Junos OS

  • 1.  Noobish problem with an SRX 220: don't have a route (I think)

    Posted 09-22-2013 08:44

    Hi,

    I'm trying to configure my SRX 220. Being a noob, I didn't manage to get it working. I did manage to get an address from the DHCP server of my provider, which would mean I at least have configured ADSL correctly. However, when I try to ping an IP address from the router I get a "no route to host" error.

    The impression is that I don't have a default route, which is strange, as I seem to get a DHCP lease. Even trying to add a default route by myself didn't work. It's obviously possible that I made a mistake there though.

    I don't know what to do. Any suggestion is appreciated. Thanks.

    My config:

    ## Last changed: 2013-09-23 00:37:55 CEST
    version 11.2R4.3;
    system {
        host-name router;
        domain-name ---;
        time-zone Europe/Amsterdam;
        root-authentication {
            encrypted-password ---;
        }
        services {
            ssh;
            telnet;
            xnm-clear-text;
            web-management {
                http {
                    interface vlan.0;
                }
                https {
                    system-generated-certificate;
                    interface vlan.0;
                }
            }
            dhcp {
                router {
                    192.168.1.1;
                }
                pool 192.168.1.0/24 {
                    address-range low 192.168.1.2 high 192.168.1.254;
                }
                propagate-settings ge-0/0/0.0;
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet;
            }
        }
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/7 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        at-2/0/0 {
            encapsulation ethernet-over-atm;
            atm-options {
                vpi 0;
            }
            dsl-options {
                operating-mode auto;
            }
            unit 1 {
                encapsulation ether-over-atm-llc;
                vci 0.34;
                family inet {
                    dhcp {
                        update-server;
                    }
                }
            }
        }
        vlan {
            unit 0 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
        }
    }
    protocols {
        stp;
    }
    security {
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone trust {
                policy trust-permit-all {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.0;
                    at-2/0/0.1;
                    ge-0/0/1.0;
                    ge-0/0/2.0;
                    ge-0/0/3.0;
                    ge-0/0/4.0;
                    ge-0/0/5.0;
                    ge-0/0/6.0;
                    ge-0/0/7.0;
                }
            }
            security-zone untrust {
                screen untrust-screen;
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                tftp;
                            }
                        }
                    }
                }
            }
        }
    }
    vlans {
        vlan-trust {
            vlan-id 3;
            l3-interface vlan.0;
        }
    }



  • 2.  RE: Noobish problem with an SRX 220: don't have a route (I think)

    Posted 09-22-2013 10:08

    Well, a couple of comments. You have a DHCP ADSL connection from your provider. This will provide you with your default route. If you issue the operational command:

    user@host> show route 

    You should see something like:

    0.0.0.0/0      *[access-internal/12] . . . .
                           > to x.x.x.x via at-2.0.0.0

    HOWEVER! Your config has some issues. Look at your security zone setup. You have the ADSL I/F (at-2.0.0.0) in your trust zone. This is your GW to the Internet. You are wide open here. You are allowing all protocols and services to come into any I/F in the trust zone and you have a security policy of trust to untrust any, any, any.

    All that is fine EXCEPT that you need to move the at-2.0.0. I/F to your untrust zone ASAP.

    All should work fine then.


  • 3.  RE: Noobish problem with an SRX 220: don't have a route (I think)

    Posted 09-22-2013 11:02

    Thanks for the answer.

    Concerning the trust zone, I mostly followed what I found here:

    http://www.juniper.net/techpubs/en_US/release-independent/junos/information-products/topic-collections/hardware/srx-series/srx-interfaces/book-srx-series-interfaces-hw.pdf

    Or at least I think I did.

    I did think that it might be too permissive, but I also fear mistakes that might cause me trouble. This way I can at least exclude access errors, I hope. A few years ago I couldn't get a connection because I was blocking DHCP communication.

    Concerning the route, I'm afraid something doesn't work:

    root@router> show route 
    
    inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    192.168.1.0/24     *[Direct/0] 03:28:34
                        > via vlan.0
    192.168.1.1/32     *[Local/0] 03:28:34
                          Local via vlan.0
    

     What can also be interesting, now that I'm getting acquainted with the CLI, is this:

    root@router> show arp 
    MAC Address       Address         Name                      Interface           Flags
    94:de:80:6e:8b:05 192.168.1.2     192.168.1.2               vlan.0              none
    5c:26:0a:18:47:01 192.168.1.3     192.168.1.3               vlan.0              none
    Total entries: 2
    
    

    Which I don't understand, as the web interface clearly says that my at-2/0/0.1 has an address. That address is, as far as I can tell, my usual external IP address.

    I really don't get it.


  • 4.  RE: Noobish problem with an SRX 220: don't have a route (I think)

    Posted 09-22-2013 21:56

    Okay, I found the command show system services dhcp client, which shows I have a server (dhcp server, I assume), and 2 DNS servers. None of which I can ping; I always get no route to host.

    Besides, I saw this:

    root@router> show route forwarding-table 
    Routing table: default.inet
    Internet:
    Destination        Type RtRef Next hop           Type Index NhRef Netif
    default            perm     0                    rjct    36     1
    0.0.0.0/32         perm     0                    dscd    34     1
    192.168.1.0/24     intf     0                    rslv   543     1 vlan.0
    192.168.1.0/32     dest     0 192.168.1.0        recv   541     1 vlan.0
    192.168.1.1/32     intf     0 192.168.1.1        locl   542     2
    192.168.1.1/32     dest     0 192.168.1.1        locl   542     2
    192.168.1.2/32     dest     1 94:de:80:6e:8b:5   ucst   552     2 vlan.0
    192.168.1.3/32     dest     1 5c:26:a:18:47:1    ucst   553     2 vlan.0
    192.168.1.255/32   dest     0 192.168.1.255      bcst   540     1 vlan.0
    224.0.0.0/4        perm     0                    mdsc    35     1
    224.0.0.1/32       perm     0 224.0.0.1          mcst    31     1
    255.255.255.255/32 perm     0                    bcst    32     1
    
    Routing table: __master.anon__.inet
    Internet:
    Destination        Type RtRef Next hop           Type Index NhRef Netif
    default            perm     0                    rjct   524     1
    0.0.0.0/32         perm     0                    dscd   522     1
    224.0.0.0/4        perm     0                    mdsc   523     1
    224.0.0.1/32       perm     0 224.0.0.1          mcst   519     1
    255.255.255.255/32 perm     0                    bcst   520     1
    
    Routing table: default.iso
    ISO:
    Destination        Type RtRef Next hop           Type Index NhRef Netif
    default            perm     0                    rjct    60     1
    
    Routing table: __master.anon__.iso
    ISO:
    Destination        Type RtRef Next hop           Type Index NhRef Netif
    default            perm     0                    rjct   530     1
    
    Routing table: default.inet6
    Internet6:
    Destination        Type RtRef Next hop           Type Index NhRef Netif
    default            perm     0                    rjct    44     1
    ::/128             perm     0                    dscd    42     1
    ff00::/8           perm     0                    mdsc    43     1
    ff02::1/128        perm     0 ff02::1            mcst    39     1
    
    Routing table: __master.anon__.inet6
    Internet6:
    Destination        Type RtRef Next hop           Type Index NhRef Netif
    default            perm     0                    rjct   536     1
    ::/128             perm     0                    dscd   534     1
    ff00::/8           perm     0                    mdsc   535     1
    ff02::1/128        perm     0 ff02::1            mcst   532     1
    
    Routing table: default.mpls
    MPLS:
    Destination        Type RtRef Next hop           Type Index NhRef Netif
    default            perm     0                    dscd    50     1
    
    Routing table: default.ethernet-switching
    ETHERNET-SWITCHING:
    Destination        Type RtRef Next hop           Type Index NhRef Netif
    default            perm     0                    dscd    66     1
    2, *               intf     0                    rslv   517     1
    3, *               user     0                    comp   551     2
    3, *               intf     0                    rslv   518     1
    3, 00:11:e5:00:d9:ee user     0                  ucst   550     5 ge-0/0/1.0
    3, 08:81:f4:79:e0:08 user     0                  recv    65     1
    3, 5c:26:0a:18:47:01 user     0                  ucst   550     5 ge-0/0/1.0
    3, 94:de:80:6e:8b:05 user     0                  ucst   550     5 ge-0/0/1.0
    
    Routing table: default.vmembers
    VMEMBERS:
    Destination        Type RtRef Next hop           Type Index NhRef Netif
    default            perm     0                    dscd    74     8
    70 65535           user     0                    dscd    74     8
    71 65535           user     0                    dscd    74     8
    72 65535           user     0                    dscd    74     8
    73 65535           user     0                    dscd    74     8
    74 65535           user     0                    dscd    74     8
    75 65535           user     0                    dscd    74     8
    76 65535           user     0                    dscd    74     8
    
    Routing table: default.MSTI
    MSTI:
    Destination        Type RtRef Next hop           Type Index NhRef Netif
    default            perm     0                    dscd    82    15
    70, 0              user     0                    dscd    82    15
    70, 254            user     0                    dscd    82    15
    71, 0              user     0                    dscd    82    15
    71, 254            user     0                    dscd    82    15
    72, 0              user     0                    dscd    82    15
    72, 254            user     0                    dscd    82    15
    73, 0              user     0                    dscd    82    15
    73, 254            user     0                    dscd    82    15
    74, 0              user     0                    dscd    82    15
    74, 254            user     0                    dscd    82    15
    75, 0              user     0                    dscd    82    15
    75, 254            user     0                    dscd    82    15
    76, 0              user     0                    dscd    82    15
    76, 254            user     0                    dscd    82    15
    
    Routing table: default.dhcp-snooping
    DHCP Snooping:
    Destination        Type RtRef Next hop           Type Index NhRef Netif
    default            perm     0                    dscd    98     1
    

     Which, if I understand correctly, means that I have no default route. Which brings me to the questions:

    1) Is it correct that I don't have a default route?

    2) Why don't I get a route from DHCP?

    3) How do I set one?



  • 5.  RE: Noobish problem with an SRX 220: don't have a route (I think)

    Posted 09-23-2013 05:28

    Well, I am not sure what the web I/F is showing. But your show route command is not showing a connection on the at-2.0/0/0 I/F, that is for sure. You should see a direct and local route for that I/F in the table. You should see an ARP entry of course, and your show route forwarding-table should of course show routes.

    So you not only don't have a default route, but you don't have a valid connection to the ISP. Have you issued a basic command like show interfaces terse to see the I/F status?

    Also, I will say again, your ISP I/F is in the wrong zone. This is your untrust I/F and belongs in the untrust zone. I understand what the guide says, but in the context of using an ADSL connection to an ISP your configuration is set up so that anyone from the outside world could hit your firewall on every single port; the traffic would be allowed in. You have a policy of trust-to-trust any that makes you wide open.



  • 6.  RE: Noobish problem with an SRX 220: don't have a route (I think)

    Posted 09-23-2013 10:10

    The show interface terse says everything is up, with inet protocol:

    root@router> show interfaces at-2/0/0 terse 
    Interface               Admin Link Proto    Local                 Remote
    at-2/0/0                up    up  
    at-2/0/0.1              up    up   inet    
    at-2/0/0.32767          up    up  
    

     The web interface I saw was for the DHCP. In fact I have my address where it says "Address obtained" (not shown here, of course):

    root@router> show system services dhcp client 
    
     Logical Interface name         at-2/0/0.1
            Hardware address        08:81:f4:79:e0:54
            Client status           bound
            Address obtained        xx.xx.xx.xx
            Update server           enabled
            Lease obtained at       2013-09-24 02:39:29 CEST
            Lease expires at        2013-09-24 08:39:29 CEST
    
    DHCP options:
        Name: server-identifier, Value: 194.109.22.18
        Code: 1, Type: ip-address, Value: 255.255.255.0
        Name: router, Value: [ 83.160.150.1 ]
        Name: name-server, Value: [ 194.109.6.66, 194.109.9.99 ]
        Name: domain-name, Value: adsl.xs4all.nl
    

    So I do have an IP, and a DNS (with a backup DNS). That looks pretty good.

    For the rest, I added the at interface to the untrust zone, allowing DNS, DHCP and router discovery:

    security-zone untrust {
        screen untrust-screen;
        host-inbound-traffic {
            system-services {
                dns;
            }
            protocols {
                router-discovery;
            }
        }
        interfaces {
            ge-0/0/0.0 {
                host-inbound-traffic {
                    system-services {
                        dhcp;
                        tftp;
                    }
                }
            }
            at-2/0/0.1 {
                host-inbound-traffic {
                    system-services {
                        dhcp;
                        dns;
                    }
                    protocols {
                        router-discovery;
                    }
                }
            }
        }
    }
    

    Not sure where tftp is coming from. That should be okay, I guess.

    I assume 83.160.150.1 is my gateway, so I also tried to add a default route:

    routing-options {
        static {
            route 0.0.0.0/0 next-hop 83.160.150.1;
        }
    }
    

    But that didn't work.



  • 7.  RE: Noobish problem with an SRX 220: don't have a route (I think)

    Posted 09-23-2013 13:42

    Look at your interface under the show interfaces terse: there is no DHCP address associated with it, unless you did not include it in the post. Plus your previous post with the show route command did not show a direct/local route for the at-2-0/0/0 I/F. Even though you show the DHCP client as getting an IP address, the SRX is not showing it assigned to that logical I/F.

    If you do a request system services dhcp release and then renew, do you see your address get released and then returned?

    Also, I am not an ADSL guy. One thing that I did notice is that your logical I/F is configured as unit "1". Normally, in the few times that I have brought up ADSL, I have always made my unit 0. Might try switching it to unit 0.

    Finally, just as an FYI: under your security zone untrust, system services, you show dns. This will not be used within this config anywhere. As you have system services defined in the zone for each of the specific I/F's, please note that there is NO inheritance. They just get what is specified for each I/F. No real impact, just wanted to point it out.



  • 8.  RE: Noobish problem with an SRX 220: don't have a route (I think)

    Posted 09-23-2013 18:04

    @muttbarker wrote:

    Also, I am not an ADSL guy. One thing that I did notice is that your logical I/F is configured as unit "1". Normally, in the few times that I have brought up ADSL, I have always made my unit 0. Might try switching it to unit 0.

    Yeah, I noticed. I was thinking about changing it. That was the first thing I set up, and I thought 1 would be a safer bet, because I didn't know if it was 0-based or 1-based. Anyway, it turns out that it's not the safer bet.

    So that actually did quite a bit. Thanks. But I'm not there yet:

    root@router> ping count 3 www.google.com 
    PING6(56=40+8+8 bytes) :: --> 2a00:1450:400c:c05::6a
    ping: sendmsg: No route to host
    ping6: wrote www.google.com 16 chars, ret=-1
    ping: sendmsg: No route to host
    ping6: wrote www.google.com 16 chars, ret=-1
    ping: sendmsg: No route to host
    ping6: wrote www.google.com 16 chars, ret=-1
    
    --- www.google.com ping6 statistics ---
    3 packets transmitted, 0 packets received, 100% packet loss
    

     but:

    root@router> ping inet count 3 www.google.com 
    PING www.google.com (173.194.66.105): 56 data bytes
    64 bytes from 173.194.66.105: icmp_seq=0 ttl=50 time=26.666 ms
    64 bytes from 173.194.66.105: icmp_seq=1 ttl=50 time=20.896 ms
    64 bytes from 173.194.66.105: icmp_seq=2 ttl=50 time=20.587 ms
    
    --- www.google.com ping statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 20.587/22.716/26.666/2.796 ms
    

    and again:

    root@router> ping count 3 173.194.66.105         
    PING 173.194.66.105 (173.194.66.105): 56 data bytes
    64 bytes from 173.194.66.105: icmp_seq=0 ttl=50 time=21.193 ms
    64 bytes from 173.194.66.105: icmp_seq=1 ttl=50 time=20.625 ms
    64 bytes from 173.194.66.105: icmp_seq=2 ttl=50 time=20.853 ms
    
    --- 173.194.66.105 ping statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 20.625/20.890/21.193/0.233 ms
    

    Like it's using IPv6 for the DNS. Don't know what to make of it.

    Could be the expected behavior, but then there is something else going on, because from my computer I can ping the IP address, but if I ping the host name I get "unknown host".

    muttbarker wrote:

    Finally, just as an FYI: under your security zone untrust, system services, you show dns. This will not be used within this config anywhere. As you have system services defined in the zone for each of the specific I/F's, please note that there is NO inheritance. They just get what is specified for each I/F. No real impact, just wanted to point it out.

    I'm not sure what you mean. Are you saying I should remove the dns? Could be; I put it in because I'm concerned I might reject something I shouldn't, as I said. I'll take it out.



  • 9.  RE: Noobish problem with an SRX 220: don't have a route (I think)
    Best Answer

    Posted 09-23-2013 19:44

    1. Security zone settings DNS @ top does nothing. You have it under the I/F's, so that is what will allow that traffic to come into the box on those I/F's.

    2. DNS is not propagating. Try setting a specific name server, "set system services name-server 8.8.8.8" or whatever, under dhcp.

    Actually, change your dhcp propagate settings to at-2/0/0 so you propagate from the ISP. Just saw that it is set to propagate ge-0/0/0 and you aren't getting DHCP from there.

    One major thing you did wrong. The default config uses ge-0/0/0 as the default untrust gateway I/F. Your default untrust gateway I/F is at-2/0/0, so from the context of the config, if you had set up at-2/0/0 where ge-0/0/0 was, you would have been further ahead from the beginning. I.e. replace pattern ge-0/0/0 with at-2/0/0.

    But you really have to know JUNOS and SRX to know to do that.
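    The zone placement and propagate-settings points in this answer, checked mechanically: an added Python audit (not from the thread, the poster, or Juniper) that parses a constructed, cut-down config in Junos's own curly-brace syntax and flags an ISP-facing DHCP-client interface sitting in a zone that admits all host-inbound traffic, and a propagate-settings target that has no DHCP client. The config text, finding messages and function names are all assumptions of this example.

```python
# Added example (not from the thread or Juniper): audit of the zone/propagate-settings points above.
import re

TOKEN = re.compile(r"\{|\}|;|[^\s{};]+")

def parse_junos(text):
    """Junos curly-brace config -> nested dicts ('x y;' -> {'x y': None}, 'x { }' -> {'x': {}})."""
    text = re.sub(r"^\s*#.*$", "", text, flags=re.M)  # drop '## Last changed' style comments
    stack, words = [{}], []
    for tok in TOKEN.findall(text):
        if tok == "{":
            key, words = " ".join(words), []
            child = stack[-1].get(key)
            if not isinstance(child, dict):  # key seen earlier as a leaf: block wins
                child = stack[-1][key] = {}
            stack.append(child)
        elif tok == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif tok == ";":
            stack[-1].setdefault(" ".join(words), None)
            words = []
        else:
            words.append(tok)
    if len(stack) != 1 or words:
        raise ValueError("unterminated block or statement")
    return stack[0]

def dhcp_client_interfaces(cfg):
    """Logical interfaces (e.g. 'at-2/0/0.0') whose family inet runs a DHCP client."""
    found = []
    for ifname, ifcfg in (cfg.get("interfaces") or {}).items():
        for unit, ucfg in (ifcfg or {}).items():
            if unit.startswith("unit ") and isinstance(ucfg, dict):
                inet = ucfg.get("family inet")
                if isinstance(inet, dict) and "dhcp" in inet:
                    found.append(f"{ifname}.{unit.split()[1]}")
    return found

def effective_inbound(zcfg, logical_if):
    """host-inbound-traffic that applies to logical_if: its own stanza if it has one,
    otherwise the zone-level stanza (Junos applies no inheritance between the two)."""
    iface = (zcfg.get("interfaces") or {}).get(logical_if)
    if isinstance(iface, dict) and "host-inbound-traffic" in iface:
        return iface["host-inbound-traffic"] or {}
    return zcfg.get("host-inbound-traffic") or {}

def allows_all(hit):
    return any("all" in (hit.get(k) or {}) for k in ("system-services", "protocols"))

def propagate_target(cfg):
    dhcp = ((cfg.get("system") or {}).get("services") or {}).get("dhcp") or {}
    for key in dhcp:
        if key.startswith("propagate-settings "):
            return key.split(None, 1)[1]
    return None

def audit(text):
    """Return findings for the checked points; an empty list means they look sane."""
    cfg = parse_junos(text)
    wan = dhcp_client_interfaces(cfg)
    zones = (cfg.get("security") or {}).get("zones") or {}
    findings = []
    for lif in wan:
        placed = False
        for zkey, zcfg in zones.items():
            if lif not in ((zcfg or {}).get("interfaces") or {}):
                continue
            placed, zname = True, zkey.split()[-1]
            if zname == "trust":
                findings.append(f"{lif}: ISP-facing DHCP interface sits in zone trust")
            if allows_all(effective_inbound(zcfg, lif)):
                findings.append(f"{lif}: zone {zname} admits 'all' host-inbound traffic")
        if not placed:
            findings.append(f"{lif}: not assigned to any security zone")
    target = propagate_target(cfg)
    if target and target not in wan:
        findings.append(f"propagate-settings {target}: no DHCP client there, no DNS to propagate")
    return findings

# Constructed config mirroring the first post's mistakes, cut down to what the audit reads.
BROKEN = """
system { services { dhcp { propagate-settings ge-0/0/0.0; } } }
interfaces { at-2/0/0 { unit 1 { family inet { dhcp { update-server; } } } } }
security { zones {
    security-zone trust {
        host-inbound-traffic { system-services { all; } protocols { all; } }
        interfaces { vlan.0; at-2/0/0.1; } }
    security-zone untrust {
        interfaces { ge-0/0/0.0 { host-inbound-traffic { system-services { dhcp; } } } } } } }
"""
# The thread's fixes: unit 0, ISP I/F out of trust, and 'replace pattern ge-0/0/0 with at-2/0/0'.
FIXED = (BROKEN.replace("unit 1", "unit 0").replace(" at-2/0/0.1;", "")
         .replace("ge-0/0/0", "at-2/0/0"))

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, audit(text) or ["no findings"])
```

    Run against a real `show configuration | no-more` capture, the parser handles the full nested file; the audit only reads the interfaces, zones and dhcp stanzas.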



  • 10.  RE: Noobish problem with an SRX 220: don't have a route (I think)

    Posted 09-23-2013 20:21

    @muttbarker wrote:

    1. Security zone settings DNS @ top does nothing. You have it under the I/F's, so that is what will allow that traffic to come into the box on those I/F's.

    OK. Removed. I actually completely removed it.

    @muttbarker wrote:

    2. DNS is not propagating. Try setting a specific name server, "set system services name-server 8.8.8.8" or whatever, under dhcp.

    Yes, I noticed that it works.

    muttbarker wrote:

    Actually, change your dhcp propagate settings to at-2/0/0 so you propagate from the ISP. Just saw that it is set to propagate ge-0/0/0 and you aren't getting DHCP from there.

    Yes! That was it, thanks. It was actually at-2/0/0.0. Great. It works. I wouldn't really know what that propagate thing does without your post.

    For the record, the IPv6 thing with the router is by design:

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB25265

    @muttbarker wrote:

    One major thing you did wrong. The default config uses ge-0/0/0 as the default untrust gateway I/F. Your default untrust gateway I/F is at-2/0/0, so from the context of the config, if you had set up at-2/0/0 where ge-0/0/0 was, you would have been further ahead from the beginning. I.e. replace pattern ge-0/0/0 with at-2/0/0.

    But you really have to know JUNOS and SRX to know to do that.

    That might take a while :)

    The configuration has changed a bit, so it should be okay, at least to get started. I'll have to configure the zones and the pools better.

    Thanks for the answer. Hopefully I'll be fine now.

    My final (sort of) config:

    ## Last changed: 2013-09-24 12:55:58 CEST
    version 11.2R4.3;
    system {
        host-name router;
        domain-name ---;
        time-zone Europe/Amsterdam;
        root-authentication {
            encrypted-password ---;
        }
        services {
            ssh;
            telnet;
            xnm-clear-text;
            web-management {
                http {
                    interface vlan.0;
                }
                https {
                    system-generated-certificate;
                    interface vlan.0;
                }
            }
            dhcp {
                router {
                    192.168.1.1;
                }
                pool 192.168.1.0/24 {
                    address-range low 192.168.1.2 high 192.168.1.254;
                }
                propagate-settings at-2/0/0.0;
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet;
            }
        }
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/7 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        at-2/0/0 {
            encapsulation ethernet-over-atm;
            atm-options {
                vpi 0;
            }
            dsl-options {
                operating-mode auto;
            }
            unit 0 {
                encapsulation ether-over-atm-llc;
                vci 0.34;
                family inet {
                    dhcp {
                        update-server;
                    }
                }
            }
        }
        vlan {
            unit 0 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
        }
    }
    protocols {
        stp;
    }
    security {
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone trust {
                policy trust-permit-all {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                    ge-0/0/1.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                    ge-0/0/2.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                    ge-0/0/3.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                    ge-0/0/4.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                    ge-0/0/5.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                    ge-0/0/6.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                    ge-0/0/7.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone untrust {
                screen untrust-screen;
                host-inbound-traffic {
                    protocols {
                        router-discovery;
                    }
                }
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                            }
                        }
                    }
                    at-2/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                            }
                            protocols {
                                router-discovery;
                            }
                        }
                    }
                }
            }
        }
    }
    vlans {
        vlan-trust {
            vlan-id 3;
            l3-interface vlan.0;
        }
    }

  • 11.  RE: Noobish problem with an SRX 220: don't have a route (I think)

    Posted 09-24-2013 05:48

    Glad that things are working now. So here are some things for you to contemplate, test, . . . . 


    1. You still have ge-0/0/0 in your untrust security zone. Why? Does that help you? Do you use it?

    2. Security zones contain interfaces. They are then used in policy definitions to control transit traffic flows. They also let self traffic in via the host-inbound command.


    So - knowing that, you have defined a vlan (vlan-trust) and you have placed your ge-0/0/1-ge-0/0/7 I/F's into that vlan.


    In your trust security zone you have a top level definition of host-inbound. You also list each of your I/F's (ge. . . ) and your RVI (vlan.0) I/F. 


    Can you tighten up this config? Make it shorter? Are some lines redundant? Do you need to specify both the ge and vlan I/F's?


    This is the teacher in me coming out - Just some questions to get you thinking about Junos . . . . Have fun!
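One way the trust and untrust zones from the posted config could be tightened along the lines of the questions above, as an added example that is not part of the original reply or of Juniper's documentation; it assumes ge-0/0/0 is unused now that at-2/0/0 carries the ADSL uplink, and that the Layer 2 switched ports need no separate zone entries because vlan.0 is their routed interface.

```junos
security {
    zones {
        security-zone trust {
            # A zone-level host-inbound-traffic block applies to every
            # interface in the zone; the identical per-interface copies on
            # vlan.0 and ge-0/0/1.0 to ge-0/0/7.0 in the posted config add
            # nothing and are dropped here. "all" is broad: once the box
            # works, listing only the services actually used on the LAN
            # (e.g. ssh, https, ping, dhcp) shrinks the management surface.
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                # Assumption: ge-0/0/1 to ge-0/0/7 are family
                # ethernet-switching members of vlan-trust, so the routed
                # VLAN interface vlan.0 is the only zone member needed.
                vlan.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            # Assumption: ge-0/0/0 is not in use, so it is no longer listed.
            # The zone-level "protocols { router-discovery; }" from the
            # posted config is redundant with the interface-level entry
            # below and is omitted.
            interfaces {
                at-2/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                        }
                        protocols {
                            router-discovery;
                        }
                    }
                }
            }
        }
    }
}
```

The NAT rule-set and the trust-to-untrust policy reference zones, not interfaces, so they need no change when interfaces are removed from a zone.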