Solved

Routing question between wifi / firewall and switch

Posted on 2016-07-16
Last Modified: 2016-09-04
The WiFi Controller has a Radius server set up at 10.0.1.120 behind the Sonicwall.

Wifi clients assigned to VLAN30 need to be authenticated through Radius 10.0.1.120.
For the WiFi controller to route to network 10.0.1.0, it needs to route through the Fortigate and then to the Sonicwall.

DHCP server on LAN 10.0.1.0 will subnet 10.0.99.0 will start DHCP negotiation with the wifi client,
through the trunk -> PoE Switch -> WiFi Controller -> Wifi client.

After DHCP negotiation, the PoE switch should have the MAC address of the Wifi client and the correct port (i.e. the port connecting to the controller). Am I correct?

When a wifi client accesses any server on 10.0.1.0 behind the Sonicwall, it will go through
  wifi client -> Wifi Controller -> PoE Switch -> Fortigate -> PoE Switch -> Sonicwall, correct?

How does a server in network 10.0.1.0 return to the Wifi client (10.0.99.0)? How does the Sonicwall know that the client is behind the Controller?

Thx
Diagram.png
Question by:AXISHK
11 Comments

Expert Comment

by:Fred Marshall
ID: 41714881
Your diagram is pretty helpful.  In that regard, I presume that T10 on the Fortigate is intended to be the connection to the WiFi controller?  That's not explicit (as T10 and T30 on the WiFi controller could be independent.... perhaps).

I'm not clear what this means:
DHCP server on LAN 10.0.1.0 will subnet 10.0.99.0 will start DHCP negotiation with the wifi client,
through the trunk -> PoE Switch -> WiFi Controller -> Wifi client.
Does this mean: DHCP server on the Sonicwall / LAN 10.0.10.0 WITH subnet 10.0.99.0 ???? Well one might *presume* /24 but you don't say so maybe it's 10.0.9.0???
Whether the WiFi Controller has a DHCP server running is unclear.  I suspect NOT, eh?

After DHCP negotiation, the PoE switch should have the MAC address of the Wifi client and the correct port (i.e. the port connecting to the controller). Am I correct?
Yes.  That sounds correct.

When a wifi client accesses any server on 10.0.1.0 behind the Sonicwall, it will go through
  wifi client -> Wifi Controller -> PoE Switch -> Fortigate -> PoE Switch -> Sonicwall, correct?
Yes. That sounds correct.

How does a server in network 10.0.1.0 return to the Wifi client (10.0.99.0)? How does the Sonicwall know that the client is behind the Controller?
Since the 10.0.99.0 subnet is also on the Sonicwall, it seems that a route on the Sonicwall from 10.0.1.0 to 10.0.99.0 would do it.  Imagine if there were wired clients on the Sonicwall on VLAN30 with subnet 10.0.99.0.  And, imagine if you wanted them to talk to clients on 10.0.1.0?  There would be a route between those two VLANs.

I may be missing something in the motivation here that leads to this architecture.  It appears you're trying to provide wireless access to both 172.16.172.0 AND 10.0.99.0.  Is that right?
I can understand that maybe you want the wireless clients to be isolated but then you don't seem to be intending to do that.

Tell us what the big picture objectives are and perhaps there can be a suggestion.

Author Comment

by:AXISHK
ID: 41715038
The Windows DHCP server on LAN subnet 10.0.1.0 can also provide IP leasing for 10.0.99.0. The intention of the design is to allow wifi clients to access the LAN server through the wireless network.

Sonicwall has defined 10.0.99.1 on X2 (VLAN 30). The return packet from the server to the wifi client will go to the Sonicwall. The Sonicwall knows the 10.0.99.0 subnet is connected to X2 and it will route the packet to the PoE switch. The PoE switch should have the wifi client MAC address, which is on the port connecting to the Wifi controller. Hence the MAC address table of the PoE switch provides the information to route the packet from the Sonicwall back to the Wifi controller and finally return to the wifi client.

Am I correct ?

Thx
Sonicwall01.png

Accepted Solution

by:Fred Marshall (earned 500 total points)
ID: 41715982
Well, "POE" isn't exactly the switch description one would be looking for.  "Level 2" or "Level 3" would be more like it.  I've been assuming that it's a Level 2 switch.  But your description suggests maybe Level 3.

The Windows DHCP server on LAN subnet 10.0.1.0 can also provide IP leasing for 10.0.99.0. The intention of the design is to allow wifi clients to access the LAN server through the wireless network.
I might paraphrase this to make sure I understand:
"The Sonicwall serving LAN subnet 10.0.1.0 also serves VLAN on subnet 10.0.99.0 and provides DHCP for each subnet."  Is that correct?

Sonicwall has defined 10.0.99.1 on X2 (VLAN 30). The return packet from the server to the wifi client will go to the Sonicwall. The Sonicwall knows the 10.0.99.0 subnet is connected to X2 and it will route the packet to the PoE switch. The PoE switch should have the wifi client MAC address, which is on the port connecting to the Wifi controller. Hence the MAC address table of the PoE switch provides the information to route the packet from the Sonicwall back to the Wifi controller and finally return to the wifi client.

Am I correct ?
Maybe.  But you wouldn't be asking if it were working, eh?

First, a smart switch will know MAC addresses and associate them with ports but a Level 2 switch won't know anything about IP addresses and subnets.  VLANs are just what they are called "Virtual LANs"  and LANs are physical things (as in "wires") with no affiliation to IP addresses or MAC addresses.  Not to be confused with subnets then.... even though they often are matched up in their use.  So, it's not about MAC addresses here I shouldn't think.

I remain confused.  Do you really mean X2: 172.16.172.0 AND X2:10.0.99.0 (i.e. both X2?).
Something here just isn't making sense for me.
I don't see a trunk to the WiFi Controller nor might I expect one.  So that needs clarification.

Let's try this:

A WiFi client has an IP address 10.0.99.22 and connects via the WiFi Controller.
A packet is launched to the Server on 10.0.1.0/24.
The packet is sent out the WiFi controller wire destined for 172.16.172.30.
The packet arrives at the switch and is directed to the port connected to the Sonicwall.
The packet arrives at the Sonicwall 172.16.172.30.
The Sonicwall has a subnet 10.0.1.0/24 where the server resides.
The Sonicwall puts the packet out on the 10.0.1.0/24 subnet and it reaches the Server.

The Server sends a return packet destined for 10.0.99.22
Since this packet destination is not on the local subnet, it is directed to the gateway (the Sonicwall) at let's say 10.0.10.1.
The Sonicwall has a VLAN using subnet 10.0.99.0/24 it appears.
So now either:
- 1) the packet will be directed to the local 10.0.99.0/24 subnet VLAN
OR
- 2) the packet will be directed to the "internet" gateway (the Fortigate)
OR
- 3) if the switch is Level 3 then maybe it will be directed to the switch.
If it's #1 then that doesn't seem useful as there are no wireless clients on the local subnet/VLAN.
If it's #2 then the Fortigate must have a route for 10.0.99.0/24 pointing to 172.16.172.2 (the WiFi Controller).
If it's #3 then the switch must have a route for 10.0.99.0/24 pointing to 172.16.172.2 (the WiFi Controller).

I have no idea how 10.0.99.0 is associated with both the WiFi controller AND the Sonicwall at the same time.  There may be two separate LANs with the same subnet and I see no way to fix that other than changing one of them.  I must be missing something perhaps buried in the VLAN setups and operation.

I'm not a Sonicwall expert as such.  Does this have anything to do with how your Sonicwall is configured:
https://support.software.dell.com/kb/sw7081

Author Comment

by:AXISHK
ID: 41716988
I have checked the route

1. The Fortigate doesn't have any route for the 10.0.99.0 subnet.
2. In the Sonicwall, there is no route for 10.0.99.0 which points to interface X2:30, which connects the Sonicwall back to the PoE Switch.

So, can I say that the return packet is based on the PoE switch using the MAC-address table? I can see the MAC address of the wifi client (of course, not the IP address).

Thx

Expert Comment

by:Ian Arakel
ID: 41717000
Hi There,

Could you place the output of the below:

i)
#Sh ip route from the PoE switch
ii)
Routing table of the sonicwall and the fortigate
iii)
Trace from the client to the Shoretel server and vice versa.

Also confirm the significance of 10.0.99.x subnet.

Expert Comment

by:Fred Marshall
ID: 41717407
There seems to be some misunderstanding.  As I see things now (albeit with imperfect information):

1. The Fortigate doesn't have any route for the 10.0.99.0 subnet.
That may be unfortunate.  I don't see that it can hurt anything; so why not?

2. In the Sonicwall, there is no route for 10.0.99.0 which points to interface X2:30, which connects the Sonicwall back to the PoE Switch.
So the trunk VLAN 1,30 is on X2.  Is that right?  At any rate, if 10.0.99.0 is "known" by the Sonicwall then it must have a route.  If all the route does is go to the gateway  (via 0.0.0.0 the default route) .  Is the gateway for the Sonicwall the Fortigate or the PoE Switch? You have still not said if the switch is Level2 or Level3 mode....  Once more, if there's no route in the Sonicwall for 10.0.99.0 AND no route in the gateway then there's no path and packets will be dropped.  The MAC address instance in the switch is normal but won't help.

So, can I say that the return packet is based on the PoE switch using the MAC-address table? I can see the MAC address of the wifi client (of course, not the IP address).
No.
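To make the routing argument in the accepted solution and in the reply just above concrete, here is a small added simulation (my own example, not code from anyone in this thread). It walks a packet through the three routers one longest-prefix-match decision per hop, once for the client-to-server direction and three times for the server-to-client return: with the tables as reported (no 10.0.99.0 route anywhere), with Fred's option #1 (the Sonicwall treating 10.0.99.0/24 as a directly connected VLAN with no wireless clients on it), and with option #2 (the Fortigate carrying a route for 10.0.99.0/24 toward the WiFi controller). Option #3 (a Layer 3 switch) is not modelled because the C2960X has no routing table; the switch is deliberately absent from the model to reflect that a Layer 2 switch's MAC table never takes part in these decisions. The /24 masks, the interface names (X0, X2, X2:30, T10, VLAN30) and the use of 10.0.1.120 as "the server" are assumptions; addresses are the ones from the thread.

```python
import ipaddress

# Outcome labels returned by trace()
DELIVERED = "delivered"
NO_ROUTE = "dropped: no route"
LEFT_SITE = "left site via WAN"
NO_HOST = "no host on local VLAN"

# Addresses taken from the thread; /24 masks are an assumption.
CLIENT = "10.0.99.22"      # WiFi client address used in the accepted answer
SERVER = "10.0.1.120"      # the Radius server behind the Sonicwall


def longest_prefix_match(table, dst):
    """Return the action of the most specific entry covering dst, or None."""
    dst = ipaddress.ip_address(dst)
    best_net, best_action = None, None
    for prefix, action in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_action = net, action
    return best_action


def trace(devices, start, dst, max_hops=8):
    """Follow one routing decision per hop from `start` until the packet is
    delivered, dropped, or leaves the site.  Returns (path, outcome).

    A table entry is (prefix, action); action is ("via", next_device) or
    ("local", interface, set_of_hosts_actually_present_on_that_interface).
    """
    path, here = [start], start
    for _ in range(max_hops):
        action = longest_prefix_match(devices[here], dst)
        if action is None:
            return path, NO_ROUTE
        if action[0] == "local":
            _, iface, hosts = action
            # A connected route only helps if the host really answers ARP there.
            return path + [iface], (DELIVERED if dst in hosts else NO_HOST)
        nxt = action[1]
        if nxt == "wan":
            return path + ["wan"], LEFT_SITE
        path.append(nxt)
        here = nxt
    return path, "dropped: hop limit"


def site(sonicwall_extra=(), fortigate_extra=()):
    """Routing tables for the three routers (assumed layout).  The Layer 2
    switch has no table because it forwards by MAC only.  Interface names are
    placeholders."""
    return {
        "sonicwall": [
            ("10.0.1.0/24", ("local", "X0", {SERVER})),
            ("172.16.172.0/24", ("local", "X2", set())),
            *sonicwall_extra,
            ("0.0.0.0/0", ("via", "fortigate")),
        ],
        "fortigate": [
            ("172.16.172.0/24", ("local", "T10", set())),
            ("10.0.1.0/24", ("via", "sonicwall")),
            *fortigate_extra,
            ("0.0.0.0/0", ("via", "wan")),
        ],
        "wifi-controller": [
            ("10.0.99.0/24", ("local", "VLAN30", {CLIENT})),
            ("0.0.0.0/0", ("via", "fortigate")),
        ],
    }


def forward_path():
    """Client -> server: works, because every hop has a route for 10.0.1.0/24."""
    return trace(site(), "wifi-controller", SERVER)


def return_as_reported():
    """Server -> client with the tables the thread reports (no 10.0.99.0 route)."""
    return trace(site(), "sonicwall", CLIENT)


def return_option1():
    """Sonicwall treats 10.0.99.0/24 as a directly connected VLAN on X2:30."""
    extra = [("10.0.99.0/24", ("local", "X2:30", set()))]
    return trace(site(sonicwall_extra=extra), "sonicwall", CLIENT)


def return_option2():
    """Fortigate gets a route for 10.0.99.0/24 pointing at the WiFi controller."""
    extra = [("10.0.99.0/24", ("via", "wifi-controller"))]
    return trace(site(fortigate_extra=extra), "sonicwall", CLIENT)


if __name__ == "__main__":
    for name, fn in [("forward", forward_path),
                     ("return as reported", return_as_reported),
                     ("return option 1", return_option1),
                     ("return option 2", return_option2)]:
        path, outcome = fn()
        print(f"{name:20s} {' -> '.join(path):50s} {outcome}")
```

Running it shows the asymmetry the thread is circling: the forward packet reaches the server, but the reply to 10.0.99.22 follows the Sonicwall's default route to the Fortigate, then the Fortigate's default route out of the site, so it never comes back. Option 1 gets the packet onto a VLAN where no wireless client answers, and only option 2 (a route for 10.0.99.0/24 toward the controller on the device that receives the packet) delivers it. Nothing in any of these runs consults a MAC table, which is the point Fred makes about the switch.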

Author Comment

by:AXISHK
ID: 41718076
The switch is a C2960X, guessing it is an L2. 172.16.172.254 is the Fortigate IP.


POES1#sh ip route
Default gateway is 172.16.172.254

Host               Gateway           Last Use    Total Uses  Interface
ICMP redirect cache is empty
Y5POES1#

Expert Comment

by:Ian Arakel
ID: 41718277
Hi there,

Kindly share the remaining outputs as requested for in my previous post.

Expert Comment

by:Fred Marshall
ID: 41719955
The fact that the switch has a gateway entry may be fairly meaningless in this discussion if it's a Layer 2 switch.  It's likely there to support things like firmware updates, etc.

Kindly share the outputs as requested by Ian Arakel.

Author Comment

by:AXISHK
ID: 41720169
10.0.99.0 is the subnet for wifi clients connecting to the internal LAN server through Radius authentication. Thx
Dump1.txt
Dump2-Sonicwall.png
Dump3-Fortigate.png
dump4-tracert-to-Radius.txt

Author Closing Comment

by:AXISHK
ID: 41784112
Thx