Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 5 replies
  • Subscribers 4 subscribers
  • Views 9834 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Cant seem to route to a 10.0.0.0/8 network through a specfied interface

brimur

Hi guys. I have 3 interfaces on my UTM, LAN(internal),WAN and WORK.

LAN/internal is my local network (192.168.0.x).

WAN is the internet which is a public IP via cable router (172.16.0.1) in bridge mode.

WORK is a connection to a company vpn router that connects to my work place. The WORK network is a 10.x.x.x network and the VPN router hands out 10.x.x.x adresses.

So what I am trying to do is route any traffic going to a 10.x.x.x address out the WORK interface but I am not sure how to do it. I created this policy route...

WORK-10 is a defined as this... 

If I do a trace route however it just seems to fail

C:>tracert 10.0.248.1

Tracing route to 10.0.248.1 over a maximum of 30 hops

1 3 ms 1 ms 1 ms 192.168.0.1

2 192.168.0.1 reports: Destination host unreachable.

Trace complete.

Am I missing something, is a firewall rule necessary?

As a side note, the UTM itself is a VM and if I add the same physical ethernet adapter that the UTM uses to a Windows VM I get a 10.x.x.x IP address (same as the UTM does) and I can ping and connect to all my work resources.

Also as a test I bypassed the UTM and connected the work VPN router directly to my PC on a spare Ethernet port. I got a 10.x.x.x IP address and I had no problem changing that to a static IP & subnet mask on the WORK connection and removing the gateway IP and then just adding a route in Windows... route add 10.0.0.0 mask 255.0.0.0 10.x.x.x (gateway ip)

All 10.x.x.x traffic traveled over the WORK connection on my PC as expected. 

Any suggestions appreciated. Thanks



This thread was automatically locked due to age.
  • 0

    Hi, Brimur, I'm sorry, but I deleted the external links in your post. Please Edit that post, and insert your images into the post. We can't know if that external site is properly protected. The only malware I've gotten in over 10 years was from an external link to a picture in this forum several years ago.

    None of your routing will function correctly if the admin at your office really has things all spread out over 10/8.  The only thing you can do in that case is to get rid of any 10. subnets in use otherwise in the UTM.  For example, that means changing all of the VPN Pool objects to something in 172.16/12.  Just assign 10/8 as the subnet on the WORK interface and no static routes should be necessary, only firewall rules.  Any luck with that?

    Cheers - Bob

  • 0 in reply to BAlfson

    Thanks Bob, Imgur is one of the most used sites in the world for image hosting but I understand completely what you mean.

    I have updated my vpn pools to 172.16.x.x addresses

    Can you expand on your suggestion on how can I "just assign 10/8 as the subnet on the WORK". Currently it is a dynamic ip from the vpn router eg I get different IPs in the 10.5 range but I know the gateway is for example always 10.5.12.1 . I was able to route to it in Windows by routing to that gateway. I just tried unticking Dynamic IP and setting the interface address as 10.0.0.0/8 and it gave me an error saying "Interface address is invalid because it is a network or broadcast address of the network '10.0.0.0/8'."

    Also what firewall rules do I need? I added an Internal -> ANY -> WORK and a WORK -> ANY -> Internal but so far I am not seeing anything show up on the Firewall Live Log

  • 0 in reply to BAlfson

    I wanted to add that creating the static route below allowed me to ping any 10.x.x.x in my WORK network, but only from the UTM itself. So now I would like to figure out how to make a ping from the 192.168.0.x network to say 10.0.51.1, go out  eth0 (192.168.0.1) across to eth2 (10.5.13.150) and then go out the WORK-GW (10.5.12.1) to the WORK-10 network (10.0.0.0/8)

    Any ideas? Thanks

     

    Update: I got it working!

    Adding the below NAT allowed me to connect to any of the 10.x.x.x IP addresses

  • 0 in reply to brimur

    I didn't internalize that the Interface was 'Dynamic', so you're correct that it shouldn't have been changed as I said.  Same with the default gateway - your solution is perfect.  An alternative would have been a Masquerading rule.  One always needs one or the other when traffic leaves an Interface that has an assigned default gateway.

    Cheers - Bob

  • 0 in reply to BAlfson

    Hi Bob,

    One last thing I'm stuck on and I know its a very common issue but I wasn't able to find a single detailed solution. I was able to fire up my CISCO IP Communicator and it registers fine and I can make calls but, you guessed it, the one-way audio issue. They can hear me but I cant hear them. In the time after my last post above I did switch to a masquerading NAT for the WORK network. 

    For this issue I thought I might be able to create a DNAT rule saying ANY traffic from the Voice Gateway [10.x.x.x] to the WORK interface gets redirected to my PC where the softphone is running, since no other IP will be talking to it. This did not work and neither has anything else. Putting my PC temporarily on the WORK network itself [10.x.x.x] I was able to make calls fine (hear and be heard)

    Any tips appreciated. Thanks

    B