This article will explain how to add a security zone with a dedicated VLan, DHCP scope and DNS proxy rule.
For the purpose of this example, we will add a guest zone with the following parameters:
- VLan ID: 40
- Subnet: 10.10.40.0/24
- Gateway IP (layer 3 interface): 10.10.40.1
- DHCP Scope: 10.10.40.128/25
- Policy: Allow http, https, ping, traceroute, dns, dhcp
- Allowed interface: ge-0/0/2
1. Define the VLan:
set vlans v40 description "Guest LAN"
set vlans v40 vlan-id 40
2. Define the layer 3 interface and gateway IP on VLan 40:
set vlans v40 l3-interface irb.40
set interfaces irb unit 40 family inet address 10.10.40.1/24
3. Configure the DHCP server and scope:
set access address-assignment pool DHCP_Grp_GUEST_Pool1 family inet network 10.10.40.0/24
set access address-assignment pool DHCP_Grp_GUEST_Pool1 family inet range DHCP_Grp_GUEST_Pool1_Range1 low 10.10.40.129
set access address-assignment pool DHCP_Grp_GUEST_Pool1 family inet range DHCP_Grp_GUEST_Pool1_Range1 high 10.10.40.254
set access address-assignment pool DHCP_Grp_GUEST_Pool1 family inet dhcp-attributes name-server 10.10.40.1
set access address-assignment pool DHCP_Grp_GUEST_Pool1 family inet dhcp-attributes router 10.10.40.1
set system services dhcp-local-server group DHCP_Grp_GUEST interface irb.40
4. Configure the DNS proxy:
set system services dns dns-proxy interface irb.40
5. Configure the security zone GUEST, bind irb.40 to it and allow all protocols inbound to the device on that interface:
set security zones security-zone GUEST interfaces irb.40 host-inbound-traffic protocols all
6. Add the desired interface to VLan 40:
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members v40
Note: Add as many interfaces as needed; also make sure that each interface has the proper mode (access or trunk) and, if required, a native-vlan-id.
7. Define the system services the device accepts from the security zone:
set security zones security-zone GUEST interfaces irb.40 host-inbound-traffic system-services ping
set security zones security-zone GUEST interfaces irb.40 host-inbound-traffic system-services dhcp
set security zones security-zone GUEST interfaces irb.40 host-inbound-traffic system-services dns
set security zones security-zone GUEST interfaces irb.40 host-inbound-traffic system-services http
set security zones security-zone GUEST interfaces irb.40 host-inbound-traffic system-services https
set security zones security-zone GUEST interfaces irb.40 host-inbound-traffic system-services traceroute
Note: You may also allow all services in some specific cases, but this is not recommended for a guest zone:
set security zones security-zone GUEST interfaces irb.40 host-inbound-traffic system-services all
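The seven steps above are the same for any new zone; only the name, VLan ID, addressing, services and interfaces change. The following script is an added example, not part of the original article, that generates the complete set of "set" commands for an arbitrary zone and checks the addressing first: the gateway must sit inside the subnet, the DHCP scope must be a subnet of it, and the gateway must not fall inside the DHCP scope (otherwise the DHCP server could hand the gateway's address to a client). The ZoneSpec fields, the DHCP_Grp_<zone>_Pool1 naming and the service list are assumptions modelled on the article's guest zone; the GUEST values are the article's own.

```python
"""Generate Junos 'set' commands for a new security zone from a few parameters.

Added example (not part of the original article). It reproduces steps 1-7 of
the article for any zone and validates the addressing before emitting anything.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

# Services the article uses under host-inbound-traffic system-services.
# Anything outside this set (or the literal "all") is rejected by validate().
KNOWN_SERVICES = {"ping", "dhcp", "dns", "http", "https", "traceroute"}


@dataclass
class ZoneSpec:
    """Hypothetical parameter bundle (assumption); field names are ours."""
    name: str              # security zone name, e.g. GUEST
    vlan_id: int           # VLan ID, also used for irb.<id> and v<id>
    description: str       # VLan description
    subnet: str            # e.g. 10.10.40.0/24
    gateway: str           # layer 3 address of the irb interface
    dhcp_scope: str        # e.g. 10.10.40.128/25
    services: List[str]    # host-inbound-traffic system-services to allow
    interfaces: List[str]  # access ports to place into the VLan


def validate(spec: ZoneSpec) -> None:
    """Raise ValueError for any addressing mistake that would commit but misbehave."""
    if not 1 <= spec.vlan_id <= 4094:
        raise ValueError(f"VLAN id {spec.vlan_id} out of range 1-4094")
    net = ipaddress.ip_network(spec.subnet, strict=True)
    scope = ipaddress.ip_network(spec.dhcp_scope, strict=True)
    gw = ipaddress.ip_address(spec.gateway)
    if gw not in net:
        raise ValueError(f"gateway {gw} is not inside {net}")
    if gw in (net.network_address, net.broadcast_address):
        raise ValueError(f"gateway {gw} is the network or broadcast address of {net}")
    if not scope.subnet_of(net):
        raise ValueError(f"DHCP scope {scope} is not inside {net}")
    if gw in scope:
        raise ValueError(f"gateway {gw} lies inside the DHCP scope {scope}")
    if len(list(scope.hosts())) < 2:
        raise ValueError(f"DHCP scope {scope} has no usable address range")
    unknown = set(spec.services) - KNOWN_SERVICES - {"all"}
    if unknown:
        raise ValueError(f"unknown system-services: {sorted(unknown)}")


def render(spec: ZoneSpec) -> List[str]:
    """Return the 'set' commands in the same order as the article's steps."""
    validate(spec)
    net = ipaddress.ip_network(spec.subnet)
    scope = ipaddress.ip_network(spec.dhcp_scope)
    hosts = list(scope.hosts())          # excludes scope network/broadcast
    low, high = hosts[0], hosts[-1]       # .129 / .254 for 10.10.40.128/25
    irb = f"irb.{spec.vlan_id}"
    vlan = f"v{spec.vlan_id}"
    pool = f"DHCP_Grp_{spec.name}_Pool1"  # naming pattern taken from the article
    rng = f"{pool}_Range1"
    zone = f"security zones security-zone {spec.name} interfaces {irb} host-inbound-traffic"
    cmds = [
        # step 1: VLan
        f'set vlans {vlan} description "{spec.description}"',
        f"set vlans {vlan} vlan-id {spec.vlan_id}",
        # step 2: layer 3 interface
        f"set vlans {vlan} l3-interface {irb}",
        f"set interfaces irb unit {spec.vlan_id} family inet address {spec.gateway}/{net.prefixlen}",
        # step 3: DHCP pool and local server
        f"set access address-assignment pool {pool} family inet network {net}",
        f"set access address-assignment pool {pool} family inet range {rng} low {low}",
        f"set access address-assignment pool {pool} family inet range {rng} high {high}",
        f"set access address-assignment pool {pool} family inet dhcp-attributes name-server {spec.gateway}",
        f"set access address-assignment pool {pool} family inet dhcp-attributes router {spec.gateway}",
        f"set system services dhcp-local-server group DHCP_Grp_{spec.name} interface {irb}",
        # step 4: DNS proxy
        f"set system services dns dns-proxy interface {irb}",
        # step 5: zone binding, all protocols inbound to the device
        f"set {zone} protocols all",
    ]
    # step 6: access ports
    for ifname in spec.interfaces:
        cmds.append(f"set interfaces {ifname} unit 0 family ethernet-switching vlan members {vlan}")
    # step 7: system services; "all" collapses the list to the single line
    services = ["all"] if "all" in spec.services else spec.services
    for svc in services:
        cmds.append(f"set {zone} system-services {svc}")
    return cmds


# The article's guest zone, expressed as a ZoneSpec.
GUEST = ZoneSpec(
    name="GUEST", vlan_id=40, description="Guest LAN",
    subnet="10.10.40.0/24", gateway="10.10.40.1", dhcp_scope="10.10.40.128/25",
    services=["ping", "dhcp", "dns", "http", "https", "traceroute"],
    interfaces=["ge-0/0/2"],
)

if __name__ == "__main__":
    print("\n".join(render(GUEST)))
```

Running the script prints the commands exactly as they appear in steps 1 to 7, ready to paste into configuration mode. One caveat the generator does not cover: every host-inbound-traffic line governs only traffic addressed to the device itself (its DHCP server, DNS proxy, ping and so on). Traffic forwarded from GUEST to another zone is decided by security policies, which this article does not configure, so a from-zone GUEST policy is still required before guests reach anything beyond the gateway.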