SRX Services Gateway
SRX Services Gateway

Configure default route when Untrust interface is a DHCP client

‎05-20-2020 03:16 PM

My SRX is a DHCP client for the Untrust interface, and gets the default ( from our ISP, which shows up in inet.0.


I have a VPN setup to our corporate office, and I would like all outgoing traffic to use it.

How can I ignore the default route obtained from ISP, and instead configure the VPN interface as next hop?

SRX Services Gateway

Re: Configure default route when Untrust interface is a DHCP client

[ Edited ]
‎05-20-2020 08:41 PM



You need to use one of the below methods:

1/ isolate Your untrust interface into a separate virtual router routing-instance


2/ isolate Your clients' interfaces into a separate  virtual router routing-instance or instances.


The example config for method # 1 should look like:


set routing-instances UNTRUST-vr instance-type virtual-router
set routing-instances UNTRUST-vr interface ge-0/0/0.0 ## Your ISP-facing untrust interface
set interfaces st0.0 family inet
## Add route-based IPSEC VPN configuration as You need
set routing-options static route next-hop st0.0
## Add security config as You need



When the 0/0 route disappears from inet.0 because i.e. IPSEC VPN went down, there would be no other route to take Your clients traffic. This may be advantage or disadvantage depending on Your point of view.

The advantage is that Your sensitive traffic is not leaked to wider internet if Your IPSEC VPN is down.

The disadvantage is that Your human clients are going to be frustrated because their fav etc watching/posting does not work when Your IPSEC VPN is down.  






Please ask Your Juniper account team about Juniper Professional Services offerings.
Juniper PS can design, test & build the network/part of the network as per Your requirements


Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !