Skip to main content

Juniper / NetScreen Dual Untrust

Something I did recently using a SSG 20 with commercial T1 and Comcast and both default virtual routers. (You don't have to use two virtual routers, but here's why I did this at first). Initially, my client reported that Comcast was assigning DHCP to the firewall's interface. When DHCP is used, the default route created from DHCP cannot be modifed and will show up as a directly connected route, so it will have a higher metric (unless you modify your preference / metric settings, but I have not tried that) So, if Comcast is supposed to be the backup route, placing it in the untrust-vr and controlling traffic in the trust-vr worked great. This works fine with a static IP as well.

Here we go:

Here are the default zones in the default trust-vr.

set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"

I created a new custom zone and placed it in the untrust-vr

set zone id 101 "Comcast"
set zone "Comcast" vrouter "untrust-vr"

I set int Ethernet0/1 in the Comcast zone. You will have to do this or track-ip will not fail the interface back. You have to setup a manage IP on the Ethernet0/0 (untrust) interface. See the the track-ip section below.

set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "Comcast"
set interface "ethernet0/2" zone "Trust"
set interface ethernet0/0 ip 1.1.1.1/24
set interface ethernet0/1 ip 2.2.2.1/24
set interface ethernet0/2 ip 192.168.1.1/24

I then setup the track-ip option. Track-ip will use the manage ip to ping. Why? Because if track-ip can't ping the remote IP (usually a device a couple of hops from you) it brings down the interface (in software only) and thus can't monitor the remote IP if the interface is down. Track-ip uses the manage ip for those tests. If the interface link goes down, whether you unplug the cable or the upstream device goes offline, then track-ip does not play a role, but since the link is down so is the first default route and thus the second default route comes up.

set interface ethernet0/0 monitor track-ip ip

The default weight is 255, which means that -this- test has to fail 255 times before the track-ip test causes the interface to go down. If you have multiple tests, the sum of all tests must equal the weight before it drops the interface and thus the route. This only happens in software, you probably will not see the link drop or the status of the interface go down.

set interface ethernet0/0 monitor track-ip weight 1

The following interval is in seconds.

set interface ethernet0/0 monitor track-ip ip 4.2.2.2 interval 5

The threshold is the number of tests that must fail before track-ip drops the interface. So, in this scenario, track-ip will monitor the remote ip every 5 seconds (interval), if it fails twice (threshold) then the weight equals 1, and brings the interface down.

set interface ethernet0/0 monitor track-ip ip 4.2.2.2 threshold 2




Set a new default route in the untrust-vr and then set route's back to the network in the trust-vr. The default route in the untrust-vr will be active but traffic won't hit this VR until the track-ip option disables the interface located in the trust-vr. When that happens, the default route in the trust-vr becomes inactive and the second route comes up, sending traffic to the untrust-vr. Note the preference on the two default routes in the trust-vr.

set vrouter "untrust-vr"
set route 0.0.0.0/0 interface ethernet0/1 gateway 2.2.2.2
set route 192.168.1.0/24 vrouter "trust-vr" preference 20
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet0/0 gateway 1.1.1.2 preference 10
set route 0.0.0.0/0 vrouter "untrust-vr" preference 20 metric 1
exit



Comments

Amal said…
Any idea how to do this on a NS5GT? It won't allow me to move interfaces into any other zone but Untrust. Therefore I can't get the Connected route moved to another virtual router, hence no way to export and manage routes properly.

Am I just stuck with needing to buy a new model?
Giggly Bits said…
Amal, thanks for the comment.

I will fire up a 5GT and find a solution with you. I assume you have the firewall in dual untrust mode already.

I will follow up and/or figure out how to get my contact info to you.
Giggly Bits said…
I know you left a comment a little while back, but I have been hacking on this and I can't find a good way to resolve what you want to do. I guess the only answer I can provide is to use a newer firewall with more flexibility than the 5GT (read: SSG5). Eesh; sorry.
Unknown said…
Hi, is there any way to setup a policy-based routing on NetScreen 25?

I would like to re-direct tcp80 traffic to internal IP let say 10.0.0.2 which is Linux router's in IP, the linux router is connected using a 2nd internet connection.

Netscreen 25's internal IP is 10.0.0.1 and connected with another internet connection, how can i configure the PBR for the specified traffic?

Please help :-)
Unknown said…
Sorry forgot to say the NetScreen OS of my NetScreen 25 is 5.3
Giggly Bits said…
full, I'll be glad to help. You guys can also reach me at munpeq at gee mail dot com.

First things first, you should be upgrading your NS 25 to 5.4.0r10.0 at least. In one recent environment, we had to upgrade to 5.4.0 from 5.0.0r9.0 to have PBR functionality.

Contact me via email (above) and I'll be glad to give you a hand. Once you do it, the PBR is simple but you have to see it first to get the concept.

-MQ
Unknown said…
On the 5gt, I just created tagged interfaces and put them into custom zones. - you'll need a switch that'll do tagging to pull it off tho.

Popular posts from this blog

Um, EHLO?!

So, I have to say what a drag it is to have 20+ .pst files from an Exchange 2000 server and having no way to import said .pst files at the server level into Exchange 2007. Oh yes, I'm well aware of the SP1 option for the <!@%^%$#> Import-Mailbox Powershell command syntax, but, I'm also aware that SP1 is not yet out of beta. And even if it was today, it wouldn't have helped me 10 days ago. Here's the situation. I'm in the middle of trying to migrate a small organization over from Windows 2000 DC's and Exchange 2000 to Windows Server 2003 + Exchange 2007, I run into what I am still dwelling on, no .pst import option. Well, the two biggest problems / pain in the  <!@%^%$#>  on this project was the fact that 1) Active Directory has inconsistencies 2) Exchange 2000 is installed on a Domain Controller. Now, what's the problem with that? I can't ADPREP Active Directory with inconsistencies that are not easily resolved. But, for fun let's ...

Devaluation of Technical Certifications In Progress

I received this email as a member of a Juniper group within Google, and I was a bit blown away by the fact that someone, first of all, would be willing to pay someone else to get them certified. But then I realized after some thought, while consulting with some of the knuckleheads that I have had to work with that have > 5 certifications all from different vendors, and couldn't possibly due the work they were hired for. Honestly. I've seen it and been dumbfounded by the amount of coin they were pulling in and then they would have me do the work. Awesome. Is this the end of how certifications are valued? I of course have NEVER thought highly of certifications. My biggest reason is because so many test questions are so loaded and NEVER straight forward and are so subjective that you have to guess what {Enter Vendor Name Here} wants instead of interesting factual information.  <!@%^%$#>  I hate tests but not enough to be a  <!@%^%$#>   <!@%^%$#> ...