Screen OS

  • 1.  Juniper SSG550M - question

    Posted 04-02-2014 03:47

    Hello guys,

    Not too sure how to subject the question which I have.

    It might be a bit complicated to explain, but I will try.

    We are currently having an SSG550M in our network with 2 separate internet connections. One connection is for the business, the second one is for Wireless Guests. We would like to keep WiFi separate so the guests who are using it won't have access to our LAN resources.

    To make it simple, there are two separate subnets, one dedicated for LAN (10.X.X.X/8) and the second for WiFi (192.168.X.X/16).

    Everything works fine until someone from Guest is trying to access the Web Site which is hosted on one of the servers or Juniper SSL boxes inside of our LAN.

    When pinging the website URL, DNS resolves the name to the correct public IP address, which sits on our firewall (MIP), and sends all the traffic to it.

    The traceroute also looks correct.

    I believe what happens is that the traffic which goes out from the WiFi Untrust interface and then comes back in via the Business Untrust interface will be redirected incorrectly by the firewall's routing table, and rather than sending the reply back to the Untrust WiFi IP address it will look for a route in the routing table of the firewall and will do it using that route.

    The question now is: is it possible to somehow change it using maybe PBR or untrust-vr (I have never used this and am not too sure how it works)?

    Thanks for all the suggestions.

    Regards,

    Dom



  • 2.  RE: Juniper SSG550M - question

    Posted 04-02-2014 04:47

    How about using virtual routers? Isolate the networks from each other completely.

    The simplest setup would be like this:

    - Put the internet connection in untrust-vr

    - Point the untrust-vr default route to the internet

    - Create static routes for the LAN/WiFi networks on untrust-vr, each pointing to the correct virtual router (e.g. 10.0.0.0/8 -> trust-vr and 192.168.0.0/16 -> wifi-vr)

    - Create a new virtual router for the WiFi network (e.g. wifi-vr)

    - Move the WiFi networks to this new virtual router

    - Leave your LAN in trust-vr

    - Create a static default route for the LAN/WiFi virtual routers and point it to untrust-vr

    If you are satisfied with the answer, please click "Accepted as Solution". Kudos also welcome!



  • 3.  RE: Juniper SSG550M - question

    Posted 04-02-2014 05:40

    Hi Terosa,

    It looks like all my present static routes sit in trust-vr.

    I don't understand how trust-vr, untrust-vr, etc. work yet.

    Do I need to move the default (internet) routes to untrust-vr, or can I just use Wireless-vr and move the routes for wireless only?



  • 4.  RE: Juniper SSG550M - question

    Posted 04-02-2014 05:57

    @NIS_Dom wrote:

    Do I need to move the default (internet) routes to untrust-vr, or can I just use Wireless-vr and move the routes for wireless only?

    Hi,

    You said you have two internet connections. Two ISPs? If so, you could only create a new virtual router and attach the wireless LAN and the second internet connection to that virtual router, and leave your production LAN and the other internet connection in trust-vr. Then the networks would be completely isolated from each other.

    Virtual routers are explained very well in the manuals. You can think of virtual routers as physical routers when it comes to how they work.

    If you are satisfied with the answer, please click "Accepted as Solution". Kudos also welcome!



  • 5.  RE: Juniper SSG550M - question

    Posted 04-02-2014 06:12

    Will that fix my issue?

    How do I create a routing between trust-vr and wireless-vr?



  • 6.  RE: Juniper SSG550M - question
    Best Answer

    Posted 04-02-2014 06:48

    @NIS_Dom wrote:

    Will that fix my issue?

    How do I create a routing between trust-vr and wireless-vr?

    I am a little confused here. First you said you want to separate them and now you want to create a route between them?

    Perhaps you just want to create a firewall policy between networks if it's not there already? You can check how traffic flows inside the firewall by using internal debug commands (told you how in another post). But with separate virtual routers the traffic would flow through the internet and through 2 different ISPs in this case, since there's no connection between virtual routers. It makes no sense if you want to separate the networks, but of course you can make routes between virtual routers. In this case, if you would want to route traffic between two virtual routers, wireless-vr and trust-vr, you would create a route in wireless-vr for 10.0.0.0/8 to point to trust-vr and vice versa 192.168.0.0/16 to point to wireless-vr.

    set vrouter wireless-vr route 10.0.0.0/8 vrouter trust-vr

    set vrouter trust-vr route 192.168.0.0/16 vrouter wireless-vr

    Perhaps I've misunderstood your problem and am suggesting a completely wrong solution. Maybe you would like to show us some kind of a network diagram and tell us more about what you are trying to achieve. Debug flow data wouldn't hurt either if you can't interpret it yourself.

    If you are satisfied with the answer, please click "Accepted as Solution". Kudos also welcome!
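As an added illustration (not part of the thread and not Juniper code), this Python model of ScreenOS-style virtual-router lookups shows what the two `set vrouter ... route ... vrouter ...` lines in the answer above change: without them a guest packet for 10.0.0.0/8 follows wireless-vr's default route out to its own ISP, with them the lookup hops into trust-vr. The two-ISP layout and the interface names are assumptions.

```python
import ipaddress

# Constructed model of ScreenOS virtual-router lookups; not Juniper code.
# A next hop is either an egress description or "vrouter <name>" (another VR).
class VRouter:
    def __init__(self, name):
        self.name = name
        self.routes = []  # list of (ip_network, next_hop)

    def add_route(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, dst):
        """Longest-prefix match; returns the next hop string or None."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, nh in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best[1] if best else None

def resolve(vrouters, src_vr, dst, max_hops=4):
    """Follow 'vrouter X' next hops across VRs; returns (VR path, egress or None)."""
    vr, path = src_vr, [src_vr]
    for _ in range(max_hops):
        nh = vrouters[vr].lookup(dst)
        if nh is None:
            return path, None             # no route at all: packet dropped
        if not nh.startswith("vrouter "):
            return path, nh               # egress found in this VR
        vr = nh.split(" ", 1)[1]          # re-run the lookup in the named VR
        path.append(vr)
    return path, None                     # loop guard

def build(inter_vr_routes):
    """Two-ISP layout from the thread (assumed interface names): each VR owns a default."""
    trust = VRouter("trust-vr")
    trust.add_route("10.0.0.0/8", "ethernet0/0")
    trust.add_route("0.0.0.0/0", "ethernet0/2 isp-a")
    wifi = VRouter("wireless-vr")
    wifi.add_route("192.168.0.0/16", "ethernet0/1")
    wifi.add_route("0.0.0.0/0", "ethernet0/3 isp-b")
    if inter_vr_routes:  # the two 'set vrouter ... route ... vrouter ...' lines
        wifi.add_route("10.0.0.0/8", "vrouter trust-vr")
        trust.add_route("192.168.0.0/16", "vrouter wireless-vr")
    return {"trust-vr": trust, "wireless-vr": wifi}

if __name__ == "__main__":
    for inter in (False, True):
        print("inter-VR routes:", inter, resolve(build(inter), "wireless-vr", "10.1.2.3"))
```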



  • 7.  RE: Juniper SSG550M - question

    Posted 04-02-2014 06:57

    Hi Terosa,

    It's a bit more complicated, as I have PBR in place which basically separates the WiFi traffic from the production LAN and sends it across the second ISP interface.

    I do want to create 2 separate routers but will also have to recreate the PBR, as currently everything is in my trust-vr.

    Will run a few tests and see how it works.

    Thanks for your help



  • 8.  RE: Juniper SSG550M - question

    Posted 04-02-2014 08:04

    I am pretty sure you can ditch PBR when implementing virtual routers.



  • 9.  RE: Juniper SSG550M - question

    Posted 04-02-2014 08:29

    That worked !!!

    Thanks a lot Terosa for your help today.