Solved

Network Traffic Being Re-routed

Posted on 2013-05-21
Last Modified: 2013-05-23
I have a network with 2 HP switches, 2 Netgear switches, a Netgear wireless router and a SonicWall firewall. I have inherited this network, so I am still looking through things, but the only network device that is routing traffic is my Sonicwall Firewall. I also have wireless software called "Untangle" running on a desktop computer. It is routing wireless traffic. My issue is that if I tracert any IP address outside my network, I should see my SonicWall firewall as the first hop, but it's not. The first hop is always the "Untangle" box. I cannot find anything that is redirecting all of my traffic through the "Untangle" box. If I disconnect the network cable from the "Untangle" box, I can't access the internet or any computer outside my network. There are only 2 NICs on the "Untangle" box. One is connected to a wireless access point (separate subnet from my main network) and the other to my network. Is there a good way to track down the device that is forwarding traffic? I have looked through configurations of the switches and routers and have not been able to see anything that is forwarding traffic.
Question by:G27
16 Comments
 
LVL 11

Expert Comment

by:apathy42
ID: 39185123
What is the default gateway on your computer?
0
 

Author Comment

by:G27
ID: 39185144
The network is 192.168.1.x
The SonicWall's IP address is 192.168.1.1
The gateway for each computer I have run a tracert for is 192.168.1.1

The odd thing is that when I run a tracert on any computer, I never see 192.168.1.1 for any hop. My Untangle box's IP address is 192.168.1.90 and that is the first hop and the second hop is the IP address I am tracert-ing.
0
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 39185192
It's pretty important to keep terminology clear - so I will try:

A tracert reveals some things but not necessarily the "gateway".
The gateway is revealed by looking at the NIC settings for computers / devices such as using:
ipconfig /all.

So, can you confirm that the gateway is indeed 192.168.1.1 and not 192.168.1.90?

Also, can you confirm that you can ping 192.168.1.1.
If so, can you tracert to it as well?
If so, what do you see in that case?

What happens if you tracert 192.168.1.90?
0
 
LVL 3

Expert Comment

by:phoenix5ire
ID: 39185212
Are your IPs DHCP or static? If DHCP, is your DHCP scope setting the Untangle IP as the gateway? Can you post the output of your ipconfig /all?

Evidently, your Untangle box is acting as the gateway and that's why all traffic is going through it. I would re-check your Untangle configuration and verify your DHCP scope settings.
0
 

Author Comment

by:G27
ID: 39185224
The ipconfig /all was the first thing I tried when I started trying to track this down. Every computer I have tried to run a tracert on shows a default gateway of 192.168.1.1. If I tracert the gateway (192.168.1.1) I get the first hop as 192.168.1.90 and the second is 192.168.1.1. If I tracert 192.168.1.90, just like tracert-ing all of my workstations, I only get that IP address as a single hop. So, if I tracert 192.168.1.90, the only hop is 192.168.1.90. If I tracert 192.168.1.67 (desktop computer), the only hop is 192.168.1.67, which is what I would expect.
0
 

Author Comment

by:G27
ID: 39185466
I am posting the ipconfig /all result, DHCP and tracert.
ipconfig-all.jpg
DHCP.jpg
tracert.jpg
0
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 39186041
What is the subnet mask entered AT 192.168.1.1?
0
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 39186049
I have to wonder if 192.168.1.1 has a secondary IP assigned to the same NIC that's 192.168.1.90???  I have no idea what happens in that case but it's the closest thing that I can figure that might do this.
0
 

Author Comment

by:G27
ID: 39186051
fmarshall, are you referring to the subnet mask on the Sonicwall firewall? If so, it's 255.255.255.0
0
 

Author Comment

by:G27
ID: 39186381
The Sonicwall is a TZ 200, which has multiple network ports, has one IP address of 192.168.1.1, but none of the other ports has an IP address of 192.168.1.90.
0
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 39188704
I was asking about multiple IP assignments to the *same* port.  Those are often less obvious unless you go looking.
0
 

Author Comment

by:G27
ID: 39188828
Not sure you can do that on a Sonicwall, but I did look and didn't see anything.
0
 
LVL 11

Expert Comment

by:naderz
ID: 39189023
Have a look at your SonicWall again. Untangle is content filtering, intrusion protection, attack blocker, etc. software running on the PC you mentioned, and more than likely your SonicWall is configured to send all outgoing packets to the PC running Untangle for inspection.
0
 

Author Comment

by:G27
ID: 39190291
Any idea where I would look in the Sonicwall? I am much more familiar with the Cisco PIX and ASA CLI; I am not familiar with the Sonicwall GUI, but I haven't been able to track it down in the Sonicwall.
0
 
LVL 17

Accepted Solution

by:
pergr earned 2000 total points
ID: 39192277
The Untangle is ARP Spoofing in your network, and pretends to be 192.168.1.1.

Whenever a PC is trying to find out the MAC address of the default gateway (192.168.1.1), the Untangle shouts - hey, it is me!!! - and then the PC sends the packet to Untangle's MAC address.

http://community.spiceworks.com/topic/29557-does-untangle-have-to-take-over-my-network

If you want to remove the Untangle, you need to clear the ARP on the PCs - or wait for it to time out - or reboot the PC after you have disconnected Untangle.
0
 

Author Closing Comment

by:G27
ID: 39193189
I just checked my ARP table and, lo and behold, both my Sonicwall and the Untangle box are showing the exact same MAC address. I didn't realize that Untangle did that. Frustrating! Thanks everyone for the help. Thanks pergr for the solution!
0


Question has a verified solution.
