Solved

Network Traffic Being Re-routed

Posted on 2013-05-21
Last Modified: 2013-05-23
I have a network with 2 HP switches, 2 Netgear switches, a Netgear wireless router and a SonicWall firewall. I have inherited this network, so I am still looking through things, but the only network device that is routing traffic is my Sonicwall Firewall. I also have wireless software called "Untangle" running on a desktop computer. It is routing wireless traffic. My issue is that if I tracert any IP address outside my network, I should see my SonicWall firewall as the first hop, but it's not. The first hop is always the "Untangle" box. I cannot find anything that is redirecting all of my traffic through the "Untangle" box. If I disconnect the network cable from the "Untangle" box, I can't access the internet or any computer outside my network. There are only 2 NICs on the "Untangle" box. One is connected to a wireless access point (separate subnet from my main network) and the other to my network. Is there a good way to track down the device that is forwarding traffic? I have looked through configurations of the switches and routers and have not been able to see anything that is forwarding traffic.
Question by:G27
16 Comments
 
LVL 11

Expert Comment

by:apathy42
ID: 39185123
What is the default gateway on your computer?
0
 

Author Comment

by:G27
ID: 39185144
The network is 192.168.1.x
The SonicWall's IP address is 192.168.1.1
The gateway for each computer I have run a tracert for is 192.168.1.1

The odd thing is that when I run a tracert on any computer, I never see 192.168.1.1 for any hop. My Untangle box's IP address is 192.168.1.90 and that is the first hop and the second hop is the IP address I am tracert-ing.
0
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 39185192
It's pretty important to keep terminology clear - so I will try:

A tracert reveals some things but not necessarily the "gateway".
The gateway is revealed by looking at the NIC settings for computers / devices such as using:
ipconfig /all.

So, can you confirm that the gateway is indeed 192.168.1.1 and not 192.168.1.90?

Also, can you confirm that you can ping 192.168.1.1.
If so, can you tracert to it as well?
If so, what do you see in that case?

What happens if you tracert 192.168.1.90?
0
 
LVL 3

Expert Comment

by:phoenix5ire
ID: 39185212
Are your IPs DHCP or static? If DHCP, is your DHCP scope setting the Untangle IP as the gateway?  Can you post the output of your Ipconfig /all ?

Evidently, your Untangle box is acting as the gateway and that's why all traffic is going through it. I would re-check your Untangle configuration and verify your DHCP scope settings.
0
 

Author Comment

by:G27
ID: 39185224
The ipconfig /all was the first thing I tried when I started trying to track this down. Every computer I have tried to run a tracert on shows a default gateway of 192.168.1.1. If I tracert the gateway (192.168.1.1) I get the first hop as 192.168.1.90 and the second is 192.168.1.1. If I tracert 192.168.1.90, just like tracert-ing all of my workstations, I only get that IP address as a single hop. So, if I tracert 192.168.1.90, the only hop is 192.168.1.90. If I tracert 192.168.1.67 (desktop computer), the only hop is 192.168.1.67, which is what I would expect.
0
 

Author Comment

by:G27
ID: 39185466
I am posting the ipconfig /all result, DHCP and tracert.
ipconfig-all.jpg
DHCP.jpg
tracert.jpg
0
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 39186041
What is the subnet mask entered AT 192.168.1.1?
0
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 39186049
I have to wonder if 192.168.1.1 has a secondary IP assigned to the same NIC that's 192.168.1.90???  I have no idea what happens in that case but it's the closest thing that I can figure that might do this.
0

 

Author Comment

by:G27
ID: 39186051
fmarshall, are you referring to the subnet mask on the Sonicwall firewall? If so, it's 255.255.255.0
0
 

Author Comment

by:G27
ID: 39186381
The Sonicwall is a TZ 200, which has multiple network ports, has one IP address of 192.168.1.1, but none of the other ports has an IP address of 192.168.1.90.
0
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 39188704
I was asking about multiple IP assignments to the *same* port.  Those are often less obvious unless you go looking.
0
 

Author Comment

by:G27
ID: 39188828
Not sure you can do that on a Sonicwall, but I did look and didn't see anything.
0
 
LVL 11

Expert Comment

by:naderz
ID: 39189023
Have a look at your SonicWall again. Untangle is a content filtering, intrusion protection, attack blocker, etc. software running on the PC you mentioned, and more than likely your SonicWall is configured to send all outgoing packets to the PC running Untangle for inspection.
0
 

Author Comment

by:G27
ID: 39190291
Any idea where I would look in the Sonicwall? I am much more familiar with the Cisco PIX and ASA CLI, I am not familiar with the Sonicwall GUI, but I haven't been able to track it down in the Sonicwall.
0
 
LVL 17

Accepted Solution

by:
pergr earned 500 total points
ID: 39192277
The Untangle is ARP Spoofing in your network, and pretends to be 192.168.1.1.

Whenever a PC is trying to find out the MAC address of the default gateway (192.168.1.1) the Untangle shouts - hey it is me!!!, and then the PC sends the packet to Untangle's MAC address.

http://community.spiceworks.com/topic/29557-does-untangle-have-to-take-over-my-network

If you want to remove the Untangle, you need to clear the ARP on the PCs - or wait for it to time out - or reboot the PC after you have disconnected Untangle.
0
 

Author Closing Comment

by:G27
ID: 39193189
I just checked my arp table and lo and behold both my Sonicwall and the Untangle box are showing the exact same MAC address. I didn't realize that Untangle did that. Frustrating! Thanks everyone for the help. Thanks pergr for the solution!
0
