I have a SRX210 (low memory) that I updated to 12.2r4.7 last night. The upgrade went fine.
I then added a new VLAN to test something. I currently have:
vlan2 = DMZ
vlan3 = Admin (NAS)
vlan4 = Internal (all the non-DMZ devices)
vlan6 = New Test VLAN
I have the following zones:
internet - encompasses the port my internet connection is conected to. Limited incoming traffic routed to the dmz zone. Inbound traffic denied to all other zones.
dmz - encompasses vlan2. Limited incoming access from internet. Limited outbound to admin. Full outbound access to test and internet zones. Access to internal zone is denied.
admin - Limited incoming access to and from dmz zone. Limited incoming access from internal zone. Access to/from test and internet zones is denied.
internal - Limited access to dmz and admin zones. Full access to internet zone. Access to test zone is denied.
test - Full access to dmz and internet zones. All other zones are denied.
The issue is that the computer I connected to the new VLAN works as expected with my networks, but all my outbound internet traffic seems to be getting dropped. I believe I set it all up (tweaking policy rules aside) exactly like my other VLANs, so I'm at a loss as to what I've missed.
Here are the (I believe) relevant portions of my configuration. Any input is appreciated.
P.S. I'm running this at home for the learning experience and while technically able I am a network idiot. So please use small words 😉
Physical Interface:
# show interfaces fe-0/0/6
description "Test";
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan6;
}
}
}
VLAN Interface:
# show interfaces vlan unit 6
description "Test VLAN";
family inet {
address 10.0.6.1/24;
}
DHCP:
# show system services dhcp pool 10.0.6.1/24
address-range low 10.0.6.2 high 10.0.6.2;
name-server {
X.X.X.X;
Y.Y.Y.Y;
Z.Z.Z.Z;
}
router {
10.0.6.1;
}
VLAN:
# show vlans vlan6
description "Test VLAN";
vlan-id 6;
l3-interface vlan.6;
Zone:
# show security zones security-zone test
tcp-rst;
address-book {
address server 10.0.6.2/32;
}
interfaces {
vlan.6 {
host-inbound-traffic {
system-services {
all;
}
}
}
}
Rules:
from-zone test to-zone internal {
policy default-deny {
match {
source-address any;
destination-address any;
application any;
}
then {
deny;
}
}
}
from-zone test to-zone admin {
policy default-deny {
match {
source-address any;
destination-address any;
application any;
}
then {
deny;
}
}
}
from-zone test to-zone dmz {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone test to-zone internet {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone internet to-zone test {
policy default-deny {
match {
source-address any;
destination-address any;
application any;
}
then {
deny;
}
}
}
from-zone internal to-zone test {
policy default-deny {
match {
source-address any;
destination-address any;
application any;
}
then {
deny;
}
}
}
from-zone admin to-zone test {
policy default-deny {
match {
source-address any;
destination-address any;
application any;
}
then {
deny;
}
}
}
from-zone dmz to-zone test {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}