topic Re: Firewall as Default Gateway in Switches, Hubs, and Modems

Firewall as Default Gateway

Tony Flannery — Thu, 06 Apr 2006 09:46:09 GMT

Hi,

I'm having a little problem getting my computers to see the outside world. I have configured my 5308 Procurve with 4 VLAN's, each with an ip address. Devices on the VLAN's can happily see each other via their default gateways. I have connected my Sonicwall Firewall to 1 of the VLAN's and put static routes in it for the other 3. All devices can ping the Firewall, and the Firewall can ping all devices. I put a default route in the Procurve to point to the Firewall, but my clients cannot get internet access. The firewall is on the same VLAN as my servers, inc dns server. If I change the default gateway of the dns server to point to the Firewall, it gets out OK.

Here is my config:

Running configuration:
; J4819A Configuration Editor; Created on release #E.10.23
hostname "HP ProCurve Switch 5308xl"
ip access-list extended "AllowedServers"
permit ip 0.0.0.0 255.255.255.255 10.11.0.102 0.0.0.0
permit ip 0.0.0.0 255.255.255.255 10.11.0.106 0.0.0.0
permit ip 0.0.0.0 255.255.255.255 10.11.0.132 0.0.0.0
permit ip 0.0.0.0 255.255.255.255 10.11.0.1 0.0.0.0
exit
module 1 type J4907A
module 2 type J4907A
module 6 type J4878B
module 3 type J4878B
module 4 type J4878B
module 5 type J4878B
ip default-gateway 10.11.0.1
ip routing
snmp-server community "public" Unrestricted
vlan 1
name "DEFAULT_VLAN"
untagged B1-B16
ip address 10.10.0.254 255.255.0.0
no untagged A1-A16,C1-C4,D1-D4,E1-E4,F1-F4
exit
vlan 2
name "Servers"
untagged A1-A16
ip address 10.11.0.254 255.255.0.0
ip access-group "AllowedServers" out
exit
vlan 3
name "Staff"
untagged C1-C4,D1-D4,E1-E4
ip address 10.12.0.254 255.255.0.0
exit
vlan 4
name "Students"
untagged F1-F4
ip address 10.13.0.254 255.255.0.0
exit
gvrp
ip route 0.0.0.0 0.0.0.0 10.11.0.1
password manager

Thanks for any advice

Tony

Re: Firewall as Default Gateway

Manuel Wolfshant — Thu, 06 Apr 2006 20:18:19 GMT

Have you tested internet connectivity using "ping FQDN" or "ping IP_address" ? Since you say that the problems are solved when the DNS server has the firewall as default gateway, it looks like you are actually having a DNS problem, not a network access problem. In other words, your clients try to connect to say, www.yahoo.com, they make a valid request to your DNS server which in turn does NOT reply with a valid IP address because it has no internet access. Some simple tests you could perform:
a) issue a standard DNS query (nslookup/host/dig) on a client, asking for something which is not local. If you get no reply, probably the DNS server cannot access the external DNS servers. Using the "trace" mode of dig (dig +trace ) could be helpful in this case.
b)
- find the IP of an external target (I tend to use www.yahoo.com): host www.yahoo.com
- traceroute -n to the IP from step 1 (-n stands for DNS queries).
For instance:
#host www.yahoo.com
www.yahoo.com is an alias for www.yahoo.akadns.net.
www.yahoo.akadns.net has address 216.109.118.74
[...]
#traceroute -n 216.109.118.74
traceroute to 216.109.118.74 (216.109.118.74), 30 hops max, 46 byte packets
1 192.168.1.1 0.660 ms 0.322 ms 0.267 ms <= my router
2 82.76.245.73 17.055 ms 16.549 ms 21.507 ms <= my ISP's router
3 194.102.81.185 30.404 ms 18.172 ms 16.509 ms
4 194.102.81.1 22.244 ms 16.705 ms 11.774 ms
[...]

Now examine the last hop in the traceroute. If packets pass thru the firewall and reach your ISP, the problem is definitely the one I have described above.

Re: Firewall as Default Gateway

Tony Flannery — Fri, 07 Apr 2006 09:36:09 GMT

Thanks for the reply Manuel, after much frustration I moved the Firewall to the default VLAN, and suddenly it all started working ! It seems the default gateway has to live on the default vlan.

Thanks again,

Tony.

Re: Firewall as Default Gateway

Manuel Wolfshant — Fri, 07 Apr 2006 09:53:11 GMT

I do not think so. I still think you have a configuration problem. My switch doesn't even use the default VLAN...

Re: Firewall as Default Gateway

Tony Flannery — Fri, 07 Apr 2006 10:10:07 GMT

I can't think what else might have changed. Will have another look at the setup, but at least it's working at the moment.

Re: Firewall as Default Gateway

Manuel Wolfshant — Fri, 07 Apr 2006 10:20:44 GMT

make sure that the DNS server has access to the firewall and to internet via the firewall. It looks like you try to go from a VLAN to another one but your access lists prohibit this.

Re: Firewall as Default Gateway

Sergej Gurenko — Fri, 07 Apr 2006 11:29:40 GMT

This small article will help you to create troubleshooting plan.

CCNP CIT Exam Self-Study: Selecting a Troubleshooting Approach
http://www.ciscopress.com/articles/printerfriendly.asp?p=102211

Try to debug all the part of you network separately, but not at the same time. That's it. Make sure that the only one PC connected to the inside firewall interface have the internet. Than connect all the other infrastructure and go dipper.

I'm also advise you to use sniffer. You will find that is simple any powerfull tool. I recommend you to use Packetyzer (that is Free and user friendly Ethereal version)

Re: Firewall as Default Gateway

Tony Flannery — Mon, 10 Apr 2006 05:35:13 GMT

Thanks Sergej

Re: Firewall as Default Gateway

MDriest — Mon, 08 May 2006 11:14:02 GMT

Tony,

I had this problem when setting up our Layer 3 Infrastructure with the 5308xl-48G.

Our Firewall had an IP Address in the Server VLAN with a 0.0.0.0 0.0.0.0 route to it on the Layer 3 Switch.

Our inbound/outbound internet connections, web sites we hosted, e-mail, terminal server, VPN, etc. would constantly time out every 10 - 15 minutes.

We had to create a seperate VLAN for only the firewall.

This cured all the problems we were having.

When you moved your firewall to the default_Vlan this in essence was what you needed to do.

We never use the DEFAULT_VLAN (VID 1) and most admins prefer their setups this way.

Hope this helps.

Mike D.
Network/Systems Administrator

Re: Firewall as Default Gateway

Tony Flannery — Wed, 10 May 2006 06:18:47 GMT

Thanks Mike, some useful pointers there for me.

Tony.