• Status: Solved

Netscreen Firewall and Linksys Wireless - Getting both networks to talk to each other...

I have a Linksys wireless router connected to a Juniper 5GT firewall. The router gets its IP from DHCP on the Trust interface. It, in turn, gives out its own DHCP address range to wireless clients (which gives me two networks). From workstations connected to either device, I can ping the respective gateway addresses of the other. But I cannot "see" any devices on the other networks respectively.

Take a look at this PDF. It lists figures 1-7 explaining what I can and cannot do:
Figure 1: The Linksys router Connection Status, notice it receives a DHCP address from the 5GT
Figure 2: The local network parameters of the Linksys wireless router
Figure 3: Routes I created on the Juniper firewall
Figure 4: Policies I created on the Juniper firewall
Figure 5: Successful PING from a wireless client to the WAN IP of the Linksys device (remember, this is a dynamic address)
Figure 6: Successful PING of the Juniper firewall itself, the gateway address
Figure 7: Unsuccessful PING of a workstation beyond the firewall gateway address


What I have here are two network ranges that cannot "see" each other. Workstations on both sides are able to get onto the Internet no problem. But they cannot "see" each other. What's missing?


Attachment: juckyt FW-Wireless.pdf
Asked by juckyt
2 Solutions
 
jimmyray7Commented:
Sounds like you want a wireless access point, not a wireless router.  There are a few options -

-Look in the config on the Linksys - many routers have an "AP mode" where they do not route, they just act as an access point.  Wireless clients will get their addresses from the Juniper and everyone is on one network

-Disable the firewall on the Linksys, allowing all traffic in and out.  You may have to add a route on the Juniper for the wireless network.
0
 
als315Commented:
If you need 2 networks, you can't change the Linksys mode to access point.
Is your Linksys working as NAT or as a simple router? If as NAT, disable it.
It is better to set the Linksys to a static IP.
On the 1st network workstations (Juniper) add a route to the second network:
route add 10.85.81.0 MASK 255.255.255.0 192.168.1.201
0
 
juckytAuthor Commented:
"route add" doesn't work ...
0
 
als315Commented:
It will not work if NAT is enabled.
Try tracert from the first network to the second. You should get an answer from the Linksys if the route is added, and from the Juniper if not.
0
 
juckytAuthor Commented:
OK...here's what I get: (From the XP Pro machine on the 192.168.1.0/24 network)
tracert 10.85.81.100
1     1ms     <1ms     <1ms     192.168.1.1
2     *          *              *            Request timed out
etc

until it stops


I can get to the Juniper firewall but not past it...

0
 
juckytAuthor Commented:
Wait, a good thing just happened...

I switched the Trust interface to Route mode instead of NAT. As you predicted, I could PING 192.168.1.201

I still can't do it the other way around...but we're getting closer.




0
 
als315Commented:
You have no route from 192.168.0.* to 10.85.81.*:
"OK...here's what I get: (From the XP Pro machine on the 192.168.1.0/24 network)
tracert 10.85.81.100
1     1ms     <1ms     <1ms     192.168.1.1"

The first hop should be the default gateway for 10.85.81.*. The route add command in my example should make it so.
Do "route print" from command line on your computer in first network and show it here.
You can add "-p" in the end of route add command to make this route persistent.
0
 
juckytAuthor Commented:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>route print -p
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0d 56 67 9a ba ...... Broadcom 440x 10/100 Integrated Controller - Pac
ket Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.202       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0    192.168.1.202   192.168.1.202       20
    192.168.1.202  255.255.255.255        127.0.0.1       127.0.0.1       20
    192.168.1.255  255.255.255.255    192.168.1.202   192.168.1.202       20
        224.0.0.0        240.0.0.0    192.168.1.202   192.168.1.202       20
  255.255.255.255  255.255.255.255    192.168.1.202   192.168.1.202       1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  None

C:\Documents and Settings\Administrator>a


0
 
juckytAuthor Commented:
Sorry,
This is better:

C:\Documents and Settings\Administrator>route print -p
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0d 56 67 9a ba ...... Broadcom 440x 10/100 Integrated Controller - Pac
ket Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.202       20
       10.85.81.0  255.255.255.255    192.168.1.201   192.168.1.202       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0    192.168.1.202   192.168.1.202       20
    192.168.1.202  255.255.255.255        127.0.0.1       127.0.0.1       20
    192.168.1.255  255.255.255.255    192.168.1.202   192.168.1.202       20
        224.0.0.0        240.0.0.0    192.168.1.202   192.168.1.202       20
  255.255.255.255  255.255.255.255    192.168.1.202   192.168.1.202       1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
       10.85.81.0  255.255.255.255    192.168.1.201       1

C:\Documents and Settings\Administrator>
0
 
als315Commented:
This is not correct:
10.85.81.0  255.255.255.255    192.168.1.201   192.168.1.202       1
You need:
10.85.81.0  255.255.255.0    192.168.1.201   192.168.1.202       1

Make:

route delete 10.85.81.0
and
route add 10.85.81.0 MASK 255.255.255.0 192.168.1.201 -p
0
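The mask correction in the comment above, worked through as an added example (this is not code from the thread): a small Python script that parses the `route print` output posted earlier in this thread, performs the longest-prefix lookup Windows uses to pick a next hop, and shows why 10.85.81.100 was handed to the default gateway 192.168.1.1 while the 10.85.81.0 entry carried a 255.255.255.255 mask, and to 192.168.1.201 once the mask is 255.255.255.0. The route table text is the one posted above; the function names are my own.

```python
import ipaddress

# Active-routes section of the "route print" output posted in this thread,
# with the 10.85.81.0 entry carrying the wrong 255.255.255.255 mask.
ROUTE_PRINT_WRONG_MASK = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.202       20
       10.85.81.0  255.255.255.255    192.168.1.201   192.168.1.202       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0    192.168.1.202   192.168.1.202       20
    192.168.1.202  255.255.255.255        127.0.0.1       127.0.0.1       20
    192.168.1.255  255.255.255.255    192.168.1.202   192.168.1.202       20
        224.0.0.0        240.0.0.0    192.168.1.202   192.168.1.202       20
  255.255.255.255  255.255.255.255    192.168.1.202   192.168.1.202       1
Default Gateway:       192.168.1.1
"""

# The same table after "route delete 10.85.81.0" and
# "route add 10.85.81.0 MASK 255.255.255.0 192.168.1.201 -p".
ROUTE_PRINT_FIXED = ROUTE_PRINT_WRONG_MASK.replace(
    "10.85.81.0  255.255.255.255", "10.85.81.0    255.255.255.0")


def parse_route_print(text):
    """Return a list of (network, gateway, interface, metric) tuples.

    Lines that are not five whitespace-separated fields with a valid
    destination/netmask pair (headers, separators, 'Default Gateway:')
    are skipped.
    """
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        dest, mask, gateway, iface, metric = fields
        try:
            # ipaddress accepts a dotted netmask after the slash.
            network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
            routes.append((network, gateway, iface, int(metric)))
        except ValueError:
            continue
    return routes


def next_hop(routes, destination):
    """Longest-prefix match, lowest metric as tie-break, as Windows does.

    Returns the gateway address, or None when no route matches.
    """
    addr = ipaddress.IPv4Address(destination)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    best = max(matches, key=lambda r: (r[0].prefixlen, -r[3]))
    return best[1]


def explicit_route_for(routes, subnet):
    """Gateway of a non-default route covering the whole subnet, else None.

    Checks that the route reaches every host in 10.85.81.0/24 and not only
    the single address 10.85.81.0, which is all a /32 entry covers.
    """
    net = ipaddress.IPv4Network(subnet)
    for network, gateway, _iface, _metric in routes:
        if network.prefixlen > 0 and net.subnet_of(network):
            return gateway
    return None


if __name__ == "__main__":
    for label, text in (("wrong mask", ROUTE_PRINT_WRONG_MASK),
                        ("fixed mask", ROUTE_PRINT_FIXED)):
        table = parse_route_print(text)
        print(f"{label}: 10.85.81.100 -> {next_hop(table, '10.85.81.100')}, "
              f"10.85.81.0/24 via {explicit_route_for(table, '10.85.81.0/24')}")
```

Under the /32 entry only 10.85.81.0 itself matches the added route; every other wireless host falls through to the 0.0.0.0/0 entry and is sent to 192.168.1.1, which is exactly the first hop the tracert above showed before it timed out.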
 
juckytAuthor Commented:
OK, I added two routes yet still cannot ping past the 192.168.1.0 network.
C:\Documents and Settings\Administrator>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0d 56 67 9a ba ...... Broadcom 440x 10/100 Integrated Controller - Pac
ket Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.202       20
       10.85.81.0    255.255.255.0    192.168.1.201   192.168.1.202       1
      10.85.81.10  255.255.255.255    192.168.1.102   192.168.1.202       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0    192.168.1.202   192.168.1.202       20
    192.168.1.202  255.255.255.255        127.0.0.1       127.0.0.1       20
    192.168.1.255  255.255.255.255    192.168.1.202   192.168.1.202       20
        224.0.0.0        240.0.0.0    192.168.1.202   192.168.1.202       20
  255.255.255.255  255.255.255.255    192.168.1.202   192.168.1.202       1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
       10.85.81.0    255.255.255.0    192.168.1.201       1
      10.85.81.10  255.255.255.255    192.168.1.102       1
I'm getting stopped at the Linksys router. From the XP workstation, I can PING 192.168.1.102 (the DHCP address assigned from the Juniper firewall) but not devices on the LAN-side IP range, 10.85.81.0/24 (I don't even get a response from the LAN-side IP of the wireless router, 10.85.81.10).
This is a consumer router so maybe it doesn't handle different DHCP traffic between two subnets very well. I'm going to try and assign it a static address and see what happens.
 
JT
0
 
SysExpertCommented:
DHCP or STATIC should not make a difference.

You may need to add static routes on the router also, and check the firewall config.

I hope this helps !
0
 
als315Commented:
There are two different tasks:
1. From 10.85.81.0 network access 192.168.1.0
2. From 192.168.1.0 network access 10.85.81.0
So:
1. Can you ping from 10.85.81.0 to any device in 192.168.1.0 network?
2. What is the model of your Linksys device? I propose you need to divide your networks into parts, where one will not have access to the second. If both networks should have the same rights, why do you want to divide them? You have more than 250 computers?
0
 
juckytAuthor Commented:
I've got one logical network, period. Unfortunately, I've got two devices that don't integrate well.

1. A Netscreen 5GT -- used as a firewall protecting my home network from the Internet (a cable modem)
2. A Linksys WRV200 Wireless Router
 
The cable modem is connected to the UNTRUST port of the Juniper firewall. And the Linksys wireless router is connected to the TRUST switchport on the Juniper firewall.

The Juniper TRUST ports (four of them) are configured by its internal DHCP server with specific parameters:
a)  Gateway address = 192.168.1.1
b)  SNM = 255.255.255.0
c)  DHCP Scope = 192.168.1.200-219
d)  DHCP DNS = 66.76.87.122 | 66.76.88.122

The Linksys wireless router has an ethernet cable connected from its INTERNET port to the TRUST port on the Juniper firewall. It is currently configured with an Internet connection type of "Automatic Configuration - DHCP", in this case 192.168.1.201, which it receives from the Juniper device.
I have to configure a different LAN IP for the Linksys device, so I set it to 10.85.81.10. It, in turn, serves IP addresses to wireless clients from its own DHCP server configured as follows:
a)  DHCP address range = 10.85.81.100-119
b)  SNM = 255.255.255.0
c)  Gateway address = 10.85.81.10
d)  DNS = uses the upstream router
 
I want a wired workstation connected to the TRUST port on the Juniper device to connect to a wireless client connected wirelessly to the Linksys device. To date, I've managed to PING the wired workstation from a wireless client, even remote desktop into it. But not the other way around...
EXCEPT...when I changed the Operation Mode on Linksys "Advanced Routing" tab from Gateway to Router. In this scenario, I can ping both directions, but now my wireless clients are no longer able to get out onto the Internet.
 
It's really kludged!
0
 
als315Commented:
I think you need change mode of Linksys to Access point, as was recommended in first comment (jimmyray7). All devices will be on one network. Your router must be set to "infrastructure mode". I can't find in Linksys manual this mode. May be you can do it. You can also (without changing mode) connect cable from Juniper to any LAN port of Linksys and disable DHCP in Linksys.
0
 
als315Commented:
Seems it can't be set to Access point mode.
So you can set LAN address of Linksys to any free address in 192.168.1.* network, disable DHCP on it, disconnect cable from WAN port of Linksys and connect it to LAN port.
0
 
juckytAuthor Commented:
The Linksys router was the real problem here. But I finally configured it as an access point for my local LAN, and it even acts as a DHCP relay for all my wireless clients.

Here's what I did:
I set the Linksys device to Router Mode (SETUP-->ADV ROUTING-->OPERATION MODE) and rebooted twice. Then, after ensuring the Internet Connection Type was set for "Automatic Configuration - DHCP", I disabled the local DHCP Server, changed the LAN IP address to 192.168.1.55 and connected a wired ethernet cable to the LAN switch-port on the Linksys device (which connects back to the LAN TRUST interface of the Juniper device).

Now the Linksys device is passively acting as a DHCP relay for the server service running on the Netscreen 5GT.  It actually passes the DHCP scope to its wireless clients upon WAP authentication.

It should be noted that, the Linksys device is no longer collecting a DHCP address from the Juniper server b/c its own LAN IP address is already on the same subnet.
0
Question has a verified solution.