Routing with MPLS

Question

Hi, 
 I have two Networks. 192.168.100.0/24 and 192.168.101.0/24 
 The Networks are connected through a MPLS route. 
 The internal IP for the XG is 192.168.100.1 
 The MPLS-IP is 192.168.100.254 
 I did set up a Firewall policy. 
 Source Zone: LAN 
 Source Network: Any 
 Source Services: Any 
 Destination Zone: LAN 
 Destination Networks: 192.168.101.0/24 
 And rewrite Source Adress with the global policy MASQ. 
 So far I can Access everthing in 192.168.101.0/24 from 192.168.100.0/24 
 I did set up another policy where source and Destination is switched to the first policy. 
 But I can't get from 192.168.101.0/24 to 192.168.100.0/24. The trace route Shows that the package get to the Firewall and is then stopped. 
 What has to be done to get both Networks communicate with each other. 
 Do I have to add a reroute or something like that ? 
 Best Regards 
 Benjamin

IT Department · Accepted Answer

This looks like an old post, but I think I know what's going on. 
 Let's say you have a host at the site with the network 192.168.100.0/24; we'll call that site, "Site 1" and the host at that site, "Host 1". And you have a host at the site with the network 192.168.101.0/24; we'll call that site, "Site 2" and the host there, "Host 2". 
 Now, I'm making a few assumptions. First is that there is only 1 firewall, which is at "Site 1". Second, that at "Site 1" you are using the firewall as the default gateway and you are using the MPLS router at "Site 2" as the default gateway there. I'm also assuming that the MPLS router at "Site 2" has the IP address 192.168.101.254. 
 So, this is what is happening when "Host 1" pings "Host 2", which should work: 
 "Host 1" send packets to the firewall (192.168.100.1) which routes it to the MPLS router (192.168.100.254), which sends it over the MPLS network to "Site 2". The router at "Site 2" sends packets to "Host 2". "Host 2" replies and send packets back to the MPLS router (192.168.101.254) which sends it back across the MPLS network to the "Site 1" MPLS router (192.168.100.254). The MPLS router sends traffic back DIRECTY to "Host 1" without sending it back through the firewall. So this should work because the firewall is seeing outbound traffic from "Host 1" to "Host 2". Although, it's not seeing reply traffic from "Host 2" to "Host 1". 
 
 The problem comes from when "Host 2" tries to get to "Host 1": 
 "Host 2" sends packets to the "Site 2" MPLS router (192.168.101.254), which sends it across the MPLS network to the "Site 1" MPLS router (192.168.100.254). The "Site 1" MPLS router sends traffic DIRECTLY to "Host 1", WITHOUT sending it to the firewall first. "Host 1" replies, but since it's default gateway is the firewall, it sends it there. Because the first half of the communication went directly from the MPLS router (192.168.100.254) to "Host 1" without going to the firewall, the firewall is only seeing the second half the conversation between "Host 1" and "Host 2". The second half of the conversation that the firewall does see (the reply) is dropped because it thinks it doesn't make sense that there is a reply for something that doesn't have an initial request. So basically, even if you have a rule in the firewall allowing communication between the "Site 1" and "Site 2" networks, there is still deep-level packet inspection going on. 
 
 There are a few ways to fix this: 
 1) Add an advanced rule to the firewall to NOT do packet level inspection from "Site 1" and "Site 2". To do this go to the console for the firewall and add the following command: 
 set advanced-firewall bypass-stateful-firewall-config add source_network 192.168.100.0 source_netmask 255.255.255.0 dest_network 192.168.101.0 dest_netmask 255.255.255.0 
 or 
 2) Add a static route on "Host 1" to point traffic destined to "Site 2" to use the MPLS router as the default gateway. Assuming that "Host 1" is a Windows box, you could issue this command: 
 route add 192.168.101.0 mask 255.255.255.0 192.168.100.254 /p 
 or 
 3) Other option, which I'm looking into, is to have all traffic that would go on the MPLS network go through the firewall first and in both directions. This is probably the most secure configuration, but it's more complicated to setup. 
 
 Hope this makes sense. 
 -mark

lferrara · Answer

Benjamin, 
 
make sure your MPLS network knows the 192.168.100.0/24 with a static route. You should add static route on XG to inform it that network 192.168.101.0/24 exists. 
Make sure to create a network rule from LAN to LAN where source is 192.168.101.0/24 to 192.168.100.0/24. 
 
Luk