I changed the mode of the firewall to switching mode, and with the configuration above everything works perfectly. Thank you.
Original Message:
Sent: 08-12-2024 20:17
From: spuluka
Subject: Juniper SRX300 doesn't route from L2 to L3 zone
Seems like you would need to remove mixed mode and go back to standard L3 mode operations.
You don't seem to need L2 mode for firewall services anyway.
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home
Original Message:
Sent: 08-11-2024 18:17
From: Mirza Dzafic
Subject: Juniper SRX300 doesn't route from L2 to L3 zone
Hello,
Thank you for your help. I removed that command like you said. Now I have this configuration:
set interfaces ge-0/0/3 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members 10
set interfaces ge-0/0/4 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members 10
set interfaces irb unit 10 family inet address 192.168.97.121/29
set vlans vlan-10 vlan-id 10
set vlans vlan-10 l3-interface irb.10
But when I try to add irb.10 to the security zone I get this error:
'interfaces irb.10'
Interface irb is not allowed in mix mode
error: configuration check-out failed
Can you help? Thank you.
------------------------------
Mirza Dzafic
Original Message:
Sent: 08-10-2024 09:56
From: spuluka
Subject: Juniper SRX300 doesn't route from L2 to L3 zone
Simply remove all the L2 zone commands. They are not needed.
Only the L3 interface needs to be added to the zone. No zone configuration at all is needed on the access ports.
delete security zones security-zone L2 interfaces ge-0/0/3.0
delete security zones security-zone L2 interfaces ge-0/0/4.0
delete security zones security-zone L2 host-inbound-traffic system-services any-service
delete security zones security-zone L2 host-inbound-traffic protocols all
Place irb.10 into an L3 zone.
Then create policies L3 to L3 from there.
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home
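Putting the advice in this reply together with the mode change reported at the top of the thread, here is an added example of a complete minimal configuration; it is not configuration posted by either participant. Assumptions: ge-0/0/0 is the WAN port with documentation-range addressing 203.0.113.2/30 and gateway 203.0.113.1, the zones are named trust and untrust, and the policy and NAT rule-set names are made up for this example. The global-mode line is the standard way to put the SRX300 line into Ethernet switching mode (a reboot is required for it to take effect); it is included because the irb error in the thread only goes away once the box is out of the default transparent/mixed mode. Lines beginning with # are comments for the reader, not Junos commands.

```junos
# Added example, not the posters' configuration. '#' lines are comments only.

# 1. Ethernet switching mode. irb interfaces are accepted as zone members here,
#    not in the default transparent/mixed mode. Needs "request system reboot".
set protocols l2-learning global-mode switching

# 2. WAN uplink (assumed addressing from the 203.0.113.0/24 documentation range).
set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.2/30
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1

# 3. The two PC ports are plain access ports in VLAN 10. They get no zone of
#    their own; the L3 gateway for the VLAN is irb.10.
set interfaces ge-0/0/3 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members 10
set interfaces ge-0/0/4 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members 10
set vlans vlan-10 vlan-id 10
set vlans vlan-10 l3-interface irb.10
set interfaces irb unit 10 family inet address 10.10.10.1/24

# 4. Zones: only the L3 interfaces are members. Host-inbound services on irb.10
#    are limited to what the PCs need (ping here) rather than any-service/all.
#    The WAN side gets no host-inbound services at all.
set security zones security-zone trust interfaces irb.10 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0

# 5. L3-to-L3 policy (trust -> untrust only) and interface source NAT so the
#    10.10.10.0/24 hosts can reach the outside through the WAN address.
set security policies from-zone trust to-zone untrust policy allow-out match source-address any
set security policies from-zone trust to-zone untrust policy allow-out match destination-address any
set security policies from-zone trust to-zone untrust policy allow-out match application any
set security policies from-zone trust to-zone untrust policy allow-out then permit
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule snat-out match source-address 10.10.10.0/24
set security nat source rule-set trust-to-untrust rule snat-out then source-nat interface
```

Run `commit check` before `commit`; the "Interface irb is not allowed in mix mode" check-out failure from the thread is exactly what this catches if the mode change has not been applied and the device rebooted. After the reboot, `show security zones` should list irb.10 under trust and ge-0/0/0.0 under untrust with no ge-0/0/3.0 or ge-0/0/4.0 anywhere, `show ethernet-switching table` should show the two PC MACs in VLAN 10, and `show security flow session` should show PC sessions matched by policy allow-out. Note that with no untrust-to-trust policy and no host-inbound services on the WAN interface, nothing from outside can initiate a session or reach the SRX itself, which is the intended default; add a policy or a management service deliberately if that is needed.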
Original Message:
Sent: 08-09-2024 23:00
From: Mirza Dzafic
Subject: Juniper SRX300 doesn't route from L2 to L3 zone
Hello,
Thank you for your answer. But I need these 2 PCs connected on ports ge-0/0/3 and ge-0/0/4 to be in the same subnet, for example 10.10.10.0/24. Below you can find the configuration. What do I need to change?
set interfaces ge-0/0/3 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members 10
set interfaces ge-0/0/4 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members 10
set interfaces irb unit 10 family inet address 10.10.10.1/24
set security zones security-zone L2 interfaces ge-0/0/3.0
set security zones security-zone L2 interfaces ge-0/0/4.0
set vlans vlan-10 vlan-id 10
set vlans vlan-10 l3-interface irb.10
set security zones security-zone L2 host-inbound-traffic system-services any-service
set security zones security-zone L2 host-inbound-traffic protocols all
Thank you
------------------------------
Mirza Dzafic
Original Message:
Sent: 08-09-2024 19:16
From: spuluka
Subject: Juniper SRX300 doesn't route from L2 to L3 zone
You should create the irb interface zone as a layer 3 zone. These interfaces are allowed as layer 3 zone members. There is no need for an L2 zone in this configuration.
Typically the L2 zones are used when the SRX needs to be inserted in-line between devices at layer 2 on both sides. This allows the use of a firewall without any IP address changes: you literally disconnect the line from a device and insert the SRX between the protected device and its normal patch/router port. No physical or IP changes needed.
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home
Original Message:
Sent: 08-09-2024 14:04
From: Mirza Dzafic
Subject: Juniper SRX300 doesn't route from L2 to L3 zone
Hello,
I have a Juniper SRX300. One interface is the WAN L3 interface with an IP address in the untrust zone. Two interfaces are for 2 PCs in VLAN 10 and have an irb interface as the gateway. Those 2 interfaces are in the trust zone. When I want to create a security policy from the trust to the untrust zone I get this error: From zone and to zone must be L2 or L3 zones. I just want my 2 PCs connected to the SRX firewall to be in the same VLAN and to be able to reach the outside via the WAN L3 interface.
Can you give me some advice?
Thank you
------------------------------
Mirza Dzafic