Network Traffic Being Re-routed

I have a network with 2 HP switches, 2 Netgear switches, a Netgear wireless router and a SonicWall firewall. I have inherited this network, so I am still looking through things, but the only network device that is routing traffic is my Sonicwall Firewall. I also have wireless software called "Untangle" running on a desktop computer. It is routing wireless traffic. My issue is that if I tracert any IP address outside my network, I should see my SonicWall firewall as the first hop, but it's not. The first hop is always the "Untangle" box. I cannot find anything that is redirecting all of my traffic through the "Untangle" box. If I disconnect the network cable from the "Untangle" box, I can't access the internet or any computer outside my network. There are only 2 NICs on the "Untangle" box. One is connected to a wireless access point (separate subnet from my main network) and the other to my network. Is there a good way to track down the device that is forwarding traffic? I have looked through configurations of the switches and routers and have not been able to see anything that is forwarding traffic.
G27 Asked:
 
pergr Commented:
The Untangle is ARP spoofing in your network, and pretends to be 192.168.1.1.

Whenever a PC is trying to find out the MAC address of the default gateway (192.168.1.1) the Untangle shouts - hey it is me!!!, and then the PC sends the packet to Untangle's MAC address.

http://community.spiceworks.com/topic/29557-does-untangle-have-to-take-over-my-network

If you want to remove the Untangle, you need to clear the ARP on the PCs - or wait for it to time out - or reboot the PC after you have disconnected Untangle.
0
 
apathy42 Commented:
What is the default gateway on your computer?
0
 
G27 (Author) Commented:
The network is 192.168.1.x
The SonicWall's IP address is 192.168.1.1
The gateway for each computer I have run a tracert for is 192.168.1.1

The odd thing is that when I run a tracert on any computer, I never see 192.168.1.1 for any hop. My Untangle box's IP address is 192.168.1.90 and that is the first hop and the second hop is the IP address I am tracert-ing.
0

 
Fred Marshall (Principal) Commented:
It's pretty important to keep terminology clear - so I will try:

A tracert reveals some things but not necessarily the "gateway".
The gateway is revealed by looking at the NIC settings for computers / devices such as using:
ipconfig /all.

So, can you confirm that the gateway is indeed 192.168.1.1 and not 192.168.1.90?

Also, can you confirm that you can ping 192.168.1.1?
If so, can you tracert to it as well?
If so, what do you see in that case?

What happens if you tracert 192.168.1.90?
0
 
phoenix5ire Commented:
Are your IPs DHCP or static? If DHCP, is your DHCP scope setting the Untangle IP as the gateway? Can you post the output of your ipconfig /all?

Evidently, your Untangle box is acting as the gateway and that's why all traffic is going through it. I would re-check your Untangle configuration and verify your DHCP scope settings.
0
 
G27 (Author) Commented:
The ipconfig /all was the first thing I tried when I started trying to track this down. Every computer I have tried to run a tracert on shows a default gateway of 192.168.1.1. If I tracert the gateway (192.168.1.1) I get the first hop as 192.168.1.90 and the second is 192.168.1.1. If I tracert 192.168.1.90, just like tracert-ing all of my workstations, I only get that IP address as a single hop. So, if I tracert 192.168.1.90, the only hop is 192.168.1.90. If I tracert 192.168.1.67 (desktop computer), the only hop is 192.168.1.67, which is what I would expect.
0
 
G27 (Author) Commented:
I am posting the ipconfig /all result, DHCP and tracert.
ipconfig-all.jpg
DHCP.jpg
tracert.jpg
0
 
Fred Marshall (Principal) Commented:
What is the subnet mask entered AT 192.168.1.1?
0
 
Fred Marshall (Principal) Commented:
I have to wonder if 192.168.1.1 has a secondary IP assigned to the same NIC that's 192.168.1.90???  I have no idea what happens in that case but it's the closest thing that I can figure that might do this.
0
 
G27 (Author) Commented:
fmarshall, are you referring to the subnet mask on the Sonicwall firewall? If so, it's 255.255.255.0
0
 
G27 (Author) Commented:
The Sonicwall is a TZ 200, which has multiple network ports, has one IP address of 192.168.1.1, but none of the other ports has an IP address of 192.168.1.90.
0
 
Fred Marshall (Principal) Commented:
I was asking about multiple IP assignments to the *same* port.  Those are often less obvious unless you go looking.
0
 
G27 (Author) Commented:
Not sure you can do that on a Sonicwall, but I did look and didn't see anything.
0
 
naderz Commented:
Have a look at your SonicWall again. Untangle is a content filtering, intrusion protection, attack blocker, etc. software running on the PC you mentioned, and more than likely your SonicWall is configured to send all outgoing packets to the PC running Untangle for inspection.
0
 
G27 (Author) Commented:
Any idea where I would look in the Sonicwall? I am much more familiar with the Cisco PIX and ASA CLI, I am not familiar with the Sonicwall GUI, but I haven't been able to track it down in the Sonicwall.
0
 
G27 (Author) Commented:
I just checked my arp table and lo and behold both my Sonicwall and the Untangle box are showing the exact same MAC address. I didn't realize that Untangle did that. Frustrating! Thanks everyone for the help. Thanks pergr for the solution!
0