Any known issues with VLANS and static routes?

[WebFooL]

Long story short.
We are moving VLAN's form an old Core-SW up in to the Untangle unit it self.

Now to the funky thing.
VLAN10 in Core switch can Tracert to VLAN11 Trace show:
Coreswitch GW -> Link network between Core Switch and Untangle -> Host in VLAN11. (Nice)

Tracert from VLAN11 to VLAN10 no go..
First to Untangle unit and then just dies.

The Untangle it self can ping host on Both VLAN10 and VLAN11.

ICMP test from VLAN11 to VLAN10:
Packet Test on Interface between switch and Untangle show no traffic from VLAN11.
Packet Test on VLAN11 Interface show ICMP echo request and that it has the right target ip.

Slowly going crazy over here..
Only thing I can think of is that traffic from a VLAN that Untangle owns just don't care about the static routes in Untangle and has no idea where to send it.

[sky-knight]

I'll bet your routing is fine, and you forgot all about an ICMP rule to control traffic between VLANs you made ages ago that's stopping your traffic.

Check your filter rules!

[WebFooL]

No blocking filter for VLAN's.. (That box only have on Filter rule at the moment)
Running currently with full Bypass rules for Src to Dest Interface

I can from VLAN11 Ping Untangles IP on the Linknet to the switch but not the switch.
The Switch it self from that link vlan can ping UT and VLAN10.

Added an allow filter rule just for fun.. No change in behavior

[sky-knight]

Hmm then you have a route off.

You're talking about VLANs here when you're troubleshooting against IP networks!

I can't see those IP ranges... but the only reason for things to not work is something has the wrong gateway, or something lacks a route to the correct gateway.

[WebFooL]

That is what I have been trying to find but I can't find that error.

GW looks solids and VLAN10 to 11 takes the correct path.. (VLAN10 to Core Sw to Untangle to VLAN11)

VLAN11 to VLAN10 just dies after the first jump (Untangle)
Layer 2 looks fine

And as I can Ping UT's interface on the Link network but not the CoreSW i am focusing on but still I can't see Untangle pushing traffic to that interface from VLAN11.

[sky-knight]

So Untangle has a route that aims at the IP network that sits on VLAN10, and that route is aimed at the core sw's IP that's facing Untangle?

[WebFooL]

Untangle Routing:
10.10.10.1/24 -> 172.10.10.2 (CoreSwitch)
10.10.11.1/24 dev eth0.11

Untangle has IP 172.10.10.1

Core Switch
0.0.0.0/0 -> 172.10.10.1


VLAN11 can ping 172.10.10.1 but not 172.10.10.2

Switch can ping VLAN11 devices

[WebFooL]

hmm..

The Link interface between Untangle and the Core-Swtich has "NAT Traffic coming from this inteface" selected

That was it!!!

[jcoffin]

Nice find.

[sky-knight]

Ha so it was a filter rule...

If filter rules look like NAT rules that hide under the configuration of LAN interfaces anyway! XD

Curse you IPTables for doing exactly what we tell you to!