Michael Dale
The following howto will show you how to set up an extra subnet connected to a Netscreen.
Background Info:
- Static IP address (202.129.82.126) on ethernet3
- /30 Subnet (202.129.82.192/30)
- 10.0.0.0/22 Internal Network on ethernet1
- Netscreen 5GT running ScreenOS 5.4.0r2 in Dual Untrust mode
- PPPoE connection
- Router address on 10.0.0.254
Adding an extra subnet gives us the option to run servers on their own public IP addresses and work around the Netscreen's limitations on port-range forwarding (VIPs).
Now what I've done for our connection is attach the extra subnet to our trust interface, the plan being that both the internal network (10.0.0.0) and the new subnet (202.129.82.192/30) can talk to each other.
Another issue is that the 10.0.0.0 network needs a NATed connection, while the new subnet needs to be routed without translation. Both are possible on the same interface with a few policy changes.
So let's start. Please note that this process will break your internet connection until all steps have been completed.
1) Make sure that your external WAN interface is set to Route mode. In NAT mode the interface translates everything itself; in Route mode translation only happens where a policy asks for it, so this will break your current NAT until we fix the policies in steps 4 and 5.
This option can be found in:
Network > Interfaces > ethernet3 (name may be different) -> Edit
2) Now go to your internal LAN interface and check that it too is in Route mode and that "Block Intra-Subnet Traffic" is off. This allows the internal interface to pass traffic back out the same interface (i.e. 10.0.0.0 -> 202.129.82.192).
Network > Interfaces > ethernet1 (name may be different) -> Edit
3) Add your Subnet on the internal interface
Network > Interfaces > ethernet1 (name may be different) -> Edit -> Secondary IP
4) Now we'll set up a policy so that any traffic from 10.0.0.0/22 is NATed to our static IP address on the way out.
Policies -> From Trust to Untrust. The source address will be your internal network, destination address will be ANY and so will the service.
5) Click advanced and check "Source Translation", then click okay.
6) Now we'll setup a policy so that our new subnet can talk to the world.
In Policies -> From Trust to Untrust create a basic rule with the new subnet as source, ANY as destination and ANY as service (of course you can restrict things if you'd like). You don't need "Source Translation" on this one: the /30 addresses are public and leave the Netscreen unchanged.
7) Now to create a rule to allow traffic in to our new subnet
In Policies -> From Untrust to Trust create a basic rule with ANY as source, the new subnet as destination and ANY as service. You don't need "Source Translation" on this one. Note that an any/any inbound rule exposes every port on every host in the /30, so once things work, restrict the service to what the servers actually offer (e.g. HTTP, HTTPS, SSH).
8) The last step is to allow traffic from the new subnet to talk to the internal network (this is an optional step).
In Policies -> From Trust to Trust. Source address being your new subnet and destination address is your local network. Keep in mind that the hosts in the new subnet are directly reachable from the internet; if one of them is compromised, this rule is what gives the attacker a path into 10.0.0.0/22, so limit it to the hosts and services the public servers genuinely need.
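The same eight steps as ScreenOS CLI commands, added here as a worked example (this is not taken from the original howto). The interface names, subnets and the static address come from the background info above; the address-book names, the 10.0.0.254/22 trust address (taken from the "Router address" line) and the use of .192 as the secondary IP (the author's observation in the notes below) are assumptions, so adjust them to your own setup. The `#` lines are annotations only and must be dropped before pasting into the CLI.

```screenos
# Step 1: external interface in Route mode. NAT is no longer done on the
# interface, only where a policy says "nat src".
set interface ethernet3 route

# Step 2: internal interface in Route mode. Leave the WebUI box
# "Block Intra-Subnet Traffic" on ethernet1 unticked so packets can
# hairpin between the primary and secondary subnets on this interface.
# 10.0.0.254/22 is an assumption taken from the "Router address" line.
set interface ethernet1 ip 10.0.0.254/22
set interface ethernet1 route

# Step 3: attach the /30 as a secondary IP on the trust interface.
set interface ethernet1 ip 202.129.82.192/30 secondary

# Address-book entries (names are assumptions)
set address Trust "Internal-LAN" 10.0.0.0 255.255.252.0
set address Trust "Public-30" 202.129.82.192 255.255.255.252

# Steps 4 and 5: internal LAN leaves source-NATed to the egress address
# on ethernet3 ("nat src" = Source Translation in the WebUI).
set policy from Trust to Untrust "Internal-LAN" "Any" "ANY" nat src permit

# Step 6: the public /30 is routed out without translation.
set policy from Trust to Untrust "Public-30" "Any" "ANY" permit

# Step 7: inbound to the public /30. "ANY" mirrors the walkthrough;
# replace it with the real services (HTTP, HTTPS, SSH, ...) once it works.
set policy from Untrust to Trust "Any" "Public-30" "ANY" permit

# Step 8 (optional): public /30 may reach the internal LAN. Narrow the
# destination and service here, since these hosts face the internet.
set policy from Trust to Trust "Public-30" "Internal-LAN" "ANY" permit

save
```

After `save`, `get policy` should list the four policies in the order above, and `get interface ethernet1` should show both the primary 10.0.0.254/22 and the secondary 202.129.82.192/30 address. If the internal LAN loses its connection after step 1, it is the missing "nat src" policy, not the interface mode, that needs fixing.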
Some things I've noticed with this setup.
- You can still use VIPs on your main static IP address (202.129.82.126), so that gives you another IP to play with.
- The internal Netscreen interface works on the network address for the /30 (i.e. 202.129.82.192), giving us two IP addresses that we can use for servers instead of just one.