Routing with MPLS

Hi,

I have two networks: 192.168.100.0/24 and 192.168.101.0/24.

The networks are connected through an MPLS route.

The internal IP for the XG is 192.168.100.1

The MPLS-IP is 192.168.100.254

I did set up a Firewall policy.

Source Zone: LAN

Source Network: Any

Source Services: Any

Destination Zone: LAN

Destination Networks: 192.168.101.0/24

And rewrite the source address with the global policy MASQ.

So far I can access everything in 192.168.101.0/24 from 192.168.100.0/24.

I did set up another policy where source and destination are switched compared to the first policy.

But I can't get from 192.168.101.0/24 to 192.168.100.0/24. The traceroute shows that the packets get to the firewall and are then stopped.

What has to be done to get both networks to communicate with each other?

Do I have to add a reroute or something like that?

Best Regards

Benjamin



  • This looks like an old post, but I think I know what's going on.

    Let's say you have a host at the site with the network 192.168.100.0/24; we'll call that site, "Site 1" and the host at that site, "Host 1".  And you have a host at the site with the network 192.168.101.0/24; we'll call that site, "Site 2" and the host there, "Host 2".

    Now, I'm making a few assumptions.  First is that there is only 1 firewall, which is at "Site 1".  Second, that at "Site 1" you are using the firewall as the default gateway and you are using the MPLS router at "Site 2" as the default gateway there.  I'm also assuming that the MPLS router at "Site 2" has the IP address 192.168.101.254.

    So, this is what is happening when "Host 1" pings "Host 2", which should work:

    "Host 1" sends packets to the firewall (192.168.100.1), which routes them to the MPLS router (192.168.100.254), which sends them over the MPLS network to "Site 2".  The router at "Site 2" sends the packets to "Host 2".  "Host 2" replies and sends packets back to the MPLS router (192.168.101.254), which sends them back across the MPLS network to the "Site 1" MPLS router (192.168.100.254).  The MPLS router sends the traffic back DIRECTLY to "Host 1" without sending it back through the firewall.  So this should work, because the firewall is seeing outbound traffic from "Host 1" to "Host 2".  However, it's not seeing reply traffic from "Host 2" to "Host 1".

     

    The problem comes from when "Host 2" tries to get to "Host 1":

    "Host 2" sends packets to the "Site 2" MPLS router (192.168.101.254), which sends them across the MPLS network to the "Site 1" MPLS router (192.168.100.254).  The "Site 1" MPLS router sends the traffic DIRECTLY to "Host 1", WITHOUT sending it to the firewall first.  "Host 1" replies, but since its default gateway is the firewall, it sends the reply there.  Because the first half of the communication went directly from the MPLS router (192.168.100.254) to "Host 1" without going to the firewall, the firewall is only seeing the second half of the conversation between "Host 1" and "Host 2".  The second half of the conversation that the firewall does see (the reply) is dropped, because it thinks it doesn't make sense that there is a reply for something that doesn't have an initial request.  So basically, even if you have a rule in the firewall allowing communication between the "Site 1" and "Site 2" networks, there is still deep-level packet inspection going on.

     

    There are a few ways to fix this:

    1) Add an advanced rule to the firewall to NOT do packet-level inspection between "Site 1" and "Site 2".  To do this, go to the console for the firewall and add the following command:

    set advanced-firewall bypass-stateful-firewall-config add source_network 192.168.100.0 source_netmask 255.255.255.0 dest_network 192.168.101.0 dest_netmask 255.255.255.0

    or

    2) Add a static route on "Host 1" to point traffic destined to "Site 2" to use the MPLS router as the default gateway.  Assuming that "Host 1" is a Windows box, you could issue this command:

    route add 192.168.101.0 mask 255.255.255.0 192.168.100.254 /p

    or

    3) The other option, which I'm looking into, is to have all traffic that would go on the MPLS network go through the firewall first, in both directions.  This is probably the most secure configuration, but it's more complicated to set up.

     

    Hope this makes sense.

    -mark
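To make the asymmetric-routing drop mark describes concrete, here is an added Python model (not code from the thread or from Sophos) of a stateful firewall: a reply is accepted only if the firewall saw the flow begin, and a bypass list exempts a pair of networks the way option 1 does. The host addresses .10 in each subnet are constructed; the subnets and the XG/MPLS router roles come from the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    syn: bool  # True for the first packet of a flow, False for a reply


class StatefulFirewall:
    """Toy stateful firewall: a reply is accepted only if the firewall saw the
    flow begin. Network pairs in 'bypass' skip tracking (like option 1)."""

    def __init__(self):
        self.conntrack = set()  # (src, dst) of flows seen from the initiator
        self.bypass = []        # (network, network) pairs exempt from tracking

    def add_bypass(self, net_a, net_b):
        self.bypass.append((ip_network(net_a), ip_network(net_b)))

    def _bypassed(self, pkt):
        s, d = ip_address(pkt.src), ip_address(pkt.dst)
        return any((s in a and d in b) or (s in b and d in a) for a, b in self.bypass)

    def forward(self, pkt):
        """Return 'ALLOW' or 'DROP' for a packet that reaches the firewall."""
        if self._bypassed(pkt):
            return "ALLOW"                  # policy match only, no state check
        flow, reverse = (pkt.src, pkt.dst), (pkt.dst, pkt.src)
        if pkt.syn:                         # new flow; the LAN->LAN rule permits it
            self.conntrack.add(flow)
            return "ALLOW"
        if flow in self.conntrack or reverse in self.conntrack:
            return "ALLOW"                  # belongs to a flow we saw begin
        return "DROP"                       # reply with no matching request


def host1_to_host2(fw):
    """Host 1 initiates: the firewall sees the request (the reply bypasses it)."""
    return fw.forward(Packet("192.168.100.10", "192.168.101.10", syn=True))


def host2_to_host1(fw):
    """Host 2 initiates via the MPLS router, so the firewall only sees Host 1's reply."""
    return fw.forward(Packet("192.168.100.10", "192.168.101.10", syn=False))


if __name__ == "__main__":
    fw = StatefulFirewall()
    print("Host2->Host1:", host2_to_host1(fw))              # DROP
    fw.add_bypass("192.168.100.0/24", "192.168.101.0/24")
    print("Host2->Host1 with bypass:", host2_to_host1(fw))  # ALLOW
```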
