Home setup question with 5GT

kenoo Member Posts: 27
I recently got a netscreen 5GT that I want to incorporate into a home office, have a quick question on how the topology should be setup.

The office has time warner cable internet connection coming to an Arris cable modem box, from there a linksys router/WAP with the hosts connected. I want to continue to have the linksys router act as the DHCP server.

Where would the netscreen firewall sit in this setup? Would the untrust interface go directly to the Arris cable modem? And from there run a cable from the untrust interface to the linksys router?

What should the interfaces be set to in terms of DHCP and routing? I quickly tried re-arranging it earlier and was able to get LAN connectivity but no internet access.

Comments

  • Aldur Juniper Moderator Member Posts: 1,460
    I'm using a 5gt in a similar setup for my home office. How it's working for me is the 0/0 port is the WAN port, in the untrust zone, which connects to the ISP. All other ports are set for switching in the trust zone. I then turned off all DHCP features on the 5gt and plugged a WAP into one of the trusted switching ports. Other cables connecting the rest of the network are plugged in to the other switching ports on the 5gt.

    From there it all worked automagically. :) NAT is occurring out/in the 0/0 port, which gives me my internet access. And the WAP which is connected to a switched port hands out IP addys, via DHCP, to any other client on the home network.

    HTH
    "Bribe is such an ugly word. I prefer extortion. The X makes it sound cool."

    -Bender
  • kenoo Member Posts: 27
    Aldur wrote: »
    I'm using a 5gt in a similar setup for my home office. How it's working for me is the 0/0 port is the WAN port, in the untrust zone, which connects to the ISP. All other ports are set for switching in the trust zone. I then turned off all DHCP features on the 5gt and plugged a WAP into one of the trusted switching ports. Other cables connecting the rest of the network are plugged in to the other switching ports on the 5gt.

    From there it all worked automagically. :) NAT is occurring out/in the 0/0 port, which gives me my internet access. And the WAP which is connected to a switched port hands out IP addys, via DHCP, to any other client on the home network.

    HTH

    I'm still having issues with the WAN connection

    Everything on the LAN side is fine, whether I set the netscreen or the linksys router as the DHCP server, the LAN works fine

    I still can't get any internet access when plugging the ISP line into the untrust port of the netscreen. It's a dynamically assigned IP so I set it as a DHCP client, set it to NAT, configured DNS, verified that there are default routes going out through the proper gateway from the ISP, and have policies to allow any/any from trust to untrust. Any ideas?
  • zoidberg Member Posts: 365
    If the 5GT supports transparent mode, I would probably use that. No addressing, DHCP, or NAT needed on the 5GT. Untrust facing the cable modem, and Trust facing the Linksys. The Linksys receives the IP from the ISP and works just like you had it before.

    Another alternative, put the Linksys into bridge mode? Any particular reason you want to use the Linksys for DHCP instead of the 5GT? Is this so it connects to the wireless network? With bridge mode, you could still connect to the Linksys wireless and then receive an IP from the 5GT. If you're using the Linksys to serve specific IPs to specific MACs, then that may be easier on the Linksys. The 5GT should be able to do that, but I don't remember the commands.
  • zoidberg Member Posts: 365
    For troubleshooting your problem...

    I'm assuming the Untrust interface is getting a valid IP from the ISP. Make sure that is happening. Perhaps the ISP limits the IPs by MAC address and you're not getting a valid IP to the new and unrecognized 5GT MAC?

    When you generate traffic from your network to the Internet, do you see any sessions on the 5GT? Does the session table show NAT from the LAN to the Internet working as expected?

    Turn on policy logging and counting to help troubleshoot to see if traffic is hitting the policies correctly. If logs are not showing you anything helpful, you can try doing a flow debug to see what blackhole your traffic is falling into.

    What subnet are you using between the 5GT and Linksys? What subnet are you using from the Linksys to the network? Same subnet? Or different?

    Depending on the configuration of your Linksys, you could be running into a less than ideal double-NAT scenario as well. For example, client with 192.168.1.100 tries to go to the Internet. Linksys NATs that to its WAN interface IP of 192.168.1.1. The 5GT then NATs again to its Untrust interface IP of 192.168.238.53.
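The double-NAT path zoidberg describes, as an added example that is not part of the original thread: each NAT device has to hold a session entry for the flow, and the reply is silently dropped at whichever box no longer has one. The addresses are the constructed ones from the post (client 192.168.1.100, Linksys WAN 192.168.1.1, 5GT Untrust 192.168.238.53) plus a documentation-range server address; nothing here talks to real hardware.

```python
"""Model of a double-NAT path: two source-NAT hops and a server reply walking
back through them.  Addresses are constructed for illustration only."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple
import itertools


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NatHop:
    """One source-NAT device.  Outbound flows are rewritten to the hop's external
    address and a fresh port; the mapping is kept so the reply can be undone."""
    name: str
    external_ip: str
    next_port: itertools.count = field(default_factory=lambda: itertools.count(40000))
    # (external ip, translated port) -> (original src ip, original src port)
    sessions: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)

    def outbound(self, flow: Flow) -> Flow:
        port = next(self.next_port)
        self.sessions[(self.external_ip, port)] = (flow.src_ip, flow.src_port)
        return Flow(self.external_ip, port, flow.dst_ip, flow.dst_port)

    def inbound(self, reply: Flow) -> Optional[Flow]:
        """Undo the translation for a reply, or return None when no session matches
        (for example after the session aged out): the reply is dropped here."""
        orig = self.sessions.get((reply.dst_ip, reply.dst_port))
        if orig is None:
            return None
        return Flow(reply.src_ip, reply.src_port, orig[0], orig[1])


def trace(hops: List[NatHop], flow: Flow, lose_state: Set[str] = frozenset()) -> dict:
    """Push one flow out through every hop, have the server answer, and walk the
    reply back.  Hops named in lose_state forget their sessions before the reply
    arrives, which is what an aged-out session looks like from the client side:
    bytes sent, nothing received."""
    path = [("client", flow)]
    for hop in hops:
        flow = hop.outbound(flow)
        path.append((hop.name, flow))
    reply = Flow(flow.dst_ip, flow.dst_port, flow.src_ip, flow.src_port)
    path.append(("server reply", reply))
    for hop in reversed(hops):
        if hop.name in lose_state:
            hop.sessions.clear()
        reply = hop.inbound(reply)
        path.append((hop.name, reply))
        if reply is None:
            return {"delivered": False, "dropped_at": hop.name, "path": path}
    return {"delivered": True, "dropped_at": None, "path": path}


def double_nat(lose_state: Set[str] = frozenset()) -> dict:
    """The Linksys-then-5GT chain from the post, with constructed addresses."""
    linksys = NatHop("linksys", "192.168.1.1")
    ngt = NatHop("5gt-untrust", "192.168.238.53")
    client = Flow("192.168.1.100", 51000, "203.0.113.10", 80)
    return trace([linksys, ngt], client, lose_state)


if __name__ == "__main__":
    for label, lost in (("healthy", frozenset()), ("5GT session lost", {"5gt-untrust"})):
        result = double_nat(lost)
        print(f"--- {label}: delivered={result['delivered']} dropped_at={result['dropped_at']}")
        for where, f in result["path"]:
            print(f"  {where:14} {f}")
```

Run it and compare the two traces: in the healthy case the reply is un-translated twice and lands on 192.168.1.100:51000; when the 5GT's session is gone the reply stops at the Untrust interface and the inner hop never sees it, which is the pattern to look for when the session table shows outbound bytes only.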
  • kenoo Member Posts: 27
    zoidberg wrote: »
    For troubleshooting your problem...

    I'm assuming the Untrust interface is getting a valid IP from the ISP. Make sure that is happening. Perhaps the ISP limits the IPs by MAC address and you're not getting a valid IP to the new and unrecognized 5GT MAC?

    When you generate traffic from your network to the Internet, do you see any sessions on the 5GT? Does the session table show NAT from the LAN to the Internet working as expected?

    Turn on policy logging and counting to help troubleshoot to see if traffic is hitting the policies correctly. If logs are not showing you anything helpful, you can try doing a flow debug to see what blackhole your traffic is falling into.

    What subnet are you using between the 5GT and Linksys? What subnet are you using from the Linksys to the network? Same subnet? Or different?

    Depending on the configuration of your Linksys, you could be running into a less than ideal double-NAT scenario as well. For example, client with 192.168.1.100 tries to go to the Internet. Linksys NATs that to its WAN interface IP of 192.168.1.1. The 5GT then NATs again to its Untrust interface IP of 192.168.238.53.

    The untrust is getting the proper IP address from the cable modem

    I have policy logging on, and any traffic going outbound shows up with bytes sent, but none received, and a close age out.

    They're both on the same subnet, and I turned off NAT on the linksys before turning it on for the untrust interface on the netscreen.
  • JDMurray MSIT InfoSec CISSP SSCP GSEC EnCE C|EH Cloud+ CySA+ CASP+ PenTest+ Security+ Surf City, USA Admin Posts: 12,408
    What version of ScreenOS is in your 5GT? I bought a 5GT surplus for $10US that has ScreenOS 5.0.0. It appears that the 5GT can be upgraded to the latest ScreenOS 6.2.0, but the price of the basic 10-user license is more than the 5GT itself cost when it was new. Is it safe to use a 5GT running only ScreenOS 5.0.0?
  • ayori Member Posts: 48
    kenoo wrote: »
    The untrust is getting the proper IP address from the cable modem

    I have policy logging on, and any traffic going outbound shows up with bytes sent, but none received, and a close age out.

    They're both on the same subnet, and I turned off NAT on the linksys before turning it on for the untrust interface on the netscreen.
    Try doing your NATing on the Linksys and set both Untrust and Trust ports on the 5GT to route mode. Is the trust port on the 5GT on the same subnet as the client PCs behind the Linksys? If not, then you need a route back on the 5GT to the client PCs.
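ayori's question of whether the 5GT needs a route back to the client PCs, as an added example that is not part of the thread: given the Trust interface address, the Linksys WAN address and the client subnet, the check decides whether clients are on-link for the 5GT or a static route via the Linksys is required, and prints the route in ScreenOS `set route` form. All addresses are constructed, the interface name `trust` is assumed, and the command syntax should be confirmed against your own ScreenOS version.

```python
"""Return-route check for a 5GT Trust interface in route mode, with a Linksys
forwarding (not NATing) a client LAN behind it.  Addresses are constructed."""
import ipaddress
from typing import Optional, Tuple


def return_route_needed(trust_if_cidr: str, linksys_wan_ip: str,
                        client_subnet: str) -> Optional[Tuple[str, str]]:
    """Return None when the client subnet is on-link for the Trust interface
    (the 5GT can ARP for clients directly), otherwise the (destination,
    next-hop) pair for the static route the 5GT needs so replies reach the
    clients.  Raises ValueError for topologies that cannot work."""
    trust = ipaddress.ip_interface(trust_if_cidr)
    clients = ipaddress.ip_network(client_subnet, strict=False)
    next_hop = ipaddress.ip_address(linksys_wan_ip)

    # The Linksys WAN side has to be reachable on the Trust segment itself,
    # otherwise it cannot be a next hop at all.
    if next_hop not in trust.network:
        raise ValueError(f"Linksys WAN {next_hop} is not on the Trust segment {trust.network}")
    if clients == trust.network or clients.subnet_of(trust.network):
        return None
    # A partial overlap means the two subnets were mis-planned; fail loudly.
    if clients.overlaps(trust.network):
        raise ValueError(f"client subnet {clients} partly overlaps the Trust segment {trust.network}")
    return (str(clients), str(next_hop))


def screenos_route_command(route: Tuple[str, str], trust_ifname: str = "trust") -> str:
    """Render the static route in ScreenOS 'set route' syntax (assumed; verify on
    your ScreenOS version).  The 5GT's Trust-side interface is named 'trust'."""
    dest, gw = route
    return f"set route {dest} interface {trust_ifname} gateway {gw}"


if __name__ == "__main__":
    # Constructed case 1: Trust and the client LAN are different subnets.
    route = return_route_needed("192.168.2.1/24", "192.168.2.2", "192.168.1.0/24")
    print("different subnets ->", screenos_route_command(route) if route else "no route needed")
    # Constructed case 2: everything in one subnet, the 5GT reaches clients directly.
    route = return_route_needed("192.168.1.254/24", "192.168.1.1", "192.168.1.0/24")
    print("same subnet       ->", screenos_route_command(route) if route else "no route needed")
```

The check mirrors the symptom described earlier in the thread: if the 5GT has no route covering the client subnet, outbound packets still leave through Untrust but the replies never find their way back past the Trust interface.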