Firewall problems

Occasional Advisor

I have three ProCurve 5304 switches and one 2512.
My network uses all static IPs.
Domain Controller
Backup Domain controller

Gateway for hosts: every host has its gateway set to its own VLAN.

I set four VLANs on all switches with these IPs:

Switch 1 (Main)

Switch 2

Switch 3

Switch 4

All my 6 servers are connected to switch 1 (Main) on VLAN 10. On two of my servers I installed Kerio WinRoute Firewall, the first to access the Internet and the other to access a remote LAN through an HDSL modem.
The Internet server has the network interface with IP
The server to access the remote LAN has the network interface with IP

On my switch 1 (Main) I created the following static route: / 8

I enabled IP routing on all the switches and assigned the hosts the gateway for their own VLAN, but I'm not able to ping the servers with Kerio WinRoute Firewall installed ( and ) from VLAN 20, 30, 40.

What's wrong? Do you have any other suggestions to complete this VLAN routing?

Any kind of suggestion will be appreciated.

Olaf Borowski
Respected Contributor

Re: Firewall problems

Hi Robert,

Your setup looks kind of strange. I don't know how these switches are connected (together), but your setup would have, for example, 4 default gateways for VLAN 10. You really don't want to do that.

Recommendation: Dedicate one switch to do the routing for you (a 53xx). Let's assume you are going to do that on switch 1. The address x.x.x.1 will be the default gateway for everyone, meaning even clients connected to switch 3 will use x.x.x.1 as their default gateway, not x.x.x.3. You can keep the IP addresses on the switches, but they would only be used for network management to access the device. The only switch that needs routing turned on is switch 1. The link connecting the other switches to switch 1 has to be a "tagged" link. You would tag VLAN 10, 20, 30, 40 on that link and untagged to the user ports.

#2: I would not put the Kerio firewall on the same logical network. Create a VLAN 100 with IP address 192.168.100.x. Use for switch 1 and for the firewall. Then add a static route (default): ip route on switch 1. This way, the switch will do all the local routing between the VLANs and not the firewall.

Now for the remote network. I can't tell who is doing the routing for the remote network. What address space do you have for that? Is the HDSL modem connected to the Internet, and do you have a VPN to accomplish connectivity?
Bilotta Alessio
Occasional Advisor

Re: Firewall problems

Thanks Olaf,
at the moment I have only vlan10. On my network, switch1 ( ) is the router and has a static route to the Internet firewall ( of firewall); the firewall has an HDSL modem connected on the second NIC. The second static route ( of firewall) is for the remote LAN with the HDSL modem on the second NIC. All hosts have switch1 ( ) as their default gateway; servers are connected to switch1 on vlan10. The other addresses on the switches are only for connection management.
Everything works fine up to now.

I would like to make more VLANs; each switch should have its own VLAN. Here is my problem: I have IP routing enabled on all switches, and I set an IP address for each VLAN:

vlan20 on switch2
vlan30 on switch3
vlan40 on switch4
Now I set the default gateway for hosts on vlan20; for vlan30; vlan40, and left on hosts, servers.
Is this config right?
(I tried this config but I cannot ping the servers with Kerio installed.)
Thanks, Roberto.
Pieter 't Hart
Honored Contributor

Re: Firewall problems

As Olaf said, you only need one switch to do the routing.

So for this routing example config only switch-1 is important.

On the respective VLANs switch-1 (x.x.x.1) must be configured as the default gateway.
vlan20 ->gateway
vlan30 ->gateway
vlan40 ->gateway

Switch-1 knows all the subnets used on your local LAN and external networks,
so it is able to do all the routing.

For troubleshooting your connectivity problem, the IP addresses of switches 2-4 are not important; they are not used for routing (layer 3).
These switches only need to pass VLANs (at layer 2) to switch-1,
so only switch-1 needs to know about all VLANs.
Enabling IP routing is not necessary on these switches.

As the Kerio firewall has "firewall" in its name, you may need to enable response to ping from other (non-local) subnets.

Most likely the Kerio firewall to the Internet has an external router as its default gateway, so you need to configure static routes back for the other local subnets: ->gateway ->gateway ->gateway
Otherwise the ping response is sent to the Internet instead of back to the local interface.
Probably the same goes for the other remote LAN.

If you really want to let each local switch route its own VLAN, then you need other static routes back:

On the respective VLANs switch-x (x.x.x.1) must be configured as the default gateway.
Hosts in vlan20 ->gateway
Hosts in vlan30 ->gateway
Hosts in vlan40 ->gateway

On each switch (2-4) a static route to

On switch-1 a route to the Kerio firewall for Internet access

And on the Kerio firewall ->gateway ->gateway ->gateway

The other IP addresses of the switches are not used.

Maybe the attached document helps.
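The following is an added example, not part of the thread, that models the design Olaf recommends (one routing switch, the firewall on its own VLAN 100) and Pieter's point about the firewall's return path with a longest-prefix-match routing table. All addresses are constructed for illustration, since the thread's real addresses are not shown on the page; it shows where the firewall's ping reply to a host in another VLAN goes with and without the static routes back.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing (the thread's real addresses are not on the page):
# switch-1 routes VLAN 10/20/30/40 plus a dedicated firewall VLAN 100, as
# Olaf suggested; the firewall's default gateway is the ISP router outside.
LOCAL_VLANS = [ip_network(f"192.168.{v}.0/24") for v in (10, 20, 30, 40)]
FW_VLAN = ip_network("192.168.100.0/24")
SWITCH1_FW_IP = "192.168.100.1"    # switch-1's address in VLAN 100
FIREWALL_IP = "192.168.100.2"      # Kerio firewall, inside interface
ISP_ROUTER = "203.0.113.1"         # TEST-NET-3 placeholder for the ISP router
DEFAULT = ip_network("0.0.0.0/0")

def lookup(table, dst):
    """Longest-prefix match over a list of (network, next_hop) entries.
    Returns the next hop of the most specific matching entry."""
    dst = ip_address(dst)
    matches = [entry for entry in table if dst in entry[0]]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda e: e[0].prefixlen)[1]

def switch1_table():
    """Switch-1 routes between its connected VLANs; default via the firewall."""
    connected = [(net, "connected") for net in LOCAL_VLANS + [FW_VLAN]]
    return connected + [(DEFAULT, FIREWALL_IP)]

def firewall_table(with_static_routes):
    """Kerio's table: connected VLAN 100, default to the ISP router and,
    optionally, Pieter's static routes back to the local VLANs via switch-1."""
    table = [(FW_VLAN, "connected"), (DEFAULT, ISP_ROUTER)]
    if with_static_routes:
        table += [(net, SWITCH1_FW_IP) for net in LOCAL_VLANS]
    return table

def ping_firewall(host, with_static_routes):
    """For a host in another VLAN pinging the firewall's inside address,
    return (switch-1's hop for the request, the firewall's hop for the reply)."""
    forward = lookup(switch1_table(), FIREWALL_IP)
    reply = lookup(firewall_table(with_static_routes), host)
    return forward, reply

if __name__ == "__main__":
    for flag in (False, True):
        fwd, rep = ping_firewall("192.168.20.50", flag)
        print(f"static routes {'on ' if flag else 'off'}: request delivered "
              f"via {fwd}, reply next hop = {rep}")
```

Without the static routes the reply's only match is the default route, so it leaves toward the ISP router and the host in VLAN 20 never sees it; with them the more specific /24 wins and the reply returns through switch-1.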