SRX


General questions about VLANs / Implementing existing VyOS configuration on SRX300

  • 1.  General questions about VLANs / Implementing existing VyOS configuration on SRX300

    Posted 07-07-2025 15:48
    Edited by spuluka 07-07-2025 19:42

    EDIT 2025-07-08: I was able to solve most issues. Please see below.

    I am trying to implement a simple config I have on a virtual VyOS router on an SRX300. While I initially thought that this would be a rather easy task, it turns out to be very frustrating. First things first, here is the VyOS configuration (password hashes redacted):

    /* Zone-based firewall: every zone defaults to drop and each zone pair references one of the rule sets below. */
    firewall {
        ipv4 {
            /* Unfiltered accept; used for router-originated traffic and for the internal zones towards WAN and ROUTER. */
            name ACCEPT_ALL {
                default-action "accept"
            }
            /* Return traffic plus any *new* ICMP; applied to every zone's "from WAN" pair, including the ROUTER (local) zone. */
            name ACCEPT_ICMP_AND_STATE {
                default-action "drop"
                rule 5 {
                    action "accept"
                    description "Allow EST/Related Traffic"
                    state "established"
                    state "related"
                }
                /* NOTE(review): no ICMP type is specified, so every ICMP type is accepted from the internet; restricting to echo-request (plus the error types you need) with a rate limit is the usual hardening. */
                rule 20 {
                    action "accept"
                    description "Allow ICMP"
                    protocol "icmp"
                    state "new"
                }
            }
            /* LAN -> IoT only, matched on the two subnets; there is no reverse rule, so IoT can only reply to or ping LAN (see zone LAN below). */
            name ACCEPT_TRAFFIC_LAN_IoT {
                default-action "drop"
                rule 5 {
                    action "accept"
                    description "Allow LAN to IoT"
                    destination {
                        address "192.168.20.0/24"
                    }
                    source {
                        address "192.168.10.0/24"
                    }
                }
            }
        }
        /* GUEST (eth0.30): reachable only from the router itself and as reply/ICMP traffic from WAN; isolated from LAN, IoT and WORK. */
        zone GUEST {
            default-action "drop"
            from ROUTER {
                firewall {
                    name "ACCEPT_ALL"
                }
            }
            from WAN {
                firewall {
                    name "ACCEPT_ICMP_AND_STATE"
                }
            }
            interface "eth0.30"
        }
        /* IoT (eth0.20): LAN may initiate connections into it; IoT itself cannot initiate towards LAN, GUEST or WORK. */
        zone IoT {
            default-action "drop"
            from LAN {
                firewall {
                    name "ACCEPT_TRAFFIC_LAN_IoT"
                }
            }
            from ROUTER {
                firewall {
                    name "ACCEPT_ALL"
                }
            }
            from WAN {
                firewall {
                    name "ACCEPT_ICMP_AND_STATE"
                }
            }
            interface "eth0.20"
        }
        /* LAN (untagged eth0): the trusted segment; IoT and WAN only get replies and new ICMP into it. */
        zone LAN {
            default-action "drop"
            from IoT {
                firewall {
                    name "ACCEPT_ICMP_AND_STATE"
                }
            }
            from ROUTER {
                firewall {
                    name "ACCEPT_ALL"
                }
            }
            from WAN {
                firewall {
                    name "ACCEPT_ICMP_AND_STATE"
                }
            }
            interface "eth0"
        }
        /* ROUTER is the local zone, i.e. the router's own services. NOTE(review): GUEST, IoT and WORK hosts get ACCEPT_ALL here, so they can reach every daemon the router listens on - including SSH, which is enabled under "service" with no source restriction. A rule set admitting only DHCP/DNS/NTP/ICMP from the less-trusted zones would be tighter. */
        zone ROUTER {
            default-action "drop"
            from GUEST {
                firewall {
                    name "ACCEPT_ALL"
                }
