Solved

Routing between multiple firewalls behind single router

Posted on 2005-04-19
Last Modified: 2013-11-29
My scenario is that I have two firewalls behind one DSL router.  Attached to one firewall in the DMZ is a camera system.  If I do a tracert from the network that doesn't have the camera attached to it the route goes from the firewall to the router then stops, as opposed to going directly to the camera or to the router then back to the camera.

Router
IP xxx.xxx.xxx.101

Site A
Firewall LAN IP 192.168.206.1
Firewall WAN IP xxx.xxx.xxx.106
WAN  Gateway xxx.xxx.xxx.101

Site B
Firewall LAN IP 192.168.200.1
Firewall WAN IP xxx.xxx.xxx.102
WAN Gateway xxx.xxx.xxx.101

Camera attached to Site B DMZ
IP address xxx.xxx.xxx.104

I can get to the camera from the LAN on Site B and from the internet, but not from the LAN at Site A.  I'm not sure if there's something I have to add to the DSL router; unfortunately it's owned by the ISP, but I may be able to get them to add something if it will help.  Any hints as to an easier way to get the traffic destined for xxx.xxx.xxx.104 from Site A to make it there?

Thanks
Question by:Tud
 
LVL 9

Expert Comment

by:fixnix
ID: 13815157
Sounds like all you need to do is punch a hole in the Site B firewall to allow the appropriate traffic from Site A.  The specifics of course depend on your firewall and the ports/traffic you need to allow.  You shouldn't have to change anything on the ISP-owned DSL router.

Author Comment

by:Tud
ID: 13815699
The camera can be reached via the internet, which makes me think the appropriate ports are open from the WAN to the DMZ.  When doing a trace route, should the packet go from the Site A firewall to the router?
LVL 9

Expert Comment

by:fixnix
ID: 13815772
Sorry, I misread a line in the original question...thought the traceroute stopped at the firewall for site B, not the router....let me think a bit before I post again to make sure I'm getting it right ;)...
LVL 9

Expert Comment

by:fixnix
ID: 13815832
If you're referencing the external IP of the cams from site A, then the packets would hit the router.  Can you access the cam via the 192.168.200.x IP instead of the world-visible IP?
LVL 9

Expert Comment

by:fixnix
ID: 13815845
Never mind...didn't think it out enough again....grrr.  Will be back after another cup of coffee lol.  Sorry again.

Author Comment

by:Tud
ID: 13815890
Thanks for trying.  I've thought about routing all internet traffic through the firewalls so that everything from site B goes through site A, since the local site A systems can see the camera.  Unfortunately, the support people for the firewall say that this can only be done with a second router, which didn't make sense to me, but I'm sure there's a reason.  The whole thing seems like a routing issue to me, just not sure how to clear it up.  The WAN IP for both firewalls, the router gateway IP and the camera are all on the same subnet.
LVL 9

Expert Comment

by:fixnix
ID: 13815997
Okay...If I'm understanding your setup correctly, Site B's firewall has multiple WAN IPs...x.x.x.102 and x.x.x.104 (and possibly others).  I've run a similar setup at home...32 world-visible IPs and multiple firewalls and DMZs.  I used to run off SDSL, then upgraded to a T1, and never had a problem hitting the webservers or other machines from behind one firewall to one of the other DMZs using the world-visible IPs or names...traffic behaved just as if it were all on the LAN.

I just shelled in and did a traceroute from one DMZ to another and it failed at the first firewall, although pinging the other DMZ firewall worked fine.  I wouldn't worry about the traceroute stopping at the router.

Can you ping Site B's firewall from Site A?  (Assuming site B firewall is configured to reply to pings)

Author Comment

by:Tud
ID: 13816193
Yes, we've got 32 world-visible IPs behind our DSL router.  One is assigned to the router and is used as the gateway IP address for everything else.  One is assigned to the firewall at Site A, one for the firewall at Site B and one for the camera system.  If I move the camera system outside the DMZ and basically into the same subnet as the firewalls and the router, I get the same results.

The firewalls are not set up to reply to pings.  I can ping the camera from the LAN at Site B (also, Site A and B are connected via a VPN tunnel) but not from the LAN, or the firewall, at Site A.
LVL 9

Expert Comment

by:fixnix
ID: 13816238
Can you use the LAN address and connect to the camera from site A via the VPN?  If the VPN tunnel is brought down, is the camera accessible from site A then?


Author Comment

by:Tud
ID: 13816309
I haven't tried it with the VPN tunnel down, although I have tried it with the VPN tunnel set to terminate at the LAN and DMZ.  I'll try shutting it down after hours to see if it makes a difference.
LVL 9

Expert Comment

by:fixnix
ID: 13816555
How is the VPN configured?  Is it a Net to Net VPN from the 2 firewall boxes or something different?  The reason I ask is that the VPN obviously works...which means a connection from one WAN IP on site A is able to get to a WAN IP on site B, unless you've got some other setup physically separate from the DSL router.  If the VPN is established from one WAN IP to another, then it's almost certain the cam problem is a routing issue on a box you control.  However, if bringing the VPN down doesn't change anything, then it seems to be a WAN IP to WAN IP routing issue on the DSL router.

I'm leaning towards the problem being on a box you control though....what are you using for the firewall, routing, and VPN on sites A and B?

Author Comment

by:Tud
ID: 13816761
The VPN is configured for Net to Net.  I can ping all the IP addresses on one LAN from the other.  You are right, they are configured from one WAN IP address to the other, which, as you suggest, likely means that it isn't an issue with the router but perhaps one of the boxes.  The firewalls are Sonicwalls, a Pro 200 and a SOHO 3, using the built-in VPN capabilities.  The router is an ISP provided Cisco 800 (or 803).

I just tried turning on the option to respond to pings on the firewalls, and neither firewall can ping the other's IP address.  I'm beginning to wonder why the VPN connection works. :-)
LVL 9

Expert Comment

by:fixnix
ID: 13818111
I'm not familiar w/ sonicwalls so I don't know the commands, but can you post the routing tables from them?  At this point I'd guess it's routing related while the VPN is up (and would venture to guess that if you take the VPN down after hours, the cam would be accessible from site A no problems).  It'd also be worth checking the firewall rules to be sure traffic originating from your /27 isn't being blocked.

You could also try firing up a sniffer on a computer and plug it into an unused port of the 803's LAN Hub then try to hit the cam from Site A.  Since we know tracert at least makes it as far as the router, there should be something there to sniff...packets might be making it to the other firewall but aren't getting ACK'd...or are getting ACK'd but the ACK's are being rejected back at the other sonicwall.  

What kind of logging does the sonicwall have?  Can you try to hit the cam from A then grep the firewall logs on Site B for Site A's WAN IP?

Author Comment

by:Tud
ID: 13819220
I found my problem (I think, the camera has been taken offline temporarily making it hard to test).  

On the Sonicwall I have there is a tab under the Advanced options called "Intranet."

Under this tab there are three options, only one can be selected via a radio button:

1.  SonicWALL's WAN link is connected directly to the Internet router.
2.  Specified address ranges are attached to the LAN link.
3.  Specified address ranges are attached to the WAN link.

Since it's connected to the internet router I had thought this was the appropriate option.  I decided to change this to the third option and put in the IP range for our public IP range as the specified address range.  This seemed to do the trick, and while I can't fully test it yet, I was able to see other devices in the same subnet.  I haven't seen any ill effects from this change, I can still access systems via the VPN and I can still get to web sites on the internet.  I'll have to take a look at the ins and outs of these options.

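An added example, not from this thread or from SonicWALL: a small Python model of the routing decision that the "Intranet" options above change. The masked public /27 is replaced by a constructed RFC 5737 documentation range, with the host numbers (.101 router, .106 Site A, .102 Site B, .104 camera) taken from the thread; only options 1 and 3 are modelled, since those are the two the post describes.

```python
import ipaddress

# Constructed stand-in for the page's masked xxx.xxx.xxx.0/27 (RFC 5737
# documentation space); host roles follow the addresses given in the thread.
PUBLIC_27 = ipaddress.ip_network("203.0.113.96/27")
ROUTER = ipaddress.ip_address("203.0.113.101")      # ISP Cisco 800, the default gateway
SITE_A_WAN = ipaddress.ip_address("203.0.113.106")  # Site A SonicWALL WAN
SITE_B_WAN = ipaddress.ip_address("203.0.113.102")  # Site B SonicWALL WAN
CAMERA = ipaddress.ip_address("203.0.113.104")      # camera on Site B's DMZ


def routing_table(intranet_option):
    """Model of the two 'Intranet' radio buttons the thread explains.

    Option 1 (WAN link connected directly to the Internet router): the firewall
    only knows a default route, so everything off-LAN is handed to the router.
    Option 3 (specified address range attached to the WAN link): the public /27
    becomes a connected route, so hosts in it are reached directly on the WAN
    segment.  Entries are (prefix, next_hop); next_hop None means on-link."""
    if intranet_option not in (1, 3):
        raise ValueError("only Intranet options 1 and 3 are modelled here")
    table = [(ipaddress.ip_network("0.0.0.0/0"), ROUTER)]
    if intranet_option == 3:
        table.append((PUBLIC_27, None))
    return table


def next_hop(table, dst):
    """Longest-prefix match: the most specific matching entry wins."""
    dst = ipaddress.ip_address(dst)
    matches = [entry for entry in table if dst in entry[0]]
    return max(matches, key=lambda entry: entry[0].prefixlen)[1]


def path_from_site_a(intranet_option, dst="203.0.113.104"):
    """Where Site A's firewall hands off a packet for dst (the camera by default)."""
    hop = next_hop(routing_table(intranet_option), dst)
    if hop is None:
        return "on-link: ARP for the host on the WAN segment"
    return f"forwarded to {hop}"


def same_segment(a, b, network=PUBLIC_27):
    """The first sanity check from the thread: are both ends inside the one /27?"""
    return ipaddress.ip_address(a) in network and ipaddress.ip_address(b) in network


if __name__ == "__main__":
    for option in (1, 3):
        print(f"Intranet option {option}: {path_from_site_a(option)}")
```

With option 1 the trace from Site A ends at the router, matching the tracert the question describes; with option 3 the firewall resolves the camera directly on the shared segment.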
LVL 9

Accepted Solution

by:fixnix (earned 375 total points)
ID: 13819698
Ahhh....yup, sounds like you've got it!

Good Deal.

Author Comment

by:Tud
ID: 13820219
Thanks for the tips along the way. Figured since you're the only respondent I dropped all the points on you, hope I did it right.  Thanks again.