
VLAN Routing between different zones


Hello,

 

Three days ago I started trying to configure VLAN routing between different zones on an SRX 100.

The scenario:

Four zones: internal-trust, internal-developer, guest, mgmt

The zone internal-trust uses VLAN trust (ID 2) and is mapped to the virtual interface vlan.2, no physical interface.

The zone internal-developer uses VLAN developer and is mapped to the virtual interface vlan.5, no physical interface.

 

Internal-trust is allowed to communicate with internal-developer (any, any). In the other direction we later want to open only the ports used for Active Directory, GPO and so on, but at the moment everything is any to any.

 

My issue now is this:

The domain controller with DHCP is in the zone internal-trust. If I connect to internal-trust on vlan.2 I get an IP address from the DC (subnet 50.0), but not in internal-developer on vlan.5 (subnet 5.0).

 

## Last changed: 2016-10-21 14:32:08 GMT+1
version 12.1X44-D35.5;
/* System stanza. This listing was posted publicly, so every secret in it (the root hash below and the PPP secrets under pp0 in the interfaces stanza) should be treated as disclosed and rotated. */
system {
host-name trial;
time-zone GMT+1;
root-authentication {
/* $1$ prefix is MD5-crypt. The hash is visible in this post: rotate the root password. */
encrypted-password "$1$pRoSEIAi$b7jB.Dbt3jP2xUxRhARYn.";
}
name-server {
208.67.222.222;
208.67.220.220;
}
name-resolution {
no-resolve-on-input;
}
services {
ssh;
/* telnet is cleartext and is reachable from the mgmt zone (fe-0/0/7.0 and vlan.0 list it under host-inbound-traffic). ssh is already enabled; telnet can be removed. */
telnet;
web-management {
/* Plain-HTTP management on the same ports as https below; http carries credentials unencrypted and can be dropped in favour of https. */
http {
interface [ fe-0/0/1.0 fe-0/0/2.0 fe-0/0/7.0 ];
}
https {
system-generated-certificate;
interface [ fe-0/0/1.0 fe-0/0/2.0 fe-0/0/7.0 ];
}
session {
idle-timeout 60;
}
}
/* Local DHCP server: pools exist only for vlan.0 (10.10.10.0/24) and vlan.10 (192.168.10.0/24). There is no pool for vlan.5 (192.168.5.0/24); that VLAN relies on the bootp relay under forwarding-options. */
dhcp {
pool 10.10.10.0/24 {
address-range low 10.10.10.21 high 10.10.10.50;
name-server {
217.237.148.70;
}
router {
10.10.10.254;
}
propagate-settings vlan.0;
}
pool 192.168.10.0/24 {
address-range low 192.168.10.80 high 192.168.10.200;
name-server {
217.237.148.70;
}
router {
192.168.10.254;
}
propagate-settings vlan.10;
}
propagate-settings fe-0/0/0;
propagate-ppp-settings pp0.0;
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
ntp {
server us.ntp.pool.org;
}
}
interfaces {
/* The three interface-ranges carry nothing beyond member, so they have no effect; VLAN membership is set per port below. */
interface-range interfaces-vlan2 {
member fe-0/0/1;
}
interface-range interfaces-vlan5 {
member fe-0/0/2;
}
interface-range interfaces-vlan10 {
member fe-0/0/3;
}
/* Uplink: DHCP client towards the ISP side (zone Internet). */
fe-0/0/0 {
unit 0 {
family inet {
dhcp;
}
}
}
/* Access ports: fe-0/0/1 and fe-0/0/4 -> trust (vlan.2), fe-0/0/2 -> developer (vlan.5), fe-0/0/3 -> guest (vlan.10). No port is a member of vlan mgmt. */
fe-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members trust;
}
}
}
}
fe-0/0/2 {
unit 0 {
family ethernet-switching {
vlan {
members developer;
}
}
}
}
fe-0/0/3 {
unit 0 {
family ethernet-switching {
vlan {
members guest;
}
}
}
}
fe-0/0/4 {
unit 0 {
family ethernet-switching {
vlan {
members trust;
}
}
}
}
fe-0/0/5 {
unit 0 {
encapsulation ppp-over-ether;
}
}
/* 10.10.10.254/24 is also configured on vlan.0 below (both sit in zone mgmt); confirm the duplicate address is intended. */
fe-0/0/7 {
unit 0 {
family inet {
address 10.10.10.254/24;
}
}
}
/* PPPoE account. $9$ values are reversibly obfuscated, not hashed; the login and both secrets are public as of this post and should be changed with the ISP. */
pp0 {
unit 0 {
apply-macro Telekom;
ppp-options {
chap {
default-chap-secret "$9$rbPvX7YgoJUjdVP5zF/9Lx7-24";
local-name "0019483619005502645536260001@t-online.de";
no-rfc2486;
passive;
}
pap {
local-name "0019483619005502645536260001@t-online.de";
no-rfc2486;
local-password "$9$40ZikQFn/ApmPRhyrvMjHk.z3";
passive;
}
}
pppoe-options {
underlying-interface fe-0/0/5.0;
}
family inet {
negotiate-address;
}
}
}
/* Routed VLAN interfaces. vlan.2 (192.168.50.0/24) is the subnet of the DC address trial-DC 192.168.50.227 in the address-book; vlan.5 (192.168.5.0/24) has no local DHCP pool. */
vlan {
unit 0 {
family inet {
address 10.10.10.254/24;
}
}
/* Gateway is .20 here, unlike the other VLANs which use .254 — confirm the DC's scope hands out 192.168.50.20 as the router. */
unit 2 {
family inet {
address 192.168.50.20/24;
}
}
unit 5 {
family inet {
address 192.168.5.254/24;
}
}
unit 10 {
family inet {
address 192.168.10.254/24;
}
}
}
}
forwarding-options {
helpers {
/* DHCP relay is enabled on vlan.2 and vlan.5, but no server address is configured, so nothing is relayed. This is the most likely reason vlan.5 clients get no lease: vlan.2 clients succeed only because they share a broadcast domain with the DC. Add the DC as relay target, e.g. 'server 192.168.50.227' (globally or under interface vlan.5), and give the DC a scope for 192.168.5.0/24, since relayed requests carry the vlan.5 gateway address as giaddr. */
