Firewall and routing between VLANS...

Sig_1 · ‎12-27-2006

Hi -

Here is the issue. We have one HP 5308XL switch that is now basically in the out of the box configuration (no VLANS configured). connected to the switch are three subnets (10.109.x.x/16, 10.100.x.x/16, 10.101.x.x/16). Routing currently is achieved via a Novell Border Manager firewall that holds the gateway IP's on the private interface for the three subnets of 10.109.0.1, 10.101.0.1, and 10.100.0.1. All workstations have set as their DNS server the IP of 10.100.0.1 and their default gateway is set to the IP of the respective subnet on the Border Manager firewall. The Border Manager firewall on the public interface has an address (part of a class C range) assigned to us by the ISP. The default route that is set points to the ISP's router IP. And with this things work ok (NAT is enabled).

Now the plan is to try out VLANS and do routing between them by breaking up the ports that are connected to the three subnets. I created 3 VLANS in addition to the default VLAN and assigned the ports as untagged to the proper VLAN name (VLAN 101, VLAN 109, VLAN 100). The VLAN IP for 101 and 109 was assigned the gateway IP address that was on the Border Manager machine originally - VLAN 100 was assigned an IP of 10.100.0.10. The Border Manager machine was in VLAN 100 and the IP address of 10.100.0.1 syated on the Border Manager machine.

Routing was enabled and I was able to ping other workstations in other VLANS with no problem but I could not ping the 10.100.0.1 firewall address in VLAN 100. I tried creating static routes on the border manager box to point back to the respective VLANS and that did not make any difference. What did work for the Border Manager box as far as pinging was to change the default route from the ISP's router to the IP address assigned to VLAN 100 (10.100.0.10).

The deal was to try and not have to reconfigure the workstations in the 109 and 101 VLANS and have internet work. For the 100 VLAN the default gateway has to be changed but the amount of machines was minimal so that was ok to do. It seems like what I am trying to do though is not realistic so what does have to be done to the workstations in terms of DNS or default gateway settings to make this work? What about the Border Manager machine in terms of static and default routes?

Any info would be helpful - thanks....

Ron Kinner · ‎01-04-2007

I assume we have:

ISP -- ISP RTR --Firewall -100-Switch -109/-101.

Your DNS is probably not happy because it is trying to use the Firewall as its default route and thus can't get back to the two vlans since the firewall does not want to play router. On the DNS you should add two static routes for the other Vlans and keep the default route pointing to the firewall.

The default route on the firewall should remain pointed at the ISP Router since that is where the internet is. The switch's default route: 0.0.0.0 0.0.0.0 should point at the firewall. It will not need any other routes. (If you log into it and do

sh ip route

you should see a route for each of the three subnets listed as connected and then the default route. The default gateway command is only used when ip routing is not turned on and is only used so that when you telnet it to it from somewhere else that it can get back to you)

Firewalls need to know about subnets that are on the good side but not directly connected. Usually this is done with a static route on the firewall. In each case this should point to the VLAN100 address of the switch.

You shouldn't have to make any changes to PCs on the 101/109 LANs.

Ron

PS. If you want to send me your config for the firewall directly rather than post it for all to see I'll be glad to look at it. rkinner AT att DOT net - put HP in the subject so I'll know it's not spam.