BHTN
asked on
Cable Modem, Firewall, Unmanaged Switch, Different Subnet
Hello EE,
I am probably going to mess this question up, but, I'm pulling my hair out trying to get this to work. So, here goes!
Cable Modem (10.1.15.X)
- Subnet 255.255.255.0
- Gateway 10.1.15.1
- DNS 68.87.68.166
- DMZ 10.1.15.5
Firewall (Fortinet 80C)
- WAN 10.1.15.5
- LAN 10.1.10.225
- Static Routes:
  - 0.0.0.0/0.0.0.0 GW: 10.1.15.1 WAN1
  - 10.1.15.0/255.255.255.0 GW: 10.1.15.5 WAN1
  - 10.1.10.0/255.255.255.0 GW: 10.1.10.225 Internal LAN
Routing Monitor
- Static 0.0.0.0/0 GW: 10.1.15.1 WAN1
- Connected 10.1.10.0/24 GW: 0.0.0.0 Internal LAN
- Connected 10.1.15.0/24 GW: 0.0.0.0 WAN1
IP/Netmask (Address)
- Internal Subnet 10.1.10.0/255.255.255.0 Any Interface
- WAN1 Port 10.1.15.0/255.255.255.0 WAN1
Local Domain (10.1.17.X)
- Subnet 255.255.255.0
- Gateway 10.1.17.1
- DNS 10.1.17.20
Here’s what I’m trying to accomplish:
I would like to have one PC work on both subnets. For example, on the LAN I want to be able to access network resources (file servers, printers) but also utilize a faster cable modem for internet access.
I’ve set up my NIC to utilize two IP addressing schemes.
Local Domain IP Addressing Scheme (static):
- IP 10.1.17.137
- Subnet 255.255.255.0
- GW 10.1.17.1
- DNS 10.1.17.20
Comcast IP Addressing Scheme (static):
- IP 10.1.15.137
- Subnet 255.255.255.0
- GW 10.1.15.1
- DNS 10.1.15.1
Now, when I try and tracert a server on our domain (e.g. server61), the tracert goes out through the Comcast Modem (10.1.10.225).
When I try and tracert www.google.com it does the same thing.
If I switch the order of the Gateways in the TCP/IP settings of the NIC card, server61 goes through the 10.1.17.1 gateway, but then when I tracert www.google.com, it also goes through that same gateway (10.1.17.1). Since that gateway is designed to utilize an MPLS connection to an overseas centralized network, I can’t be sending internet traffic through this connection.
As it stands, I have four clocks that reside on the Comcast Modem and are communicating with a server at the vendor’s location just fine. But that setup is going directly through the switch (Linksys SR2024 – Unmanaged) and out the cable modem. I want to put those four clocks behind the firewall as well as the PC I mentioned earlier.
Part of my frustration has to do with the firewall needing both the LAN port and WAN port to be on two different subnets. That’s why I went with 10.1.15.X for the Comcast LAN connection, and 10.1.10.225 for the LAN port on the firewall. Obviously I can’t utilize an IP address from our domain as these two subnets need to stay separated.
So, anyone have any ideas? I’m sure I’ve missed something I could have added to this post, so any further questions will be answered ASAP! I’ve attached a diagram…it shows how I created a VLAN to support the clocks running across our LAN. The clocks have static IP addresses (10.1.15.X) and the Comcast Modem has DHCP turned off.
Thanks for taking the time to look at this and I hope to hear from you soon!
Getnoldfast
TIME-CLOCKS---NETWORK-SETUP-with.jpg
Your system can have only one active default gateway - you need for you default gateway to be the firewall and to manually add routes for everything that's in the MPLS cloud.
ASKER
Hi tgerbert,
If that is the case, then why can you manually add as many default gateways as you want within the TCP/IP settings? I mean what's the point of that option?
Thanks!
ASKER CERTIFIED SOLUTION
ASKER
Well tgerbert, here's what I did...
I statically assigned IP address info to each clock
I added a static route to my Comcast Firewall (Fortinet Firewall) that represented the domain gateway.
Since adding that static route, the clocks started showing up in my IP scanner and after physically checking them to ensure they would accept card punches, they were good to go! I can't ping them from any PC on the domain LAN, but with the PC that I have configured for both default gateways, I am able to ping the clocks, domain network resources and outside internet IP addresses all going through their appropriate Gateways.
I think I got it now. Thanks for your help and I hope I can keep it all together!
Getnoldfast
ASKER
I was able to utilize some of the information provided by tgerbert and combine that with some trial and error on my part.
ASKER
Dang it tgerbert,
Looks like I jumped the gun...now that I'm testing again, domain resources that I ran a tracert on are still going out the comcast modem vs. the MPLS. You were right of course. Is there any way for me to set both gateways so that if traffic hits the comcast modem and the hostname or IP address is not available it would fail over to the domain MPLS gateway? We used to have it setup that way but that was a while ago.
Thanks again for your help and if you have any additional comments, please feel free :)
Getnoldfast
Well, here's the thing...the device (whether it's your computer or the router) has no knowledge of connections destined for the Internet, vs. for your private network, vs. for your local LAN; it just knows it needs to send a packet to address 1.2.3.4. Then it consults the routing table - if 1.2.3.x is your local network there will be an entry in the routing table saying "traffic for 1.2.3.x goes out interface A". If you send a packet to 5.6.7.8, then there will be no matching route in the routing table - so the device will send it via the default gateway.
Your firewall has no way to distinguish MPLS-bound traffic from Internet-bound traffic, unless you tell it how. So, for your PC that exists on both subnets - it will have a default gateway of the Comcast firewall; then you must manually add a route on your PC for every IP subnet that exists in the MPLS cloud so that it will send domain-related traffic out 10.1.17.1. That way any connection for the MPLS resources (so long as you've added their routes) will go out the MPLS router, but any other traffic (i.e. Internet) will go out the Comcast modem.
ASKER
Hey tgerbert,
Thanks for that explanation...makes more sense today since I had a chance to sleep :)
So as far as adding the domain-related traffic IP subnets to my PC...when that is complete, would the Comcast modem be like a "last resort" gateway in the event that traffic initially sent to the domain gateway was not destined for that network?
Finally, and I know I should know this, but, where might I add these static routes on the PC?
Appreciate your help tgerbert, BIG help!
Getnoldfast
"...would the Comcast modem be like a "last resort" gateway in the event that traffic initially sent to the domain gateway was not destined for that network?"
Hmm...kinda - it will be a gateway of last resort, however traffic that's NOT destined for the domain won't ever be sent to the domain gateway, because Comcast is the route of last resort (provided all the routes are in place).
"Finally, and I know I should know this, but, where might I add these static routes on the PC?"
You have to do it in a command prompt window using the route command (see route -? or http:#a32339561). Do you have all the network IP addresses and their netmasks?
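As an added illustration (not code from the thread), the script below models the host's route lookup that tgerbert describes, using the PC addresses from the later post (10.1.17.135 / 10.1.10.135, MPLS gateway 10.1.17.1, Comcast firewall 10.1.10.225), and builds the persistent `route -p add` lines for the MPLS subnets. The MPLS-cloud subnet 10.1.18.0/24 and the Internet address 8.8.8.8 are constructed placeholders; the real list is whatever subnets exist behind the MPLS router.

```python
import ipaddress

# Gateways as given in the thread; the subnets behind the MPLS router are not
# listed on the page, so 10.1.18.0/24 below is a constructed placeholder.
COMCAST_GW = "10.1.10.225"   # Fortinet LAN port, default route to the cable modem
MPLS_GW = "10.1.17.1"        # domain router to the MPLS cloud


def build_table(mpls_subnets, two_defaults):
    """Simplified Windows-style route list of (destination, gateway, metric).

    Connected networks are on-link.  two_defaults=True reproduces the asker's
    NIC with two default gateways: both are 0.0.0.0/0, so only the one with
    the lower metric is ever used (interface metrics are ignored here).
    """
    table = [
        (ipaddress.ip_network("10.1.17.0/24"), "on-link", 10),
        (ipaddress.ip_network("10.1.10.0/24"), "on-link", 10),
        (ipaddress.ip_network("0.0.0.0/0"), COMCAST_GW, 10),
    ]
    if two_defaults:
        table.append((ipaddress.ip_network("0.0.0.0/0"), MPLS_GW, 20))
    for net in mpls_subnets:
        # specific route for a domain subnet: longer prefix than 0/0, so it wins
        table.append((ipaddress.ip_network(net), MPLS_GW, 10))
    return table


def next_hop(table, dst):
    """Longest-prefix match, ties broken by lowest metric: the only rule the host applies.

    The destination's purpose (Internet vs. domain) plays no part, which is why
    a second default gateway cannot act as a fail-over for unreachable hosts.
    """
    addr = ipaddress.ip_address(dst)
    matching = [r for r in table if addr in r[0]]
    best = max(matching, key=lambda r: (r[0].prefixlen, -r[2]))
    return best[1]


def route_add_commands(mpls_subnets):
    """Persistent 'route -p add' lines to type in a command prompt, one per MPLS subnet."""
    return ["route -p add %s mask %s %s" % (n.network_address, n.netmask, MPLS_GW)
            for n in map(ipaddress.ip_network, mpls_subnets)]


if __name__ == "__main__":
    for cmd in route_add_commands(["10.1.18.0/24"]):
        print(cmd)
```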
ASKER
I do have them, yes. Great! I'll get started now. I wish I could change the points and grade...sorry about that. Thanks again tgerbert!
Getnoldfast
ASKER
Hi tgerbert,
I'm sorry I keep bothering you about this, but I am still not sure this is working. I've attached some screen shots of my route table and TCP/IP settings. Would you mind looking at them for me? Just to recall, here's some additional information:
Gateway to MPLS: 10.1.17.1
Gateway to Comcast: 10.1.10.225
Mask for both: 255.255.255.0
Local PC IP Address for Domain: 10.1.17.135
Local PC IP Address for Comcast: 10.1.10.135
Mask for both: 255.255.255.0
DNS for Local PC IP Address for Domain: 10.1.17.20
DNS for Local PC IP Address for Comcast: 10.1.20.1
Comcast Modem IP Addressing Scheme:
Gateway IP Address: 10.1.20.1
DMZ IP Address: 10.1.20.5 (Matches Fortinet Firewall WAN Port of 10.1.20.5 attached to Comcast Modem)
I've attached the following screenshots:
Fortinet Firewall Routing Monitor
Fortinet Firewall Static Routes
Route -p information
TCP/IP settings (General and Advanced to include DNS)
I know this is going on longer than you would prefer, but I think once you see what I'm looking at, it might make some sense to you and then you can explain it to me! :)
Thanks!
Getnoldfast
Fortinet-Routing-Monitor.JPG
Fortinet-static-routes.JPG
route-p.JPG
TCP-IP-Settings.JPG
TCP-IP-Settings-DNS.JPG