bootp {
relay-agent-option;
maximum-hop-count 8;
minimum-wait-time 10000;
client-response-ttl 255;
interface {
vlan.2;
vlan.5;
}
}
}
}
/* NOTE: in this paste routing-options and protocols are never closed (two closing braces are missing after 'metric 1;'), so everything below appears nested under them. Read protocols and security as top-level stanzas. */
routing-options {
static {
route 0.0.0.0/0 {
qualified-next-hop pp0.0 {
metric 1;
}
}
protocols {
stp;
}
security {
screen {
/* Defined but never attached: no security-zone below carries 'screen untrust-screen', so none of these checks are active. Attach it to zone Internet. */
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
/* Interface source NAT for all four internal zones towards Internet. */
nat {
source {
rule-set nsw_srcnat {
from zone [ internal-developer internal-guest internal-trust mgmt ];
to zone Internet;
rule nsw-src-interface {
match {
source-address 0.0.0.0/0;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
/* Egress: every internal zone may reach Internet with any/any. */
from-zone internal-trust to-zone Internet {
policy All_internal-trust_Internet {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone internal-developer to-zone Internet {
policy All_internal-developer_Internet {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone internal-guest to-zone Internet {
policy All_internal-guest_Internet {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone mgmt to-zone Internet {
policy All_mgmt_Internet {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
/* Inter-zone: trust -> developer is any/any as the post describes; the reverse direction is the restricted DC-AuthforDev policy at the end of this stanza. */
from-zone internal-trust to-zone internal-developer {
policy All_internal-trust_internal-developer {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
/* The same policy name is reused for both directions of the trust<->guest and trust<->mgmt pairs. Names are scoped per zone pair so this commits, but it makes policy log lines ambiguous. */
from-zone internal-trust to-zone internal-guest {
policy All_internal-trust_internal-guest {
match {
source-address any;
destination-address any;
application any;
}
then {
deny;
}
}
}
from-zone internal-guest to-zone internal-trust {
policy All_internal-trust_internal-guest {
match {
source-address any;
destination-address any;
application any;
}
then {
deny;
}
}
}
from-zone internal-trust to-zone mgmt {
policy All_internal-trust_mgmt {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone mgmt to-zone internal-trust {
policy All_internal-trust_mgmt {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone internal-developer to-zone internal-guest {
policy All_internal-developer_internal-guest {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone mgmt to-zone internal-developer {
policy All_mgmt_internal-developer {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone mgmt to-zone internal-guest {
policy All_mgmt_internal-guest {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
/* destination-address Sempa-DC is not defined in the internal-trust address-book below (it only has trial-DC); unless Sempa-DC exists in a global address book not shown here, this cannot commit. DHCP relayed by the SRX itself is self-originated traffic and should not be matched by this zone-to-zone policy — confirm on this release. */
from-zone internal-developer to-zone internal-trust {
policy DC-AuthforDev {
match {
source-address any-ipv4;
destination-address Sempa-DC;
application [ junos-ntp junos-ldap junos-printer junos-ms-rpc-tcp junos-dns-tcp ];
}
then {
permit;
}
}
}
}
zones {
security-zone internal-trust {
address-book {
address trial-DC 192.168.50.227/32;
}
interfaces {
vlan.2 {
host-inbound-traffic {
system-services {
dhcp;
dns;
http;
https;
ping;
ntp;
}
}
}
}
}
security-zone internal-developer {
interfaces {
vlan.5 {
host-inbound-traffic {
system-services {
dhcp;
dns;
http;
https;
ping;
ntp;
}
}
}
}
}
/* The guest VLAN may reach every service on the SRX (all), more than the trust zone is granted. Restrict to dhcp and ping. */
security-zone internal-guest {
interfaces {
vlan.10 {
host-inbound-traffic {
system-services {
all;
}
}
}
}
}
security-zone mgmt {
interfaces {
fe-0/0/7.0 {
host-inbound-traffic {
system-services {
ping;
dhcp;
http;
https;
ssh;
telnet;
}
}
}
/* vlan.0 (VLAN mgmt, id 20) has no member port in the interfaces stanza. The cleartext services ftp, tftp, telnet and snmp are enabled here. */
vlan.0 {
host-inbound-traffic {
system-services {
dhcp;
dns;
ftp;
tftp;
http;
https;
ping;
snmp;
snmp-trap;
ssh;
telnet;
}
}
}
}
}
/* No screen profile is applied to this zone; see untrust-screen above. dhcp on fe-0/0/0.0 is needed for the DHCP client on that interface. */
security-zone Internet {
interfaces {
fe-0/0/0.0 {
host-inbound-traffic {
system-services {
dhcp;
}
}
}
pp0.0;
fe-0/0/5.0;
}
}
}
}
/* VLAN to L3 interface mapping. vlan-id 20 (mgmt) has no access-port member anywhere in the interfaces stanza; only its routed interface vlan.0 exists. */
vlans {
developer {
vlan-id 5;
l3-interface vlan.5;
}
guest {
vlan-id 10;
l3-interface vlan.10;
}
mgmt {
vlan-id 20;
l3-interface vlan.0;
}
trust {
vlan-id 2;
l3-interface vlan.2;
}
}

 

What's wrong?

 

Kind regards

Denis

