Hi Steve
Thanks for your answer! I have posted a piece of the config below (with, I think, all the relevant info) because I can't get it to work.
Note: as you can see, the Exchange server is in LAN A in vrouter trust, in its own zone. LAN B in vrouter trust (in its own zone) needs to communicate over the VIP in vrouter untrust (in its own zone). Any more clues? Sorry for any obsolete config.
Thanks in advance!
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
set zone "Trust" vrouter "trust-vr"
set zone id 102 "OTH_WIFI"
set zone id 105 "ISP"
set zone "ISP" vrouter "untrust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
unset zone "V1-Trust" tcp-rst
unset zone "V1-Untrust" tcp-rst
unset zone "VLAN" tcp-rst
unset zone "OTH_WIFI" tcp-rst
set zone "MGT_WIFI" block
unset zone "MGT_WIFI" tcp-rst
set zone "ISP" block
unset zone "ISP" tcp-rst
set interface "ethernet0/0" zone "Null"
set interface "ethernet0/1" zone "Trust"
set interface "ethernet0/2" zone "HOTSPOT_ZONE"
set interface "ethernet0/3" zone "MGT_WIFI"
set interface "ethernet0/3.1" tag 21 zone "OTH_WIFI"
set interface "ethernet0/3.2" tag 22 zone "CORP_WIFI"
set interface "ethernet0/4" zone "ISP"
set interface "bgroup0" zone "Null"
unset interface vlan1 ip
set interface ethernet0/1 ip 192.168.20.254/24
set interface ethernet0/1 nat
set interface ethernet0/2 ip 192.168.23.254/24
set interface ethernet0/2 route
set interface ethernet0/3 ip 192.168.24.254/24
set interface ethernet0/3 route
set interface ethernet0/3.1 ip 192.168.21.254/24
set interface ethernet0/3.1 route
set interface ethernet0/3.2 ip 192.168.22.254/24
set interface ethernet0/3.2 route
set interface ethernet0/4 ip 1.2.3.98/28
set interface ethernet0/4 route
set interface ethernet0/3.1 mtu 1500
set interface ethernet0/3.2 mtu 1500
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/4 vip 1.2.3.99 443 "HTTPS" 192.168.20.4
set address "Trust" "192.168.20.32/32" 192.168.20.32 255.255.255.255
set address "Trust" "CORP_LAN_20" 192.168.20.0 255.255.255.0
set address "OTH_WIFI" "OTH_LAN_21" 192.168.21.0 255.255.255.0
set address "ISP" "ethernet0/4-1.2.3.98" 1.2.3.98 255.255.255.255
set address "ISP" "ethernet0/4-1.2.3.99" 1.2.3.99 255.255.255.255
set policy id 17 from "Trust" to "ISP" "CORP_LAN_20" "Any" "DNS" nat src permit log
set service "FTP"
set service "HTTP"
set service "HTTPS"
set service "NTP"
set service "PING"
exit
set policy id 33 from "ISP" to "Trust" "Any" "VIP(1.2.3.99)" "HTTP" permit log
set policy id 33
set service "HTTPS"
exit
set policy id 42 from "OTH_WIFI" to "ISP" "Any" "ethernet0/4-1.2.3.99" "HTTPS" nat src permit log
set policy id 42
exit
set policy id 35 from "OTH_WIFI" to "ISP" "OTH_LAN_21" "Any" "DNS" nat src permit log
set policy id 35
set service "FTP"
set service "HTTP"
set service "HTTPS"
set service "IMAP"
set service "NTP"
set service "PING"
exit
set vrouter "untrust-vr"
set route 0.0.0.0/0 interface ethernet0/4 gateway 1.2.3.97 permanent
set route 192.168.20.0/24 vrouter "trust-vr" preference 20 metric 1
set route 192.168.21.0/24 vrouter "trust-vr" preference 20 metric 1
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 vrouter "untrust-vr" preference 20 metric 1
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit