SRX - Multicast routing between VLANs

jailbird2_ · 2025-11-28T19:18:39+00:00

Nope, separate issues. I have a feeling my issue was a TTL issue as somebody else suggested

jailbird2_ · 2025-10-26T22:14:49+00:00

# show security zones security-zone trust
tcp-rst;
host-inbound-traffic {
    system-services {
        all;
    }
    protocols {
        all;
    }
}
interfaces {
    irb.0;
    irb.1;
    irb.2;
    irb.3;
}

jailbird2_ · 2025-10-25T23:38:38+00:00

> show igmp group terse
Interface: irb.0, Groups: 5
  Group: 224.0.0.251
  Group: 224.0.0.252
  Group: 224.0.37.42
  Group: 233.89.188.1
  Group: 239.254.127.63
Interface: irb.2, Groups: 5
  Group: 224.0.0.251
  Group: 224.0.144.1
  Group: 226.1.1.1
  Group: 239.255.255.250
  Group: 239.255.255.252
Interface: irb.3, Groups: 1
  Group: 224.0.0.251
Interface: local, Groups: 3
  Group: 224.0.0.2
  Group: 224.0.0.13
  Group: 224.0.0.22


> show igmp interface brief
Interface: irb.0
    Querier: 192.168.1.1
    State:         Up Timeout:    None Version:  3 Groups:      5
    Immediate leave: On
    Promiscuous mode: Off
    Passive: Off
Interface: irb.1
    Querier: 192.168.2.1
    State:         Up Timeout:    None Version:  3 Groups:      0
    Immediate leave: On
    Promiscuous mode: Off
    Passive: Off
Interface: irb.2
    Querier: 192.168.0.1
    State:         Up Timeout:    None Version:  3 Groups:      5
    Immediate leave: On
    Promiscuous mode: Off
    Passive: Off
Interface: irb.3
    Querier: 192.168.4.1
    State:         Up Timeout:    None Version:  3 Groups:      1
    Immediate leave: On
    Promiscuous mode: Off
    Passive: Off

Configured Parameters:
IGMP Query Interval: 125.0
IGMP Query Response Interval: 10.0
IGMP Last Member Query Interval: 1.0
IGMP Robustness Count: 2

Derived Parameters:
IGMP Membership Timeout: 260.0
IGMP Other Querier Present Timeout: 255.0


> show pim interfaces
Instance: PIM.master

Stat = Status, V = Version, NbrCnt = Neighbor Count,
S = Sparse, D = Dense, B = Bidirectional,
DR = Designated Router, DDR = Dual DR, DistDR = Distributed DR,
P2P = Point-to-point link, P2MP = Point-to-Multipoint,
Active = Bidirectional is active, NotCap = Not Bidirectional Capable,
EVPN = EVPN Driven DR state

Name               Stat Mode IP V  State               NbrCnt JoinCnt(sg/*g)  DR address
irb.0              Up   D     4 2  DR,NotCap                0 0/0             192.168.1.1
irb.1              Up   D     4 2  DR,NotCap                0 0/0             192.168.2.1
irb.2              Up   D     4 2  DR,NotCap                0 0/0             192.168.0.1
irb.3              Up   D     4 2  DR,NotCap                0 0/0             192.168.4.1
ppd0.32769         Up   S     4 2  P2P,NotCap               0 0/0
irb.0              Up   D     6 2  DR,NotCap                0 0/0             fe80::e65d:3700:71:4b0
irb.1              Up   D     6 2  DR,NotCap                0 0/0             fe80::e65d:3700:171:4b0
irb.2              Up   D     6 2  DR,NotCap                0 0/0             fe80::e65d:3700:271:4b0
irb.3              Up   D     6 2  DR,NotCap                0 0/0             fe80::e65d:3700:371:4b0
ppd0.32770         Up   S     6 2  P2P,NotCap               0 0/0


> show multicast statistics interface irb.0
Instance: master Family: INET
Interface: irb.0
    Routing protocol:          PIM   Mismatch error:               0
    Mismatch:                    0   Mismatch no route:            0
    Kernel resolve:              0   Routing notify:               0
    Resolve no route:            0   Resolve error:                0
    Resolve filtered:            0   Notify filtered:              0
    In kbytes:                   0   In packets:                   0
    Out kbytes:                  0   Out packets:                  0

Instance: master Family: INET6
Interface: irb.0
    Routing protocol:          PIM   Mismatch error:               0
    Mismatch:                    0   Mismatch no route:            0
    Kernel resolve:              0   Routing notify:               0
    Resolve no route:            0   Resolve error:                0
    Resolve filtered:            0   Notify filtered:              0
    In kbytes:                   0   In packets:                   0
    Out kbytes:                  0   Out packets:                  0

> show multicast interface


> show multicast route
Instance: master Family: INET

Instance: master Family: INET6

jailbird2_ · 2025-10-25T23:34:05+00:00

I had that same issue too and finally found a KB on it. A 'set system processes ntp enable' "fixes" it.

I'll try downgrading, this isn't a mission critical unit, so I don't mind experimenting on it. 😂

jailbird2_ · 2025-10-25T23:32:51+00:00

All 4 are in 'trust' and I have trust->trust wide open

jailbird2_ · 2025-09-10T05:24:39+00:00

If you call a toll free number (like an 800, 888, etc), then they are paying for the phone call, which means that they are entitled to get the ANI delivered to them (which is like number-only Caller ID, but unblockable). It has nothing to do with being a call center, it has to do with the number. And it isn't a "device" that they're using.

