juckyt asked:

Netscreen Firewall and Linksys Wireless - Getting both networks to talk to each other...

I have a Linksys wireless router connected to a Juniper 5GT firewall. The router gets its IP from DHCP on the Trust interface. It, in turn, gives out its own DHCP address range to wireless clients (which gives me two networks). From workstations connected to either device, I can ping the respective gateway addresses of the other. But I cannot "see" any devices on the other networks respectively.

Take a look at this PDF. It lists figures 1-7 explaining what I can and cannot do:
Figure 1: The Linksys router Connection Status, notice it receives a DHCP address from the 5GT
Figure 2: The local network parameters of the Linksys wireless router
Figure 3: Routes I created on the Juniper firewall
Figure 4: Policies I created on the Juniper firewall
Figure 5: Successful PING from a wireless client to the WAN IP of the Linksys device (remember, this is a dynamic address)
Figure 6: Successful PING of the Juniper firewall itself, the gateway address
Figure 7: Unsuccessful PING of a workstation beyond the firewall gateway address


What I have here are two network ranges that cannot "see" each other. Workstations on both sides are able to get onto the Internet no problem. But they cannot "see" each other. What's missing?


juckyt FW-Wireless.pdf
ASKER CERTIFIED SOLUTION by jimmyray7 (members-only content, not shown)
als315:
If you need 2 networks, you can't change the Linksys mode to access point.
Is your Linksys working as NAT or as a simple router? If as NAT, disable it.
It is better to set the Linksys to a static IP.
On the first-network workstations (Juniper) add a route to the second network:
route add 10.85.81.0 MASK 255.255.255.0 192.168.1.201
juckyt (ASKER):
"route add" doesn't work ...
It will not work if NAT is enabled.
Try tracert from the first network to the second. You should get an answer from the Linksys if the route is added, and from the Juniper if not.
juckyt (ASKER):
OK...here's what I get: (From the XP Pro machine on the 192.168.1.0/24 network)
tracert 10.85.81.100
1     1ms     <1ms     <1ms     192.168.1.1
2     *          *              *            Request timed out
etc

until it stops


I can get to the Juniper firewall but not past it...

juckyt (ASKER):
Wait, a good thing just happened...

I switched the Trust interface to Route mode instead of NAT. As you predicted, I could PING 192.168.1.201

I still can't do it the other way around...but we're getting closer.

You have no route from 192.168.0.* to 10.85.81.*:
"OK...here's what I get: (From the XP Pro machine on the 192.168.1.0/24 network)
tracert 10.85.81.100
1     1ms     <1ms     <1ms     192.168.1.1"

The first point should be the default gateway for 10.85.81.*. The route add command in my example should do it.
Do "route print" from the command line on your computer in the first network and show it here.
You can add "-p" at the end of the route add command to make this route persistent.
juckyt (ASKER):
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>route print -p
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0d 56 67 9a ba ...... Broadcom 440x 10/100 Integrated Controller - Pac
ket Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.202       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0    192.168.1.202   192.168.1.202       20
    192.168.1.202  255.255.255.255        127.0.0.1       127.0.0.1       20
    192.168.1.255  255.255.255.255    192.168.1.202   192.168.1.202       20
        224.0.0.0        240.0.0.0    192.168.1.202   192.168.1.202       20
  255.255.255.255  255.255.255.255    192.168.1.202   192.168.1.202       1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  None

C:\Documents and Settings\Administrator>a

juckyt (ASKER):
Sorry,
This is better:

C:\Documents and Settings\Administrator>route print -p
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0d 56 67 9a ba ...... Broadcom 440x 10/100 Integrated Controller - Pac
ket Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.202       20
       10.85.81.0  255.255.255.255    192.168.1.201   192.168.1.202       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0    192.168.1.202   192.168.1.202       20
    192.168.1.202  255.255.255.255        127.0.0.1       127.0.0.1       20
    192.168.1.255  255.255.255.255    192.168.1.202   192.168.1.202       20
        224.0.0.0        240.0.0.0    192.168.1.202   192.168.1.202       20
  255.255.255.255  255.255.255.255    192.168.1.202   192.168.1.202       1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
       10.85.81.0  255.255.255.255    192.168.1.201       1

C:\Documents and Settings\Administrator>
This is not correct:
10.85.81.0  255.255.255.255    192.168.1.201   192.168.1.202       1
You need:
10.85.81.0  255.255.255.0    192.168.1.201   192.168.1.202       1

Do:

route delete 10.85.81.0
and
route add 10.85.81.0 MASK 255.255.255.0 192.168.1.201 -p
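As an added illustration (not part of this thread), the Python script below parses the Active Routes table of the route print output shown above and resolves a destination the way the Windows stack does (longest prefix match, lowest metric on ties). It shows why the entry with a 255.255.255.255 mask, which is what Windows installs when route add is typed without MASK, sends 10.85.81.100 to the Juniper default gateway, while the /24 entry sends it to the Linksys at 192.168.1.201. The two tables are copied from the asker's posts; the function names are my own.

```python
"""Parse the 'Active Routes' table of Windows 'route print' output and
resolve a destination the way the Windows stack does: longest prefix
match first, lowest metric on ties."""
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str
    interface: str
    metric: int


# Route table copied from the asker's 'route print' output, with the
# 10.85.81.0 entry that was added without a MASK (Windows then defaults
# the mask to 255.255.255.255, i.e. a single-host route).
WRONG_TABLE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.202       20
       10.85.81.0  255.255.255.255    192.168.1.201   192.168.1.202       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0    192.168.1.202   192.168.1.202       20
    192.168.1.202  255.255.255.255        127.0.0.1       127.0.0.1       20
    192.168.1.255  255.255.255.255    192.168.1.202   192.168.1.202       20
        224.0.0.0        240.0.0.0    192.168.1.202   192.168.1.202       20
  255.255.255.255  255.255.255.255    192.168.1.202   192.168.1.202       1
Default Gateway:       192.168.1.1
"""

# The same table after 'route delete' / 'route add ... MASK 255.255.255.0'.
FIXED_TABLE = WRONG_TABLE.replace(
    "10.85.81.0  255.255.255.255", "10.85.81.0    255.255.255.0")


def parse_route_print(text: str) -> List[Route]:
    """Return the rows of the Active Routes table as Route records."""
    routes: List[Route] = []
    in_table = False
    for line in text.splitlines():
        fields = line.split()
        if fields[:2] == ["Network", "Destination"]:
            in_table = True          # header row; route rows follow
            continue
        if not in_table:
            continue
        if not fields or fields[0].startswith(("Default", "=")):
            break                    # end of the Active Routes block
        if len(fields) != 5:
            continue
        dest, mask, gateway, iface, metric = fields
        network = ipaddress.IPv4Network((dest, mask), strict=False)
        routes.append(Route(network, gateway, iface, int(metric)))
    return routes


def lookup(routes: List[Route], destination: str) -> Optional[Route]:
    """Longest-prefix match; among equal prefix lengths the lowest metric wins."""
    addr = ipaddress.IPv4Address(destination)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def find_mask_mistakes(routes: List[Route], intended: str) -> List[Route]:
    """Flag entries whose destination equals the intended subnet address but
    whose mask differs: the signature of 'route add' typed without MASK."""
    want = ipaddress.IPv4Network(intended)
    return [r for r in routes
            if r.network.network_address == want.network_address
            and r.network.prefixlen != want.prefixlen]


if __name__ == "__main__":
    for label, table in (("without MASK", WRONG_TABLE), ("with MASK /24", FIXED_TABLE)):
        routes = parse_route_print(table)
        hit = lookup(routes, "10.85.81.100")
        print(f"{label}: 10.85.81.100 -> {hit.network} via {hit.gateway}")
        for bad in find_mask_mistakes(routes, "10.85.81.0/24"):
            print(f"  suspicious: {bad.network} is a host route, expected /24")
```

Run against the first table, the script reports 10.85.81.100 going via 192.168.1.1, which is exactly the first hop the asker's tracert showed; against the corrected table it reports 192.168.1.201.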
juckyt (ASKER):
OK, I added two routes yet still cannot ping past the 192.168.1.0 network.
C:\Documents and Settings\Administrator>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0d 56 67 9a ba ...... Broadcom 440x 10/100 Integrated Controller - Pac
ket Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.202       20
       10.85.81.0    255.255.255.0    192.168.1.201   192.168.1.202       1
      10.85.81.10  255.255.255.255    192.168.1.102   192.168.1.202       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0    192.168.1.202   192.168.1.202       20
    192.168.1.202  255.255.255.255        127.0.0.1       127.0.0.1       20
    192.168.1.255  255.255.255.255    192.168.1.202   192.168.1.202       20
        224.0.0.0        240.0.0.0    192.168.1.202   192.168.1.202       20
  255.255.255.255  255.255.255.255    192.168.1.202   192.168.1.202       1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
       10.85.81.0    255.255.255.0    192.168.1.201       1
      10.85.81.10  255.255.255.255    192.168.1.102       1
I'm getting stopped at the Linksys router. From the XP workstation, I can PING 192.168.1.102 (the DHCP address assigned from the Juniper firewall) but not devices in the LAN side IP range, 10.85.81.0/24 (I don't even get a response from the LAN side IP of the Wireless router, 10.85.81.10).
This is a consumer router so maybe it doesn't handle different DHCP traffic between two subnets very well. I'm going to try and assign it a static address and see what happens.
 
JT
DHCP or STATIC should not make a difference.

You may need to add static routes on the router also, and check the firewall config.

I hope this helps !
There are two different tasks:
1. From 10.85.81.0 network access 192.168.1.0
2. From 192.168.1.0 network access 10.85.81.0
So:
1. Can you ping from 10.85.81.0 to any device in the 192.168.1.0 network?
2. What is the model of your Linksys device? I propose you need to divide your networks into parts, where one will not have access to the second. If both networks should have the same rights, why do you want to divide them? Do you have more than 250 computers?
juckyt (ASKER):
I've got one logical network, period. Unfortunately, I've got two devices that don't integrate well.

1. A Netscreen 5GT -- used as a firewall protecting my home network from the Internet (a cable modem)
2. A Linksys WRV200 Wireless Router
 
The cable modem is connected to the UNTRUST port of the Juniper firewall. And the Linksys wireless router is connected to the TRUST switchport on the Juniper firewall.

The Juniper TRUST ports (four of them) are configured by its internal DHCP server with specific parameters:
a)  Gateway address = 192.168.1.1
b)  SNM = 255.255.255.0
c)  DHCP Scope = 192.168.1.200-219
d)  DHCP DNS = 66.76.87.122 | 66.76.88.122

The Linksys wireless router has an ethernet cable connected from its INTERNET port to the TRUST port on the Juniper firewall. It is currently configured with an Internet connection type of "Automatic Configuration - DHCP",
in this case 192.168.1.201, which it receives from the Juniper device.
I have to configure a different LAN IP for the Linksys device, so I set it to 10.85.81.10. It, in turn, serves IP addresses to wireless clients from its own DHCP server configured as follows:
a)  DHCP address range = 10.85.81.100-119
b)  SNM = 255.255.255.0
c)  Gateway address = 10.85.81.10
d)  DNS = uses the upstream router
 
I want a wired workstation connected to the TRUST port on the Juniper device to connect to a wireless client connected wirelessly to the Linksys device. To date, I've managed to PING the wired workstation from a wireless client, even remote desktop into it. But not the other way around...
EXCEPT...when I changed the Operation Mode on Linksys "Advanced Routing" tab from Gateway to Router. In this scenario, I can ping both directions, but now my wireless clients are no longer able to get out onto the Internet.
 
It's really cludged!
I think you need to change the mode of the Linksys to Access point, as was recommended in the first comment (jimmyray7). All devices will be on one network. Your router must be set to "infrastructure mode". I can't find this mode in the Linksys manual. Maybe you can do it. You can also (without changing the mode) connect the cable from the Juniper to any LAN port of the Linksys and disable DHCP in the Linksys.
SOLUTION (members-only content, not shown)
juckyt (ASKER):
The Linksys router was the real problem here. But I finally configured it as an access point for my local LAN, and it even acts as a DHCP relay for all my wireless clients.

Here's what I did:
I set the Linksys device to Router Mode (SETUP-->ADV ROUTING-->OPERATION MODE) and rebooted twice. Then, after ensuring the Internet Connection Type was set for "Automatic Configuration - DHCP", I disabled the local DHCP Server, changed the LAN IP address to 192.168.1.55 and connected a wired ethernet cable to the LAN switch-port on the Linksys device (which connects back to the LAN TRUST interface of the Juniper device).

Now the Linksys device is passively acting as a DHCP relay for the server service running on the Netscreen 5GT.  It actually passes the DHCP scope to its wireless clients upon WAP authentication.

It should be noted that the Linksys device is no longer collecting a DHCP address from the Juniper server because its own LAN IP address is already on the same subnet.