            }
            from IoT {
                firewall {
                    name "ACCEPT_ALL"
                }
            }
            from LAN {
                firewall {
                    name "ACCEPT_ALL"
                }
            }
            from WAN {
                firewall {
                    name "ACCEPT_ICMP_AND_STATE"
                }
            }
            from WORK {
                firewall {
                    name "ACCEPT_ALL"
                }
            }
            local-zone
        }
        /* WAN (eth0.99, DHCP): every internal zone and the router may go out unfiltered; inbound from WAN is governed by the per-zone "from WAN" pairs above. */
        zone WAN {
            default-action "drop"
            from GUEST {
                firewall {
                    name "ACCEPT_ALL"
                }
            }
            from IoT {
                firewall {
                    name "ACCEPT_ALL"
                }
            }
            from LAN {
                firewall {
                    name "ACCEPT_ALL"
                }
            }
            from ROUTER {
                firewall {
                    name "ACCEPT_ALL"
                }
            }
            from WORK {
                firewall {
                    name "ACCEPT_ALL"
                }
            }
            interface "eth0.99"
        }
        /* WORK (eth0.40, a /29): fully isolated from LAN, IoT and GUEST; only the router and WAN replies/ICMP reach it. */
        zone WORK {
            default-action "drop"
            from ROUTER {
                firewall {
                    name "ACCEPT_ALL"
                }
            }
            from WAN {
                firewall {
                    name "ACCEPT_ICMP_AND_STATE"
                }
            }
            interface "eth0.40"
        }
    }
    /* A single NIC carries the untagged LAN plus four 802.1Q sub-interfaces; on the SRX the WAN (vif 99) is meant to move to its own physical port. */
    interfaces {
        ethernet eth0 {
            address "192.168.10.1/24"
            /* Secondary address on the untagged segment; presumably for reaching the router from a 192.168.1.0/24 network - there is no NAT, DHCP or DNS listener for that subnet. */
            address "192.168.1.110/24"
            description "LAN"
            hw-id "bc:24:11:78:b3:56"
            vif 20 {
                address "192.168.20.1/24"
                description "IoT"
            }
            vif 30 {
                address "192.168.30.1/24"
                description "GUEST"
            }
            vif 40 {
                address "192.168.40.1/29"
                description "WORK"
            }
            /* The untrusted uplink arrives *tagged* on the same physical port as the trusted, untagged LAN, so the upstream switch's VLAN configuration is part of the trust boundary. */
            vif 99 {
                address "dhcp"
                description "WAN"
            }
        }
        loopback lo {
        }
    }
    /* Outbound source NAT (masquerade) on the WAN sub-interface, one rule per internal subnet; 192.168.1.0/24 has no rule and is therefore not translated. */
    nat {
        source {
            rule 100 {
                outbound-interface {
                    name "eth0.99"
                }
                source {
                    address "192.168.10.0/24"
                }
                translation {
                    address "masquerade"
                }
            }
            rule 200 {
                outbound-interface {
                    name "eth0.99"
                }
                source {
                    address "192.168.20.0/24"
                }
                translation {
                    address "masquerade"
                }
            }
            rule 300 {
                outbound-interface {
                    name "eth0.99"
                }
                source {
                    address "192.168.30.0/24"
                }
                translation {
                    address "masquerade"
                }
            }
            rule 400 {
                outbound-interface {
                    name "eth0.99"
                }
                source {
                    address "192.168.40.0/29"
                }
                translation {
                    address "masquerade"
                }
            }
        }
    }
