This is an illustrated guide that shows how to configure the various types of Network Address Translation (NAT) on the Juniper SRX series. Each example lists the configuration on the SRX, as well as what the client and server on either side of the SRX doing the NATing see and experience, using working examples.
The test network for most of this guide is set up according to the following diagram:
The client and server are both Ubuntu 12.04 boxes with multiple IP addresses on their eth1 interfaces. The client has addresses 192.168.200.81 through 192.168.200.89, and the server has addresses 10.80.80.80 through 10.80.80.89. The client is in the UNTRUST security zone and the server is in the TRUST security zone. A Juniper SRX sits between the client and server: interface ge-0/0/3 is in the TRUST zone with IP address 10.80.80.1, and ge-0/0/4 is in the UNTRUST zone with IP address 192.168.200.1.
The server runs a web server and a STUN server. The web server serves up some test files, 1 MB and 10 MB in size (file.1m and file.10m). The STUN daemon (stund) is started with the following command, where -h sets the primary listening address, -a the alternate address and -b runs it in the background:
stund command run on server
stund -h 10.80.80.80 -a 10.80.80.82 -b
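The point of running stund behind the SRX is that a STUN Binding response tells the client which source IP:port the server actually saw after translation, which is exactly what the NAT examples later in the guide change. The following client is an added example written for this guide; it is not code from the original page or from the stund project. It implements the RFC 3489/5389 Binding request and response wire format (both the plain MAPPED-ADDRESS attribute that older stund builds return and XOR-MAPPED-ADDRESS), checks the transaction id so a stale or spoofed reply is rejected, and lets you pick the local source address the way wget --bind-address does in the scripts below. The server address, port 3478 and the bind address are parameters; build_binding_response exists only so the exchange can be exercised offline with a constructed reply.

```python
"""Minimal STUN Binding client: ask the server-side stund what the NAT did to us.
Added example for this guide (not from the page or the stund project).
Assumed: IPv4 only, stund on UDP 3478, no MESSAGE-INTEGRITY in play.
"""
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442          # RFC 5389 fixed cookie, bytes 4..7 of the header
BINDING_REQUEST = 0x0001
BINDING_RESPONSE = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001       # RFC 3489 style, plain address (older stund)
ATTR_XOR_MAPPED_ADDRESS = 0x0020   # RFC 5389 style, XORed with the cookie


def _encode_address(ip, port, xor):
    """Encode an IPv4 (XOR-)MAPPED-ADDRESS attribute value."""
    addr = struct.unpack("!I", socket.inet_aton(ip))[0]
    if xor:
        port ^= MAGIC_COOKIE >> 16
        addr ^= MAGIC_COOKIE
    return struct.pack("!BBHI", 0, 0x01, port, addr)  # reserved, family=IPv4, port, addr


def _decode_address(value, xor):
    if len(value) < 8:
        raise ValueError("short address attribute")
    _, family, port, addr = struct.unpack("!BBHI", value[:8])
    if family != 0x01:
        raise ValueError("only IPv4 handled here")
    if xor:
        port ^= MAGIC_COOKIE >> 16
        addr ^= MAGIC_COOKIE
    return socket.inet_ntoa(struct.pack("!I", addr)), port


def build_binding_request(txid=None):
    """Return (request bytes, transaction id): a 20-byte header, no attributes."""
    txid = txid if txid is not None else os.urandom(12)
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid, txid


def build_binding_response(txid, ip, port):
    """What a server answers; carries both MAPPED-ADDRESS and XOR-MAPPED-ADDRESS."""
    attrs = b""
    for atype, xor in ((ATTR_MAPPED_ADDRESS, False), (ATTR_XOR_MAPPED_ADDRESS, True)):
        value = _encode_address(ip, port, xor)
        attrs += struct.pack("!HH", atype, len(value)) + value
    return struct.pack("!HHI", BINDING_RESPONSE, len(attrs), MAGIC_COOKIE) + txid + attrs


def parse_binding_response(data, txid):
    """Validate header, cookie and transaction id, then pull out the mapped addresses."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    mtype, mlen, cookie = struct.unpack("!HHI", data[:8])
    if mtype != BINDING_RESPONSE:
        raise ValueError("not a Binding success response: 0x%04x" % mtype)
    if cookie != MAGIC_COOKIE or data[8:20] != txid:
        # A reply that does not echo our transaction id is stale or spoofed: drop it.
        raise ValueError("cookie or transaction id mismatch")
    if len(data) < 20 + mlen:
        raise ValueError("truncated attributes")
    result = {"mapped": None, "xor_mapped": None}
    off = 20
    while off + 4 <= 20 + mlen:
        atype, alen = struct.unpack("!HH", data[off:off + 4])
        value = data[off + 4:off + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute 0x%04x" % atype)
        if atype == ATTR_MAPPED_ADDRESS:
            result["mapped"] = _decode_address(value, xor=False)
        elif atype == ATTR_XOR_MAPPED_ADDRESS:
            result["xor_mapped"] = _decode_address(value, xor=True)
        off += 4 + ((alen + 3) & ~3)   # attribute values are padded to 4 bytes
    return result


def describe_mapping(local, mapped):
    """Summarise what the NAT did to (ip, port) as seen from the STUN server."""
    (lip, lport), (mip, mport) = local, mapped
    if (lip, lport) == (mip, mport):
        return "no translation"
    if lip != mip and lport == mport:
        return "address translated, port preserved"
    if lip == mip:
        return "port translated only"
    return "address and port translated"


def query(server, port=3478, bind_ip=None, timeout=2.0):
    """Send one Binding request, optionally from a chosen local IP (like wget
    --bind-address), and return the local and mapped (ip, port) pairs."""
    req, txid = build_binding_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        if bind_ip:
            s.bind((bind_ip, 0))
        s.connect((server, port))          # connect() so getsockname() gives the real local IP
        s.send(req)
        result = parse_binding_response(s.recv(2048), txid)
        result["local"] = s.getsockname()
        result["mapped_seen"] = result["xor_mapped"] or result["mapped"]
        return result


if __name__ == "__main__":
    import sys
    # Usage: python stun_check.py 10.80.80.80 [3478] [192.168.200.81]
    r = query(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 3478,
              sys.argv[3] if len(sys.argv) > 3 else None)
    print("local %s:%d is seen as %s:%d (%s)" % (r["local"][0], r["local"][1],
          r["mapped_seen"][0], r["mapped_seen"][1],
          describe_mapping(r["local"], r["mapped_seen"])))
```

Run it once from each client address before and after each NAT change and compare the describe_mapping verdict with what the SRX shows in its session table; a reply whose transaction id does not match is discarded rather than trusted.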
There are a few shell scripts on the client that will be used to create traffic flows across the SRX. They use wget with a rate limiter to fetch a fairly large file, which keeps the sessions open long enough to inspect what is going on. Two wget flags do the work: --limit-rate caps the transfer speed, and --bind-address chooses the client source address, which is the address the NAT rules will be translating. The shell scripts are as follows:
nat-test_overload_singleIP.sh: Used to start up 8 sessions from a single IP address (192.168.200.81).
#!/bin/sh
# nat-test_overload_singleIP.sh
RATELIMIT=20k
IP_PREFIX="192.168.200"
TARGET="10.80.80.80"
TARGET_FILE="file.10m"
URL="http://$TARGET/$TARGET_FILE"
ip="81"
# 8 parallel fetches, all sourced from the same client address
for session in `seq 1 8`; do
    wget -q --bind-address=$IP_PREFIX.$ip -O /dev/null --limit-rate="$RATELIMIT" "$URL" &
done
nat-test_overload_singleIP.sh: Used to start up 1 session each from IP addresses 192.168.200.81 through 192.168.200.89, for a total of 9 sessions.
#!/bin/sh
# nat-test_overload_singleIP.sh
RATELIMIT=20k
IP_PREFIX="192.168.200"
TARGET="10.80.80.80"
TARGET_FILE="file.10m"
URL="http://$TARGET/$TARGET_FILE"
# one fetch per client address, .81 through .89
for ip in `seq 81 89`; do
    wget -q --bind-address=$IP_PREFIX.$ip -O /dev/null --limit-rate="$RATELIMIT" "$URL" &
done
nat-test_overload_randomIP.sh: Used to start up 9 sessions, each from a randomly chosen IP address in the range 192.168.200.81 through 192.168.200.89.
#!/bin/sh
# nat-test_overload_randomIP.sh
RATELIMIT=512k
IP_PREFIX="192.168.200"
TARGET="10.80.80.80"
TARGET_FILE="file.1m"
URL="http://$TARGET/$TARGET_FILE"
for ip in `seq 1 9`; do
    # pick a random digit 1-9 from /dev/urandom, giving a host part of 81..89
    IP_RAND=$(( 80 + `grep -m1 -ao '[1-9]' /dev/urandom | head -n1`))
    IPA="$IP_PREFIX"."$IP_RAND"
    wget -q --bind-address=$IPA -O /dev/null --limit-rate="$RATELIMIT" "$URL" &
done
The SRX starts with a basic policy set that permits all traffic in both directions between the TRUST and UNTRUST security zones and logs the start and end of every session:
SRX Basic Policies
[edit security policies]
juniper@SRX# show
from-zone UNTRUST to-zone TRUST {
    policy ACCEPT-LOG {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
            log {
                session-init;
                session-close;
            }
        }
    }
}
from-zone TRUST to-zone UNTRUST {
    policy ACCEPT-LOG {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
            log {
                session-init;
                session-close;
            }
        }
    }
}
[edit security policies]
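The any/any/any permit above is fine for a lab whose whole purpose is to watch NAT behaviour, but it is not what should sit in front of a real server zone. As an added example for this guide (not configuration from the original page), the set-format commands below replace the UNTRUST to TRUST policy with one that only allows the client subnet to reach the two services the test server actually runs, with an explicit logged deny underneath. The address-book entries, the STUN-UDP application, the policy names and the port 3478 (the standard STUN port, which stund uses by default) are all assumptions for this example. One caveat worth knowing before the NAT sections: the SRX evaluates security policy after destination NAT and before source NAT, so destination-address here matches the real (post-destination-NAT) server address and source-address matches the client's original, untranslated address.

```junos
delete security policies from-zone UNTRUST to-zone TRUST policy ACCEPT-LOG
set security address-book global address SERVER-WEB-STUN 10.80.80.80/32
set security address-book global address SERVER-STUN-ALT 10.80.80.82/32
set security address-book global address CLIENT-NET 192.168.200.0/24
set applications application STUN-UDP protocol udp
set applications application STUN-UDP destination-port 3478
set security policies from-zone UNTRUST to-zone TRUST policy ALLOW-WEB-STUN match source-address CLIENT-NET
set security policies from-zone UNTRUST to-zone TRUST policy ALLOW-WEB-STUN match destination-address SERVER-WEB-STUN
set security policies from-zone UNTRUST to-zone TRUST policy ALLOW-WEB-STUN match destination-address SERVER-STUN-ALT
set security policies from-zone UNTRUST to-zone TRUST policy ALLOW-WEB-STUN match application junos-http
set security policies from-zone UNTRUST to-zone TRUST policy ALLOW-WEB-STUN match application STUN-UDP
set security policies from-zone UNTRUST to-zone TRUST policy ALLOW-WEB-STUN then permit
set security policies from-zone UNTRUST to-zone TRUST policy ALLOW-WEB-STUN then log session-init
set security policies from-zone UNTRUST to-zone TRUST policy ALLOW-WEB-STUN then log session-close
set security policies from-zone UNTRUST to-zone TRUST policy DENY-LOG match source-address any
set security policies from-zone UNTRUST to-zone TRUST policy DENY-LOG match destination-address any
set security policies from-zone UNTRUST to-zone TRUST policy DENY-LOG match application any
set security policies from-zone UNTRUST to-zone TRUST policy DENY-LOG then deny
set security policies from-zone UNTRUST to-zone TRUST policy DENY-LOG then log session-init
commit confirmed 5
```

Policies in a zone pair are evaluated top to bottom, so the order in which they are created matters: the permit must come before DENY-LOG (use `insert ... before` if you add more later). The TRUST to UNTRUST policy is left as it is, and `commit confirmed 5` rolls the change back automatically if you lock yourself out and cannot confirm it within five minutes.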