First thing, my configuration
## Last changed: 2013-09-26 19:30:45 CEST
version 11.2R4.3;
system {
host-name router;
domain-name ---;
time-zone Europe/Amsterdam;
root-authentication {
encrypted-password ---;
}
name-server {
208.67.222.222;
208.67.220.220;
}
services {
ssh;
telnet;
xnm-clear-text;
web-management {
http {
interface [ vlan.0 vlan.1 ];
}
https {
system-generated-certificate;
interface vlan.0;
}
}
dhcp {
router {
192.168.1.1;
}
pool 192.168.1.0/24 {
address-range low 192.168.1.2 high 192.168.1.254;
}
pool 10.10.2.0/24 {
address-range low 10.10.2.2 high 10.10.2.254;
}
propagate-settings ge-0/0/0.0;
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
dhcp;
}
}
}
ge-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/2 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-wired;
}
}
}
}
ge-0/0/3 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/4 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/5 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/6 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/7 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
vlan {
unit 0 {
family inet {
address 192.168.1.1/24;
}
}
unit 1 {
family inet {
address 10.10.2.1/24;
}
}
}
}
protocols {
stp;
}
security {
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
rule-set trust-any {
from zone trust;
to zone trust;
rule any-address {
match {
source-address 0.0.0.0/32;
destination-address 0.0.0.0/32;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.0;
vlan.1;
}
}
security-zone untrust {
screen untrust-screen;
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
dhcp;
tftp;
}
}
}
}
}
}
}
vlans {
vlan-trust {
vlan-id 3;
l3-interface vlan.0;
}
vlan-wired {
vlan-id 2;
l3-interface vlan.1;
}
}
This is the default configuration of my SRX220, with an extra vlan (vlan-wired), that has a new interface vlan.1 with addresses 10.10.2.x. It's in the trust zone, and its only interface is ge-0/0/2. I also added a NAT from the trust zone to the trust zone (ruleset trust-any), in attempt to solve my problem. My problem is: if I connect a computer to ge-0/0/2, it gets a 10.10.2.x address, but can't reach the router. The error I get if I try to ssh is "no route to host". No problems from ge-0/0/1.
I would assume it's a routing problem, as the new vlan is in another subnet, but I don't know how to solve it.
Also, the computer on ge-0/0/2 doesn't appear in the arp:
root@router> show arp
MAC Address Address Name Interface Flags
94:de:80:6e:8b:05 192.168.1.2 192.168.1.2 vlan.0 none
but it does appear in the dhcp bindings, and twice, with two addresses from two subnets:
root@router> show system services dhcp binding
IP address Hardware address Type Lease expires at
192.168.1.3 5c:26:0a:18:47:01 dynamic 2013-09-27 20:41:36 CEST
10.10.2.2 5c:26:0a:18:47:01 dynamic 2013-09-27 19:19:22 CEST
192.168.1.2 94:de:80:6e:8b:05 dynamic 2013-09-27 20:42:34 CEST
Why is that? Did I miss anything?
As a last question: what is the purpose of the default vlan (that is, the vlan with name "default")? Doesn't seem to work in a normal way. After all, if it did there probably wouldn't be a vlan-trust in the default configuration. Can I use the default?
Many thanks