I have vlan.3 in my trust zone, and hosts in vlan.3 get an IP from the vlan.3 DHCP server just fine, and they can even ping the public IP I've assigned to the untrust interface on my SRX-210B. However, members of trust zone cannot ping the gateway of my public IP. With my public IP being 1.1.1.71, trust members can ping 1.1.1.71, but they cannot ping 1.1.1.1. The SRX itself can ping anything.
Example configuration:
trust zone, vlan.3: 10.0.3.0/24
untrust zone, vlan.2: 1.1.1.71/24 (using all 1s instead of my real public IP)
If I ping 8.8.8.8 from the SRX, I get a response:
will@gw1> ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=59 time=10.983 ms
^C
--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 10.983/10.983/10.983/0.000 ms

will@gw1> ping 8.8.8.8 source 1.1.1.71
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=59 time=18.858 ms
^C
--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 18.858/18.858/18.858/0.000 ms
If I ping 8.8.8.8 from my vlan.3 router, I get nothing:
will@gw1> ping 8.8.8.8 source 10.0.3.1
PING 8.8.8.8 (8.8.8.8): 56 data bytes
^C
--- 8.8.8.8 ping statistics ---
11 packets transmitted, 0 packets received, 100% packet loss
My VLAN config:
will@gw1> show configuration vlans
vlan-trust {
    vlan-id 3;
    l3-interface vlan.3;
}
vlan-untrust {
    vlan-id 2;
    l3-interface vlan.2;
}
Here's my DHCP config:
address-assignment {
    pool vlan3pool {
        family inet {
            network 10.0.3.0/24;
            range DHCPCLIENTS {
                low 10.0.3.100;
                high 10.0.3.199;
            }
            dhcp-attributes {
                router {
                    10.0.3.1;
                }
                propagate-settings vlan.3;
            }
        }
    }
}
Here are my interface settings:
will@gw1# show interfaces
fe-0/0/4 {
    unit 0 {
        family ethernet-switching {
            vlan {
                members vlan-trust;
            }
        }
    }
}
fe-0/0/6 {
    fastether-options {
        802.3ad ae0;
    }
}
fe-0/0/7 {
    fastether-options {
        802.3ad ae0;
    }
}
ae0 {
    aggregated-ether-options {
        lacp {
            active;
            periodic slow;
        }
    }
    unit 0 {
        family ethernet-switching {
            port-mode trunk;
            vlan {
                members vlan-untrust;
            }
            native-vlan-id 2;
        }
    }
}
vlan {
    unit 2 {
        family inet {
            address 1.1.1.71/24;
        }
    }
    unit 3 {
        family inet {
            address 10.0.3.1/24;
        }
    }
}
I have a default static route:
will@gw1> show configuration routing-options
static {
    route 0.0.0.0/0 next-hop 1.1.1.1;
}
will@gw1> show route

inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 4d 02:36:18
                    > to 1.1.1.1 via vlan.2
10.0.3.0/24        *[Direct/0] 2d 01:30:23
                    > via vlan.3
10.0.3.1/32        *[Local/0] 5d 01:42:21
                      Local via vlan.3
10.0.3.11/32       *[Access-internal/12] 00:17:39
                    > to 10.0.3.1 via vlan.3
10.0.3.100/32      *[Access-internal/12] 5d 01:41:50
                    > to 10.0.3.1 via vlan.3
1.1.1.0/24         *[Direct/0] 4d 02:36:18
                    > via vlan.2
1.1.1.71/32        *[Local/0] 5d 01:42:21
                      Local via vlan.2
And relevant interface output:
will@gw1# run show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   aenet    --> ae1.0
fe-0/0/4                up    up
fe-0/0/4.0              up    up   eth-switch
fe-0/0/6                up    up
fe-0/0/6.0              up    up   aenet    --> ae0.0
fe-0/0/7                up    down
fe-0/0/7.0              up    down aenet    --> ae0.0
ae0                     up    up
ae0.0                   up    up   eth-switch
vlan                    up    up
vlan.2                  up    up   inet     1.1.1.71/24
vlan.3                  up    up   inet     10.0.3.1/24
Perhaps something is wrong in my forwarding table?
will@gw1> show route forwarding-table
Routing table: default.inet
Internet:
Destination        Type RtRef Next hop           Type Index NhRef Netif
default            user     1 0:0:c:7:ac:9a      ucst  1338     4 vlan.2
default            perm     0                    rjct    36     1
0.0.0.0/32         perm     0                    dscd    34     1
10.0.3.0/24        intf     0                    rslv  1320     1 vlan.3
10.0.3.0/32        dest     0 10.0.3.0           recv  1318     1 vlan.3
10.0.3.1/32        intf     0 10.0.3.1           locl  1319     2
10.0.3.1/32        dest     0 10.0.3.1           locl  1319     2
10.0.3.9/32        dest     0 0:1e:4f:14:aa:5c   ucst  1328     1 vlan.3
10.0.3.10/32       dest     0 0:1d:9:29:1:7c     ucst  1348     1 vlan.3
10.0.3.11/32       dest     0 0:c:29:53:3d:7a    ucst  1329     1 vlan.3
10.0.3.100/32      dest     0 0:23:ae:14:72:3    ucst  1336     1 vlan.3
10.0.3.255/32      dest     0 10.0.3.255         bcst  1317     1 vlan.3
1.1.1.0/24         intf     0                    rslv  1316     1 vlan.2
1.1.1.0/32         dest     0 1.1.1.0            recv  1314     1 vlan.2
1.1.1.1/32         dest     0 0:0:c:7:ac:9a      ucst  1338     4 vlan.2
1.1.1.71/32        intf     0 1.1.1.71           locl  1315     2
1.1.1.71/32        dest     0 1.1.1.71           locl  1315     2
1.1.1.117/32       dest     0 0:d0:68:c:c2:4f    ucst  1352     1 vlan.2
1.1.1.251/32       dest     0 0:1d:e5:a6:d6:46   ucst  1342     1 vlan.2
1.1.1.252/32       dest     0 0:23:ea:c0:55:c6   ucst  1346     1 vlan.2
1.1.1.253/32       dest     0 0:e0:81:32:5f:c3   ucst  1340     1 vlan.2
1.1.1.255/32       dest     0 1.1.1.255          bcst  1313     1 vlan.2
224.0.0.0/4        perm     0                    mdsc    35     1
224.0.0.1/32       perm     0 224.0.0.1          mcst    31     1
255.255.255.255/32 perm     0                    bcst    32     1
Relevant security zones:
will@gw1> show configuration security zones
security-zone trust {
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        vlan.3;
    }
}
security-zone untrust {
    screen untrust-screen;
    host-inbound-traffic {
        system-services {
            ping;
            ssh;
            ftp;
        }
    }
    interfaces {
        vlan.2;
    }
}
Relevant security policy:
will@gw1> show configuration security policies
from-zone trust to-zone untrust {
    policy trust-to-untrust {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone trust to-zone trust {
    policy intra-zone {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone trust to-zone junos-host {
    policy mgmt-trust {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone untrust to-zone trust {
    policy mgmt-untrust {
        match {
            source-address allowed_admins;
            destination-address any;
            application any;
        }
        then {
            permit;
            log {
                session-init;
                session-close;
            }
        }
    }
    policy denyall {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            deny;
            log {
                session-init;
            }
        }
    }
}
from-zone untrust to-zone junos-host {
    policy mgmt-untrust {
        match {
            source-address allowed_admins;
            destination-address any;
            application any;
        }
        then {
            permit;
            log {
                session-init;
                session-close;
            }
        }
    }
    policy ping-untrust {
        match {
            source-address any;
            destination-address any;
            application junos-icmp-all;
        }
        then {
            permit;
            log {
                session-init;
                session-close;
            }
        }
    }
    policy denyall {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            deny;
            log {
                session-init;
            }
        }
    }
}
Pings from the host plugged into fe-0/0/4:
C:\Users\Owner>ping 10.0.3.10

Pinging 10.0.3.10 with 32 bytes of data:
Reply from 10.0.3.10: bytes=32 time=1ms TTL=64

Ping statistics for 10.0.3.10:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms
Control-C
^C

C:\Users\Owner>ping 10.0.3.1

Pinging 10.0.3.1 with 32 bytes of data:
Reply from 10.0.3.1: bytes=32 time=1ms TTL=64

Ping statistics for 10.0.3.1:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms
Control-C
^C

C:\Users\Owner>ping 1.1.1.71

Pinging 1.1.1.71 with 32 bytes of data:
Reply from 1.1.1.71: bytes=32 time=2ms TTL=64

Ping statistics for 1.1.1.71:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 2ms, Average = 2ms
Control-C
^C

C:\Users\Owner>ping 1.1.1.1

Pinging 1.1.1.1 with 32 bytes of data:
Request timed out.
Request timed out.

Ping statistics for 1.1.1.1:
    Packets: Sent = 2, Received = 0, Lost = 2 (100% loss)
Control-C
^C

C:\Users\Owner>ping 8.8.8.8

Pinging 8.8.8.8 with 32 bytes of data:
Request timed out.

Ping statistics for 8.8.8.8:
    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss)
Control-C
^C
I can't for the life of me find out why nothing on 10.0.3.0/24 can get past 1.1.1.71!!
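Added example, not part of the original post: the pattern in the tests above is that every packet sourced from the SRX's public address 1.1.1.71 gets a reply, and every packet sourced from a 10.0.3.x address does not. The trust-to-untrust policy permits the traffic and the default route forwards it to 1.1.1.1, so the ICMP requests do leave vlan.2, but they leave with a private source address that 1.1.1.1 and anything beyond it cannot route a reply back to. Nothing in the configuration shown translates that source, which is the first thing to verify with `show configuration security nat`. Assuming that stanza is empty (an assumption; the post does not show it), the rule set below, written here as an example rather than copied from the poster's device, is the usual fix: interface-based source NAT from zone trust to zone untrust, which hides 10.0.3.0/24 behind the egress interface address 1.1.1.71. It is the same shape as the rule set in the SRX factory-default configuration.

```junos
/* Example source NAT for the poster's zones; assumed absent from the device. */
security {
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule trust-hosts-to-internet {
                    match {
                        /* Only the DHCP-served subnet on vlan.3 is translated. */
                        source-address 10.0.3.0/24;
                    }
                    then {
                        source-nat {
                            /* Translate to the egress interface address, 1.1.1.71 on vlan.2. */
                            interface;
                        }
                    }
                }
            }
        }
    }
}
```

After committing, test again from the Windows host on fe-0/0/4, not with `ping ... source 10.0.3.1` on the SRX itself: self-generated traffic from the routing engine is handled on a different path from transit traffic and is not a reliable test of a flow-mode NAT rule. `show security flow session source-prefix 10.0.3.0/24` should show sessions with the translated source 1.1.1.71, and `show security nat source rule all` should show the translation-hit counter for the rule increasing. If the counters stay at zero while the host still gets no reply, the packets are not reaching the flow path in the expected zone, and `show security zones` and the ae0 trunk (fe-0/0/7 is link-down in the terse output, though the bundle itself is up on fe-0/0/6) are the next things to check.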