I've completely removed the virtual-routers from the equation to try and simplify this and figure it out as quickly as possible, but you were probably right about the route leaking back into inet.0.
Here is security nat source now:
pool Vendors {
    address {
        x.x.x.154/32;
    }
}
pool Guests {
    address {
        x.x.x.158/32;
    }
}
rule-set nat-rules {
    from zone trust;
    to zone untrust;
    rule vendor-nat {
        match {
            source-address 10.20.0.0/16;
            application any;
        }
        then {
            source-nat {
                pool {
                    Vendors;
                }
            }
        }
    }
    rule guest-nat {
        match {
            source-address 10.30.0.0/16;
            application any;
        }
        then {
            source-nat {
                pool {
                    Guests;
                }
            }
        }
    }
}
And the zones (I've been simplifying things): VLAN 450 is the APs and 803 is management.
security-zone trust {
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        irb.803;
        irb.450;
        irb.453;
        irb.454;
    }
}
security-zone untrust {
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        irb.451;
        irb.452;
    }
}
Policy is basic from zone trust to zone untrust permit all.
Showing translation hits with: run show security nat source pool all && run show security flow session nat
Still can't ping externally.
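One thing worth checking when the pool counters increment but nothing comes back: an SRX only answers ARP for its own interface addresses. If x.x.x.154 and x.x.x.158 sit in the same subnet as the untrust irb rather than being routed to the SRX by the upstream, the upstream gateway's ARP for the pool address gets no reply and the return traffic never arrives, even though the outbound session and the NAT hit are both visible. The fragment below is an added example, not the poster's configuration; it assumes irb.451 is the irb facing the upstream gateway (the post does not say which of irb.451 or irb.452 that is), and it reuses the two pool addresses from the post.

```junos
/* Added example: proxy-ARP for source NAT pool addresses that live in the
   egress interface's subnet but are not the interface's own address.
   Assumption: irb.451 is the irb that faces the upstream gateway. */
security {
    nat {
        proxy-arp {
            interface irb.451 {
                address {
                    /* pool Vendors */
                    x.x.x.154/32;
                    /* pool Guests */
                    x.x.x.158/32;
                }
            }
        }
    }
}
```

After committing, run show security nat source pool all still shows the translation hits, and the upstream device's ARP table should now resolve the pool addresses to the irb.451 MAC. If the pool addresses are instead in a separate block that the upstream routes to the SRX's interface address, proxy-ARP is not needed and the missing piece is the route on the upstream side rather than anything on the SRX.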