
Routing with MPLS

Hi,

I have two networks: 192.168.100.0/24 and 192.168.101.0/24.

The networks are connected through an MPLS route.

The internal IP for the XG is 192.168.100.1

The MPLS-IP is 192.168.100.254

I did set up a Firewall policy.

Source Zone: LAN

Source Network: Any

Source Services: Any

Destination Zone: LAN

Destination Networks: 192.168.101.0/24

And rewrite Source Address with the global policy MASQ.

So far I can access everything in 192.168.101.0/24 from 192.168.100.0/24.

I did set up another policy where source and destination are switched compared to the first policy.

But I can't get from 192.168.101.0/24 to 192.168.100.0/24. The traceroute shows that the packets get to the firewall and are then stopped.

What has to be done to get both networks to communicate with each other?

Do I have to add a reroute or something like that?

Best Regards

Benjamin

  • Benjamin,

    make sure your MPLS network knows the 192.168.100.0/24 network with a static route. You should add a static route on the XG to inform it that network 192.168.101.0/24 exists.
    Make sure to create a network rule from LAN to LAN where source is 192.168.101.0/24 to 192.168.100.0/24.

    Luk
  • Hi Luk,

    thank you for your answer.
    I can't configure the MPLS as this was done by the network group of the building.

    I did set up the route on the firewall and I can ping from Network A to Network B. I did also create the network rule as in your answer.

    The traceroute from Network B to Network A shows the following hops.

    1. 192.168.101.1 (the gateway in Network B)
    2. some transport net for the MPLS
    3. 192.168.100.254 (the IP of the MPLS router in network A)

    Then it stops.
    But I can ping the firewall in network A. And I can access the Internet from Network B through the firewall in Network A.

    So it has to be a problem with the network rule but I can't figure out what is missing. If the route on the MPLS to network A were missing then I shouldn't be able to ping the firewall, or am I wrong?

    Regards
    Benjamin
  • Hi Luk,

    I can't configure the MPLS network as this was set up by the network management group of the building.
    I did configure a static route from network A to network B on the firewall and also the network rule.

    I can reach everything from network A to network B. Only the other way makes problems.

    If I do a traceroute from network B to network A I get the following output.

    1. 192.168.101.1 (the gateway in network B)
    2. some transport route of the MPLS
    3. 192.168.100.254 (the IP of the MPLS in network A)
    4. 192.168.100.1 (the internal IP of the firewall)
    then it stops.

    But I can ping from network B the firewall in network A (192.168.100.1)
    I can also reach the internet from network B through the firewall in network A
    So imho it must be a problem with the network rule but I can't figure out what is missing.

    If the static route on the MPLS to 192.168.100.0/24 were missing then I wouldn't be able to ping the firewall. Correct, or am I missing something there?

    Best Regards
    Benjamin
  • Thanks for your additional info.
    Anyway you only need a network rule that allows traffic from 192.168.101.0/24 to 192.168.100.0/24.

    What does the Security Policy log say?

    Luk
  • Hi Luk,

    I do see a lot of these

    2016-02-05 11:31:39 IP Spoof Denied - 0 - -
    And some of these

    2016-02-05 11:31:39 Local ACL Denied - 0 PortA1 -

    Nothing else.

    Regards
    Benjamin
  • Hi Luk,

    thanks again for your help.
    I did figure it out. A bit :)

    I had to change the User application policy.
    But I still have the problem that I can't connect to all IP's.

    I can ping or access from 192.168.101.0/24 only devices that are joined to the domain. All non-domain devices like switches, access points or the NAS aren't available.

    Very strange.

    Regards
    Benjamin
  • Benjamin,

    This does not make sense. I will try to simulate multiple networks and let you know.

    Spk u on Monday.

    Luk

  • This looks like an old post, but I think I know what's going on.

    Let's say you have a host at the site with the network 192.168.100.0/24; we'll call that site, "Site 1" and the host at that site, "Host 1".  And you have a host at the site with the network 192.168.101.0/24; we'll call that site, "Site 2" and the host there, "Host 2".

    Now, I'm making a few assumptions.  First is that there is only 1 firewall, which is at "Site 1".  Second, that at "Site 1" you are using the firewall as the default gateway and you are using the MPLS router at "Site 2" as the default gateway there.  I'm also assuming that the MPLS router at "Site 2" has the IP address 192.168.101.254.

    So, this is what is happening when "Host 1" pings "Host 2", which should work:

    "Host 1" sends packets to the firewall (192.168.100.1) which routes it to the MPLS router (192.168.100.254), which sends it over the MPLS network to "Site 2".  The router at "Site 2" sends packets to "Host 2".  "Host 2" replies and sends packets back to the MPLS router (192.168.101.254) which sends it back across the MPLS network to the "Site 1" MPLS router (192.168.100.254).  The MPLS router sends traffic back DIRECTLY to "Host 1" without sending it back through the firewall.  So this should work because the firewall is seeing outbound traffic from "Host 1" to "Host 2".  Although, it's not seeing reply traffic from "Host 2" to "Host 1".


    The problem comes from when "Host 2" tries to get to "Host 1":

    "Host 2" sends packets to the "Site 2" MPLS router (192.168.101.254), which sends it across the MPLS network to the "Site 1" MPLS router (192.168.100.254).  The "Site 1" MPLS router sends traffic DIRECTLY to "Host 1", WITHOUT sending it to the firewall first.  "Host 1" replies, but since its default gateway is the firewall, it sends it there.  Because the first half of the communication went directly from the MPLS router (192.168.100.254) to "Host 1" without going to the firewall, the firewall is only seeing the second half of the conversation between "Host 1" and "Host 2".  The second half of the conversation that the firewall does see (the reply) is dropped because it thinks it doesn't make sense that there is a reply for something that doesn't have an initial request.  So basically, even if you have a rule in the firewall allowing communication between the "Site 1" and "Site 2" networks, there is still deep-level packet inspection going on.


    There are a few ways to fix this:

    1) Add an advanced rule to the firewall to NOT do packet level inspection from "Site 1" and "Site 2".  To do this go to the console for the firewall and add the following command:

    set advanced-firewall bypass-stateful-firewall-config add source_network 192.168.100.0 source_netmask 255.255.255.0 dest_network 192.168.101.0 dest_netmask 255.255.255.0

    or

    2) Add a static route on "Host 1" to point traffic destined to "Site 2" to use the MPLS router as the default gateway.  Assuming that "Host 1" is a Windows box, you could issue this command:

    route add 192.168.101.0 mask 255.255.255.0 192.168.100.254 /p

    or

    3) Other option, which I'm looking into, is to have all traffic that would go on the MPLS network go through the firewall first and in both directions.  This is probably the most secure configuration, but it's more complicated to set up.


    Hope this makes sense.

    -mark
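The asymmetric-routing failure mark describes above, as an added toy simulation that is not part of this thread and is not Sophos code. It models each device's next-hop decision and a stateful firewall that forwards a non-initial packet only if it saw the flow open. The addresses 192.168.100.1, 192.168.100.254 and 192.168.101.254 come from the thread; the host addresses 192.168.100.10 and 192.168.101.10 are constructed, and the "bypass" and Windows-style host route are modelled abstractly from mark's descriptions of options 1 and 2, not from the actual XG or Windows implementations.

```python
import ipaddress
from dataclasses import dataclass

# Networks and gateways from the thread; HOST1/HOST2 are constructed for the example.
SITE1 = ipaddress.ip_network("192.168.100.0/24")
SITE2 = ipaddress.ip_network("192.168.101.0/24")
FIREWALL = "192.168.100.1"      # XG internal IP, default gateway at Site 1
MPLS1 = "192.168.100.254"       # MPLS router at Site 1
MPLS2 = "192.168.101.254"       # MPLS router at Site 2 (assumed in the post)
HOST1 = "192.168.100.10"        # constructed
HOST2 = "192.168.101.10"        # constructed


def net_of(ip):
    return SITE1 if ipaddress.ip_address(ip) in SITE1 else SITE2


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    syn: bool   # True only for the packet that opens a flow


class StatefulFirewall:
    """A policy may permit LAN->LAN, but a non-initial packet is forwarded only
    if the firewall saw the flow open. A reply with no matching state is dropped."""

    def __init__(self, bypass_pairs=()):
        self.flows = set()                 # (src, dst) of flows opened through us
        self.bypass = set(bypass_pairs)    # (net, net) pairs with stateful checks disabled
        self.decisions = []                # (src, dst, verdict) for each packet seen

    def forward(self, pkt):
        pair = (net_of(pkt.src), net_of(pkt.dst))
        if pair in self.bypass or pair[::-1] in self.bypass:
            verdict = "bypass"             # option 1: stateful inspection switched off
        elif pkt.syn:
            self.flows.add((pkt.src, pkt.dst))
            verdict = "new"
        elif (pkt.src, pkt.dst) in self.flows or (pkt.dst, pkt.src) in self.flows:
            verdict = "established"
        else:
            verdict = "drop-invalid"       # reply to a request the firewall never saw
        self.decisions.append((pkt.src, pkt.dst, verdict))
        return verdict != "drop-invalid"


# Gateway each node uses for the other site; Host 1 is handled separately.
OFF_LINK_GATEWAY = {HOST2: MPLS2, FIREWALL: MPLS1, MPLS1: MPLS2, MPLS2: MPLS1}


def next_hop(node, dst, host1_routes):
    if net_of(dst) == net_of(node):
        return dst                                     # same subnet: deliver directly
    if node == HOST1:
        return host1_routes.get(net_of(dst), FIREWALL) # option 2 adds a route here
    return OFF_LINK_GATEWAY[node]


def send(pkt, fw, host1_routes=None):
    """Walk the packet hop by hop; return (path, delivered)."""
    host1_routes = host1_routes or {}
    node, path = pkt.src, []
    while node != pkt.dst:
        node = next_hop(node, pkt.dst, host1_routes)
        path.append(node)
        if node == FIREWALL and not fw.forward(pkt):
            return path, False
    return path, True


def exchange(a, b, fw, host1_routes=None):
    """a opens a flow to b and b replies; return (request_ok, reply_ok)."""
    _, req_ok = send(Packet(a, b, syn=True), fw, host1_routes)
    if not req_ok:
        return False, False
    _, rep_ok = send(Packet(b, a, syn=False), fw, host1_routes)
    return True, rep_ok


if __name__ == "__main__":
    print("Host1 -> Host2:", exchange(HOST1, HOST2, StatefulFirewall()))
    print("Host2 -> Host1:", exchange(HOST2, HOST1, StatefulFirewall()))
    print("Host2 -> Host1, bypass:", exchange(HOST2, HOST1, StatefulFirewall([(SITE1, SITE2)])))
    print("Host2 -> Host1, host route:", exchange(HOST2, HOST1, StatefulFirewall(), {SITE2: MPLS1}))
```

The second scenario reproduces the thread's symptom: the request reaches Host 1 without touching the firewall, and Host 1's reply arrives at the firewall as an "established"-looking packet with no state behind it, so it is dropped even though the LAN-to-LAN rule permits it. The bypass and host-route variants show why mark's options 1 and 2 each make the exchange complete, by different means: one stops checking state, the other keeps both directions off the firewall.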