Firewall design - should this work?

[bk6662]

Hi!

I inherited a project where I was asked to set up a firewall, to control traffic within the same subnet.  (I know that's sort of counterintuitive - should be done with VLANS!)  But anyhow...

Using a Juniper firewall, I'm working with 2 interfaces.  0 is "untrusted", and 1 is trusted.  Both interfaces connect to a switch, and all connected devices are in the same subnet.  With Juniper it seems the best method is to configure both 0 and 1 as INETv4 interfaces, assign an IP (both being in the same range as the rest of the subnet), and create policies allowing traffic to flow in both directions.

I set up in a test lab, but not having any success.  End result to this point is:

From Juniper I can ping both interfaces, and also get a PING response from endpoints located on both interfaces.
From untrusted endpoint I get a PING response from the Juniper untrusted interface, but no response from the trusted interface or trusted endpoint (Request timed out)
From trusted endpoint I get a PING response only from the Juniper trusted interface.  Everything else results in "Destination host unreachable" response.

Also side note I have a router configured on the untrusted end.  Using that as "Next Hop" for the Juniper (set routing-options static route 0.0.0.0/0 next-hop 10.1.1.1)

I'll be happy to provide a config if requested (it's really short).  But I'm wondering if this design should work, or is there a better way to accomplish what I'm trying to do?  (Only caveat it has to be with the Juniper!)

Thank you!
-BK

EDIT: may as well provide the config

security
  policies
    from-zone trust to-zone untrust
      policy our-internet-policy
        match
          source-address any
          destination-address any
          application any
        then permit

    from-zone untrust to-zone trust
      policy outside-in
        match
          source-address any
          destination-address any
          application any
        then permit

  zones
    security-zone untrust
      host-inbound-traffic
        system-services
          all
        protocols
          all
      interfaces ge-0/0/0.0

    security-zone trust
      host-inbound-traffic
        system-services
          all
        protocols
          all
      interfaces ge-0/0/1.0

interfaces
  ge-0/0/0
    unit 0
      family inet
        address 10.1.1.2/24

  ge-0/0/1
    unit 0
      family inet
        address 10.1.1.3/24

routing-options
  static
    route 0.0.0.0/0 next-hop 10.1.1.1

[icecream-guy]

So what happens when a device is looking for another device on the same network segment?

say 10.1.1.5 is looking for 10.1.1.6,
so 10.1.1.5  sends out a broadcast  "who has IP 10.1.1.6"
10.1.1.6 replies "i do, here is my MAC address" and sends it to 10.1.1.5,
now that 10.1.1.5 has the MAC address of 10.1.1.6 the communication is sent directly.

if you want to separate segments via a firewall, you need to separate hosts on to unique networks for inside (trusted) and outside (untrusted)

at least at the network layer,

[deanwebb]

Correct. The zones need to be in different IP subnets. Firewalls control access from one subnet to the other - they block or permit traffic at layer 3. Having both interfaces being layer 3 adjacent means no routing and, hence, no firewalling.

[icecream-guy]

if you had a high-end switch you could probably do something with private VLANs

[bk6662]

Thanks everybody - appreciate the responses.

I did find out this particular firewall has a feature allowing it to run in transparent mode, thereby operating as a switch.  In that scenario it does allow me to designate specific interfaces as trusted or untrusted.  But only later Juniper's support that.

Thanks again!
-BK