
Strange behavior: XG forwarding to internal LAN second router

I have a new XG and don't get it working with an additional router and the networks behind it.

Let me explain.

XG210 (SFOS 17.0.5 MR-5)

Firewall Port 1 (LAN): 192.168.45.254 (VLAN 1)

There is a Layer 3 switch on the network (X620 Extreme) with LAN IP 192.168.45.1.

On this switch various VLANs are defined, like:

VLAN 99: IP 192.168.44.254

The switch has a default route to 192.168.45.254; inter-VLAN routing is active.

The XG has static routes to all networks behind the switch, with the switch's VLAN 1 IP as gateway: 192.168.45.1

The XG has in position 1 a rule that is: LAN to LAN any/any allow

Now comes the problem:

A client with IP 192.168.44.10 can ping the Internet (8.8.8.8), can ping its own gateway 192.168.44.254, and (!!) can ping the LAN gateway of Port 1, 192.168.45.254.

But it cannot ping or reach any other system in the 192.168.45.0/24 network.

The packet capture for the returning traffic from the target back to the original location says: "Violation Invalid Traffic"

In a Wireshark capture on the ping target I can see that the traffic arrives and goes back to the firewall.

It looks like the firewall engine of the XG sees the traffic incoming on Port 1 but does not forward it back via Port 1 with the static rule.

Now another curious thing: the other way works. I can reach from any device in the LAN 192.168.45.X/24 a system in the 192.168.44.X/24 network.

Can anyone help me with this problem?

Attachments (images not preserved): Network Schema; Packet Capture Error; Static Routes; Rule 1

  • That I cannot ping is only an example.

    I also cannot reach a host in the 192.168.45.X network with any other service from the 192.168.44.X network.

    It's not a problem related only to ICMP.

    Look at my picture: there was an LDAP question on port 389 from 192.168.44.10 to 192.168.45.100 that was blocked by the firewall.

  • Christian,

    you can use tcpdump even for other services. Starting from ICMP is easier.

    Also use drop-packet-capture "host x.x.x.x" from the XG console to understand the reason why traffic is blocked.

    Post logs.

  • The problem itself is clear to me.

    Packets are coming from the 192.168.44.0 network and will be forwarded to the target without passing the firewall.

    The networks are all directly connected on the switch, and the switch will forward the packets to the host in my 192.168.45.X network.

    But the way back for this packet will go over the XG, because the target has only the XG as a gateway and will route all packets to it...

    That's why the XG only sees the packets coming back, without the original traffic.

    But with my static route in the XG this problem should be solved... :-( ... but it doesn't work.

    I think the XG drops these packets because no original traffic passed through it...

    Is there a way to let the XG work as a stupid router???

  • Here is the window when I ping from 192.168.44.10 to 192.168.45.101 (screenshot not preserved).

    I only see invalid traffic... Denied...

  • You are experiencing asymmetric routing. Try to disable connection tracking and inspection by using the following commands:

    set advanced-firewall bypass-stateful-firewall-config add source_network x.x.x.x source_netmask 255.255.255.0 dest_network y.y.y.y dest_netmask 255.255.255.0

    set advanced-firewall bypass-stateful-firewall-config add source_network y.y.y.y source_netmask 255.255.255.0 dest_network x.x.x.x dest_netmask 255.255.255.0

    Regards
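    The mechanism described in the earlier reply (the XG sees only the reply leg of a flow, because the L3 switch delivers the request directly) and the effect of the stateful bypass from this answer, as an added toy model: this is not code from the thread and not Sophos code, the connection tracker is a deliberate simplification of what a stateful firewall does rather than SFOS internals, the addresses are the ones from the thread, and 192.168.45.101 is the poster's ping target.

```python
# Added illustration, not from the thread and not Sophos code: a minimal
# connection tracker that shows why a reply packet with no matching forward
# leg is reported as invalid, and what a per-network-pair stateful bypass
# changes. The addresses are the ones used in the thread.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "icmp" or "tcp"
    sport: int = 0        # 0 for ICMP (no ports)
    dport: int = 0
    is_reply: bool = False  # echo reply / SYN-ACK: only valid if state exists


class StatefulFirewall:
    """Toy tracker: a reply is accepted only if the forward leg passed through us."""

    def __init__(self):
        self.conntrack = set()  # keys of flows whose first packet we forwarded
        self.bypass = []        # (src_net, dst_net) pairs exempt from tracking

    def add_bypass(self, src_net, dst_net):
        # Models one "bypass-stateful-firewall-config add" entry (one direction).
        self.bypass.append((ipaddress.ip_network(src_net),
                            ipaddress.ip_network(dst_net)))

    def _bypassed(self, pkt):
        s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        return any(s in sn and d in dn for sn, dn in self.bypass)

    def process(self, pkt):
        if self._bypassed(pkt):
            return "forward:bypass"  # routed statelessly, no conntrack lookup
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.is_reply:
            # Reply with no known forward leg: the "Invalid Traffic" verdict.
            return "forward:established" if rev in self.conntrack else "drop:invalid"
        self.conntrack.add(fwd)
        return "forward:new"


def simulate(with_bypass: bool):
    """Replay the thread's two test cases and return the verdict for each packet
    the XG actually sees. The L3 switch delivers directly connected traffic
    itself, so the XG never sees the echo request from the VLAN 99 client."""
    fw = StatefulFirewall()
    if with_bypass:
        fw.add_bypass("192.168.44.0/24", "192.168.45.0/24")
        fw.add_bypass("192.168.45.0/24", "192.168.44.0/24")
    # Case 1: 192.168.44.10 -> 192.168.45.101. The request goes client -> switch
    # -> target without touching the XG; the reply goes target -> XG (its only
    # gateway). The XG therefore sees a reply for a flow it never tracked.
    reply = Packet("192.168.45.101", "192.168.44.10", "icmp", is_reply=True)
    case1 = fw.process(reply)
    # Case 2: 192.168.45.101 -> 192.168.44.10. The request goes host -> XG ->
    # static route -> switch, so the XG sees a new flow and forwards it. The
    # reply goes client -> switch -> host directly, so ping works regardless.
    request = Packet("192.168.45.101", "192.168.44.10", "icmp")
    case2 = fw.process(request)
    return {"44_to_45_reply_seen_by_xg": case1,
            "45_to_44_request_seen_by_xg": case2}


if __name__ == "__main__":
    for bypass in (False, True):
        print(f"bypass={bypass}:", simulate(bypass))
```

    The two bypass entries turn off connection tracking, and with it stateful inspection, for all traffic between the two networks in both directions, so the rule set for that pair is effectively stateless. Keep the networks as narrow as the asymmetric path actually requires, and where the topology allows, making the path symmetric (so the XG sees both legs of every flow) avoids the need for a bypass at all.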

  • PERFECT!! Many thanks, that was the solution...