topic Re: Routing between subnets in General Topics

Routing between subnets

JJezek — Tue, 13 Feb 2024 11:58:56 GMT

Hi,

can you help me. I can't set up routing between 2 separate site interfaces.

I have office lan 10.0.0.138/24 on LAN1:10.0.0.138
and CMS lan 198.19.133.80 on LAN4: 198.19.133.82 (198.19.133.81 is a T-mobile modem). I cannot reach the T-mobile IP (198.19.133.81) from the office network. I set the object group and put them in the policy, But the communication does not work. ping to the IP address of the modem only works with FW checkpoint. I am attaching a picture for clarification.

BR Jaroslav

Re: Routing between subnets

Lesley — Tue, 13 Feb 2024 14:55:19 GMT

I think t-mobile modem does not know how to route 10.0.0.0/24 back to the CP.

What does tcpdump -nni LAN4 host 198.19.133.81 , show when you send traffic from the LAN?

Re: Routing between subnets

Chris_Atkinson — Tue, 13 Feb 2024 15:04:29 GMT

How is any NAT configured / defined in the existing setup and which appliance firmware version/build?

Re: Routing between subnets

the_rock — Tue, 13 Feb 2024 15:45:02 GMT

Did you do any captures/debugs to see whats happening with the traffic?

Andy

Re: Routing between subnets

JJezek — Wed, 14 Feb 2024 08:25:07 GMT

Hi Lesley, Thank you for your response.

I tried setting up monitoring. There is a syntax error. I spoke with the technician who was setting up the T-mobile router. He told me that on CP I should have S-NAT for office lan 10.0.0.0/24 to IP address 198.19.133.82 (LAN4 port) when requesting communication to CMS 10.240.0.0/12. CMS 10.240.0.0/12 is a closed network that is only reachable from the 198.19.133.80/29 network.

I am afraid that it will be necessary to turn off the default hidden NAT on CP.

The CPS network is reachable now only from CP from tool.

BR Jaroslav

Re: Routing between subnets

JJezek — Wed, 14 Feb 2024 08:33:15 GMT

Hi Chris,

The natu configuration is the default. A hidden nat that masks the office to one WAN. That can be ten problems. I need to mask part of the traffic from the office LAN behind an IP from the range 198.19.133.80/29, i.e. for IP LAN4 198.19.133.82 ? This is what the Tmobile technician told me and the second thing is to set the route. 10.240.0.0/12 next hop 198.19.133.81.

BR Jaroslav

Re: Routing between subnets

JJezek — Wed, 14 Feb 2024 12:50:50 GMT

applance is box 1550

Version:

R81.10.08

Re: Routing between subnets

JJezek — Wed, 14 Feb 2024 13:12:01 GMT

HI Andy,

I only have one log where I try to ping IP 10.250.142.198 to the CMS subnet for testing. I would need the office LAN 10.0.0./24 in this case the IP from the server 10.0.0.250 to be masked behind the IP from the range 198.19.133.80/29. This is enforced by CMS as a condition.

Re: Routing between subnets

JJezek — Wed, 14 Feb 2024 13:13:14 GMT

LOG:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on LAN4, link-type EN10MB (Ethernet), capture size 262144 bytes
STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.e4:77:27:1b:ec:7c.8001, length 43
IP 10.0.0.251 > 10.250.142.198: ICMP echo request, id 1, seq 20916, length 40
STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.e4:77:27:1b:ec:7c.8001, length 43
STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.e4:77:27:1b:ec:7c.8001, length 43
STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.e4:77:27:1b:ec:7c.8001, length 43
IP 10.0.0.251 > 10.250.142.198: ICMP echo request, id 1, seq 20917, length 40
ARP, Request who-has 198.19.133.81 tell 198.19.133.82, length 28
ARP, Reply 198.19.133.81 is-at e4:77:27:1b:ec:7c, length 46
STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.e4:77:27:1b:ec:7c.8001, length 43
STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.e4:77:27:1b:ec:7c.8001, length 43
IP 10.0.0.251 > 10.250.142.198: ICMP echo request, id 1, seq 20918, length 40
STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.e4:77:27:1b:ec:7c.8001, length 43
STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.e4:77:27:1b:ec:7c.8001, length 43
STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.e4:77:27:1b:ec:7c.8001, length 43
IP 10.0.0.251 > 10.250.142.198: ICMP echo request, id 1, seq 20919, length 40
STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.e4:77:27:1b:ec:7c.8001, length 43
STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.e4:77:27:1b:ec:7c.8001, length 43
IP 10.0.0.251 > 10.250.142.198: ICMP echo request, id 1, seq 20920, length 40
STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.e4:77:27:1b:ec:7c.8001, length 43
STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.e4:77:27:1b:ec:7c.8001, length 43
STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.e4:77:27:1b:ec:7c.8001, length 43

Re: Routing between subnets

JJezek — Mon, 19 Feb 2024 10:33:07 GMT

SOLVED by source NAT

Re: Routing between subnets

the_rock — Mon, 19 Feb 2024 14:44:06 GMT

Good job!

Best,

Andy