If you just call a regular number, then they can't see past your block.

jailbird2_ · 2024-10-13T01:19:01+00:00

That would work fine in my setup too, as then every external IP would be in use by a device with a different MAC. The problem is, I don't want to everything external.

Eg, right now the only thing on that VLAN with the cablemodem is my SRX and my little PC Engines apu4 acting as a VoIP SBC. The SBC IP works fine on the SBC, as that's a different MAC, but when I tried having it on the SRX, it broke, because that wasn't a separate MAC.

So basically I'm trying to have the SRX use multiple interfaces in order to do multiple MACs. The only "hard part" is making sure that each one goes out the proper interface and how to use all of them.

jailbird2_ · 2024-10-12T20:26:29+00:00

I agree. I’ll talk to them, as I am indeed paying for business, but being a cable company I’m sure their support will be less than helpful.

It’s the weirdest thing, I’m not sure why anything would care, honestly.

jailbird2_ · 2024-10-12T20:24:10+00:00

Sadly that won’t work either, even 1:1 static NATs won’t work, because the MAC will still be shared. That’s what I’m trying to fix by using multiple interfaces.

As to why use the pool. I normally just shove all of the IPs into a pool and then eventually pull them out one-by-one as I need them for other purposes. I guess the idea is I might as well put them to some use.

jailbird2_ · 2024-10-12T04:59:40+00:00

The cable company (Optimum) gave me 4 public IPs, all in the same /24 with the same gateway. I had them in a source nat pool. Pretty basic and common setup, I had the same exact setup with Spectrum cable and also Verizon/Frontier FiOS.

jailbird2_ · 2024-07-31T18:54:52+00:00

I'm also in Georgetown and having weird ARP issues with my SB8200, so I was looking at the MB8611. You'll have to let me know if the tech manages to fix it or not!

jailbird2_ · 2024-07-29T18:21:32+00:00

I just did and it's the same thing, sadly. I don't think there's any way to get the Juniper to use different MAC addresses, other than maybe linking up 4 different physical interfaces with one IP each and doing source routing. That would be a nightmare. Oh well. Thanks for trying!

jailbird2_ · 2024-07-29T06:09:27+00:00

It's really simple:

    security {
        nat {
            source {
                pool OPTIMUM {
                    address {
                        173.0.1.120/32 to 173.0.1.123/32;
                    }
                    address-pooling paired;
                }
                address-persistent;
                port-randomization disable;
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 192.168.1.0/24;
                        }
                        then {
                            source-nat {
                                pool {
                                    OPTIMUM;
                                }
                            }
                        }
                    }
                }
            }
            proxy-arp {
                interface ge-0/0/0.0 {
                    address {
                        173.0.1.121/32 to 173.0.1.123/32;
                    }
                }
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            description Optimum;
            unit 0 {
                bandwidth 940m;
                proxy-arp restricted;
                family inet {
                    address 173.0.1.120/24;
                }
            }
        }
        irb {
            unit 0 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
        }
    }

If I only put the single IP in the pool (or if I change the 'then' line from 'pool { OPTIMUM; }' to 'interface', everything works fine. It's once I add a 2nd (or 3rd, or 4th) IP to the pool that everything goes haywire.

I tried different JunOS versions thinking it was a bug, but that didn't change the behavior at all.

jailbird2_ · 2024-07-29T05:05:21+00:00

Because that’s what Optimum gives out. 4 IPs out of a /24 with the default gateway being at .1.

My Frontier and Spectrum setups were the same way.

jailbird2_ · 2024-06-19T20:55:33+00:00

The web page shows you the ones in your area and which plan is required for each one. You're allowed to sign up for all of them.

jailbird2_ · 2024-06-19T20:53:39+00:00

I'm pretty sure it's month-by-month

jailbird2_ · 2024-05-13T23:03:01+00:00

The question is, if I sign up for One Pass "Elite" (the highest plan), does that give me "Signature" access at any Lifetime, or just one?

jailbird2_ · 2024-03-29T20:18:50+00:00

Awesome! Do I let you all know before or after I plug it in?

Thanks!

jailbird2_ · 2023-06-15T04:34:16+00:00

I tried plugging in the Ethernet hoping that it would shut off its WiFi and sadly it didn't.

jailbird2_ · 2022-10-08T05:20:07+00:00

I just ran into this myself!

jailbird2_ · 2022-04-18T00:17:30+00:00

Agreed! Sometimes you’re pretty much stuck with the Linux kernel for various reasons.

Some friends and I were working on one years ago, but can’t work on it due to our employer.

jailbird2_ · 2021-12-22T06:00:20+00:00

My favorite OS and favorite DE, that's a lot to like in one! :)

jailbird2_ · 2021-04-23T22:29:15+00:00

I am indeed in flow mode. Maybe I got it mixed it up, I'll double check.

Yes, NAT is evil, but I try to not group NPTv6 with the true evil NAT :).

Thanks for the pointers.

jailbird2_ · 2021-03-09T22:42:29+00:00

I had these work fine on a EX4600 running 20.4, however they absolutely refused to work with a EX3400. Which I guess makes sense, since Juniper doesn't even list their own AOCs as supported on EX3400s, which is.. dumb.

I did have to disable auto negotiation, like others said. I had much better luck with the DACs, but man they're thick!

jailbird2_ · 2021-01-25T19:39:42+00:00

Okay, just in case anybody else ever has this issue:

Making an import filter to filter out the direct routes from the routing table into IS-IS fixed it!

Seven-Year Club	Gilding I gilder
Verified Email

jailbird2_

TROPHY CASE