Screen OS


This is a legacy community with limited Juniper monitoring.
  • 1.  What's the correct way to define DIP pool (different subnet than the interface IP address)

    Posted 12-16-2010 05:17

    Hi all,

     

    I know that we can define DIP pool that is in different subnet than our interface IP address, by using the extended interface option.

     

    So after I define the IP pool range, then I click to select "In the same subnet as the extended IP", and enter an Extended IP/Netmask.

     

    My question is, what value should I enter in the Extended IP/Netmask field?

    Does this field function as a secondary interface or does it function as a netmask?

     

    1) Let's say I want to use 3.3.3.13 ~ 3.3.3.14 as my DIP pool.

    Which value should I enter in the Extended IP/Netmask field?

     

    a) 3.3.3.1 / 255.255.255.0

     

    b) 3.3.3.0 / 255.255.255.0

     

    c) 3.3.3.12 / 255.255.255.252

     

     

    2) Another example, if I want to use single IP address as my DIP pool, so I define the IP range 3.3.3.100 ~ 3.3.3.100

    Should I enter

     

    a) 3.3.3.1 / 255.255.255.0

    b) 3.3.3.0 / 255.255.255.0

    c) 3.3.3.100 / 255.255.255.255

     

    I've tried these three options and all of them work.

    What's the difference between these three options? Is there any difference that might affect my firewall performance?

     

     

    I'd appreciate it if someone could explain this, because I'm really curious what the difference is between these three options.

     

    Thanks!



  • 2.  RE: What's the correct way to define DIP pool (different subnet than the interface IP address)

    Posted 12-16-2010 09:05

    The subnet mask should only be dealing with the extended IP of the interface and shouldn't have anything to deal with your pool range.

     

    Here's an example out of the cookbook.

     

    set interface eth0/0 zone untrust

    set interface eth0/0 ip 2.2.2.100/24

    set interface eth0/0 ext ip 1.1.1.1/32 dip 4 1.1.1.1 

     

    or you could do this

     

    set interface eth0/0 zone untrust

    set interface eth0/0 ip 2.2.2.100/24

    set interface eth0/0 ext ip 1.1.1.1/32 dip 4 1.1.1.2 1.1.1.10

     

    I set this up a while back to solve interoperability issues and can provide you some more examples if you want.

     

    Greg



  • 3.  RE: What's the correct way to define DIP pool (different subnet than the interface IP address)

    Posted 12-16-2010 19:50

    Hi Greg,

     

    Thanks for replying, really appreciate it.

     

    The first example that you give will work.

    But the 2nd one doesn't work (I've tried using both CLI and WebUI), because 1.1.1.2 ~ 1.1.1.10 is not in the same subnet as ext IP 1.1.1.1/32

     

    As I mentioned earlier in my first post, there are some alternatives for this:

     

    a) set interface eth0/0 ext ip 1.1.1.0/24 dip 4 1.1.1.2 1.1.1.10

    b) set interface eth0/0 ext ip 1.1.1.1/24 dip 4 1.1.1.2 1.1.1.10

    c) set interface eth0/0 ext ip 1.1.1.0/28 dip 4 1.1.1.2 1.1.1.10

     

    Some of the Juniper documentation uses option b) because they say the extended IP functions as a secondary interface, while other people on the forums use option c) because the pool is within that range.

     

    Does anyone know if there's any difference between these 3 options?

     

    Thank you.



  • 4.  RE: What's the correct way to define DIP pool (different subnet than the interface IP address)
    Best Answer

    Posted 12-17-2010 00:37

    Hi,

     

    The network mask should cover the range of IPs in the pool. 

    set interface eth0/0 ext ip 1.1.1.1/32 dip 4 1.1.1.1 will work (a DIP with a single IP)

    set interface eth0/0 ext ip 1.1.1.1/32 dip 4 1.1.1.2 1.1.1.10 will not work.

    set interface eth0/0 ext ip 1.1.1.1/28 dip 4 1.1.1.2 1.1.1.10 will work because the IP range 1.1.1.1 - 1.1.1.15 contains the range 1.1.1.2 - 1.1.1.10.

    You can also configure multiple pools, for instance this way:

    set interface eth0/0 ext ip 1.1.1.1/28 dip 4 1.1.1.1

    set interface eth0/0 ext ip 1.1.1.1/28 dip 5 1.1.1.2 1.1.1.10

     



  • 5.  RE: What's the correct way to define DIP pool (different subnet than the interface IP address)

    Posted 12-17-2010 01:42

    Thanks for the explanation!
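
The rule from the best answer (the extended IP's netmask must cover the whole DIP range), written as a pre-check for config lines. This is an added example, not part of the original thread or Juniper code; `check_dip` and the regex are hypothetical helpers, the command form is taken from the lines quoted above, and the 3.3.3.12/30 sample is constructed from option c) of the first question.

```python
import ipaddress
import re

# Command form as quoted in the thread:
#   set interface <if> ext ip <addr>/<mask> dip <id> <start> [<end>]
DIP_RE = re.compile(
    r"^set interface (?P<ifname>\S+) ext ip (?P<ext>\S+) "
    r"dip (?P<id>\d+) (?P<start>\S+)(?: (?P<end>\S+))?\s*$"
)

def check_dip(line):
    """Return (ok, reason) for one 'ext ip ... dip' line.

    Models only the rule stated in the thread: the extended IP's netmask
    must cover every address in the pool. What the device itself accepts
    may differ (assumption).
    """
    m = DIP_RE.match(line.strip())
    if not m:
        return False, "not an 'ext ip ... dip' command"
    try:
        # IPv4Interface accepts host bits set (1.1.1.1/28) and dotted masks.
        net = ipaddress.IPv4Interface(m["ext"]).network
        start = ipaddress.IPv4Address(m["start"])
        # A single-address pool has no end field: end == start.
        end = ipaddress.IPv4Address(m["end"] or m["start"])
    except ValueError as exc:
        return False, f"bad address: {exc}"
    if end < start:
        return False, "pool end is below pool start"
    if start not in net or end not in net:
        return False, f"pool {start}-{end} is outside {net}"
    return True, f"pool {start}-{end} is inside {net}"

# First three lines are from the thread; the last is constructed.
SAMPLES = [
    "set interface eth0/0 ext ip 1.1.1.1/32 dip 4 1.1.1.1",
    "set interface eth0/0 ext ip 1.1.1.1/32 dip 4 1.1.1.2 1.1.1.10",
    "set interface eth0/0 ext ip 1.1.1.1/28 dip 5 1.1.1.2 1.1.1.10",
    "set interface eth0/0 ext ip 3.3.3.12/30 dip 6 3.3.3.13 3.3.3.14",
]

if __name__ == "__main__":
    for line in SAMPLES:
        ok, reason = check_dip(line)
        print(("OK  " if ok else "FAIL"), line, "->", reason)
```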