SRX Services Gateway
Visitor
Posts: 4
Registered: ‎05-04-2016
0 Kudos
Accepted Solution

SRX240 Need Help with vlan Routing


I am new to the SRX and I am having problems routing between vlans and I hope someone can help.

 

This is a picture of my configuration:

 

[Image: firewall test setup drawing.jpg]

I am trying to route traffic between vlan.10 and vlan.800 (between zones trust and untrust).

From 192.168.100.2 I cannot ping any address on the 10.1.8.0 network, and from 10.1.8.71 I cannot ping any address on the 192.168.100.0 network.  From the SRX240 I can ping everything.

 

Here is the configuration that I am using:

 

 

root@dpr-fw> show configuration 
## Last commit: 2017-01-14 00:05:23 UTC by root
version 12.3X48-D35.7;
system {
    host-name dpr-fw;
    root-authentication {
        encrypted-password "."; ## SECRET-DATA
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    services {
        ssh;
        xnm-clear-text;
        web-management {
            http {
                interface vlan.300;
            }
            https {
                system-generated-certificate;
                interface vlan.300;
            }
        }
    }                                   
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
security {
    screen {                            
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {   
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy untrust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone trust { 
            policy trust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        default-policy {
            permit-all;
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;                
                }
            }
            interfaces {
                vlan.800 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            inactive: screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;                
                }
            }
            interfaces {
                vlan.10 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone fw-manage {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }                       
            }
            interfaces {
                vlan.300;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members utility;
                }
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan-untrust;
                }
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan-untrust;
                }
            }
        }
    }
    ge-0/0/8 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan-trust;
                }
            }
        }                               
    }
    vlan {
        unit 10 {
            family inet {
                address 192.168.100.88/24;
            }
        }
        unit 300 {
            family inet {
                address 10.1.3.88/24;
            }
        }
        unit 800 {
            family inet {
                address 10.1.8.88/24;
            }
        }
    }
}
protocols {
    igmp {
        interface all;
    }                                   
    stp;
    igmp-snooping {
        vlan all;
    }
}
vlans {
    utility {
        vlan-id 300;
        l3-interface vlan.300;
    }
    vlan-trust {
        vlan-id 800;
        l3-interface vlan.800;
    }
    vlan-untrust {
        vlan-id 10;
        l3-interface vlan.10;
    }
}

 

If anybody can help me figure out what is wrong I would appreciate it.
Distinguished Expert
Posts: 642
Registered: ‎06-22-2011
0 Kudos

Re: SRX240 Need Help with vlan Routing

Do a flow traceoption to see how the traffic is being handled.

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB16110

Super Contributor
Posts: 151
Registered: ‎07-18-2012
0 Kudos

Re: SRX240 Need Help with vlan Routing

Hi Folks,

This example shows how to set up a new zone and add three application servers to that zone. Then you provide communication between a host (PC) in the trust zone to the servers in the newly created zone and also facilitate communication between two servers within the zone.

 

To meet this requirement, you need an interzone security policy to allow traffic between two zones and an intrazone policy to allow traffic between servers within a zone.

 

http://www.juniper.net/documentation/en_US/junos15.1x49/topics/example/security-srx-device-zone-and-...

-Python
#Please mark my solution as accepted if it helped, Kudos are appreciated as well.
Recognized Expert
Posts: 317
Registered: ‎01-18-2010
0 Kudos

Re: SRX240 Need Help with vlan Routing

Are all of your hosts using x.x.x.88 as their gateways?

Visitor
Posts: 4
Registered: ‎05-04-2016
0 Kudos

Re: SRX240 Need Help with vlan Routing

That was the problem. I had the gateway on each box pointed to the interface as the next-hop.  Once I changed the routing table to point the next-hop to the routable vlan interface on the SRX I could ping in both directions.  That was a stupid mistake!  Thanks so much for the help!

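The fix above comes down to one check: every host's default gateway must be the SRX's own vlan.N address on that host's subnet, and that vlan.N interface must sit in a security zone. The following script is an added example, not code from the thread; it parses an abridged, constructed copy of the posted configuration (same addresses and zone membership) and reports why a given host's gateway setting would or would not get packets to the SRX. It also goes slightly beyond the thread by flagging an IRB interface that is not assigned to any zone.

```python
import ipaddress
import re
# Constructed, abridged copy of the zone and vlan stanzas from the SRX240 config above.
SRX_CONFIG = """security { zones {
    security-zone trust { interfaces { vlan.800 { host-inbound-traffic { system-services { all; } } } } }
    security-zone untrust { interfaces { vlan.10; } }
    security-zone fw-manage { interfaces { vlan.300; } } } }
interfaces { vlan { unit 10 { family inet { address 192.168.100.88/24; } }
    unit 300 { family inet { address 10.1.3.88/24; } }
    unit 800 { family inet { address 10.1.8.88/24; } } } }
"""
def parse_junos(text):
    """Turn brace-style Junos config into nested dicts; leaf statements map to None."""
    text = re.sub(r"#.*", "", text)  # drop '## SECRET-DATA' style annotations
    stack, words = [{}], []
    for tok in re.findall(r"\{|\}|;|[^\s{};]+", text):
        if tok == "}":
            stack.pop()
        elif tok in "{;":
            key, words = " ".join(words), []
            stack[-1][key] = node = {} if tok == "{" else None
            if node is not None:
                stack.append(node)
        else:
            words.append(tok)
    return stack[0]

def srx_gateways(config):
    """Map each vlan.N IRB to (ip_interface, security zone or None)."""
    zone_of = {i: z.split()[-1] for z, b in config["security"]["zones"].items()
               for i in (b.get("interfaces") or {})}
    gateways = {}
    for key, body in config["interfaces"]["vlan"].items():
        name = "vlan." + key.split()[-1]
        addr = next(s.split()[1] for s in body["family inet"] if s.startswith("address "))
        gateways[name] = (ipaddress.ip_interface(addr), zone_of.get(name))
    return gateways

def check_host_gateway(gateways, host_ip, host_gw):
    """Explain whether a host's default gateway actually hands packets to the SRX."""
    host, gw = ipaddress.ip_address(host_ip), ipaddress.ip_address(host_gw)
    for name, (irb, zone) in gateways.items():
        if host not in irb.network:
            continue
        if zone is None:
            return f"{name} is not assigned to any security zone"
        if gw != irb.ip:
            return f"gateway {gw} is not the SRX address {irb.ip} on {name}"
        return f"ok via {name} in zone {zone}"
    return f"{host} is not on any SRX vlan subnet"
```

The sample hosts 192.168.100.2 and 10.1.8.71 are the ones from the original post; the wrong gateway 10.1.8.1 used in the checks is a constructed value.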
Recognized Expert
Posts: 317
Registered: ‎01-18-2010
0 Kudos

Re: SRX240 Need Help with vlan Routing

👍