
Using the CBA850 3G/4G/LTE Wireless WAN Bridge for Backup

 

In this scenario, the CBA850 3G/4G/LTE wireless WAN bridge is used only when the primary interface is down. The scenario is shown mostly for illustrative purposes, because only a failure of the primary interface triggers a failover.

Also, this scenario can be used only with the CBA850 operating in always-on mode, because once the bridge is connected, DHCP requests from the SRX Series Services Gateway keep the connection up. We do not recommend that you increase the lease times, because after a new connection the modem might not be assigned the same IP address. This scenario calls for short lease times to ensure that the gateway is notified of address changes.

Figure 1 shows the interface backup.

Figure 1: Interface Backup

The complete default configuration is as follows:

/* Interface Configs */

set interfaces interface-range Trust member-range ge-0/0/2 to ge-0/0/6

set interfaces interface-range Trust unit 0 family ethernet-switching port-mode access

set interfaces interface-range Trust unit 0 family ethernet-switching vlan members Trust


/* Main Internet Link */

set interfaces ge-0/0/0 unit 0 family inet address 198.0.0.2/24



/* CBA850 backup link */

set interfaces ge-0/0/1 unit 0 family inet dhcp

set vlans default l3-interface vlan.1

set interfaces vlan unit 1 description Trust

set interfaces vlan unit 1 family inet address 192.168.1.1/24


/* Default route points to the primary link and it takes precedence over the DHCP assigned default */

set routing-options static route 0.0.0.0/0 next-hop 198.0.0.1


/* NAT Configuration */

set security nat source rule-set Outbound-NAT from zone trust

set security nat source rule-set Outbound-NAT to zone untrust

set security nat source rule-set Outbound-NAT rule Nat-All match source-address 0.0.0.0/0

set security nat source rule-set Outbound-NAT rule Nat-All match destination-address 0.0.0.0/0

set security nat source rule-set Outbound-NAT rule Nat-All then source-nat interface


/* Security Zones */

set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping

set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services dhcp

set security zones security-zone trust host-inbound-traffic system-services ping

set security zones security-zone trust interfaces vlan.1 host-inbound-traffic system-services dhcp

set security zones security-zone trust interfaces vlan.1 host-inbound-traffic system-services ping

set security zones security-zone trust interfaces vlan.1 host-inbound-traffic system-services ssh


/* Allow outbound traffic from trust to untrust */

set security policies from-zone trust to-zone untrust policy permit-outbound match source-address any

set security policies from-zone trust to-zone untrust policy permit-outbound match destination-address any

set security policies from-zone trust to-zone untrust policy permit-outbound match application any

set security policies from-zone trust to-zone untrust policy permit-outbound then permit
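
The backup design above depends on three things in the configuration: a static default route that outranks the DHCP-assigned one, a DHCP-addressed uplink bound to a security zone, and host-inbound DHCP permitted on that uplink with nothing else exposed toward the cellular network. The following Python check is an added example, not part of the original configuration guide; the function name `audit_backup_config` and the `SAMPLE` text are assumptions made for illustration, and it recognizes only the `family inet dhcp` form used on this page.

```python
import re

# Constructed sample: the lines of the page's configuration that the checks read.
SAMPLE = """\
set interfaces ge-0/0/1 unit 0 family inet dhcp
set routing-options static route 0.0.0.0/0 next-hop 198.0.0.1
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services dhcp
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust interfaces vlan.1 host-inbound-traffic system-services ssh
"""

DHCP_IF = re.compile(r"set interfaces (\S+) unit (\d+) family inet dhcp(?:\s|$)")
IF_ZONE = re.compile(r"set security zones security-zone (\S+) interfaces (\S+)"
                     r"(?: host-inbound-traffic system-services (\S+))?")
ZONE_SVC = re.compile(r"set security zones security-zone (\S+) "
                      r"host-inbound-traffic system-services (\S+)")
STATIC_DEFAULT = re.compile(r"set routing-options static route 0\.0\.0\.0/0 next-hop \S+")


def audit_backup_config(text, allowed=frozenset({"dhcp"})):
    """Return findings for DHCP-addressed backup uplinks in a set-style config."""
    lines = [line.strip() for line in text.splitlines()]
    dhcp_ifs, if_zone, if_svc, zone_svc = [], {}, {}, {}
    for line in lines:
        if m := DHCP_IF.match(line):
            dhcp_ifs.append(f"{m[1]}.{m[2]}")
        elif m := IF_ZONE.match(line):
            if_zone[m[2]] = m[1]
            if m[3]:
                if_svc.setdefault(m[2], set()).add(m[3])
        elif m := ZONE_SVC.match(line):
            zone_svc.setdefault(m[1], set()).add(m[2])
    findings = []
    if not any(STATIC_DEFAULT.match(line) for line in lines):
        findings.append("no static default route to outrank the DHCP-assigned default")
    for ifl in dhcp_ifs:
        # Interface-level host-inbound-traffic replaces the zone-level setting.
        svcs = if_svc.get(ifl) or zone_svc.get(if_zone.get(ifl), set())
        if ifl not in if_zone:
            findings.append(f"{ifl}: not bound to a security zone")
        elif not svcs & {"dhcp", "all"}:
            findings.append(f"{ifl}: dhcp not permitted inbound, no lease can be obtained")
        if extra := svcs - allowed:
            findings.append(f"{ifl}: also exposed on the cellular side: {sorted(extra)}")
    return findings


if __name__ == "__main__":
    print(audit_backup_config(SAMPLE) or "backup uplink checks passed")
```
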