Juniper Netscreen Question
January 19, 2010 7:43 AM

I need to have 2 subnets (/29s) on the external/untrust interface on my netscreen firewall. It will be NATing and I'll need to use VIPs from both subnets.

We're replacing an OpenBSD firewall with a pair of netscreens. On OpenBSD, we could easily add aliases from different subnets to the same interface and it was smart enough to figure everything out, even though the default gateway was only in one of the subnets. Unfortunately, due to the fact that the company is growing we need equipment with corporate support and we've standardized on Juniper. They're fantastic devices overall.

Is there any other way to do this other than using two ports in the untrust interface? How would I deal with the fact that only one subnet has a default gateway? VRs and some internal routing or something?

I'm using screenos 6.3 and these are SSG20s in an active/standby setup.
posted by hylaride to Computers & Internet (5 answers total)
Is there any other way to do this other than using two ports in the untrust interface?

This is what VLANs and sub-interfaces are for, assuming the rest of your LAN supports VLAN tagging.

How would I deal with the fact that only one subnet has a default gateway?

They would both have a default gateway, or else that segment wouldn't talk to anything outside itself. Sounds like the old device hid all that from you.
posted by anti social order at 11:35 AM on January 19, 2010


@anti social order
The OpenBSD firewall sent the packets to the upstream gateway, which had the IP of one of the subnets, for both subnets. It did some trickery there, though it broke the rules of IP (or else the OpenBSD firewall did some internal routing?)
posted by hylaride at 12:19 PM on January 19, 2010


If I get what you are asking, the OpenBSD box probably had some session tagging and next-hop settings in the pf rules depending on those tags in order to route return traffic that came in via a RDR (incoming nat) rule back to the correct gateway (overriding the system default routing table). You had things set up so a service could be accessed via multiple ISPs, and reply traffic would be confined to that ISP.

I don't have the answer for netscreens - I've been wondering that myself - but from personal experience, the solution to this relatively simple-sounding scenario is generally not that straightforward (I've often used it as an interview question for potential network engineers).
posted by TravellingDen at 10:37 AM on January 20, 2010


I thought that you could set a gateway for each one.

What I do know is that Juniper is often VERY helpful with pre-sales support. If they know you're on the fence about buying something like that, they will bend over backwards to help you (and them) get the products into your environment. At the time, support was handled by IBM Global Services, and they were FANTASTIC.

Check with your VAR and ask them about that. I did this in the SF Bay Area and had one of their senior support engineers come on site and help us set it up for the cost of a sandwich. It's certainly worth asking about.
posted by drstein at 3:16 PM on January 20, 2010


FYI, a loopback interface in the untrust zone with the second subnet solved it. The netscreen then did the proper routing (I guess similar to how OpenBSD/Linux does it).
posted by hylaride at 1:11 PM on January 24, 2010
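The loopback approach from the final comment, and the VLAN sub-interface alternative suggested earlier, written out as a ScreenOS configuration fragment. This is an added illustration, not configuration from the thread or from Juniper: the interface name ethernet0/0, the documentation address ranges 203.0.113.0/29 (primary /29, carries the default gateway) and 198.51.100.0/29 (second /29 on the loopback), the internal server 10.0.0.5, the VLAN tag 100 and the policy syntax are all assumptions chosen for the example.

```screenos
# --- primary /29 on the physical untrust interface (assumed names/addresses) ---
set interface ethernet0/0 zone untrust
set interface ethernet0/0 ip 203.0.113.2/29
# the only default route: the ISP gateway lives in the primary /29
set vrouter trust-vr route 0.0.0.0/0 interface ethernet0/0 gateway 203.0.113.1

# --- second /29 on a loopback in the same zone (the approach that solved it) ---
set interface loopback.1 zone untrust
set interface loopback.1 ip 198.51.100.2/29
# bind the physical interface to the loopback group so the firewall answers
# ARP for the loopback /29 on the wire; replies still leave via the default route
set interface ethernet0/0 loopback-group loopback.1

# --- VIPs from both subnets, each exposing only the port it needs ---
set interface ethernet0/0 vip 203.0.113.3 80 HTTP 10.0.0.5
set interface loopback.1 vip 198.51.100.3 443 HTTPS 10.0.0.5

# --- policies: permit only the VIP services, log hits for review ---
set policy from untrust to trust any "VIP(203.0.113.3)" HTTP permit log
set policy from untrust to trust any "VIP(198.51.100.3)" HTTPS permit log

# --- alternative: a tagged sub-interface instead of the loopback (needs an
# upstream that tags VLAN 100 and a gateway inside the second /29) ---
# set interface ethernet0/0.1 tag 100 zone untrust
# set interface ethernet0/0.1 ip 198.51.100.2/29
```

Two things to check after applying something like this. First, `get route` should show exactly one default route; the loopback subnet needs no gateway of its own because its return traffic rides the primary subnet's route. Second, `get interface ethernet0/0` and `get interface loopback.1` should list the VIPs you expect and nothing more, since every VIP is a deliberately opened door from the untrust zone into the trust zone, and the policy lines, not the VIP lines, are what limit it to the intended service.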

