So I have been pulling my hair out trying to get this to work. From alot of reading, I gathered the following to be true
the OVA file deployed added 3 nics
Nic1 = fxp0
Nic2 = Ge-0/0/0
Nic3 = Ge-0/0/1
So Online.net failover IPs ( as the primary gets installed as the esxi management ip ) does a wonderful here used this slash 32 ip and point the gatewayto this other ip address that not even in the same /8 .
Now I used them fora long time and know this works as they white list the mac of the network interface that is getting the wan ip.
This has worked with out issues in Linux ( untangle ) and BSD with PfSense/Opnsense as goofy as it may seem.
So I have my interfaces setup as following
fxp0.0 = dhcp 10.0.8.21
Ge-0/0/0.0 10.0.10.1/24 (LAN / trusted zone )
Ge-0/0/1.0 212.129.44.5/32 ( Wan / untrusted )
config still very basic but show route will not show my static from 212.129.44.5 to 62.210.0.1 or that 62.210.0.1 to 0.0.0.0
## Last changed: 2019-07-12 23:08:15 UTC
version 20190606.224121_builder.r1033375;
system {
host-name SiptologySRX;
root-authentication {
encrypted-password "$6$W80.HFlK$vtuWt7eyhfxHnqlqNh4BfmxgA0k/n.J4nnn2Ihs6HPE6PN1lAXFcCRRcJWO3VyEcNspehI4i0FrRXNcwGqXrs/";
}
services {
ssh;
xnm-clear-text;
web-management {
http {
interface fxp0.0;
}
}
}
backup-router 10.0.8.1;
time-zone UTC;
syslog {
user * {
any emergency;
}
file messages {
any any;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
}
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
ntp {
server 178.32.220.152 prefer;
}
}
security {
alg {
dns maximum-message-length 512;
msrpc group-max-usage 80 map-entry-timeout 480;
sunrpc group-max-usage 80 map-entry-timeout 480;
sccp disable;
sip disable;
ike-esp-nat {
esp-gate-timeout 5;
esp-session-timeout 1800;
state-timeout 14400;
}
}
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
queue-size 2000;
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set Outbound {
from interface [ ge-0/0/0.0 fxp0.0 ];
to interface ge-0/0/1.0;
rule Outbound {
match {
source-address 10.0.10.0/24;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone trust to-zone trust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone untrust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
tcp-rst;
interfaces {
ge-0/0/0.0;
}
}
security-zone untrust {
screen untrust-screen;
interfaces {
ge-0/0/1.0;
}
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address 10.0.10.1/24;
}
}
}
ge-0/0/1 {
description WAN;
gigether-options {
auto-negotiation;
}
unit 0 {
description wanlink;
family inet {
address 212.129.44.5/32 {
web-authentication {
http;
https;
}
}
}
}
}
fxp0 {
unit 0 {
family inet {
address 10.0.8.21/24;
}
}
}
}
routing-options {
static {
route 10.3.0.0/16 next-hop 10.0.8.1;
route 62.210.0.0/24 next-hop 212.129.44.5;
route 0.0.0.0/0 {
next-hop 62.210.0.1;
resolve;
}
}
}