two interfaces in untrust and port forwarding with netscreen
June 28th, 2007 by bernard
Recently we had to configure a network setup for a client. The client wanted a firewalling solution for their office, and we suggested Netscreen SSG5 devices. The client had two uplinks (one ADSL and one cable link), and both uplinks had to behave in the same way, since they were there for redundancy.
We faced a rather strange problem. Both uplinks were in the untrust zone (they have to be, as ScreenOS only lets you configure VIPs on an untrust interface; a VIP, Virtual IP, is what Netscreen calls port forwarding), but we could only configure VIPs on one of them. When we tried to add a VIP on the other interface in the zone, we got a nice warning that VIPs were already defined on another interface in the zone.
So, basically, it boils down to this: if you have two uplinks, you can't configure port forwardings on both uplinks, only on one.
But… that didn't stop us, we wanted this to work. Another feature available is MIP (Mapped IP), which transparently maps one IP address one-to-one onto another. The first idea was simple: MIP the address of one uplink onto the address of the other, and define the VIPs on the second. This works, but when the interface carrying the VIPs goes down, the MIP target goes down with it and everything fails.
The only solution we found was the following: add a third interface to the untrust zone, MIP both uplink addresses onto this third interface, define the VIPs on that third interface, and make sure this interface stays up. Keeping it up can be achieved by plugging a loopback device into the port, so the link never drops. Not really the cleanest solution, and we are not really proud of it, but Netscreen only allows VIPs on physical interfaces, so it was the only solution.
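The workaround above, written out as ScreenOS CLI. This is an added example, not the configuration from the original post: the interface names (ethernet0/0, ethernet0/1, ethernet0/2), the addresses, the internal host 192.168.1.10 and the forwarded services are assumptions, and the command syntax is ScreenOS 5.x-style from memory, so check each line against the CLI reference for your release before relying on it. The `#` lines are annotations only; ScreenOS does not accept comments, so strip them before pasting.

```screenos
# Added example, not the original post's config. Names and addresses are
# assumptions; verify the syntax against your ScreenOS CLI reference.

# Uplink 1 (ADSL) and uplink 2 (cable), both in the untrust zone
set interface ethernet0/0 zone untrust
set interface ethernet0/0 ip 203.0.113.10/24
set interface ethernet0/1 zone untrust
set interface ethernet0/1 ip 198.51.100.10/24

# Third interface, also untrust; a loopback plug in the port keeps link up
set interface ethernet0/2 zone untrust
set interface ethernet0/2 ip 10.255.255.1/29

# MIP both public uplink addresses onto one address on the third interface
# (one-to-one mapping, 255.255.255.255 = a single host)
set interface ethernet0/0 mip 203.0.113.10 host 10.255.255.2 netmask 255.255.255.255 vr trust-vr
set interface ethernet0/1 mip 198.51.100.10 host 10.255.255.2 netmask 255.255.255.255 vr trust-vr

# Port forwards (VIPs) live only on the third interface; the VIP address
# must be in that interface's subnet
set interface ethernet0/2 vip 10.255.255.2 80 "HTTP" 192.168.1.10
set interface ethernet0/2 vip 10.255.255.2 443 "HTTPS" 192.168.1.10

# Policies: permit only the forwarded services toward the VIP, never "any"
set policy from untrust to trust any vip(10.255.255.2) http permit
set policy from untrust to trust any vip(10.255.255.2) https permit
```

Two things to verify on your own device. First, a MIP is a full one-to-one mapping, so the only thing limiting which ports reach the host behind it is the policy set; keep the policies to the named services rather than `any`. Second, the original post does not say whether the double translation (MIP on the uplink, then VIP on the third interface) needs an additional untrust-to-untrust policy for the MIP on your ScreenOS release; test inbound traffic through each uplink, and with each uplink unplugged in turn, before putting this into production.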
After communicating with Netscreen support, they told us this limitation would be resolved in the next version of ScreenOS. We presented our solution (the third interface in the untrust zone together with the MIPs from the other two interfaces), and the support engineer said they would document it internally so they could advise it to other customers.
We've put this online (and in English) so we might help fellow networking-dudes with the same problem.