    /* DHCP, DNS forwarding, NTP and SSH. NOTE(review): ssh has no listen-address or allow-list, and the ROUTER zone accepts everything from GUEST/IoT/WORK, so every internal segment can reach it. */
    service {
        /* Each pool hands out the router as gateway but 1.1.1.1 as resolver, so DHCP clients bypass the local forwarder configured below. */
        dhcp-server {
            shared-network-name GUEST {
                subnet 192.168.30.0/24 {
                    default-router "192.168.30.1"
                    name-server "1.1.1.1"
                    range 0 {
                        start "192.168.30.2"
                        stop "192.168.30.99"
                    }
                }
            }
            shared-network-name IoT {
                subnet 192.168.20.0/24 {
                    default-router "192.168.20.1"
                    name-server "1.1.1.1"
                    range 0 {
                        start "192.168.20.2"
                        stop "192.168.20.99"
                    }
                }
            }
            shared-network-name LAN {
                subnet 192.168.10.0/24 {
                    default-router "192.168.10.1"
                    name-server "1.1.1.1"
                    range 0 {
                        start "192.168.10.2"
                        stop "192.168.10.99"
                    }
                }
            }
            shared-network-name WORK {
                subnet 192.168.40.0/29 {
                    default-router "192.168.40.1"
                    name-server "1.1.1.1"
                    range 0 {
                        start "192.168.40.2"
                        stop "192.168.40.6"
                    }
                }
            }
        }
        /* Forwarder listens on the four gateway addresses and answers only the four internal subnets; caching is disabled (cache-size 0). Only the router itself uses it (system name-server), since DHCP clients are pointed at 1.1.1.1. */
        dns {
            forwarding {
                allow-from "192.168.10.0/24"
                allow-from "192.168.20.0/24"
                allow-from "192.168.30.0/24"
                allow-from "192.168.40.0/29"
                cache-size "0"
                listen-address "192.168.10.1"
                listen-address "192.168.20.1"
                listen-address "192.168.30.1"
                listen-address "192.168.40.1"
                name-server 1.1.1.1 {
                }
            }
        }
        /* NTP server open to all RFC 1918, loopback, link-local and ULA ranges; upstream are the VyOS pool servers. */
        ntp {
            allow-client {
                address "127.0.0.0/8"
                address "169.254.0.0/16"
                address "10.0.0.0/8"
                address "172.16.0.0/12"
                address "192.168.0.0/16"
                address "::1/128"
                address "fe80::/10"
                address "fc00::/7"
            }
            server time1.vyos.net {
            }
            server time2.vyos.net {
            }
            server time3.vyos.net {
            }
        }
        /* SSH with defaults: port 22, bound to all addresses, no source restriction. */
        ssh
    }
    system {
        config-management {
            commit-revisions "100"
        }
        /* Connection-tracking ALG helpers; each one parses untrusted payload in the kernel. NOTE(review): keep only the helpers actually needed (h323, pptp, sqlnet, tftp are rarely required on a home/lab edge). */
        conntrack {
            modules {
                ftp
                h323
                nfs
                pptp
                sip
                sqlnet
                tftp
            }
        }
        console {
            device ttyS0 {
                speed "115200"
            }
        }
        host-name "vyos"
        /* Only the default "vyos" account; the hash was redacted for the post and the empty plaintext-password is apparently just the leftover of setting the hash. */
        login {
            user vyos {
                authentication {
                    encrypted-password "REDACTED"
                    plaintext-password ""
                }
            }
        }
        /* The router resolves through its own forwarder (one of the dns forwarding listen-addresses above). */
        name-server "192.168.10.1"
        syslog {
            global {
                facility all {
                    level "info"
                }
                facility local7 {
                    level "debug"
                }
            }
        }
    }
    
