  1. #1 Master Untangler (Join Date: Feb 2013, Posts: 104)

    VLAN and multiple NICs question and problem

    Dear Team,
    I have a strange problem; I will try to describe everything:

    Untangle is running on a vSphere 6 virtual machine, which has a virtual switch with 3 VLANs:

    1) Server VLAN
    2) User VLAN
    3) External VLAN for the ISP

    So the Untangle box has 3 NICs:

    1) 10.0.0.0/24 in the Server VLAN
    2) 10.0.1.1/24 in the User VLAN
    3) ISP public IP address

    4) I have a Cisco router with a VPN to a branch office, inside the User VLAN.
    The branch network is 10.0.2.0/24.

    The current strange problem is: I have a print server in the Server VLAN, 10.0.0.201.
    All users in the branch have mapped printers from this file server.

    But users cannot print. Actually, I can see that the print job comes and disappears ... without any print output.
    However, there is nothing blocked in the Firewall according to the logs.

    After playing with the settings, I have noticed:

    If I put in bypass rules like:

    rule a) bypass source 10.0.2.200 (Printer IP in a branch) to Destination 10.0.0.201 (Print Server)
    rule b) bypass source 10.0.0.201 (Print Server) to Destination 10.0.2.200 (Printer IP in a branch)

    the printer starts to work.
    I had to add such rules for all network printers in the branch. But it confuses me a little.
    I have attached the diagram I have.

    I also had similar situations with a couple of internal applications, like:

    users have software installed that takes info from the 10.0.0.200 server (SQL server),
    which did not work correctly till I added these bypass rules.

    Maybe I am doing something wrong?
    I forgot to mention I have 2 Untangles in VRRP with exactly the same rules. (So the default GWs are VRRP addresses.)

    I use:

    Webfilter Lite
    Virus Blocker Lite
    Phish Blocker
    Application Control Lite
    Firewall
    Intrusion Prevention
    Ad Blocker

    OpenVPN
    Reports


    Also, to see the 10.0.2.0 network I have a route in UT:

    Network 10.0.2.0 next hop 10.0.1.7

    where 10.0.1.7 is a router (MPLS to the branch).


    I also had a problem with VoIP:

    all phones are in the 10.0.1.X and 10.0.2.X networks.
    So on UT I had to add a bypass rule for the RTP ports, like:

    Source 10.0.1.X and 10.0.2.X bypass ports 10000 to 19999 (where these ports are the Asterisk RTP ports).
    But the main question is: if these are all local networks, why do I have to put in a bypass?

    Because when some address or IP is in bypass, logically I cannot add rules in the Firewall for it.

    Thanks for any advice.

    Attachment: network_err.png
    Last edited by boris.minakov; 07-05-2015 at 02:13 PM.

  2. #2 Master Untangler (Join Date: Feb 2013, Posts: 104)

    The thing is, even if I try to open an admin share from 10.0.2.X, access is denied for all servers,
    till I add a bypass rule like:

    source 10.0.2.x dest 10.0.0.X allow

    But the thing is, I cannot find anything blocked. So I don't understand why it's blocked?

    Bypass is a temporary solution, till I find the real issue.

  3. #3 Master Untangler (Join Date: Feb 2013, Posts: 104)

    The strange solution I found was to remove the route:

    Network 10.0.2.0 next hop 10.0.1.7
    where 10.0.1.7 is a router (MPLS to the branch).

    After that I saw all printer and VoIP traffic was blocked by the firewall. So I added exception rules and it was fixed.

    But one question is still open. I have the rule:

    Block all from Server VLAN and User VLAN to External VLAN

    So this rule must block all outgoing traffic to the external interface. But as I see it, all traffic from 10.0.0.X (Server VLAN) to 10.0.2.X (Branch) was blocked.

    But I don't have such a rule ...
    So I added an allow rule from 10.0.0.X to 10.0.2.X. But I think this is not correct, as there is no block by default. The only rule I have is
    Block all from Server VLAN and User VLAN to External VLAN

    So this looks strange to me ...

    I do not understand why Untangle sees 10.0.2.X as external (WAN)?


    Thanks in advance
    Last edited by boris.minakov; 07-06-2015 at 02:57 AM.

  4. #4 sky-knight, Untangle Ninja (Join Date: Apr 2008, Location: Phoenix, AZ, Posts: 26,414)

    If a router doesn't have a route to a network, the traffic is sent to the default gateway, which by necessity is pointed at the Internet.

    Routes are created either by address assignment to a local interface, or statically in the Routes tab.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
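    The reply above is what explains the earlier question of why 10.0.2.X looked like WAN traffic. The following is an added example, not Untangle's code nor anything posted in this thread: it rebuilds the routing table described in the thread with Python's ipaddress module (two internal VLAN interfaces, one external interface, and an optional static route to the branch via 10.0.1.7), applies the poster's single firewall rule, and shows how the same print-server-to-branch flow is classified with and without the static route. The ISP prefix 203.0.113.0/24 and gateway 203.0.113.1 are placeholders, and the model assumes a flow's ingress interface is the one that owns the source prefix.

```python
import ipaddress

# Added example, not Untangle's code. Routing table reconstructed from the
# thread: NIC 1 in the Server VLAN, NIC 2 in the User VLAN, NIC 3 on the ISP.
# The ISP prefix and default gateway below are placeholders, not real values.
CONNECTED = [
    ("10.0.0.0/24", None, "server_vlan"),       # NIC 1, connected route
    ("10.0.1.0/24", None, "user_vlan"),         # NIC 2, connected route
    ("203.0.113.0/24", None, "external"),       # NIC 3, placeholder ISP subnet
    ("0.0.0.0/0", "203.0.113.1", "external"),   # default gateway, placeholder
]
# The static route the poster added and later removed: branch via the MPLS router.
STATIC_BRANCH = ("10.0.2.0/24", "10.0.1.7", "user_vlan")

# The poster's only firewall rule: block Server VLAN and User VLAN -> External.
FIREWALL_RULES = [({"server_vlan", "user_vlan"}, "external", "block")]


def lookup(routes, addr):
    """Longest-prefix match over (prefix, next_hop, interface) tuples.

    Returns (next_hop, interface) for addr; the 0.0.0.0/0 entry guarantees a hit."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, next_hop, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best[1], best[2]


def firewall_action(src_iface, dst_iface, rules=FIREWALL_RULES, default="allow"):
    """First matching (source interfaces, destination interface) rule wins.

    The default is allow, matching the poster's statement that nothing is
    blocked unless a rule says so."""
    for src_set, dst, action in rules:
        if src_iface in src_set and dst_iface == dst:
            return action
    return default


def evaluate(src, dst, with_static_route):
    """Classify a src -> dst flow: which interface it enters on, which it
    leaves on, the next hop, and what the firewall rule does with it.

    Assumption: the ingress interface is the one that owns the source prefix."""
    routes = CONNECTED + ([STATIC_BRANCH] if with_static_route else [])
    _, src_iface = lookup(routes, src)
    next_hop, dst_iface = lookup(routes, dst)
    return {
        "src_iface": src_iface,
        "dst_iface": dst_iface,
        "next_hop": next_hop,
        "action": firewall_action(src_iface, dst_iface),
    }


if __name__ == "__main__":
    # Print server 10.0.0.201 replying to a branch printer 10.0.2.200.
    for static in (False, True):
        result = evaluate("10.0.0.201", "10.0.2.200", static)
        state = "present" if static else "missing"
        print(f"static route to 10.0.2.0/24 {state}: {result}")
```

    Without the static route, 10.0.2.200 matches only 0.0.0.0/0, so the flow is routed out the external interface and the one block rule fires, which is exactly the "sees 10.0.2.X as external (WAN)" behaviour. With the static route, the longer /24 prefix wins, the flow stays on the User VLAN via 10.0.1.7, and the rule no longer matches.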

  5. #5 Master Untangler (Join Date: Feb 2013, Posts: 104)

    Dear Team,
    So the strange thing I have is:

    I add the route: 10.0.2.0 255.255.255.0 to go through 10.0.1.7

    In that case I do not see anything in the firewall logs, but printers and phones do not work.
    It seems strange to me.

    So logically it must not block the print server and PBX, which are in the local network in the Server VLAN 10.0.0.0.
    But something strange is happening.

    If I delete the route, I see blocked traffic on the firewall, can create exclude rules, and it works fine.
    I am just trying to make a local network go without a firewall.

    Will continue testing.
    Thanks

  6. #6 Master Untangler (Join Date: Feb 2013, Posts: 104)

    Finally I found the solution: one of our network engineers had a wrong route on a Cisco router. So that's why I could see the firewall was allowing traffic, but the router was redirecting it to a wrong route.
