Watchguard FB Routing Question

Posted on 2012-03-13
Last Modified: 2012-07-18
Hi all,

I ran into this routing configuration and do not understand how it is working; can some expert explain?

Background:
Network A: 192.168.0.0/24
Network B: 192.168.1.0/24

FB-A: 192.168.0.1
FB-B: 192.168.1.1

DSL A
DSL B

The two networks have their own DSL A & B on the WAN port. The LAN sides connect to a shared switch. Theoretically speaking, the two networks cannot communicate with each other logically without a secondary IP configured on the FB and an additional static route. For example, on FB-A I might need to add the additional IP 192.168.1.2 to the LAN port or Opt port, and on FB-B I might need to add the additional IP 192.168.0.2 to the LAN port or Opt port in order for both networks to see each other.

Question 1: In this case do I still need to create a static route? For example on FB-A, am I supposed to add 192.168.1.0/24 192.168.1.2?

Question 2: Somehow, without adding an additional IP address on the LAN or Opt port (for example, FB-A has only one IP address, 192.168.0.1), we have a static route 192.168.1.0/24 192.168.0.1. By adding this static route entry and a similar entry on FB-B (192.168.0.0/24 192.168.1.1), we are able to communicate across each other.... Can some expert please explain what I am missing here? Why are they working???

Thanks in advance
Question by:BBQPM

Expert Comment

by:Otto_N
ID: 37719233
Question 1: No, you shouldn't need to configure static routes, as the router should add connected networks to its routing table automatically.  Also, you only need to add an additional IP to one of the routers (let's assume you add the IP 192.168.1.2 to FB-A); then you can add only a static route on FB-B for 192.168.0.0/24 to 192.168.1.2 for the routing to work.

Question 2: I don't know the Firebox, but I do have an idea how this might work.  It hinges on the shared switch between the two routers; I assume that the two routers are connected to the same VLAN (the switch is either unmanaged, or the same VLAN is used on a managed switch). By adding a static route that points to the same local interface, you might force the router to use Proxy ARP, which allows the router to respond to ARP queries for addresses outside of its configured subnets.  But this is only a guess.

Author Comment

by:BBQPM
ID: 37723202
Hi Otto_N,

Appreciate your advice!

For question 2, actually that's my guess as well, since I was able to pull the ARP table on the FB and it showed all the mappings. Does it mean that any router must support Proxy ARP in order for it to work? I hope I can get a confirmation from someone, because if not, we should be able to add a static route to the other subnet and point the gateway back to itself without needing to add an additional IP.

Moreover, when I tried adding a similar static route on my SonicWall with the same settings, my ping timed out, so the same configuration does not work on the SonicWall. Then I tried doing the same thing on a Linksys router, and it simply errored out saying "invalid gateway".

Anyone can shed some light?

Accepted Solution

by:Otto_N (earned 500 total points)
ID: 37800603
@BBQPM, I do apologise for the long delay on my end.  Year-end can be quite taxing...

The feature is not really Proxy ARP, but a specific static route.  Let's see how the IP forwarding might work:  Let's say 192.168.0.5 wants to talk to 192.168.1.15. First, 0.5 will determine whether the destination is in the same subnet or a different one.  Since it is a different subnet, 0.5 will send this packet to the MAC address of the default gateway (192.168.0.1).  The router will then look into its routing table to determine where 192.168.1.15 is located.  But since this subnet is not directly connected (i.e. FB-A does not have an IP address in the 192.168.1.0/24 subnet), you either require a static route, or it will follow the default route out of the DSL link.

A static route can be configured in many ways.  The most generic is a command that tells the device to "route <dest-NW> to <next-hop-IP>", where <dest-NW> is usually the combination of the network address and subnet mask (such as 192.168.1.0 255.255.255.0 or 192.168.1.0/24) and <next-hop-IP> is the IP address of the next hop, which is reachable according to the routing table.  Some devices allow the next hop to be specified as a particular exit interface instead of an IP address (probably the case for the FB); however, I know that on other devices (like Cisco routers), this is only allowed if the exit interface is a point-to-point connection (i.e. it can't be Ethernet, for example).

So how do you tell a router that a particular subnet is reachable on an interface that is configured with a different subnet?  It seems that it differs between manufacturers.  For Firebox, it seems that a static route with the interface as next hop is sufficient.  For Cisco/Linksys, you will most likely have to configure secondary IP addresses on the interfaces.  I'm not sure how this is done for SonicWall, though.

I hope this helps you understand the routing process a bit better.  Let me know if I need to clarify some points.
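To make the forwarding walk-through above concrete, here is an added Python sketch that is not from the thread, from WatchGuard or from any vendor: it models FB-A's routing table, the Question 2 static route whose gateway is the router's own LAN IP, and the two vendor behaviours the thread reports (Firebox installs it as an interface route, Linksys rejects it as an invalid gateway). The WAN subnet 198.51.100.0/30, the interface names and the install rules in `add_static_route` are assumptions for the model.

```python
import ipaddress

# Constructed model of FB-A from the thread (a Python sketch, not Firebox or
# Cisco syntax). A route is (prefix, next_hop, interface); next_hop None means
# a connected/interface route: the router ARPs for the destination itself.
FB_A_ADDRESSES = {"192.168.0.1", "198.51.100.2"}        # 198.51.100.x is a placeholder WAN subnet
FB_A_ROUTES = [
    ("192.168.0.0/24", None, "LAN"),                      # directly connected LAN
    ("198.51.100.0/30", None, "DSL-A"),                   # directly connected WAN (assumed)
    ("0.0.0.0/0", "198.51.100.1", "DSL-A"),               # default route to the ISP gateway
]
Q2_STATIC_ROUTE = ("192.168.1.0/24", "192.168.0.1")       # the Question 2 entry: gateway = own LAN IP


def lookup(routes, dst):
    """Longest-prefix match; returns (network, next_hop, interface) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best


def add_static_route(routes, own_addresses, prefix, gateway, firebox_style):
    """Install a static route the way the thread reports each vendor behaving (modelled)."""
    if gateway in own_addresses:
        if not firebox_style:
            raise ValueError("invalid gateway")          # Linksys-style rejection from the thread
        iface = lookup(routes, gateway)[2]
        return routes + [(prefix, None, iface)]          # Firebox: treated as an interface route
    hop = lookup(routes, gateway)
    if hop is None or hop[1] is not None:
        raise ValueError("gateway not in a connected subnet")  # Question 1 without the secondary IP
    return routes + [(prefix, gateway, hop[2])]


def forward(routes, dst):
    """Return (egress interface, IP the router ARPs for) for a packet to dst."""
    match = lookup(routes, dst)
    if match is None:
        return None
    net, next_hop, iface = match
    if next_hop is None:
        return (iface, dst)                              # ARP for the destination on that segment
    return (iface, next_hop)                             # otherwise ARP for the next hop
```

With the Question 2 route installed, a packet from 192.168.0.5 to 192.168.1.15 leaves the LAN interface and FB-A ARPs for 192.168.1.15 itself on the shared switch, where that host answers; without it the packet follows the default route out DSL A, exactly the two outcomes described in the answer.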

Author Closing Comment

by:BBQPM
ID: 38200512
Looks like the WatchGuard Firebox allows a static route to its own interface IP, and then Proxy ARP kicks in.