juckyt
asked on
Netscreen Firewall and Linksys Wireless - Getting both networks to talk to each other...
I have a Linksys wireless router connected to a Juniper 5GT firewall. The router gets its IP from DHCP on the Trust interface. It, in turn, gives out its own DHCP address range to wireless clients (which gives me two networks). From workstations connected to either device, I can ping the respective gateway addresses of the other. But I cannot "see" any devices on the other networks respectively.
Take a look at this PDF. It lists figures 1-7 explaining what I can and cannot do:
Figure 1: The Linksys router Connection Status, notice it receives a DHCP address from the 5GT
Figure 2: The local network parameters of the Linksys wireless router
Figure 3: Routes I created on the Juniper firewall
Figure 4: Policies I created on the Juniper firewall
Figure 5: Successful PING from a wireless client to the WAN IP of the Linksys device (remember, this is a dynamic address)
Figure 6: Successful PING of the Juniper firewall itself, the gateway address
Figure 7: Unsuccessful PING of a workstation beyond the firewall gateway address
What I have here are two network ranges that cannot "see" each other. Workstations on both sides are able to get onto the Internet no problem. But they cannot "see" each other. What's missing?
juckyt FW-Wireless.pdf
ASKER CERTIFIED SOLUTION
ASKER
"route add" doesn't work ...
It will not work if NAT is enabled.
Try tracert from the first network to the second. You should get an answer from the Linksys if the route was added, and from the Juniper if not.
ASKER
OK...here's what I get: (From the XP Pro machine on the 192.168.1.0/24 network)
tracert 10.85.81.100
1 1ms <1ms <1ms 192.168.1.1
2 * * * Request timed out
etc
until it stops
I can get to the Juniper firewall but not past it...
ASKER
Wait, a good thing just happened...
I switched the Trust interface to Route mode instead of NAT. As you predicted, I could PING 192.168.1.201
I still can't do it the other way around...but we're getting closer.
You have no route from 192.168.0.* to 10.85.81.*:
"OK...here's what I get: (From the XP Pro machine on the 192.168.1.0/24 network)
tracert 10.85.81.100
1 1ms <1ms <1ms 192.168.1.1"
The first hop should be the default gateway for 10.85.81.*. The route add command in my example should have made it.
Do "route print" from the command line on your computer in the first network and show it here.
You can add "-p" at the end of the route add command to make this route persistent.
ASKER
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Administrator>route print -p
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0d 56 67 9a ba ...... Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.202 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.202 192.168.1.202 20
192.168.1.202 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.202 192.168.1.202 20
224.0.0.0 240.0.0.0 192.168.1.202 192.168.1.202 20
255.255.255.255 255.255.255.255 192.168.1.202 192.168.1.202 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None
C:\Documents and Settings\Administrator>
ASKER
Sorry,
This is better:
C:\Documents and Settings\Administrator>route print -p
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0d 56 67 9a ba ...... Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.202 20
10.85.81.0 255.255.255.255 192.168.1.201 192.168.1.202 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.202 192.168.1.202 20
192.168.1.202 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.202 192.168.1.202 20
224.0.0.0 240.0.0.0 192.168.1.202 192.168.1.202 20
255.255.255.255 255.255.255.255 192.168.1.202 192.168.1.202 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
10.85.81.0 255.255.255.255 192.168.1.201 1
C:\Documents and Settings\Administrator>
This is not correct:
10.85.81.0 255.255.255.255 192.168.1.201 192.168.1.202 1
You need:
10.85.81.0 255.255.255.0 192.168.1.201 192.168.1.202 1
Run:
route delete 10.85.81.0
and
route add 10.85.81.0 MASK 255.255.255.0 192.168.1.201 -p
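The reply above turns on a single detail: a route entered with netmask 255.255.255.255 covers only the one address 10.85.81.0, so 10.85.81.100 falls through to the default route and ends up at the Juniper instead of the Linksys. The following is an added example, not code from the thread or from either vendor: it parses the "Active Routes" table of Windows `route print` (constructed here from the asker's own rows), does the longest-prefix lookup the host would do, and prints the `route delete` / `route add` pair needed when a destination is present under the wrong mask. The function names `parse_route_print`, `lookup` and `corrected_commands` are this example's own.

```python
import ipaddress

# Constructed sample: the asker's route table, still carrying the mistaken
# /32 entry for 10.85.81.0 (same rows as the "route print -p" output above).
ROUTE_PRINT_SAMPLE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.202     20
       10.85.81.0  255.255.255.255    192.168.1.201   192.168.1.202      1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1      1
      192.168.1.0    255.255.255.0    192.168.1.202   192.168.1.202     20
    192.168.1.202  255.255.255.255        127.0.0.1       127.0.0.1     20
    192.168.1.255  255.255.255.255    192.168.1.202   192.168.1.202     20
        224.0.0.0        240.0.0.0    192.168.1.202   192.168.1.202     20
  255.255.255.255  255.255.255.255    192.168.1.202   192.168.1.202      1
Default Gateway:       192.168.1.1
"""

# Same table after the expert's correction (mask 255.255.255.0).
FIXED_SAMPLE = ROUTE_PRINT_SAMPLE.replace(
    "10.85.81.0  255.255.255.255", "10.85.81.0    255.255.255.0")


def parse_route_print(text):
    """Return [(IPv4Network, gateway, metric)] for each row of the
    'Active Routes' table. A data row has exactly five fields:
    destination, netmask, gateway, interface, metric."""
    routes = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("Active Routes"):
            in_table = True
            continue
        if not in_table:
            continue
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # column header, separator or "Default Gateway:" line
        dest, mask, gw, _iface, metric = parts
        try:
            net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        except ValueError:
            continue
        routes.append((net, gw, int(metric)))
    return routes


def lookup(routes, dst):
    """Longest-prefix match with metric as tie-breaker (lower wins),
    the same selection Windows makes. Returns (network, gateway)."""
    dst_ip = ipaddress.IPv4Address(dst)
    best = None
    for net, gw, metric in routes:
        if dst_ip in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, str(net), gw)
    return (best[1], best[2]) if best else None


def corrected_commands(routes, wanted_cidr):
    """If the table holds the wanted network address under a different
    mask, return the delete/add commands that replace it (persistent)."""
    wanted = ipaddress.IPv4Network(wanted_cidr)
    cmds = []
    for net, gw, _metric in routes:
        if net.network_address == wanted.network_address and net != wanted:
            cmds.append(f"route delete {net.network_address}")
            cmds.append(f"route add {wanted.network_address} "
                        f"MASK {wanted.netmask} {gw} -p")
    return cmds


if __name__ == "__main__":
    wrong = parse_route_print(ROUTE_PRINT_SAMPLE)
    print("with /32 route:", lookup(wrong, "10.85.81.100"))   # via the Juniper
    print("with /32 route:", lookup(wrong, "10.85.81.0"))     # only this one host
    for cmd in corrected_commands(wrong, "10.85.81.0/24"):
        print(cmd)
    right = parse_route_print(FIXED_SAMPLE)
    print("with /24 route:", lookup(right, "10.85.81.100"))   # via the Linksys
```

Run against the asker's table, the lookup for 10.85.81.100 lands on 0.0.0.0/0 and the Juniper at 192.168.1.1, which is exactly the first hop the asker's tracert showed; with the mask corrected it lands on 10.85.81.0/24 via 192.168.1.201.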
ASKER
OK, I added two routes yet still cannot ping past the 192.168.1.0 network.
I'm getting stopped at the Linksys router. From the XP workstation, I can PING 192.168.1.102 (the DHCP address assigned from the Juniper firewall) but not devices on the LAN side IP range, 10.85.81.0/24 (I don't even get a response from the LAN side IP of the wireless router, 10.85.81.10).
C:\Documents and Settings\Administrator>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0d 56 67 9a ba ...... Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.202 20
10.85.81.0 255.255.255.0 192.168.1.201 192.168.1.202 1
10.85.81.10 255.255.255.255 192.168.1.102 192.168.1.202 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.202 192.168.1.202 20
192.168.1.202 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.202 192.168.1.202 20
224.0.0.0 240.0.0.0 192.168.1.202 192.168.1.202 20
255.255.255.255 255.255.255.255 192.168.1.202 192.168.1.202 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
10.85.81.0 255.255.255.0 192.168.1.201 1
10.85.81.10 255.255.255.255 192.168.1.102 1
This is a consumer router so maybe it doesn't handle different DHCP traffic between two subnets very well. I'm going to try and assign it a static address and see what happens.
JT
DHCP or STATIC should not make a difference.
You may need to add static routes on the router also, and check the firewall config.
I hope this helps!
There are two different tasks:
1. From the 10.85.81.0 network, access 192.168.1.0
2. From the 192.168.1.0 network, access 10.85.81.0
So:
1. Can you ping from 10.85.81.0 to any device in the 192.168.1.0 network?
2. What is the model of your Linksys device? I propose you need to divide your networks into parts, where one will not have access to the second. If both networks should have the same rights, why do you want to divide them? Do you have more than 250 computers?
ASKER
I've got one logical network, period. Unfortunately, I've got two devices that don't integrate well.
1. A Netscreen 5GT -- used as a firewall protecting my home network from the Internet (a cable modem)
2. A Linksys WRV200 Wireless Router
The cable modem is connected to the UNTRUST port of the Juniper firewall. And the Linksys wireless router is connected to the TRUST switchport on the Juniper firewall.
The Juniper TRUST ports (four of them) are configured by its internal DHCP server with specific parameters:
a) Gateway address = 192.168.1.1
b) SNM = 255.255.255.0
c) DHCP Scope = 192.168.1.200-219
d) DHCP DNS = 66.76.87.122 | 66.76.88.122
The Linksys wireless router has an ethernet cable connected from its INTERNET port to the TRUST port on the Juniper firewall. It is currently configured with an Internet connection type of "Automatic Configuration - DHCP", in this case 192.168.1.201, which it receives from the Juniper device.
I have to configure a different LAN IP for the Linksys device, so I set it to 10.85.81.10. It, in turn, serves IP addresses to wireless clients from its own DHCP server configured as follows:
a) DHCP address range = 10.85.81.100-119
b) SNM = 255.255.255.0
c) Gateway address = 10.85.81.10
d) DNS = uses the upstream router
I want a wired workstation connected to the TRUST port on the Juniper device to connect to a wireless client connected wirelessly to the Linksys device. To date, I've managed to PING the wired workstation from a wireless client, even remote desktop into it. But not the other way around...
EXCEPT...when I changed the Operation Mode on the Linksys "Advanced Routing" tab from Gateway to Router. In this scenario, I can ping both directions, but now my wireless clients are no longer able to get out onto the Internet.
It's really kludged!
I think you need to change the mode of the Linksys to Access point, as was recommended in the first comment (jimmyray7). All devices will be on one network. Your router must be set to "infrastructure mode". I can't find this mode in the Linksys manual. Maybe you can. You can also (without changing the mode) connect the cable from the Juniper to any LAN port of the Linksys and disable DHCP in the Linksys.
SOLUTION
ASKER
The Linksys router was the real problem here. But I finally configured it as an access point for my local LAN, and it even acts as a DHCP relay for all my wireless clients.
Here's what I did:
I set the Linksys device to Router Mode (SETUP-->ADV ROUTING-->OPERATION MODE) and rebooted twice. Then, after ensuring the Internet Connection Type was set for "Automatic Configuration - DHCP", I disabled the local DHCP Server, changed the LAN IP address to 192.168.1.55 and connected a wired ethernet cable to the LAN switch-port on the Linksys device (which connects back to the LAN TRUST interface of the Juniper device).
Now the Linksys device is passively acting as a DHCP relay for the server service running on the Netscreen 5GT. It actually passes the DHCP scope to its wireless clients upon WAP authentication.
It should be noted that, the Linksys device is no longer collecting a DHCP address from the Juniper server b/c its own LAN IP address is already on the same subnet.
Is your Linksys working as NAT or as a simple router? If as NAT, disable it.
It is better to set the Linksys to a static IP.
On the workstations of the first network (Juniper side), add a route to the second network:
route add 10.85.81.0 MASK 255.255.255.0 192.168.1.201