- Community Home
- >
- Networking
- >
- Legacy
- >
- Switches, Hubs, Modems
- >
- Firewall problems
Switches, Hubs, and Modems
1753947
Members
7437
Online
108811
Solutions
Forums
Categories
Company
Local Language
юдл
back
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Forums
Discussions
юдл
back
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Blogs
Information
Community
Resources
Community Language
Language
Forums
Blogs
Topic Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО01-17-2009 10:42 AM
тАО01-17-2009 10:42 AM
Firewall problems
I got three switches Procurve 5304 and one 2512
My net has all static ip's.
Domain Controller 192.168.10.5
Backup Domain controller 192.168.10.7
Gateway for Host's: every host has the gateway set to its own vlan.
I set four VLAN's on all switches with those IP's
Switch 1 (Main)
VLAN10 192.168.10.1
VLAN20 192.168.20.1
VLAN30 192.168.30.1
VLAN40 192.168.40.1
Switch 2
VLAN10 192.168.10.2
VLAN20 192.168.20.2
VLAN30 192.168.30.2
VLAN40 192.168.40.2
Switch 3
VLAN10 192.168.10.3
VLAN20 192.168.20.3
VLAN30 192.168.30.3
VLAN40 192.168.40.3
Switch 4
VLAN10 192.168.10.25
VLAN20 192.168.20.25
VLAN30 192.168.30.25
VLAN40 192.168.40.25
All my 6 servers are connected to switch 1 (Main)on vlan10. On two of my servers I Installed Kerio WinRoute Firewall, the first to access the Internet and the other to access a Remote LAN through a Modem HDSL.
Internet Server has the network interface with IP 192.168.10.4
Server to access the remote LAN has the network interface with IP 192.168.10.11.
On my switch 1 (Main) I created the following static route:
0.0.0.0/24 192.168.10.4
10.0.0.0 / 8 192.168.10.11
I enabled the IP routing on all the switches, I assigned the gateway to the hosts for their own VLAN, but I'm not able to ping server's with Kerio winroute firewall installed. (192.168.10.4 and 192.168.10.11) by vlan20, 30.40.
What's wrong? Do you have any other suggestions to complete this VLAN routing?
Any kind of suggestion will be appreciated.
roberto
My net has all static ip's.
Domain Controller 192.168.10.5
Backup Domain controller 192.168.10.7
Gateway for Host's: every host has the gateway set to its own vlan.
I set four VLAN's on all switches with those IP's
Switch 1 (Main)
VLAN10 192.168.10.1
VLAN20 192.168.20.1
VLAN30 192.168.30.1
VLAN40 192.168.40.1
Switch 2
VLAN10 192.168.10.2
VLAN20 192.168.20.2
VLAN30 192.168.30.2
VLAN40 192.168.40.2
Switch 3
VLAN10 192.168.10.3
VLAN20 192.168.20.3
VLAN30 192.168.30.3
VLAN40 192.168.40.3
Switch 4
VLAN10 192.168.10.25
VLAN20 192.168.20.25
VLAN30 192.168.30.25
VLAN40 192.168.40.25
All my 6 servers are connected to switch 1 (Main)on vlan10. On two of my servers I Installed Kerio WinRoute Firewall, the first to access the Internet and the other to access a Remote LAN through a Modem HDSL.
Internet Server has the network interface with IP 192.168.10.4
Server to access the remote LAN has the network interface with IP 192.168.10.11.
On my switch 1 (Main) I created the following static route:
0.0.0.0/24 192.168.10.4
10.0.0.0 / 8 192.168.10.11
I enabled the IP routing on all the switches, I assigned the gateway to the hosts for their own VLAN, but I'm not able to ping server's with Kerio winroute firewall installed. (192.168.10.4 and 192.168.10.11) by vlan20, 30.40.
What's wrong? Do you have any other suggestions to complete this VLAN routing?
Any kind of suggestion will be appreciated.
roberto
3 REPLIES 3
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО01-18-2009 01:32 PM
тАО01-18-2009 01:32 PM
Re: Firewall problems
Hi Robert,
Your setup looks kind of strang. I don't know how these switches are connected (together), but your setup would have for example 4 default gateways for VLAN 10. You really don't want to do that.
