
Routing between HP Procurve and Watchguard with VLANS

 
westberliner
Occasional Visitor


Hello,

 

I have an HP 2920-48g with different VLANs and want to connect them to a Watchguard XTM 510.

I tried different things, but now I am stuck and can't find a solution.

On my HP Switch:

IP-Routing enabled

no default-gateway in setup

0.0.0.0 0  0.0.0.0 10.128.94.155 (VLAN 300 Gateway Watchguard to internet)

VLAN 300 10.128.94.1

VLAN 400 10.128.100.1

(The other VLANs I do not describe at first)

Uplink to Watchguard tagged VLAN 300+400

(If I do not configure the VLANs on the uplink port, I can't communicate to each other)

Watchguard

Interface 6, tagged 300+400

Vlan300 - 10.128.94.155

VLAN400 - 10.128.100.155

 

 

Now the problem:

 

If my client is in VLAN 300 - I have access to the internet.

If my client is in VLAN 400 - then I have NO access to the internet.

If I run a traceroute from the client to 8.8.8.8 from VLAN 400, then my path is

10.128.100.1 (gateway from VLAN) --> 10.128.100.155 (VLAN interface Watchguard) and then no way further. In my opinion the gateway from the VLAN should send the packets to 10.128.94.155 and not to 10.128.100.155....?

And I suppose that the inter-VLAN routing will be "destroyed" by connecting my Watchguard to the switch, because I cannot reach the other VLAN gateways.....very strange behavior, I have been sitting for hours and this ..... won't work :(

Any ideas?

 

Thank you very much

1 REPLY
Vince-Whirlwind
Honored Contributor

Re: Routing between HP Procurve and Watchguard with VLANS

I think the issue is you have to decide where your routing is occurring for each subnet.

Currently, you have 2 Layer3 devices in each subnet (Switch & FW).

 

You need to remove the VLAN 300 & 400 IP addresses from either the switch, or the router.

i.e., if you want to route on the switch for VLAN400, then don't trunk the VLAN to the FW as well.

 

Ideally, do the same for VLAN300, otherwise you get asymmetric routing, as return traffic to VLAN300 hosts will go directly to the hosts from the FW even if the hosts are using the .1 address as their router.
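
The situation the reply describes (two Layer 3 devices in one subnet, and return traffic that bypasses the switch) can be checked with a small routing model. This is an added example, not part of the thread: the /24 masks, the `.50` host addresses, the firewall's static return route in the second topology, and all function names are assumptions.

```python
import ipaddress as ipa

def owner(devices, addr):
    """Name of the device that owns interface address `addr`, else None."""
    for name, dev in devices.items():
        if any(str(ipa.ip_interface(i).ip) == addr for i in dev["ifaces"]):
            return name

def routers_per_subnet(devices):
    """Map each subnet to the devices that hold an L3 interface in it."""
    seen = {}
    for name, dev in devices.items():
        for i in dev["ifaces"]:
            seen.setdefault(str(ipa.ip_interface(i).network), []).append(name)
    return seen

def hops(devices, start, dst):
    """Routers a packet to `dst` crosses, beginning at router `start`."""
    dst, path, cur = ipa.ip_address(dst), [], start
    while cur and cur not in path:
        path.append(cur)
        dev = devices[cur]
        if any(dst in ipa.ip_interface(i).network for i in dev["ifaces"]):
            break  # connected subnet: delivered straight to the host
        hits = [(ipa.ip_network(p), nh) for p, nh in dev["routes"]
                if dst in ipa.ip_network(p)]
        # Longest prefix wins; no matching route ends the walk.
        nh = max(hits, key=lambda h: h[0].prefixlen, default=(None, None))[1]
        cur = owner(devices, nh) if nh else None  # None = leaves the model
    return path

def asymmetric(devices, host, gateway, remote="8.8.8.8", edge="firewall"):
    """True when the return path is not the outbound path reversed."""
    out = hops(devices, owner(devices, gateway), remote)
    return out != hops(devices, edge, host)[::-1]

# Constructed model of the thread's setup; /24 masks and .50 hosts are assumed.
SWITCH = {"ifaces": ["10.128.94.1/24", "10.128.100.1/24"],
          "routes": [("0.0.0.0/0", "10.128.94.155")]}
DEFAULT_OUT = ("0.0.0.0/0", None)  # firewall's upstream, outside the model
AS_POSTED = {"switch": SWITCH, "firewall": {
    "ifaces": ["10.128.94.155/24", "10.128.100.155/24"], "routes": [DEFAULT_OUT]}}
# VLAN 400 untrunked from the firewall; the static return route is assumed.
VLAN400_ON_SWITCH = {"switch": SWITCH, "firewall": {
    "ifaces": ["10.128.94.155/24"],
    "routes": [DEFAULT_OUT, ("10.128.100.0/24", "10.128.94.1")]}}

if __name__ == "__main__":
    for topo in (AS_POSTED, VLAN400_ON_SWITCH):
        print(routers_per_subnet(topo), asymmetric(topo, "10.128.100.50", "10.128.100.1"))
```

In the second topology a VLAN 400 host gets a symmetric path, while a VLAN 300 host using 10.128.94.1 as its gateway still does not, which is the case the reply's last sentence covers.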