SSG5 NS6.2 3WAN, one dedicated, two in failover, but how



  • Hello im a beginner in Juniper things.
    My chef was bringing me the SSG5 and say:“do it”, ok i try.
    First the Situation
    We have 3 DSL Cables 2DMZ, one ist Trusted (Mailserver), one is untrusted (WLAN), and at least the normal trusted intranet.
    One of the DSL is needed dedicated for Mail and other specail services. The other 2 DSL should configured as failover.
    The SSG5 has a new Netscreen 6.2.
    I have configured the DMZs and intranet as several Zones. Three Ports are configured as DSL/WAN
    But now i think i have a little problem. I dont know to bind Mailservices to WAN1, and how to configure WAN2 WAN3 as failover. I have configured so far with the webfrontend.
    I can use the shell per ssh. The dokumentation supplied with the Router isnt usefull for this Situation, it speaks from NRSP Setting, but there is no entry in the frontend, im unable to associate the funktion.

    eth0/0 WAN dedicated untrust_vr
    eth0/1/2 WAN failover untrust_vr
    eth0/3  unused
    eth0/4  DMZ  untrusted untrust_vr
    eth0/5  DMZ  trusted trust_vr
    bgroup0 eth0/6 Intranet trust_vr

    I hope beginners not eaten here.

    best regards
    Stefan



  • Hi GGame,

    Well, you should not loose any sleep over it 🙂

    It sounds like your mailmachine is performing more functions then just mail.
    So we cannot ‘isolate’ it’s mailtraffic based on source ip (which is what we configured).

    Then you’ll have to revert to ‘policy based routing’, but that’s a tad more complicated then this.

    I’m guessing that machine is also a proxy server or something then 😉

    In any case, it’s too bad the ‘simple’ solution does not yield the desired results (are you sure???  :p)

    Alright then, policy based routing it will be, but that’s too much for lazy old me to write down here.
    In my first reply i added a link to the techdocs.
    Download the following pdf and read the chapter on ‘policy based routing’…http://www.juniper.net/techpubs/software/screenos/screenos6.3.0/630_ce_Routing.pdf

    Cheers,



  • Ok i have the 2 Failover devices configured as Backup with track ip.
    I have Source Routing for the IP 192.168.4.10 to the dedicated Device and IP.
    I have Destiantion Routing for 0.0.0.0/0 to one of the other Failover DSL-Device and IP as default gateway.
    Thank you for the hints to this state.
    In this case the complete Traffic from 192.168.4.10 was going over dedicated DSL, but i want only ssh/SMTP/Imap/imaps… over this not other Services:-)
    How to configure this. Thats my Problem i dream bad:-)



  • Hi Goodgame,

    Yes, that’s the general idea. just use a /32 netmask in that line:
    set route source 192.168.4.10/32 int eth0/4 StaticIspIP
    else the complete 192.168.4.0/24 will use the mailserver’s gateway out 🙂

    I guess (reading your console complaint) you’re using hyperterminal (?)
    if so, you’re probably better off starting a command box and telnet into the ssg5. (it’ll allow you to edit the lines).(of you are using putty, use [CTRL+H])

    on the pc ‘start->run->cmd->[enter]’ and then type telnet ipadres-trustif-ssg

    to be honest the cli i gave is for screenos6.3, perhaps your version does not understand that part, but we might not need it anyway 🙂

    You can configure it all via webui as well, but i was too lazy to write that down too (and there needs to remain something to be explored right ? 😉

    You’re on the right track!



  • I want to test this but (the console is crappy shit, no backspace no del, directly from stoneage) the say on second part “unknown keyword 4”.

    
    set vrouter trust-vr route-lookup preference source-routing 4
    

    That i’ve understand the another part in my case
    Mailserver is connected over a switch with IP 192.168.4.10 on Port eth0/4, DSL for Mailservices are eth0/1 without IP in the moment, or you mean the static IspIP

    set route source ip_mailserver/32 int interface_to_mail_dsl  gateway ip_address_mail_dsl_router

    set route source 192.168.4.10/24 int eth0/4 StaticIspIP

    ist that right?



  • Hi goodgame,

    I don’t think you need virtual routers, save that for another time.
    Realy, the link wit docs i gave you is a good place to start.l
    You could do it like that, but there’s more elegant ways.

    For the SMTP you’ll need source based routing, and for the failover you’ll need something like ‘track ip’ and or untrust-failover…

    source based routing:

    set vr trust-vr source-routing enable
    set vrouter trust-vr route-lookup preference source-routing 4
    set route source _ip_mailserve_r/32 int interface_to_mail_dsl gateway ip_address_mail_dsl_router

    let’s first try to get this working and we’ll look at redundant isp’s 🙂



  • After a while thinking, it looks so that i use Virtual Routers for every DSL part. Virtual Router 1 for DSL dedicated and Virtual Router 2 for DSL Failover. Thats only an idea, but the way to realice this is so dark, like an inner Ass at Night :?

    I hope this is the right course.

    http://www.imgbox.de/?img=i8588e101.png



  • Hello,
    thank you for answer. But there 3 dsl, 1 is dedicated at special services and the other 2 are used for normal services in Fallback (when the one is gone the other takes over), there are not 2 Fallback dsl, only 1 and 2 active.
    I dont need (shure i need) a complete konfiguration, i would like to learn this. The routing for the services is a little problem for me in the moment.

    best regards
    Stefan



  • Hi Goodgame,

    Nah, noone is eaten 🙂

    The first place to look is the “C&E” guides for your version of screenos (which i hope is the latest and greatest (6.3)).

    do that here: http://www.juniper.net/techpubs/software/screenos/screenos6.3.0/index.html
    (select the right version (or upgrade 🙂

    Then, to separate the services, you’ll either need to do source (interface) based routing (if you are lucky)
    OR policy based routing (if you are unlucky).

    NOW: if you have 3 dsl’s and two of them are fallbacks, why the need to separate (as that leaves 1 active dsl :))
    Anyway, in those docs you’ll also find untrust failover and nifty stuff like that.

    That documentation is around 35MB of PDF, with examples from both webui and cli… it’ll take some time, but you’ll get there. (i’m sorry, but it;s not possible to write down a complete config for you)…

    However, please do come back with more specific questions/problems :cheers:


 

16
Online

38.4k
Users

12.7k
Topics

44.5k
Posts