Regarding the commit error, I've just discovered my mistake! I erroneously used load merge terminal. I corrected the error and the commit checks out.
Original Message:
Sent: 07-02-2024 12:15
From: Nikolay Semov
Subject: How to route via a given Default Gateway by originating VLAN
4) I speak from experience on this one. Feel free to link to the conflicting information so that we can see what the issue is. Also:
https://supportportal.juniper.net/s/article/SRX-Example-Configuring-SRX-with-a-DHCP-server-in-multiple-routing-instances?language=en_US
https://supportportal.juniper.net/s/article/SRX-How-to-configure-JDHCP-in-a-routing-instance?language=en_US
As for the commit error, just in case, check inheritance: show security zones | display inheritance
------------------------------
Nikolay Semov
Original Message:
Sent: 07-02-2024 05:26
From: EMTSU
Subject: How to route via a given Default Gateway by originating VLAN
@Nikolay Semov Thank you for your reply, I am very grateful.
- I had no idea about this one, thank you!
- I have created new zones, so I should be ok, fingers crossed :)
- I don't think I do, but thank you for the advice.
- Hmmm, I have seen conflicting information on this. Are you certain? Are you aware of any supporting documentation? I have searched, but not come up with anything sufficiently reassuring.
- If only I had a local device or vSRX to try it out on!* That's a great idea re: configuration groups :) I might look to give it a try, but I only have a simple (identical for both) outbound policy.
* I had an idea to test! However, when performing a commit check on my changes to implement my desired configuration I receive the following error:
warning: L2 global mode is changed from non-l2 mode to switching mode. Please use the command request system reboot on current node or all nodes in case of HA cluster!
[edit security zones security-zone Untrust]
'interfaces ge-0/0/1.0'
Interface ge-0/0/1.0 must be in the same routing instance as other interfaces in the zone
error: configuration check-out failed
Confusingly, there are no other interfaces in the Untrust zone, and this interface falls under the default routing instance. What could be the problem here?
Original Message:
Sent: 07-01-2024 18:46
From: Nikolay Semov
Subject: How to route via a given Default Gateway by originating VLAN
1) Yes. Don't forget to add pp0.0 to the VLAN2_WAN2 routing instance.
2) Depends on the match criteria you used. Interfaces in different routing instances cannot be in the same zone; so if your NAT rules are matching on zone, you'll have to add more zones.
3) Not unless you specifically need it for something. Note that if you do need another loopback, it will still be lo0, but a different unit. Only 1 loopback per routing instance.
4) Yes, as well as the corresponding "access address-assignment" parts.
5) You will surely find out when you try to commit your new configuration. If you have a significant overlap in policies between LAN1 and LAN2, I recommend for your consideration using configuration groups. Example:
groups {
    trust-untrust-policies {
        security {
            policies {
                from-zone <*> to-zone <*> {
                    # define here policies that happen to be common for LAN1 and LAN2
                }
            }
        }
    }
}
security {
    policies {
        from-zone lan1 to-zone wan1 {
            apply-groups trust-untrust-policies;
            # define here more unique LAN1 policies if needed
        }
        from-zone lan2 to-zone wan2 {
            apply-groups trust-untrust-policies;
            # define here more unique LAN2 policies if needed
        }
    }
}
------------------------------
Nikolay Semov
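As an added illustration, not taken from any post in this thread, of how points 1, 2 and 4 above fit together: the VLAN2_WAN2 virtual router with both of its interfaces, its own pair of zones, a zone-matched source NAT rule-set, and the DHCP server and pool moved under the routing instance. The zone names (lan2, wan2), group name, pool name and pool range are assumed placeholders; irb.2's address 192.168.2.1 is the one given in the original question.

```junos
routing-instances {
    VLAN2_WAN2 {
        instance-type virtual-router;
        interface irb.2;
        # WAN2 must join the same instance as irb.2, otherwise the default route is unreachable
        interface pp0.0;
        routing-options { static { route 0.0.0.0/0 next-hop pp0.0; } }
        # DHCP server scoped to this instance instead of [edit system services dhcp-local-server]
        system { services { dhcp-local-server { group vlan2-dhcp { interface irb.2; } } } }
        access {
            address-assignment {
                # assumed pool name and range; gateway is the irb.2 address
                pool vlan2-pool {
                    family inet {
                        network 192.168.2.0/24;
                        range r1 { low 192.168.2.100; high 192.168.2.200; }
                        dhcp-attributes { router 192.168.2.1; }
                    }
                }
            }
        }
    }
}
security {
    zones {
        # separate zones: interfaces in VLAN2_WAN2 cannot share a zone with default-instance interfaces
        security-zone lan2 { interfaces irb.2; }
        security-zone wan2 { interfaces pp0.0; }
    }
    nat {
        source {
            # zone-based rule-set, so it needs the new zones rather than the VLAN1/WAN1 ones
            rule-set lan2-to-wan2 {
                from zone lan2;
                to zone wan2;
                rule vlan2-masq {
                    match { source-address 192.168.2.0/24; }
                    then { source-nat { interface; } }
                }
            }
        }
    }
}
```

A matching from-zone lan2 to-zone wan2 security policy is still needed, as in the configuration-group example above.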
Original Message:
Sent: 07-01-2024 06:38
From: EMTSU
Subject: How to route via a given Default Gateway by originating VLAN
@spuluka Thank you for your reply and for explaining the differences. I have a few quick questions if you have a moment to assist further?
I have so far added the following to the config:
routing-instances {
    VLAN2_WAN2 {
        interface irb.2;
        instance-type virtual-router;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop pp0.0;
            }
        }
    }
}
I have respective Trust and Untrust security-zones configured for VLAN2/WAN2.
I have created a NAT policy, which is essentially a copy of VLAN1/WAN1's policy, with just the name and source-address changed.
I have one loopback address in my config.
- Can I use the VLAN1/WAN1 requirement with the default routing instance and just create a second instance for VLAN2/WAN2? You seem to imply this.
- Does my VLAN2/WAN2 NAT policy require further modification?
- Is a second loopback address required?
- irb.2 has dhcp-local-server defined under System>Services, does this need to be moved now that routing-instances have been introduced?
- Have I missed anything else out in adding a second routing instance for my required setup?
Original Message:
Sent: 06-28-2024 16:04
From: spuluka
Subject: How to route via a given Default Gateway by originating VLAN
Yes, I would say that virtual router separation is easier than filter based forwarding for this use case as you want the two domains to be separate. And the virtual router makes this straightforward and creates two separate routing and MAC tables. This creates two separate routers in the same physical box.
The filter based forwarding is more for the option where you want to control some routing based on source addresses or other criteria and still have communications between the LANs involved. The filters allow more specific or complex criteria to match and force the desired direction.
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home
Original Message:
Sent: 06-28-2024 06:34
From: EMTSU
Subject: How to route via a given Default Gateway by originating VLAN
@spuluka Thank you Steve. For my needs, pretty simple as they are, would you say this is my best bet, in terms of 'ease' i.e. simplicity, elegance, and configuration and administrative effort, say when compared to Filter Based Forwarding?
Original Message:
Sent: 06-27-2024 19:55
From: spuluka
Subject: How to route via a given Default Gateway by originating VLAN
You could place the second WAN/LAN into a virtual router that would have a separate table and security policies. This KB has an example of how these are configured.
https://supportportal.juniper.net/s/article/SRX-Getting-Started-Custom-Virtual-Router-Configuration-Example?language=en_US
Since the two WAN/LAN are separate there is no need to leak routes between the primary and virtual routing instance. Just have those interfaces assigned to the new virtual router without any contact and it runs separately.
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home
Original Message:
Sent: 06-27-2024 13:25
From: EMTSU
Subject: How to route via a given Default Gateway by originating VLAN
I have 2 WAN interfaces and 2 VLANs, and wish to route VLAN1's internet traffic out of WAN1 and VLAN2 out of WAN2. How can this be achieved please?
WAN1: via an IP address on ge-0/0/1.0
WAN2: via pp0.0
VLAN1: l3-interface irb.1 with IP 192.168.1.1. DHCP served by a local server.
VLAN2: l3-interface irb.2 with IP 192.168.2.1. DHCP served by the SRX (320), using the aforementioned IP address for the gateway in the pool.