Description

I really should have documented my SRX210 setup. It’s been four years since I drafted something for the SRX220H2 that replaced it, but I never published it! This is just how I’ve used mine for a homelab. The goal was to isolate the homelab and make use of a lot of Juniper features in the process. I’m still using my home router so the family can use the internet as the ISP intended.

The SRX has a presence on the home network with an IP on its untrust interface, and a /29 block from that network is static-NATed one-to-one onto the DMZ subnet. There is also a server subnet and an internal Wi-Fi range, for which the SRX handles DHCP address assignment.

There are some examples of homelab setups on the Juniper forums (for instance the thread "Example-Config-for-SRX210-Home-User"), usually for the 210, but Google also turns up examples for the 220s.

Below is a conceptual plan of the network:

[Diagram: dmg-01, conceptual network plan]

System Setup

First run through some simple config.

  1. Hostname and time zone
set system host-name "core-220"
set system time-zone UTC
  2. Login message (see the Juniper documentation page junos-os-login-settings)
set system login message "UNAUTHORIZED USE OF THIS ROUTER\n\tIS STRICTLY PROHIBITED!\n\n"
  3. Turn off J-Web (web-management), telnet and the clear-text XNM/JUNOScript service (xnm-clear-text), leaving SSH as the management path
delete system services web-management
delete system services telnet
delete system services xnm-clear-text
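With the clear-text services gone, SSH is the remaining management channel and is worth tightening as well. The following is an added example, not part of the original post or of the SRX factory config; the connection limits and retry counts are illustrative values, not the author's.

```junos
## Added example (not from the original post): harden the SSH service that remains
## after telnet, J-Web and xnm-clear-text are removed. Limits below are illustrative.
set system services ssh protocol-version v2
set system services ssh root-login deny
set system services ssh connection-limit 5
set system services ssh rate-limit 5
## Slow down password guessing at the login layer: three tries, then disconnect,
## with a growing delay after the second failure.
set system login retry-options tries-before-disconnect 3
set system login retry-options backoff-threshold 2
set system login retry-options backoff-factor 5
```

After a commit, `show configuration system services` should list only ssh (plus dhcp once the pool further down is added). Lines beginning with `#` are comments for the reader. root-login deny means you need a named user with super-user class before committing, or you lock yourself out of remote access.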

DNS

Delete the servers provided by the factory config (OpenDNS), then add the chosen Cloudflare and Google resolvers.

delete system name-server 208.67.222.222
delete system name-server 208.67.220.220
set system name-server 1.1.1.1
set system name-server 1.0.0.1
set system name-server 8.8.8.8
set system name-server 8.8.4.4

NTP

junos-ntp-configuring

Add the home router as a peer and two external time servers from the UK pool (https://www.ntppool.org/zone/uk). There should not be any NTP config initially. Note that peer is symmetric: the SRX will both take time from and offer time to the home router, whereas server is the one-way form; if the router is not a clock you trust, server is the better choice for it too.

set system ntp peer 192.168.0.1
set system ntp server 213.168.251.87
set system ntp server 185.57.191.229

After a commit, confirm the clock has locked: sync_ntp, stratum=2 and a refid pointing at one of the external servers are what to look for (show ntp associations gives the per-server view).

root@core-220> show ntp status
status=0644 leap_none, sync_ntp, 4 events, event_peer/strat_chg,
version="ntpd 4.2.0-a Wed Jul 29 01:38:39 UTC 2020 (1)",
processor="octeon", system="JUNOS12.3X48-D105.4", leap=00, stratum=2,
precision=-17, rootdelay=33.039, rootdispersion=26.507, peer=1334,
refid=185.57.191.229,
reftime=ebdf5624.0965bfcd  Mon, May 26 2025 21:05:40.036, poll=10,
clock=ebdf57a6.05e03f9f  Mon, May 26 2025 21:12:06.022, state=4,
offset=-1.404, frequency=19.552, jitter=4.292, stability=0.021

Configure VLANS and Ports

The SRX factory setup puts 192.168.1.1/24 on vlan.0 and runs a DHCP server for it. Remove that config:

delete interfaces vlan unit 0 family inet address 192.168.1.1/24
delete system services dhcp

Set up the VLANs and interfaces; any interface or VLAN config not shown below should be deleted. The SRX needs an L3 address on each subnet it routes for, so each VLAN gets a vlan.N interface. ge-0/0/0 is the uplink towards the home router on 192.168.0.0/24; vlan.0 (vlan-trust) is left with family inet but no address, so the SRX is not routing for that VLAN, and the DMZ reuses the 192.168.1.0/24 range on vlan.10.

set interfaces ge-0/0/0 unit 0 family inet address 192.168.0.253/24
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-wifi-1
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members vlan-dmz
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members vlan-dmz
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members vlan-dmz
set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members vlan-dmz
set interfaces vlan unit 0 family inet
set interfaces vlan unit 10 family inet address 192.168.1.1/24
set interfaces vlan unit 20 family inet address 192.168.2.1/24
set interfaces vlan unit 30 family inet address 192.168.3.1/24
set vlans vlan-dmz vlan-id 10
set vlans vlan-dmz l3-interface vlan.10
set vlans vlan-server vlan-id 20
set vlans vlan-server l3-interface vlan.20
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0
set vlans vlan-wifi-1 vlan-id 30
set vlans vlan-wifi-1 l3-interface vlan.30

Also set up the routing options: a single default route towards the home router, which is the SRX's only way out. Two things to note about the block above: ge-0/0/0.0 has not been placed in a security zone, and the SRX will not pass traffic on an interface that is outside a zone, so it needs to join the untrust zone that the NAT rule-set below names; and no port is a member of vlan-server, so 192.168.2.0/24 is defined but has no hosts on it yet.

set routing-options static route 0.0.0.0/0 next-hop 192.168.0.1

DHCP

Configure DHCP for the Wi-Fi VLAN and subnet: the pool hands out .2 to .254 with the SRX's vlan.30 address as the gateway. On this 12.3X48 release the legacy system services dhcp server is still available; newer Junos releases replace it with dhcp-local-server and address-assignment pools. Note that propagate-settings only copies settings (DNS servers and so on) learned by a DHCP client on the named interface; vlan.30 is statically addressed here, so clients will not receive name servers from this pool unless a name-server option is added to it.

set system services dhcp pool 192.168.3.0/24 address-range low 192.168.3.2
set system services dhcp pool 192.168.3.0/24 address-range high 192.168.3.254
set system services dhcp pool 192.168.3.0/24 router 192.168.3.1
set system services dhcp pool 192.168.3.0/24 propagate-settings vlan.30

SNMP

Ideally this would use a random community string, or better, SNMPv3 with authentication and privacy. The clients statement below also opens read-only polling to the whole of 192.168.1.0/24, which is the DMZ subnet configured above; it should be locked down to the single poller's /32.

set snmp location homelab
set snmp contact "[email protected];"
set snmp community homelab authorization read-only
set snmp community homelab clients 192.168.1.0/24
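The hardened form of the SNMP block above, as an added example that is not part of the original post: the v2c community readable from the whole DMZ is replaced by an SNMPv3 user that must authenticate and encrypt. The user name, group, view name and passphrases are placeholders, and the /32 poller address in the commented alternative is an assumption.

```junos
## Added example (not from the original post): SNMPv3 in place of the v2c community.
## User/group/view names and the passphrases are placeholders; replace before use.
delete snmp community homelab
set snmp v3 usm local-engine user homelab-ro authentication-sha authentication-password "CHANGE-ME-auth-phrase"
set snmp v3 usm local-engine user homelab-ro privacy-aes128 privacy-password "CHANGE-ME-priv-phrase"
## Map the user to a read-only group and require the privacy (auth+encrypt) level
set snmp v3 vacm security-to-group security-model usm security-name homelab-ro group ro-group
set snmp v3 vacm access group ro-group default-context-prefix security-model usm security-level privacy read-view ro-view
set snmp view ro-view oid .1 include
## Alternative if an old poller forces v2c to stay: keep the community but pin it to
## one host (assumed poller address) instead of the whole DMZ /24.
## set snmp community homelab clients 192.168.2.10/32
```

SNMPv3 has no per-community clients list; restrict sources with a firewall filter on lo0 if needed. In this config the zone-level system-services all already exposes SNMP from vlan.0, vlan.10 and vlan.20, while vlan.30 (Wi-Fi) only admits DHCP and SSH, so Wi-Fi clients cannot poll the box either way.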

Security Zones

All the routed VLAN interfaces go into the trust zone. The zone-level statements let the SRX itself accept every system service and routing protocol from that zone; the per-interface statements for vlan.30 override that, so Wi-Fi clients can only reach the firewall for DHCP and SSH (an interface-level host-inbound-traffic list replaces the zone-level one for that interface rather than adding to it).

set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust interfaces vlan.30 host-inbound-traffic system-services dhcp
set security zones security-zone trust interfaces vlan.30 host-inbound-traffic system-services ssh
set security zones security-zone trust interfaces vlan.20 host-inbound-traffic system-services all
set security zones security-zone trust interfaces vlan.10 host-inbound-traffic system-services all

NAT (192.168.0.224/29 -> 192.168.1.224/29)

Static NAT maps the /29 on the home-network side one-to-one onto 192.168.1.224/29 in the DMZ, and the mapping works in both directions. Ideally dmz-range would be defined in the trust zone's address book rather than the global one. Because static NAT is applied before the policy lookup, the policy matches on the translated DMZ addresses (dmz-range), not on the public /29, and it permits only HTTP and HTTPS.

set security address-book global address dmz-range 192.168.1.224/29

set security nat static rule-set dmz-nat from zone untrust
set security nat static rule-set dmz-nat rule dmz-nat-range match destination-address 192.168.0.224/29
set security nat static rule-set dmz-nat rule dmz-nat-range then static-nat prefix 192.168.1.224/29

set security policies from-zone untrust to-zone trust policy allow-to-dmz match source-address any
set security policies from-zone untrust to-zone trust policy allow-to-dmz match destination-address dmz-range
set security policies from-zone untrust to-zone trust policy allow-to-dmz match application junos-http
set security policies from-zone untrust to-zone trust policy allow-to-dmz match application junos-https
set security policies from-zone untrust to-zone trust policy allow-to-dmz then permit
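The zone and NAT sections above both depend on an untrust side that the original config does not show. The following is an added example, not part of the original post: it puts the uplink into the untrust zone the rule-set refers to, and adds the proxy ARP that a static NAT inside the uplink's own subnet needs. It assumes management never happens from the home-LAN side (only ping is accepted there) and that the usable addresses are .225 to .230, since .224 and .231 are the network and broadcast of the /29.

```junos
## Added example (not from the original post): the untrust side the static NAT relies on.
## 1. ge-0/0/0.0 is in no zone in the original config; the NAT rule-set and policy both
##    name the untrust zone, so the uplink goes there. Only ping is accepted by the SRX
##    itself from the home LAN (assumption: management is done from the trust side).
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
## 2. 192.168.0.225-230 sit inside ge-0/0/0's own 192.168.0.0/24 but are not its address,
##    so the SRX must answer ARP for them; otherwise the home router never forwards to them.
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.0.225/32 to 192.168.0.230/32
```

After a commit, `show security zones` confirms the interface placement, `show security nat static rule all` shows hit counts on dmz-nat-range, and `show security flow session destination-prefix 192.168.1.224/29` shows sessions arriving with the already-translated DMZ destination, which is why the policy matches dmz-range rather than the public /29. Static NAT is bidirectional, so a DMZ host at 192.168.1.225 would appear as 192.168.0.225 when initiating outbound, but only once a from-zone trust to-zone untrust policy exists; the original config has none, so with the default deny-all policy the DMZ cannot start conversations towards the home network or the internet.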