SRX

Hi,

I have an SRX 210 with 3 WAPS and a bridge to another Router which holds the primary internet connection. I want to connect one of the WAPs default IP address through VLAN 100 but cant seem to get it working. I can ping and SSH to WAP from the SRX but cant ping if i do 'ping 169.254.1.1 source 192.168.20.1'. Can someone take a look over config and see what im doing wrong? fe-0/0/4 is the port which i have the WAP in question on. WAP IP is 169.254.1.1/16

set system services dhcp-local-server group LAN interface vlan.100
set interfaces ge-0/0/0 mtu 2000
set interfaces ge-0/0/0 unit 0 description WAN
set interfaces ge-0/0/0 unit 0 family inet address 27.124.100.178/30
set interfaces ge-0/0/1 unit 0 description UNIFI_AP
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members VLAN100
set interfaces fe-0/0/2 unit 0 description NETCOMM
set interfaces fe-0/0/2 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members VLAN100
set interfaces ge-0/0/2 mtu 2000
set interfaces fe-0/0/3 unit 0 family inet address 10.1.1.1/30
set interfaces fe-0/0/4 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members EPMP
set interfaces lo0 unit 1 family inet address 3.3.3.3/32
set interfaces vlan unit 10 family inet address 169.254.1.10/16
set interfaces vlan unit 100 description LAN
set interfaces vlan unit 100 family inet policer input 20m
set interfaces vlan unit 100 family inet address 192.168.20.1/24
set snmp trap-group FAILOVER version all
set snmp trap-group FAILOVER categories services
set snmp trap-group FAILOVER targets 192.168.20.253
set routing-options static route 0.0.0.0/0 next-hop 10.1.1.2
set class-of-service host-outbound-traffic ieee-802.1
set security nat source rule-set rs1 from zone trust
set security nat source rule-set rs1 to zone untrust
set security nat source rule-set rs1 rule r1 match source-address 192.168.20.0/24
set security nat source rule-set rs1 rule r1 match destination-address 0.0.0.0/0
set security nat source rule-set rs1 rule r1 then source-nat interface
set security policies from-zone trust to-zone untrust policy internet-access match source-address any
set security policies from-zone trust to-zone untrust policy internet-access match destination-address any
set security policies from-zone trust to-zone untrust policy internet-access match application any
set security policies from-zone trust to-zone untrust policy internet-access then permit
set security policies from-zone trust to-zone untrust policy internet-access then log session-init
set security policies from-zone trust to-zone untrust policy internet-access then log session-close
set security policies from-zone trust to-zone untrust policy internet-access then count
set security policies from-zone trust to-zone trust policy internet-access match source-address any
set security policies from-zone trust to-zone trust policy internet-access match destination-address any
set security policies from-zone trust to-zone trust policy internet-access match application any
set security policies from-zone trust to-zone trust policy internet-access then permit
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust host-inbound-traffic system-services ftp
set security zones security-zone trust interfaces vlan.100 host-inbound-traffic system-services all
set security zones security-zone trust interfaces vlan.100 host-inbound-traffic system-services dhcp
set security zones security-zone trust interfaces vlan.100 host-inbound-traffic system-services ssh
set security zones security-zone trust interfaces vlan.100 host-inbound-traffic protocols all
set security zones security-zone trust interfaces fe-0/0/3.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces fe-0/0/3.0 host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.10 host-inbound-traffic system-services all
set security zones security-zone trust interfaces vlan.10 host-inbound-traffic protocols all
set firewall policer 20m if-exceeding bandwidth-limit 20m
set firewall policer 20m if-exceeding burst-size-limit 2m
set firewall policer 20m then discard
set access address-assignment pool LAN family inet network 192.168.20.0/24
set access address-assignment pool LAN family inet range inside low 192.168.20.10
set access address-assignment pool LAN family inet range inside high 192.168.20.254
set access address-assignment pool LAN family inet dhcp-attributes maximum-lease-time 86400
set access address-assignment pool LAN family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool LAN family inet dhcp-attributes name-server 8.8.4.4
set access address-assignment pool LAN family inet dhcp-attributes router 192.168.20.1
set vlans EPMP vlan-id 10
set vlans EPMP l3-interface vlan.10
set vlans VLAN100 vlan-id 100
set vlans VLAN100 l3-interface vlan.100

Thanks.

Did you check if destination (WAP IP is 169.254.1.1) has a return route for 192.168.20.1 pointing to SRX?

Run "show security flow session destination-prefix 169.254.1.1 protocol icmp" after running a Ping and check if you see a valid session.

If you see a session with packets going out and nothing in return then its a route issue on destination

If you dont see a session itself, then run a flow traceoptions.

Think you might be on to it. WAP doesnt have a default gateway set back to router to send ICMP replies. DUHH.

Thanks.