    
    // Warning: Do not remove the following line.
    // vyos-config-version: "bgp@6:broadcast-relay@1:cluster@2:config-management@1:conntrack@5:conntrack-sync@2:container@2:dhcp-relay@2:dhcp-server@8:dhcpv6-server@1:dns-dynamic@4:dns-forwarding@4:firewall@15:flow-accounting@1:https@6:ids@1:interfaces@32:ipoe-server@3:ipsec@13:isis@3:l2tp@9:lldp@2:mdns@1:monitoring@1:nat@8:nat66@3:ntp@3:openconnect@3:ospf@2:pim@1:policy@8:pppoe-server@10:pptp@5:qos@2:quagga@11:reverse-proxy@1:rip@1:rpki@2:salt@1:snmp@3:ssh@2:sstp@6:system@27:vrf@3:vrrp@4:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2"
    // Release version: 1.4.2
    

    Since this is a virtualized router, the WAN interface is on VLAN 99. On the SRX this is supposed to be on the physical interface ge-0/0/0, so there is no need for VLAN 99 in the new configuration anymore.

    And here it starts to get tricky: 

    I want interface ge-0/0/1 to be a trunk port that carries:

    1) NATIVE VLAN (i.e. all untagged traffic, reachable by every device that does not tag its frames). As you can see from the VyOS config above, this corresponds to the untagged physical interface eth0, i.e. the trusted LAN (192.168.10.0/24). Note that making the trusted LAN the native VLAN of a trunk that also carries GUEST and IoT means any device that manages to send untagged frames onto that trunk ends up in the LAN.

    2) VLAN 20

    3) VLAN 30

    4) VLAN 40

    What I have tried so far:

    ## Last commit: 2025-07-06 23:28:21 UTC by root
    version 23.4R2-S3.9;
    /* Only root-authentication is shown. NOTE(review): once ssh is enabled on the SRX, keep root-login denied and add a non-root login user. */
    system {
        root-authentication {
            encrypted-password "REDACTED"; ## SECRET-DATA
        }
    }
    interfaces {
        /* Trunk towards the LAN switch. native-vlan-id 1 makes untagged frames land in VLAN 1, but LAN (vlan-id 1) is also listed as a tagged member below - a double assignment of the same VLAN on one port. */
        ge-0/0/1 {
            native-vlan-id 1;
            unit 0 {
                family ethernet-switching {
                    interface-mode trunk;
                    vlan {
                        /* NOTE(review): if "show ethernet-switching interface ge-0/0/1" lists VLAN 1 as both tagged and untagged, drop LAN from this list; native-vlan-id already provides the untagged membership. */
                        members [ IoT LAN ];
                    }
                }
            }
        }
        /* Routed interfaces for the two VLANs. NOTE(review): no "security zones" stanza appears in this paste; on an SRX, irb.1 and irb.20 must be assigned to a zone whose host-inbound-traffic permits at least system-services ping (plus dhcp/dns if the SRX will serve them), otherwise flow processing drops packets addressed to 192.168.10.1 even when the VLAN side is right. That would also explain why a ping from the SRX itself (self-originated, not subject to that check) works while a host on the wire gets nothing. */
        irb {
            unit 1 {
                /* The "{" after "family inet" is missing in the paste - presumably a copy error, since the closing braces below match. */
                family inet 
                     address 192.168.10.1/24;
                }
            }
            unit 20 {
                family inet {
                    address 192.168.20.1/24;
                }
            }
        }
    }
    /* VLAN 1 (the default VLAN) doubles as the trusted LAN and the trunk's native VLAN; any untagged frame entering ge-0/0/1 is therefore LAN traffic. */
    vlans {
        IoT {
            vlan-id 20;
            l3-interface irb.20;
        }
        LAN {
            vlan-id 1;
            l3-interface irb.1;
        }
    }
    /* Puts the SRX300 into switching mode so the ethernet-switching family and VLAN bridging above are active. */
    protocols {
        l2-learning {
            global-mode switching;
        }
    }

    With this basic configuration I would expect a device connected to ge-0/0/1, configured with the IP 192.168.10.100/24 and the gateway address 192.168.10.1, to be able to reach 192.168.10.1 - but it simply does not work. What does work, however, is pinging 192.168.20.1 from the SRX300 itself (which only shows the irb is up: self-originated traffic does not go through the security-zone host-inbound-traffic check that packets from an external host have to pass).

    So what's the first goal here? 

    1) ge-0/0/1 needs to be configured as a trunk port which carries 3 tagged VLANs and one native (untagged) VLAN

    2) The VLANs need to be routable on the SRX itself (so this probably requires irb interfaces - and on an SRX each irb presumably also has to be assigned to a security zone before hosts can talk to it)

    Thanks in advance for your help !



    ------------------------------
    Eric Akimoto
    ------------------------------



  • 2.  RE: General questions about VLANs / Implementing existing VyOS configuration on SRX300

    Posted 07-07-2025 16:16

    Check the VLAN tagged/untagged assignments on the port: show ethernet-switching interface ge-0/0/1

    If you see VLAN 1 (LAN) listed as both untagged and tagged on the port, remove LAN from the unit 0 vlan members so that only the untagged membership (from native-vlan-id) remains.



    ------------------------------
    Nikolay Semov
    ------------------------------