operational content :)
>>> 
>>> 
>>> The recent thread on the new linksys kit and ipv6 support got me
>>> thinking about CPE choice.
>>> 
>>> What good off the shelf solutions are out there? Should one buy the
>>> high end d-link/linksys/netgear products? I've had bad experiences
>>> with those (netgear in particular).
>>> 
>>> Should one get a "real" cisco router? The 877 or something? Maybe an
>>> ASA or the new small business targeted ISR (can't recall the model
>>> number off hand right now). There is mikrotik but I'm not so sure
>>> about the operating system.
>>> 
>>> Is there a market for a new breed of CPE running OpenWRT or pfsense on
>>> hardware with enough CPU/RAM to not fall over?
>>> 
>>> Granted that won't cost $79.00 at best buy. However it seems to me
>>> that decent CPE is going to run a couple hundred dollars in order to
>>> have sufficient ram/cpu.
>>> 
>>> My current home router is a cisco 1841. I keep my 6mbps DSL line
>>> pretty much saturated all the time. Often times my wife will be
>>> watching Hulu in the living room, I'll be streaming music and running
>>> torrents (granted I have tuned my Azureus client fairly well) all at
>>> the same time and it's a good experience.  Running that kind of
>>> traffic load through my linksys would cause it to need a reboot once
>>> or more a day.
>>> 
>>> What are folks here running in SOHO environments that doesn't require
>>> too frequent oil changes :)
>>> 
>>> 
>> I run FreeBSD on a PIII; I can easily saturate my 15mbit cable
>> connection without it breaking a sweat. I also have a couple Cisco
>> 2610's, one of which is my ipv6 tunnel endpoint.
>> 
>> -M
>> 
>> 
>> 
>> 
>> 
> 
> 
> -- 
> -- -
> Iain Morris
> iain.t.morris at gmail.com
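
Added example, not part of the original message or of any Juniper tooling: a small audit script that flattens a curly-brace JunOS config into set-style paths and lists the statements from a template like the one above that switch off stateful handling or open the device to host-inbound traffic. The sample input is a constructed, abbreviated excerpt of that template; the function names and finding texts are hypothetical, and the parser assumes no comments or quoted strings containing braces.

```python
import re

# Constructed sample: abbreviated excerpt of the template in the message above.
SAMPLE = """
security {
    zones { security-zone trust {
        host-inbound-traffic { system-services { all; } }
        interfaces { all; }
    } }
    alg { dns disable; sip disable; }
    forwarding-options { family { mpls { mode packet-based; } } }
    flow { tcp-session { no-syn-check; no-sequence-check; } }
}
"""

# (pattern over the flattened path, what a reviewer should know about it)
CHECKS = [
    (r"^security forwarding-options family \S+ mode packet-based$",
     "packet-mode forwarding, no flow sessions (per the message, mpls also affects inet)"),
    (r"^security flow tcp-session no-syn-check(-in-tunnel)?$",
     "TCP SYN check disabled for session creation"),
    (r"^security flow tcp-session no-sequence-check$",
     "TCP sequence-number check disabled"),
    (r"^security alg \S+ disable$", "ALG disabled"),
    (r"^security zones security-zone \S+ host-inbound-traffic (system-services|protocols) all$",
     "every service/protocol to the device itself is accepted from this zone"),
]

def flatten(text):
    """Convert hierarchical config text into a list of set-style path strings."""
    paths, stack = [], []
    for m in re.finditer(r"([^{};]*)([{};])", text):
        words, sep = " ".join(m.group(1).split()), m.group(2)
        if sep == "{":
            stack.append(words)
        elif sep == "}":
            if not stack:
                raise ValueError("unbalanced closing brace")
            stack.pop()
        elif words:  # ';' terminates a leaf statement
            paths.append(" ".join(stack + [words]))
    if stack:
        raise ValueError("unclosed block: " + " ".join(stack))
    return paths

def audit(text):
    """Return (path, note) for every statement matching one of CHECKS."""
    return [(p, note) for p in flatten(text)
            for pat, note in CHECKS if re.search(pat, p)]

if __name__ == "__main__":
    for path, note in audit(SAMPLE):
        print(f"{path}\n    -> {note}")
```
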




