Hi Nik_MH
See article: https://kb.juniper.net/InfoCenter/index?page=content&id=KB26775
I believe the issue is you have two interfaces in the same routing instance but in different security zones.
From your config:
1. you create reth0.100 and reth0.105 which are by default in the 'global' routing instance;
- both interfaces in the same routing instance: OK
2. next you place both reth0.100 and reth0.105 into the 'Untrust' security zone;
- both interfaces in the same security zone: OK
3. you then move reth0.100 to the 'Untrust' routing instance (which you obviously created);
- both interfaces in different routing instances but same security zone: NOT OK
JUNOS does not allow an interface to be in more than one security zone, and it does not allow one security zone to be associated (by its member interfaces) with more than one routing instance.
I believe this is your problem.
You must follow the one-to-many rule of association between interfaces, zones and v-routers:
> 1-to-Many: one routing instance to one or more security zones (1:*)
> 1-to-Many: one security zone to one or more [sub-]interfaces (1:*)
By derivation, we then have:
> 1-to-Many: one routing instance to one or more [sub-]interfaces (1:*)
Another way of stating it is:
- an interface may be a member of one and only one security zone, and a security zone may be a member of one and only one routing instance, therefore an interface may be a member of one and only one routing instance.
Please let us know if that solves your problem 🙂
As a side note, I would recommend having a naming convention that differentiates between routing instances and security zones, which will help reduce confusion when viewing the config.
Hope that helps.
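Added example, not part of the original reply: a small Python check that reads a Junos configuration in `set` format and reports any interface bound to more than one security zone, or any security zone whose member interfaces sit in more than one routing instance. The sample configuration is constructed to mirror the three steps described in the post; the function name and the "global" label for interfaces outside any routing instance are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample mirroring the post: both units in zone 'Untrust',
# but only reth0.100 moved into the 'Untrust' routing instance.
SAMPLE = """\
set interfaces reth0 unit 100 vlan-id 100
set interfaces reth0 unit 105 vlan-id 105
set security zones security-zone Untrust interfaces reth0.100
set security zones security-zone Untrust interfaces reth0.105
set routing-instances Untrust instance-type virtual-router
set routing-instances Untrust interface reth0.100
"""

ZONE_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)")
RI_RE = re.compile(r"^set routing-instances (\S+) interface (\S+)")
GLOBAL_RI = "global"  # label (the post's term) for interfaces in no named instance


def check_zone_bindings(config_text):
    """Return a sorted list of violations of the 1-to-many rules in the post."""
    zones_of = defaultdict(set)  # interface -> security zones it is listed in
    ri_of = defaultdict(set)     # interface -> routing instances it is listed in
    for line in config_text.splitlines():
        line = line.strip()
        if m := ZONE_RE.match(line):
            zones_of[m.group(2)].add(m.group(1))
        elif m := RI_RE.match(line):
            ri_of[m.group(2)].add(m.group(1))

    problems = []
    zone_instances = defaultdict(set)  # zone -> routing instances of its members
    for ifname, zones in zones_of.items():
        if len(zones) > 1:
            problems.append(f"interface {ifname} is in more than one zone: {sorted(zones)}")
        for zone in zones:
            # An interface with no routing-instances statement stays in the global one.
            zone_instances[zone] |= ri_of.get(ifname) or {GLOBAL_RI}
    for zone, instances in zone_instances.items():
        if len(instances) > 1:
            problems.append(f"zone {zone} spans routing instances: {sorted(instances)}")
    return sorted(problems)


if __name__ == "__main__":
    for problem in check_zone_bindings(SAMPLE):
        print(problem)
```

Run against the output of `show configuration | display set` saved to a file; an empty result means every zone maps to exactly one routing instance.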