Recommendation: Dedicate one switch do do the routing for you (a 53xx). Let's assume your are going to do that on switch 1. The address x.x.x.1 will be the default gateway for everyone meaning, even clients connected to switch 3 will use x.x.x.1 as their default gateway, not x.x.x.3. You can keep the IP addresses on the switch but they would only be used for network management to access the device. The only switch that needs routing turn on is switch 1. The link connecting the other switches to switch on has to be a "tagged" link. You would tagg VLAN 10,20,30,40 on that link and untagged to the user ports. #2: I would not put the Kerio firewall on the same logical network. Create a VLAN 100 with IP addess 192.168.100.x. Use 192.168.100.1 for switch 1 and 192.168.100.2 for the firewall. Then add a static route (default): ip route 0.0.0.0 0.0.0.0 192.168.100.2 on switch 1. This way, the switch will do all the local routing between the VLANs and not the Firewall. Now for the remote network. I can't tell who is doning the routing for the remote network. What address space do you have for that? Is the HDSL modem connected to the Internet and do you have a VPN to accomplish connectivity?
Your setup looks kind of strang. I don't know how these switches are connected (together), but your setup would have for example 4 default gateways for VLAN 10. You really don't want to do that.
Recommendation: Dedicate one switch do do the routing for you (a 53xx). Let's assume your are going to do that on switch 1. The address x.x.x.1 will be the default gateway for everyone meaning, even clients connected to switch 3 will use x.x.x.1 as their default gateway, not x.x.x.3. You can keep the IP addresses on the switch but they would only be used for network management to access the device. The only switch that needs routing turn on is switch 1. The link connecting the other switches to switch on has to be a "tagged" link. You would tagg VLAN 10,20,30,40 on that link and untagged to the user ports. #2: I would not put the Kerio firewall on the same logical network. Create a VLAN 100 with IP addess 192.168.100.x. Use 192.168.100.1 for switch 1 and 192.168.100.2 for the firewall. Then add a static route (default): ip route 0.0.0.0 0.0.0.0 192.168.100.2 on switch 1. This way, the switch will do all the local routing between the VLANs and not the Firewall. Now for the remote network. I can't tell who is doning the routing for the remote network. What address space do you have for that? Is the HDSL modem connected to the Internet and do you have a VPN to accomplish connectivity?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО01-18-2009 10:41 PM
тАО01-18-2009 10:41 PM
Re: Firewall problems
Thanks Olaf,
at the moment I have only vlan10. On my network, switch1 (192.168.10.1) is the router and has static route to the internet firewall, 0.0.0.0/24 192.168.10.4(nic of firewall),the firewall has a HDSL modem connected on the second nic.The second static route 10.0.0.0/8 192.168.10.11(nic of firewall) is for remote lan with modem HDSL on second nic. All host's have their default gateway the switch1 (192.16.10.1).All servers are connected to switch1 on vlan10. The other addresses on switches are only for connection managment.
Everythings works fine up to now.
I would like to make more vlan's, each switch should have its own vlan. Here my probem: I have ip routing enable on all switches, I set for each vlan an ip address:
vlan20 192.168.20.2 on switch2
vlan30 192.168.30.3 on switch3
vlan40 192.168.40.4 on switch4
Now I set default gateway for host's on vlan20 192.168.20.2; for vlan30 192.168.30.3; vlan40 192.168.40.4 and left on host's, servers 192.168.10.1(switch1).
Is it right this config?
(I tried this config but I cannot ping servers with kerio installed).
Thanks Roberto.
at the moment I have only vlan10. On my network, switch1 (192.168.10.1) is the router and has static route to the internet firewall, 0.0.0.0/24 192.168.10.4(nic of firewall),the firewall has a HDSL modem connected on the second nic.The second static route 10.0.0.0/8 192.168.10.11(nic of firewall) is for remote lan with modem HDSL on second nic. All host's have their default gateway the switch1 (192.16.10.1).All servers are connected to switch1 on vlan10. The other addresses on switches are only for connection managment.
Everythings works fine up to now.
I would like to make more vlan's, each switch should have its own vlan. Here my probem: I have ip routing enable on all switches, I set for each vlan an ip address:
vlan20 192.168.20.2 on switch2
vlan30 192.168.30.3 on switch3
vlan40 192.168.40.4 on switch4
Now I set default gateway for host's on vlan20 192.168.20.2; for vlan30 192.168.30.3; vlan40 192.168.40.4 and left on host's, servers 192.168.10.1(switch1).
