ScreenOS Firewalls (NOT SRX)
Contributor
drick
Posts: 37
Registered: ‎01-13-2008

NS5GT / can't route traffic across new subnet, why?

Hi,

I currently have a flat network (192.168.1.x) that all my devices live on. I'm trying to add a new wireless subnet (192.168.2.x) in my environment. When I do this, it appears that the 5GT is stepping on all of that traffic, see examples below:

Date / Time           Level   Description
2010-04-01 10:12:50   alert   IP spoofing! From 192.168.2.3:64619 to 224.0.0.252:5355, proto UDP (zone Trust, int ethernet1). Occurred 2 times.
2010-04-01 10:12:17   alert   IP spoofing! From 192.168.2.3:60771 to 224.0.0.252:5355, proto UDP (zone Trust, int ethernet1). Occurred 2 times.
2010-04-01 10:11:44   alert   IP spoofing! From 192.168.2.3:62147 to 224.0.0.252:5355, proto UDP (zone Trust, int ethernet1). Occurred 2 times.
2010-04-01 10:11:22   alert   IP spoofing! From 192.168.2.3:54282 to 224.0.0.252:5355, proto UDP (zone Trust, int ethernet1). Occurred 1 times.
2010-04-01 10:11:22   alert   IP spoofing! From 192.168.2.3:54278 to 224.0.0.252:5355, proto UDP (zone Trust, int ethernet1). Occurred 1 times.
2010-04-01 10:11:22   alert   IP spoofing! From 192.168.2.3:59913 to 224.0.0.252:5355, proto UDP (zone Trust, int ethernet1). Occurred 1 times.
2010-04-01 10:11:22   alert   IP spoofing! From 192.168.2.3:51592 to 224.0.0.252:5355, proto UDP (zone Trust, int ethernet1). Occurred 1 times.
2010-04-01 10:11:11   alert   IP spoofing! From 192.168.2.3:63443 to 224.0.0.252:5355, proto UDP (zone Trust, int ethernet1). Occurred 2 times.
2010-04-01 10:10:58   alert   IP spoofing! From 192.168.2.3:62582 to 239.255.255.250:1900, proto UDP (zone Trust, int ethernet1). Occurred 1 times.
2010-04-01 10:10:55   alert   IP spoofing! From 192.168.2.3:62582 to 239.255.255.250:1900, proto UDP (zone Trust, int ethernet1). Occurred 1 times.
2010-04-01 10:10:52   alert   IP spoofing! From 192.168.2.3:62582 to 239.255.255.250:1900, proto UDP (zone Trust, int ethernet1). Occurred 1 times.
2010-04-01 10:10:52   alert   IP spoofing! From 192.168.2.3:55533 to 224.0.0.252:5355, proto UDP (zone Trust, int ethernet1). Occurred 2 times.
2010-04-01 10:10:49   alert   IP spoofing! From 192.168.2.3:62582 to 239.255.255.250:1900, proto UDP (zone Trust, int ethernet1). Occurred 1 times.
2010-04-01 10:10:46   alert   IP spoofing! From 192.168.2.3:62582 to 239.255.255.250:1900, proto UDP (zone Trust, int ethernet1). Occurred 1 times.
2010-04-01 10:10:45   alert   IP spoofing! From 192.168.2.3:64091 to 224.1.0.38:497, proto UDP (zone Trust, int ethernet1). Occurred 1 times.
2010-04-01 10:10:43   alert   IP spoofing! From 192.168.2.3:64089 to 224.1.0.38:497, proto UDP (zone Trust, int ethernet1). Occurred 1 times.
2010-04-01 10:10:43   alert   IP spoofing! From 192.168.2.3:62582 to 239.255.255.250:1900, proto UDP (zone Trust, int ethernet1). Occurred 5 times.
2010-04-01 10:10:42   alert   IP spoofing! From 192.168.2.3:64087 to 224.0.0.252:5355, proto UDP (zone Trust, int ethernet1). Occurred 2 times.
2010-04-01 10:10:41   alert   IP spoofing! From 192.168.2.3:61121 to 224.1.0.38:497, proto UDP (zone Trust, int ethernet1). Occurred 1 times.
2010-04-01 10:10:41   alert   IP spoofing! From 192.168.2.3 to 224.0.0.22, proto 2 (zone Trust, int ethernet1). Occurred 2 times.

How do I fix this so the 5GT will pass the traffic on?

TIA for any/all assistance.

Super Contributor
Moerkholt
Posts: 169
Registered: ‎11-05-2007

Re: NS5GT / can't route traffic across new subnet, why?

Hi

Can you post the output from get interface and get route?

Regards

Hans
JNCIS-FWV

If this worked for you then please flag my post as an "Accepted Solution" so others can benefit from it. A kudo would be nice if you think I earned it
Contributor
drick
Posts: 37
Registered: ‎01-13-2008

Re: NS5GT / can't route traffic across new subnet, why?

 


Moerkholt wrote:

Hi

Can you post the output from get interface and get route?

Stripped out personally identifiable info, but this should give some clarification.


ns5gt-> get interface

A - Active, I - Inactive, U - Up, D - Down, R - Ready

Interfaces in vsys Root:
Name           IP Address                        Zone        MAC            VLAN State VSD
eth1           192.168.1.1/24                    Trust       x.x.x            -   U   -
eth2           192.168.3.1/24                    DMZ         x.x.x            -   D   -
eth3           0.0.0.0/0                         Untrust     x.x.x            -   D   -
eth4           x.x.x.x/21                        Untrust     x.x.x            -   U   -
vlan1          0.0.0.0/0                         VLAN        x.x.x            1   D   -
null           0.0.0.0/0                         Null        N/A               -   U   0

ns5gt-> get route


IPv4 Dest-Routes for <untrust-vr> (0 entries)
--------------------------------------------------------------------------------------
H: Host C: Connected S: Static A: Auto-Exported
I: Imported R: RIP P: Permanent D: Auto-Discovered
N: NHRP
iB: IBGP eB: EBGP O: OSPF E1: OSPF external type 1
E2: OSPF external type 2 trailing B: backup route


IPv4 Dest-Routes for <trust-vr> (7 entries)
--------------------------------------------------------------------------------------
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------------
*        70          0.0.0.0/0           eth4       x.x.x.x   C    0      1     Root
*         5      x.x.x.0/21               eth4         0.0.0.0   C    0      0     Root
*         2     192.168.1.1/32           eth1         0.0.0.0   H    0      0     Root
          4     192.168.3.1/32           eth2         0.0.0.0   H    0      0     Root
*         6     x.x.x.x/32               eth4         0.0.0.0   H    0      0     Root
          3     192.168.3.0/24           eth2         0.0.0.0   C    0      0     Root
*         1     192.168.1.0/24           eth1         0.0.0.0   C    0      0     Root



Super Contributor
Moerkholt
Posts: 169
Registered: ‎11-05-2007

Re: NS5GT / can't route traffic across new subnet, why?

Hi

As you can see from the routing table there is no route for 192.168.2.0/24, and therefore the firewall does not know how to deliver traffic back to this network. Furthermore, as it has no route for it, it regards the traffic from 192.168.2.0/24 as being spoofed.

You have to configure a route (next hop gateway) that tells the firewall where to deliver the return traffic for 192.168.2.0/24.

Regards

Hans
JNCIS-FWV
Contributor
drick
Posts: 37
Registered: ‎01-13-2008

Re: NS5GT / can't route traffic across new subnet, why?

 


Moerkholt wrote:

Hi

As you can see from the routing table there is no route for 192.168.2.0/24, and therefore the firewall does not know how to deliver traffic back to this network. Furthermore, as it has no route for it, it regards the traffic from 192.168.2.0/24 as being spoofed.

You have to configure a route (next hop gateway) that tells the firewall where to deliver the return traffic for 192.168.2.0/24.

So I need to add a route that delivers/returns all 192.168.2.0 traffic to the 192.168.1.1 gateway?
I don't see any way to clone the route from the .1 network or the .3 network, and I don't remember how to do this, sorry.


Contributor
drick
Posts: 37
Registered: ‎01-13-2008

Re: NS5GT / can't route traffic across new subnet, why?

One more thing: there is no physical relationship to this subnet as it relates to the ns5gt. The wireless segment is not going to be physically connected to the 5GT (it comes into a switch).

Example -

Untrust / ISP connection goes into eth4

Trust connection comes out of eth1 into switch

Super Contributor
Moerkholt
Posts: 169
Registered: ‎11-05-2007

Re: NS5GT / can't route traffic across new subnet, why?

Hi

You have to route the traffic to the device that delivers the wireless traffic to the firewall.

I don't know if you have your wireless attached to ethernet1 or ethernet2, but as an example:

You have a Wireless Access Point/Wireless Router attached to ethernet1.

The IP address of the wireless device is 192.168.1.50.

What you have to do in this case is to make a route statement as follows:

set route 192.168.2.0/24 interface ethernet1 gateway 192.168.1.50

Regards

Hans
JNCIS-FWV
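As an added illustration (not code from the thread or from Juniper), the Python below models the reverse-path check behind the "IP spoofing!" alerts in the first post and shows why the route Hans gives above clears them. It rebuilds the trust-vr table from the posted `get route` output (the redacted ISP prefix and gateway are replaced by the constructed placeholders 203.0.113.0/24 and 203.0.113.1), treats the 192.168.1.50 access-point address Hans assumed as the next hop, and parses two of the posted log lines. The rule it implements, that the best route back to a packet's source must leave through the interface the packet arrived on, is a model of the firewall's behaviour, not ScreenOS code.

```python
"""Added example: model of the reverse-path (anti-spoof) check behind ScreenOS's
"IP spoofing!" alerts, run over the route table and log lines from this thread."""
import ipaddress
import re

# trust-vr routes reconstructed from the posted `get route` output, as
# (prefix, interface, gateway).  The ISP prefix and gateway were redacted in
# the post (x.x.x.x), so 203.0.113.0/24 and 203.0.113.1 are constructed placeholders.
ROUTES = [
    ("0.0.0.0/0",      "eth4", "203.0.113.1"),  # default route towards the ISP
    ("203.0.113.0/24", "eth4", None),           # placeholder for the redacted x.x.x.0/21
    ("192.168.1.0/24", "eth1", None),           # connected LAN (Trust)
    ("192.168.3.0/24", "eth2", None),           # connected DMZ (interface is Down)
]

# Two alert lines copied from the event log in the first post.
SAMPLE_ALERTS = [
    "2010-04-01 10:12:50 alert IP spoofing! From 192.168.2.3:64619 to 224.0.0.252:5355, "
    "proto UDP (zone Trust, int ethernet1). Occurred 2 times.",
    "2010-04-01 10:10:41 alert IP spoofing! From 192.168.2.3 to 224.0.0.22, "
    "proto 2 (zone Trust, int ethernet1). Occurred 2 times.",
]

# Source and destination may or may not carry a :port (proto 2 is IGMP, no ports).
ALERT_RE = re.compile(
    r"IP spoofing! From (\S+?)(?::\d+)? to (\S+?)(?::\d+)?, proto (\S+) "
    r"\(zone (\w+), int (\w+)\)"
)


def canonical_iface(name):
    """The log says 'ethernet1' while `get interface` says 'eth1'; compare the short form."""
    return name.replace("ethernet", "eth")


def lookup(routes, ip):
    """Longest-prefix match for ip; returns (prefix, interface, gateway) or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gateway)
    return None if best is None else (str(best[0]), best[1], best[2])


def is_spoofed(routes, src_ip, ingress_iface):
    """Reverse-path check: the route back to the source must use the ingress interface."""
    route = lookup(routes, src_ip)
    return route is None or route[1] != canonical_iface(ingress_iface)


def parse_alert(line):
    """Pull source, destination, protocol, zone and interface out of one alert line."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    src, dst, proto, zone, iface = m.groups()
    return {"src": src, "dst": dst, "proto": proto, "zone": zone, "iface": iface}


def add_route(routes, prefix, iface, gateway):
    """Models `set route <prefix> interface <iface> gateway <gateway>`; returns a new table."""
    return routes + [(prefix, iface, gateway)]


def explain_alerts(routes, lines):
    """Per alert: (source, ingress interface, matched prefix, dropped as spoofed?)."""
    results = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        route = lookup(routes, alert["src"])
        results.append((alert["src"], alert["iface"],
                        None if route is None else route[0],
                        is_spoofed(routes, alert["src"], alert["iface"])))
    return results


if __name__ == "__main__":
    print("before:", explain_alerts(ROUTES, SAMPLE_ALERTS))
    # Hans's fix: send 192.168.2.0/24 to the access point's LAN address on eth1.
    # 192.168.1.50 is the address he assumed for the wireless device.
    fixed = add_route(ROUTES, "192.168.2.0/24", "eth1", "192.168.1.50")
    print("after: ", explain_alerts(fixed, SAMPLE_ALERTS))
```

Two points worth noticing when running it: with only a default route present, the lookup for 192.168.2.3 does not fail outright but resolves to eth4, which is still a mismatch with the ingress interface eth1 and therefore the condition the firewall logs as spoofing; and the alert names the interface `ethernet1` while `get interface` shows `eth1`, so any tooling that correlates the two has to normalise the name before comparing.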
Contributor
drick
Posts: 37
Registered: ‎01-13-2008

Re: NS5GT / can't route traffic across new subnet, why?

Moerkholt wrote:

Hi

You have to route the traffic to the device that delivers the wireless traffic to the firewall.

I don't know if you have your wireless attached to ethernet1 or ethernet2, but as an example:

You have a Wireless Access Point/Wireless Router attached to ethernet1.

The IP address of the wireless device is 192.168.1.50.

What you have to do in this case is to make a route statement as follows:

set route 192.168.2.0/24 interface ethernet1 gateway 192.168.1.50

Can I do this virtually in the router vs. physically to the interface? I can't connect them in this fashion as the devices are not located in the same part of my SOHO.


Super Contributor
Moerkholt
Posts: 169
Registered: ‎11-05-2007

Re: NS5GT / can't route traffic across new subnet, why?

Hi

I am not sure what you mean.

How is your wireless network connected to your network?

Regards

Hans
JNCIS-FWV
Contributor
drick
Posts: 37
Registered: ‎01-13-2008

Re: NS5GT / can't route traffic across new subnet, why?

So in the front part of my SOHO we have multiple machines and the wireless gear. That is then routed via a long-haul Cat6 line to the "backoffice" where the ISP line comes in and the firewall lives.

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.