Solved

Network Traffic Being Re-routed

Posted on 2013-05-21
Last Modified: 2013-05-23
I have a network with 2 HP switches, 2 Netgear switches, a Netgear wireless router and a SonicWall firewall. I have inherited this network, so I am still looking through things, but the only network device that is routing traffic is my Sonicwall Firewall. I also have wireless software called "Untangle" running on a desktop computer. It is routing wireless traffic. My issue is that if I tracert any IP address outside my network, I should see my SonicWall firewall as the first hop, but it's not. The first hop is always the "Untangle" box. I cannot find anything that is redirecting all of my traffic through the "Untangle" box. If I disconnect the network cable from the "Untangle" box, I can't access the internet or any computer outside my network. There are only 2 NICs on the "Untangle" box. One is connected to a wireless access point (separate subnet from my main network) and the other to my network. Is there a good way to track down the device that is forwarding traffic? I have looked through configurations of the switches and routers and have not been able to see anything that is forwarding traffic.
Question by:G27
16 Comments
 
LVL 11

Expert Comment

by:apathy42
ID: 39185123
What is the default gateway on your computer?
0
 

Author Comment

by:G27
ID: 39185144
The network is 192.168.1.x
The SonicWall's IP address is 192.168.1.1
The gateway for each computer I have run a tracert for is 192.168.1.1

The odd thing is that when I run a tracert on any computer, I never see 192.168.1.1 for any hop. My Untangle box's IP address is 192.168.1.90 and that is the first hop and the second hop is the IP address I am tracert-ing.
0
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 39185192
It's pretty important to keep terminology clear - so I will try:

A tracert reveals some things but not necessarily the "gateway".
The gateway is revealed by looking at the NIC settings for computers / devices such as using:
ipconfig /all.

So, can you confirm that the gateway is indeed 192.168.1.1 and not 192.168.1.90?

Also, can you confirm that you can ping 192.168.1.1?
If so, can you tracert to it as well?
If so, what do you see in that case?

What happens if you tracert 192.168.1.90?
0
 
LVL 3

Expert Comment

by:phoenix5ire
ID: 39185212
Are your IPs DHCP or static? If DHCP, is your DHCP scope setting the Untangle IP as the gateway? Can you post the output of your ipconfig /all?

Evidently, your Untangle box is acting as the gateway and that's why all traffic is going through it. I would re-check your Untangle configuration and verify your DHCP scope settings.
0
 

Author Comment

by:G27
ID: 39185224
The ipconfig /all was the first thing I tried when I started trying to track this down. Every computer I have tried to run a tracert on shows a default gateway of 192.168.1.1. If I tracert the gateway (192.168.1.1) I get the first hop as 192.168.1.90 and the second is 192.168.1.1. If I tracert 192.168.1.90, just like tracert-ing all of my workstations, I only get that IP address as a single hop. So, if I tracert 192.168.1.90, the only hop is 192.168.1.90. If I tracert 192.168.1.67 (desktop computer), the only hop is 192.168.1.67, which is what I would expect.
0
 

Author Comment

by:G27
ID: 39185466
I am posting the ipconfig /all result, DHCP and tracert.
ipconfig-all.jpg
DHCP.jpg
tracert.jpg
0
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 39186041
What is the subnet mask entered AT 192.168.1.1?
0
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 39186049
I have to wonder if 192.168.1.1 has a secondary IP assigned to the same NIC that's 192.168.1.90???  I have no idea what happens in that case but it's the closest thing that I can figure that might do this.
0
 

Author Comment

by:G27
ID: 39186051
fmarshall, are you referring to the subnet mask on the Sonicwall firewall? If so, it's 255.255.255.0
0
 

Author Comment

by:G27
ID: 39186381
The Sonicwall is a TZ 200, which has multiple network ports, has one IP address of 192.168.1.1, but none of the other ports has an IP address of 192.168.1.90.
0
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 39188704
I was asking about multiple IP assignments to the *same* port.  Those are often less obvious unless you go looking.
0
 

Author Comment

by:G27
ID: 39188828
Not sure you can do that on a Sonicwall, but I did look and didn't see anything.
0
 
LVL 11

Expert Comment

by:naderz
ID: 39189023
Have a look at your SonicWall again. Untangle is a content filtering, intrusion protection, attack blocker, etc. software running on the PC you mentioned, and more than likely your SonicWall is configured to send all outgoing packets to the PC running Untangle for inspection.
0
 

Author Comment

by:G27
ID: 39190291
Any idea where I would look in the Sonicwall? I am much more familiar with the Cisco PIX and ASA CLI, I am not familiar with the Sonicwall GUI, but I haven't been able to track it down in the Sonicwall.
0
 
LVL 17

Accepted Solution

by:
pergr earned 500 total points
ID: 39192277
The Untangle is ARP Spoofing in your network, and pretends to be 192.168.1.1.

Whenever a PC is trying to find out the MAC address of the default gateway (192.168.1.1) the Untangle shouts - hey it is me!!!, and then the PC sends the packet to Untangle's MAC address.

http://community.spiceworks.com/topic/29557-does-untangle-have-to-take-over-my-network

If you want to remove the Untangle, you need to clear the ARP on the PCs - or wait for it to time out - or reboot the PC after you have disconnected Untangle.
0
 

Author Closing Comment

by:G27
ID: 39193189
I just checked my arp table and lo and behold both my Sonicwall and the Untangle box are showing the exact same MAC address. I didn't realize that Untangle did that. Frustrating! Thanks everyone for the help. Thanks pergr for the solution!
0
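
The ARP-table check that settled this thread, as an added example that is not part of the original posts: it parses Windows `arp -a` output and reports any other IP that resolves to the same MAC address as the default gateway. The sample table and its MAC addresses are constructed, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample of Windows `arp -a` output (MAC addresses are made up).
SAMPLE_ARP_OUTPUT = """
Interface: 192.168.1.67 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.20          00-11-22-33-44-55     dynamic
  192.168.1.90          00-1A-2B-3C-4D-5E     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.252           01-00-5e-00-00-fc     static
"""

# One table row: IPv4 address, MAC (dash or colon separated), entry type.
ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2})\s+(\w+)",
    re.IGNORECASE | re.MULTILINE,
)

def parse_arp_table(text):
    """Return {mac: set_of_ips} for unicast MAC addresses only."""
    table = defaultdict(set)
    for ip, mac, _entry_type in ENTRY.findall(text):
        mac = mac.lower().replace("-", ":")
        # Lowest bit of the first octet set means broadcast/multicast;
        # many IPs legitimately map to those, so skip them.
        if int(mac[:2], 16) & 1:
            continue
        table[mac].add(ip)
    return dict(table)

def shared_macs(table):
    """MAC addresses that more than one IP address resolves to."""
    return {mac: sorted(ips) for mac, ips in table.items() if len(ips) > 1}

def gateway_conflicts(text, gateway):
    """Return (mac, other_ips) if other IPs share the gateway's MAC, else None."""
    for mac, ips in shared_macs(parse_arp_table(text)).items():
        if gateway in ips:
            return mac, [ip for ip in ips if ip != gateway]
    return None

if __name__ == "__main__":
    # On a live Windows host, pass in the real table instead of the sample:
    #   text = subprocess.run(["arp", "-a"], capture_output=True, text=True).stdout
    print(gateway_conflicts(SAMPLE_ARP_OUTPUT, "192.168.1.1"))
```

A shared MAC only shows that one device is answering ARP for both addresses; whether that is an inline filter such as the Untangle box here or something unexpected still has to be established by locating the device that owns the MAC.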