Is it right this config?
(I tried this config but I cannot ping servers with kerio installed).
Thanks Roberto.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО01-19-2009 05:02 AM
тАО01-19-2009 05:02 AM
Re: Firewall problems
as Olaf said, you only need one switch to do the routing.
so for this routing example config only switch-1 is important.
on the respective vlans switch-1 (x.x.x.1) must be configured as default gateway.
vlan20 ->gateway 192.168.20.1
vlan30 ->gateway 192.168.30.1
vlan40 ->gateway 192.168.40.1
switch-1 knows all the subnets used on your local lan and external networks.
so it is able to do all the routing.
for troubleshooting of your connectivity problem ip-adresses of switches 2-4 are not important the are not used for routing (layer-3).
these switches only need to pass vlan's (at layer-2) to switch-1.
so only switch-1 needs to know about all vlan's.
enabling ip routing is not neccessary on these switches.
as the kerio-firewall has "firewall" in it's name, you may need to enable response to ping from other (non-local) subnets.
most likely the kerio firewall to the internet has an external router as it's default gateway, so you need to configure static route back for other local subnets 192.168.20.0 ->gateway 192.168.10.1
192.168.30.0 ->gateway 192.168.10.1
192.168.40.0 ->gateway 192.168.10.1
else response to ping is sent to the internet instead of back to the local interface.
probably the same goes for the other remote lan.
==========================
if you really want to let each local switch route it's own vlan, then you need other static routes back
on the respective vlans switch-x (x.x.x.1) must be configured as default gateway.
hosts in vlan20 ->gateway 192.168.20.2
hosts in vlan30 ->gateway 192.168.30.3
hosts in vlan40 ->gateway 192.168.40.4
on each switch(2-4) a static route 0.0.0.0 to 192.168.10.1
on switch-1 a route 0.0.0.0 to the kerio firewall for internet access
and on the kerio firewall
192.168.20.0 ->gateway 192.168.10.2
192.168.30.0 ->gateway 192.168.10.3
192.168.40.0 ->gateway 192.168.10.4
other ip-adresses of the switches are not used.
maybe attached document helps
Pieter
so for this routing example config only switch-1 is important.
on the respective vlans switch-1 (x.x.x.1) must be configured as default gateway.
vlan20 ->gateway 192.168.20.1
vlan30 ->gateway 192.168.30.1
vlan40 ->gateway 192.168.40.1
switch-1 knows all the subnets used on your local lan and external networks.
so it is able to do all the routing.
for troubleshooting of your connectivity problem ip-adresses of switches 2-4 are not important the are not used for routing (layer-3).
these switches only need to pass vlan's (at layer-2) to switch-1.
so only switch-1 needs to know about all vlan's.
enabling ip routing is not neccessary on these switches.
as the kerio-firewall has "firewall" in it's name, you may need to enable response to ping from other (non-local) subnets.
most likely the kerio firewall to the internet has an external router as it's default gateway, so you need to configure static route back for other local subnets 192.168.20.0 ->gateway 192.168.10.1
192.168.30.0 ->gateway 192.168.10.1
192.168.40.0 ->gateway 192.168.10.1
else response to ping is sent to the internet instead of back to the local interface.
probably the same goes for the other remote lan.
==========================
if you really want to let each local switch route it's own vlan, then you need other static routes back
on the respective vlans switch-x (x.x.x.1) must be configured as default gateway.
hosts in vlan20 ->gateway 192.168.20.2
hosts in vlan30 ->gateway 192.168.30.3
hosts in vlan40 ->gateway 192.168.40.4
on each switch(2-4) a static route 0.0.0.0 to 192.168.10.1
on switch-1 a route 0.0.0.0 to the kerio firewall for internet access
and on the kerio firewall
192.168.20.0 ->gateway 192.168.10.2
192.168.30.0 ->gateway 192.168.10.3
192.168.40.0 ->gateway 192.168.10.4
other ip-adresses of the switches are not used.
maybe attached document helps
Pieter
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.
News and Events
Support
© Copyright 2024 Hewlett Packard Enterprise Development LP