How PC can talk to PC on different network using netscreen 5gt

Status
Not open for further replies.

rusta

Hello,

I have a juniper netscreen 5gt-wireless router. Pc's on both the trust interface and the wireless2 interface can access the internet, but pc's on the trust interface cannot talk to the pc's on the wireless2 interface and vice versa. The trust interface is 192.168.1.1 and the wireless2 interface is 192.168.2.1. Both trust and wireless2 interface are in the Trust zone.

How can I configure the router to allow the pc's to be on the same network or to be able to talk to each other?

Here are some of the router settings:

Port mode is trust-untrust (trust and wireless2 in Trust zone)

interface:
Name       IP/Netmask           Zone     Type    Link
serial     0.0.0.0/0            Null     Unused  down
trust      192.168.1.1/24       Trust    Layer3  up
untrust    XXX.XXX.XXX.XXX/23   Untrust  Layer3  up
vlan1      0.0.0.0/0            VLAN     Layer3  down
wireless1  0.0.0.0/0            Wzone1   Layer3  down
wireless2  192.168.2.1/24       Trust    Layer3  up

trust interface is set as DHCP server - addresses 192.168.1.2 - 192.168.1.15

wireless2 interface is set as DHCP server - addresses 192.168.2.2 - 192.168.2.5

Interface link status:
Name       Zone     Link
trust      Trust    Up
wireless2  Trust    Up
untrust    Untrust  Up

Policies:

From Untrust To Trust, total policy: 9
ID  Source  Destination  Service
10  Any     VIP::1       HTTPS
9   Any     VIP::1       RDC
8   Any     VIP::1       MAIL
7   Any     VIP::1       POP3
6   Any     VIP::1       FTP
5   Any     VIP::1       Server Web 81
4   Any     VIP::1       Server Web 8080
3   Any     VIP::1       uTorrent
2   Any     VIP::1       NAS200

From Trust To Untrust, total policy: 1
ID  Source  Destination  Service
1   Any     Any          ANY

 
The trust interface is 192.168.1.1 and the wireless2 interface is 192.168.2.1
And this is the problem -- you have TWO subnets (1 & 2) and there is no Route between the two.

It would appear that your wiring would look like
Code:
modem ---- router#1 ----wireless-router#2
The simple fix is to get both routers onto the same subnet (192.168.1.x) by:
  • take the wire from router#1 that attaches to the wireless router
  • disconnect the router#2 side (which is the WAN port)
  • and move it to an empty LAN port
  • reconfig router#2 to disable DHCP
that last step must be done with a system WIRED to router#2

All systems will then be on the same subnet and will be able to PING each other.
Sharing or access control will then be by
  1. firewall control
  2. or ACL password control
 
Thanks again jobeard for your help.

The thing is, I only have the 1 router, the Juniper 5gt wireless router.

My cable modem connects to the Untrusted Port of the Juniper, then a cable from the Juniper's Trusted Port1 to a switch.

When I try to put the wireless2 interface on the same subnet, I get the error "illegal overlapping subnet".

I also tried setting the wireless2 interface to "DHCP relay agent", but that did not work either.

I guess there needs to be a route between the 2 interfaces like you said, and this can probably be done within the router, but I have no idea how.
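For reference, here is an added example (not posted in this thread and not taken from Juniper's documentation) of how this situation is normally checked and configured from the ScreenOS command line, assuming console or SSH access to the 5GT. In ScreenOS, two interfaces that belong to the same zone (here trust and wireless2, both in Trust) are directly connected routes in the same virtual router, so no static route has to be added; what decides whether hosts on them can exchange traffic is the zone's intra-zone blocking setting and, when blocking is on, whether an intra-zone policy permits the traffic. The address-book names "Wired_LAN" and "Wireless_LAN" are assumptions made up for this example, and the default blocking state on this particular model should be read from the device rather than assumed.

```screenos
# 1. Confirm both interfaces sit in the Trust zone and that connected routes
#    for 192.168.1.0/24 and 192.168.2.0/24 exist in the trust-vr.
get interface
get route

# 2. Check whether the Trust zone blocks traffic between its own interfaces.
#    The output contains a line reading "Intra-zone block: On" or "Off".
get zone trust

# 3a. Permissive option: switch intra-zone blocking off. Every host on the
#     wired and wireless2 segments can then reach every other host without
#     any policy being evaluated.
unset zone trust block

# 3b. Restrictive option (preferable when one segment carries wireless clients):
#     keep blocking on and add explicit Trust-to-Trust policies. The address
#     names below are assumptions for illustration; replace ANY with a service
#     group holding only the file/print services actually needed.
set zone trust block
set address trust "Wired_LAN" 192.168.1.0 255.255.255.0
set address trust "Wireless_LAN" 192.168.2.0 255.255.255.0
set policy from trust to trust "Wireless_LAN" "Wired_LAN" ANY permit log
set policy from trust to trust "Wired_LAN" "Wireless_LAN" ANY permit log

# 4. Verify the intra-zone policies are present, then write the config to flash.
get policy from trust to trust
save
```

Option 3a and 3b are alternatives, not steps to run together: pick one after reading the `get zone trust` output. Turning logging on in 3b means the traffic log shows which wireless client reached which wired host, which is the record you want if a wireless client is ever compromised.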
 
I can't find the product User's Guide nor Install Guide so I'm kind of blind sided here.

'Trusted' and 'Untrusted' Ports??? Haven't seen a device like that.

With only one router, how did you get TWO subnets -- DHCP usually assigns addresses unless someone has manually configured a device.

1- remove any manual config you might have performed on ANY system
2- try to connect all systems as Trusted

If you can find a URL to the User's Guide, it would go a long way to help solve your issue(s).
 
Jobeard,

The settings are the router's default settings, except for the VIP's / policies I created for port forwarding. The DHCP settings are the default settings.


Below are some links; I have the 5GT-Wireless model.

juniper.net/techpubs/software/screenos/screenos5x/screenos5xwlan/WLAN.pdf

juniper.net/products/integrated/dsheet/110034.pdf

juniper.net/techpubs/hardware/netscreen-appliances/netscreen-appliances50/gs_5gt.pdf

help.juniper.net/help/english/5.0.0-DSLW/ns5gt%20wireless/online_help.htm



The router allows you to set DHCP for any of the following 5 interfaces.

trust(192.168.1.1/24)
untrust(xxx.xxx.xxx.xxx/23)
vlan1(0.0.0.0/0)
wireless1(0.0.0.0/0)
wireless2(192.168.2.1/24)


trust is set to DHCP server.
untrust is set to DHCP client.
vlan1 is set to None.
wireless1 is set to None.
wireless2 is set to DHCP server.

The options I can choose for the trust and untrust interfaces are:
None, DHCP Client, DHCP Relay Agent or DHCP Server.

For the vlan1, wireless1 and wireless2 interfaces the options are:
None, DHCP Relay Agent, or DHCP Server.

I did try setting the wireless2 interface to DHCP Relay Agent, but that did not work.
 
First, that's a great router/firewall!!

Second, getting data flow from the Trusted to the Untrusted is contrary to the basic concepts, otherwise there would be no need for classifications like these.

This results in no means to route from one to the other and you must get all devices on the Trusted Port if you wish to Print/File share to/from all systems.
 