Basic home configuration setup with wireless router behind NetScreen FW
I have a home network with a Linksys wireless router and NAS (Network storage) behind it. My service provider is Comcast cable.
I also have a NetScreen HSC (much like the NetScreen 5GT, but with a few limitations) which I would like to put behind it for VPN termination (unless I can get Dynamic DNS running on the HSC). (Unless anyone here can really tell me that I can assume that my front-facing router address will really seldom change, and I should be putting the HSC in front.) I'd actually kind of prefer to have my firewall device come first.
The HSC has worked fine with its limited web interface, and full functionality seems to be pretty much available via telnet / ssh. I haven’t had it on a network yet, just plugged into a hub and connected to it to check that it works.
I would like to place the NetScreen HSC behind my linksys router, and configure it to allow basic VPN operation.
I would appreciate basic configuration advice, which will greatly reduce the amount of playing-around I may have to do to fix any basic mistakes. Even better - is there a canned script / configuration anyone has that will do the job for me?
- I know I will have to pass the appropriate port/s through from the router to the NetScreen for the VPN connection.
- The HSC would rely upon the Linksys router for DHCP
- The router will need proper route setting data to pass data to / from the HSC
- The HSC will need proper routing config. to send data to / from the linksys. I will also want to be able to access the network storage / other systems hanging off the back of the linksys via the VPN.
- I will still want normal, local linksys wireless clients to connect as they have.
I figure the best way to go would be for the device right after the cable modem (presumably the Linksys) to have an inside address of 192.168.1.1, and the outside address of the HSC would be 192.168.2.1. Unless there is a better way for me to do this using the HSC in transparent mode (which I understand may not be an actual option - I understand the HSC may not support transparent mode).
General advice on the approach and options would be appreciated. I would also like eventually to set up another low-end NetScreen device at another location and establish a tunnel to this device, making for one effective network that I could connect into. I’m not planning to do this all now, but would like a “growable” approach. I’m also doing all this on a budget, so if I need another firewall, I’d like to go with a used 5XT or similar off-of-ebay.
rdbrock
I’m coming in late for the party sorry :mrgreen:! Did you guys get this setup working?
I have almost identical setup and I plan on setting it up sometime soon.
My setup very similar below:
CM <> FW <> Dlink WR <> Switch <> PCs
I plan to have the FW 5GT hand out DHCP and turn it off on the Dlink's side.
Thanks for the help. I have made some progress, and my configuration file is below.
With this configuration file, I can plug my firewall behind my cable modem, and plug a computer into the firewall, and establish connectivity to the Internet.
Now, I need to perform the next step:
Plug the firewall into the cable modem, and connect my Linksys wireless router to the Trusted side.
Then, my local systems can plug into the wireless router, or connect wirelessly.
My goal is to have this type of configuration:
NS-HSC: Untrusted Side: DHCP to acquire address / DNS info
NS-HSC: Trusted Side: IP address = 192.168.2.2
Linksys: WAN Interface: IP = 192.168.2.1, Gateway = 192.168.2.2
Linksys: Mode set to Router Mode (as opposed to Gateway Mode)
DNS: Set to point to 192.168.2.2; DHCP Server: ON
Cable: Linksys WAN side interface to NS-HSC Trusted Interface (Standard cable - Not crossover)
I hooked this up, and wasn’t acquiring DHCP / IP addresses from clients behind the linksys router. I may have made a small mistake, but would appreciate input based on what appears so far.
On the NS-HSC, I’m pretty sure that this line is no good:
set interface trust dhcp server option gateway 192.168.2.1
I think that I should set it to 192.168.2.2 – so that if I plug any gear into the NS-HSC, it can acquire a 192.168.2.x address.
I’m not presently concerned with commands related to the Antivirus, X.509 certificates, or modem settings… I will happily add detail or try to clarify any of this.
Any advice would be appreciated…
nshsc-> get config
Total Config size 3409:
unset hardware wdt-reset
set clock timezone 0
set vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set admin name "netscreen"
set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "VLAN" block
set zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
unset interface vlan1 ip
set interface trust ip 192.168.2.1/24
set interface trust nat
set interface untrust ip 220.127.116.11/22
set interface untrust route
set interface untrust gateway 18.104.22.168
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface trust ip manageable
set interface untrust ip manageable
set interface untrust manage ssh
set interface untrust manage telnet
set interface trust dhcp server service
set interface trust dhcp server auto
set interface trust dhcp server option gateway 192.168.2.1
set interface trust dhcp server option netmask 255.255.255.0
set interface trust dhcp server option domainname hsd1.nj.comcast.net.
set interface trust dhcp server option dns1 22.214.171.124
set interface trust dhcp server option dns2 126.96.36.199
set interface trust dhcp server ip 192.168.2.100 to 192.168.2.199
set interface untrust dhcp-client enable
set flow tcp-mss
set domain hsd1.nj.comcast.net.
set hostname nshsc
set dns host dns1 188.8.131.52
set dns host dns2 184.108.40.206
set ike respond-bad-spi 1
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set av scan-mgr pattern-update-url http://5gt-t.activeupdate.trendmicro.com:80/activeupdate/server.ini interval 0
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set nsmgmt report proto-dist enable
set nsmgmt report statistics ethernet enable
set nsmgmt report statistics attack enable
set nsmgmt report statistics flow enable
set nsmgmt report statistics policy enable
set nsmgmt report alarm traffic enable
set nsmgmt report alarm attack enable
set nsmgmt report alarm other enable
set nsmgmt report alarm di enable
set nsmgmt report log config enable
set nsmgmt report log info enable
set nsmgmt report log self enable
set nsmgmt report log traffic enable
set global-pro policy-manager primary outgoing-interface untrust
set global-pro policy-manager secondary outgoing-interface untrust
set ssh version v2
set config lock timeout 5
set modem speed 115200
set modem retry 3
set modem interval 10
set modem idle-time 10
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
set vrouter "trust-vr"
Thank you !
I'll let you know how it goes… probably about a week before I post again.
Packet7
The last HSC I set up was via the CLI. What version of code are you running? I simply downloaded the HSC Admin Guide and entered some commands to set up the box. In your scenario, I would set up the HSC at the perimeter and configure your Untrust interface for DHCP. This should allow your HSC to pick up an IP from your Comcast cable modem. I would then set up your Trust IP with a 192.168.2.1 address. What I did at home was configure my Linksys wireless router behind my 5GT and disabled the firewall. You might want to do the same. You can then set up a WAN IP on the Linksys of 192.168.2.2 and an internal of 192.168.1.1 (DHCP 192.168.1.5 - 10).
If you need help with the CLI, just let me know. Hope this helps.
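The perimeter layout that both the progress post with the config dump and Packet7's reply describe (HSC directly on the cable modem, Linksys in Router mode behind it, VPN terminating on the HSC), written out as one ScreenOS configuration fragment. This is an added example, not configuration from anyone in the thread. It assumes the addressing of the posted config (trust 192.168.2.1/24, so the DHCP gateway option stays 192.168.2.1) with the Linksys WAN at 192.168.2.2 and the Linksys LAN, where the NAS sits, at 192.168.1.0/24. The user name, IKE identity and preshared key in the VPN section are placeholders, and the `#` lines are annotations to strip before pasting into the CLI.

```text
# Added example, not the thread's own config. Strip '#' lines before pasting.
# Assumed addressing:
#   cable modem <-> untrust (DHCP client from Comcast)
#   trust 192.168.2.1/24 <-> Linksys WAN 192.168.2.2 (Router mode, no NAT)
#   Linksys LAN 192.168.1.0/24 (NAS and wireless clients)

# --- Untrust: address, default gateway and DNS come from the cable provider ---
set interface untrust ip manageable
set interface untrust route
set interface untrust dhcp-client enable

# --- Trust: the HSC owns 192.168.2.0/24 and leases on it ---
# The gateway option must be the trust interface address itself, otherwise
# anything plugged straight into the HSC gets a next hop that is not a router.
set interface trust ip 192.168.2.1/24
set interface trust nat
set interface trust dhcp server service
set interface trust dhcp server option gateway 192.168.2.1
set interface trust dhcp server option netmask 255.255.255.0
set interface trust dhcp server ip 192.168.2.100 to 192.168.2.199

# --- Path back to the LAN behind the Linksys ---
# 192.168.1.0/24 is not directly connected to the HSC, so without this route
# replies and tunnelled traffic to the NAS have nowhere to go.
set route 192.168.1.0/24 interface trust gateway 192.168.2.2
set address "Trust" "linksys-lan" 192.168.1.0 255.255.255.0

# --- Management: do not expose the admin services on the Internet side ---
# The posted config has 'set interface untrust manage telnet' and 'manage ssh',
# which makes the admin login reachable from the Comcast side.
unset interface untrust manage telnet
unset interface untrust manage ssh
set interface trust ip manageable
set interface trust manage ssh
set ssh version v2
set admin manager-ip 192.168.2.0 255.255.255.0
set admin manager-ip 192.168.1.0 255.255.255.0

# --- Outbound access for everything inside ---
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit

# --- Dial-up IKE VPN for one remote client (placeholders, change all three) ---
set user "remote-user" ike-id u-fqdn "remote-user@example.com" share-limit 1
set ike gateway "gw-remote-user" dialup "remote-user" aggressive outgoing-interface "untrust" preshare "ReplaceWithLongRandomSecret" sec-level compatible
set vpn "vpn-remote-user" gateway "gw-remote-user" sec-level compatible
set policy id 2 from "Untrust" to "Trust" "Dial-Up VPN" "linksys-lan" "ANY" tunnel vpn "vpn-remote-user" log
```

On the Linksys side this expects Router mode (so it does not NAT), WAN 192.168.2.2/24 with gateway 192.168.2.1, and the Linksys running DHCP for 192.168.1.x as before; wireless clients then keep working unchanged. With the Linksys not translating, the HSC policies are what decide who reaches the NAS, which is why the VPN policy names `linksys-lan` rather than the HSC's own subnet. A remote peer whose address changes has to use aggressive mode with a preshared key, so make that key long and random; `sec-level compatible` is the ScreenOS predefined proposal set and can be narrowed once the tunnel is up.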