BHTN (United States) asked:
Cable Modem, Firewall, Unmanaged Switch, Different Subnet

Hello EE,

I am probably going to mess this question up, but I'm pulling my hair out trying to get this to work.  So, here goes!

Cable Modem (10.1.15.X)
- Subnet 255.255.255.0
- Gateway 10.1.15.1
- DNS 68.87.68.166
- DMZ 10.1.15.5

Firewall (Fortinet 80C)
- WAN 10.1.15.5
- LAN 10.1.10.225
- Static Routes:
  - 0.0.0.0/0.0.0.0            GW: 10.1.15.1    WAN1
  - 10.1.15.0/255.255.255.0    GW: 10.1.15.5    WAN1
  - 10.1.10.0/255.255.255.0    GW: 10.1.10.225  Internal LAN

Routing Monitor
- Static     0.0.0.0/0       GW: 10.1.15.1   WAN1
- Connected  10.1.10.0/24    GW: 0.0.0.0     Internal LAN
- Connected  10.1.15.0/24    GW: 0.0.0.0     WAN1

IP/Netmask (Address)
- Internal Subnet  10.1.10.0/255.255.255.0   Any Interface
- WAN1 Port        10.1.15.0/255.255.255.0   WAN1

Local Domain (10.1.17.X)
- Subnet 255.255.255.0
- Gateway 10.1.17.1
- DNS 10.1.17.20

Here’s what I’m trying to accomplish:

I would like to have one PC work on both subnets.  For example, on the LAN I want to be able to access network resources (file servers, printers) but also, utilize a faster cable modem for internet access.

I’ve setup my NIC to utilize two IP addressing schemes.

Local Domain IP Addressing Scheme (static):
- IP 10.1.17.137
- Subnet 255.255.255.0
- GW 10.1.17.1
- DNS 10.1.17.20

Comcast IP Addressing Scheme (static):
- IP 10.1.15.137
- Subnet 255.255.255.0
- GW 10.1.15.1
- DNS 10.1.15.1

Now, when I try and tracert a server on our domain (e.g. server61) the tracert goes out through the Comcast Modem (10.1.10.225)

When I try and tracert www.google.com it does the same thing.

If I switch the order of the Gateways in the TCP/IP settings of the NIC card, server61 goes through the 10.1.17.1 gateway, but then when I tracert www.google.com, it also goes through that same gateway (10.1.17.1).  Since that gateway is designed to utilize an MPLS connection to an overseas centralized network, I can’t be sending internet traffic through this connection.

As it stands, I have four clocks that reside on the Comcast Modem and are communicating with a server at the vendor’s location just fine.  But that setup is going directly through the switch (Linksys SR2024 – Unmanaged) and out the cable modem.  I want to put those four clocks behind the firewall as well as the PC I mentioned earlier.

Part of my frustration has to do with the firewall needing both the LAN port and WAN port to be on two different subnets.  That’s why I went with 10.1.15.X for the Comcast LAN connection, and 10.1.10.225 for the LAN port on the firewall.  Obviously I can’t utilize an IP address from our domain as these two subnets need to stay separated.

So, anyone have any ideas?  I’m sure I’ve missed something I could have added to this post, so any further questions will be answered ASAP!  I’ve attached a diagram…it shows how I created a VLAN to support the clocks running across our LAN.  The clocks have static IP addresses (10.1.15.X) and the Comcast Modem has DHCP turned off.

Thanks for taking the time to look at this and I hope to hear from you soon!

Getnoldfast
[Attachment: TIME-CLOCKS---NETWORK-SETUP-with.jpg]
Todd Gerbert replied:

Your system can have only one active default gateway - you need your default gateway to be the firewall and to manually add routes for everything that's in the MPLS cloud.
BHTN (asker):

Hi tgerbert,

If that is the case, then why can you manually add as many default gateways as you want within the TCP/IP settings?  I mean what's the point of that option?  

Thanks!
ASKER CERTIFIED SOLUTION (Todd Gerbert)
BHTN (asker):

Well tgerbert, here's what I did...

I statically assigned IP address info to each clock

I added a static route to my Comcast Firewall (Fortinet Firewall) that represented the domain gateway.

Since adding that static route, the clocks started showing up in my IP scanner and after physically checking them to ensure they would accept card punches, they were good to go!  I can't ping them from any PC on the domain LAN, but with the PC that I have configured for both default gateways, I am able to ping the clocks, domain network resources and outside internet IP addresses all going through their appropriate Gateways.

I think I got it now.  Thanks for your help and I hope I can keep it all together!

Getnoldfast
BHTN (asker):

I was able to utilize some of the information provided by tgerbert and combine that with some trial and error on my part.  
BHTN (asker):

Dang it tgerbert,

Looks like I jumped the gun...now that I'm testing again, domain resources that I ran a tracert on are still going out the comcast modem vs. the MPLS.  You were right of course.  Is there any way for me to set both gateways so that if traffic hits the comcast modem and the hostname or IP address is not available it would fail over to the domain MPLS gateway?  We used to have it setup that way but that was a while ago.

Thanks again for your help and if you have any additional comments, please feel free :)

Getnoldfast
Todd Gerbert:

Well, here's the thing...the device (whether it's your computer or the router) has no knowledge of connections destined for the Internet, vs. for your private network, vs. for your local LAN; it just knows it needs to send a packet to address 1.2.3.4. Then it consults the routing table - if 1.2.3.x is your local network there will be an entry in the routing table saying "traffic for 1.2.3.x goes out interface A". If you send a packet to 5.6.7.8, then there will be no matching route in the routing table - so the device will send it via the default gateway.
Your firewall has no way to distinguish MPLS-bound traffic from Internet-bound traffic, unless you tell it how. So, for your PC that exists on both subnets - it will have a default gateway of the Comcast firewall; then you must manually add a route on your PC for every IP subnet that exists in the MPLS cloud so that it will send domain-related traffic out 10.1.17.1. That way any connection for the MPLS resources (so long as you've added their routes) will go out the MPLS router, but any other traffic (i.e. Internet) will go out the Comcast modem.
BHTN (asker):

Hey tgerbert,

Thanks for that explanation...makes more sense today since I had a chance to sleep :)
So as far as adding the domain-related traffic IP subnets to my PC...when that is complete, would the Comcast modem be like a "last resort" gateway in the event that traffic initially sent to the domain gateway was not destined for that network?

Finally, and I know I should know this, but, where might I add these static routes on the PC?

Appreciate your help tgerbert, BIG help!

Getnoldfast
Todd Gerbert:

"...would the Comcast modem be like a "last resort" gateway in the event that traffic initially sent to the domain gateway was not destined for that network?"
Hmm...kinda - it will be a gateway of last resort, however traffic that's NOT destined for the domain won't ever be sent to the domain gateway, because Comcast is the route of last resort (provided all the routes are in place).

"Finally, and I know I should know this, but, where might I add these static routes on the PC?"
You have to do it in a command prompt window using the route command (see route -? or http:#a32339561). Do you have all the network IP addresses and their netmasks?
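An added illustration, not part of the thread and not anything tgerbert or the asker posted: a small Python model of the routing-table lookup described two replies up (longest matching prefix wins, the 0.0.0.0/0 default catches everything else), run against the PC's two address assignments as they appear later in the thread (10.1.10.135 with Comcast gateway 10.1.10.225, 10.1.17.135 with MPLS gateway 10.1.17.1). It shows why a second "default gateway" never helps (both entries match every destination equally, so only one of them is ever chosen) and why one explicit route per MPLS subnet does. The 10.1.50.0/24 subnet is a hypothetical stand-in for the real MPLS subnets, which this page does not list, and the `route -p add` lines it renders are the persistent Windows syntax the reply refers to.

```python
import ipaddress

# Route entries: (destination network, gateway, interface, metric).
# Gateway "0.0.0.0" means "on-link": deliver directly on that interface.
# The 10.1.10.x / 10.1.17.x values are the ones posted in this thread;
# 10.1.50.0/24 is a HYPOTHETICAL remote MPLS subnet, not from the page.


def lookup(routes, destination):
    """Pick the route the OS would use: longest prefix wins, then lowest metric."""
    dst = ipaddress.ip_address(destination)
    best = None
    for net_str, gateway, iface, metric in routes:
        net = ipaddress.ip_network(net_str, strict=False)
        if dst not in net:
            continue
        if best is None:
            best = (net, gateway, iface, metric)
            continue
        best_net, _, _, best_metric = best
        more_specific = net.prefixlen > best_net.prefixlen
        same_len_cheaper = net.prefixlen == best_net.prefixlen and metric < best_metric
        if more_specific or same_len_cheaper:
            best = (net, gateway, iface, metric)
    if best is None:
        return None
    return best[1], best[2]


# The asker's first layout: one NIC, two addresses, TWO default gateways.
# Both 0.0.0.0/0 entries match every off-link destination, so the tie is
# broken by metric and the MPLS default is never consulted.
TWO_DEFAULTS = [
    ("10.1.10.0/24", "0.0.0.0", "NIC (10.1.10.135)", 10),
    ("10.1.17.0/24", "0.0.0.0", "NIC (10.1.17.135)", 10),
    ("0.0.0.0/0", "10.1.10.225", "NIC (10.1.10.135)", 10),  # Comcast / Fortinet
    ("0.0.0.0/0", "10.1.17.1", "NIC (10.1.17.135)", 20),    # MPLS router
]

# The layout tgerbert recommends: a single default (Comcast) plus one explicit
# route per MPLS subnet pointing at 10.1.17.1.
MPLS_SUBNETS = ["10.1.50.0/24"]  # hypothetical; substitute the real list
ONE_DEFAULT_PLUS_STATICS = [
    ("10.1.10.0/24", "0.0.0.0", "NIC (10.1.10.135)", 10),
    ("10.1.17.0/24", "0.0.0.0", "NIC (10.1.17.135)", 10),
    ("0.0.0.0/0", "10.1.10.225", "NIC (10.1.10.135)", 10),
] + [(subnet, "10.1.17.1", "NIC (10.1.17.135)", 10) for subnet in MPLS_SUBNETS]


def route_add_commands(subnets, gateway):
    """Render the persistent Windows 'route -p add' line for each subnet."""
    cmds = []
    for subnet in subnets:
        net = ipaddress.ip_network(subnet, strict=False)
        cmds.append(f"route -p add {net.network_address} mask {net.netmask} {gateway}")
    return cmds


if __name__ == "__main__":
    # 203.0.113.10 is a documentation address standing in for an Internet host.
    for dst in ("10.1.50.10", "203.0.113.10", "10.1.17.20"):
        print(dst, "| two defaults ->", lookup(TWO_DEFAULTS, dst),
              "| one default + statics ->", lookup(ONE_DEFAULT_PLUS_STATICS, dst))
    print("\n".join(route_add_commands(MPLS_SUBNETS, "10.1.17.1")))
```

With two defaults, the hypothetical MPLS host 10.1.50.10 is sent to 10.1.10.225 (the tracert symptom in the question); with one default plus the static route it goes to 10.1.17.1, the Internet host still goes to 10.1.10.225, and 10.1.17.20 stays on-link. Each subnet in the MPLS cloud needs its own entry; the rendered command lines are what would be typed into an administrative command prompt.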
BHTN (asker):

I do have them, yes.  Great!  I'll get started now.  I wish I could change the points and grade...sorry about that.  Thanks again tgerbert!

Getnoldfast
BHTN (asker):

Hi tgerbert,
I'm sorry I keep bothering you about this, but I am still not sure this is working.  I've attached some screen shots of my route table and TCP/IP settings.  Would you mind looking at them for me?  Just to recall, here's some additional information:

Gateway to MPLS:  10.1.17.1
Gateway to Comcast:  10.1.10.225
Mask for both:  255.255.255.0

Local PC IP Address for Domain:  10.1.17.135
Local PC IP Address for Comcast:  10.1.10.135
Mask for both:  255.255.255.0

DNS for Local PC IP Address for Domain:  10.1.17.20
DNS for Local PC IP Address for Comcast:  10.1.20.1

Comcast Modem IP Addressing Scheme:
Gateway IP Address:  10.1.20.1
DMZ IP Address:  10.1.20.5 (Matches Fortinet Firewall WAN Port of 10.1.20.5 attached to Comcast Modem)

I've attached the following screenshots:

Fortinet Firewall Routing Monitor
Fortinet Firewall Static Routes
Route -p information
TCP/IP settings (General and Advanced to include DNS)

I know this is going on longer than you would prefer, but I think once you see what I'm looking at, it might make some sense to you and then you can explain it to me! :)

Thanks!

Getnoldfast
[Attachments: Fortinet-Routing-Monitor.JPG, Fortinet-static-routes.JPG, route-p.JPG, TCP-IP-Settings.JPG, TCP-IP-Settings-DNS.JPG]