IP Forwarding trouble - hosts can't talk to hosts on a different vlan

  • Problem
  • Updated 3 years ago
  • Solved
I have an x450e-24p I picked up recently and am trying to configure it as my core switch. I have two VLANs, BNS-MGMT and BNS-Net, that need to communicate. I have tagged both VLANs, but all ports are left untagged.
BNS-MGMT 10.1.20.1 tag 20
Ports 17 & 18 untagged
BNS-Net 10.1.30.1 tag 30
Ports 9-16 untagged

BNS-Net has DHCP enabled with a range of 10.1.30.100 - 10.1.30.199/24. The default gateway is assigned the VLAN's switch IP (10.1.30.1).

BNS-MGMT does have the default gateway assigned at 10.1.20.1. DHCP is not enabled. There is only a SonicWall with a static IP of 10.1.20.5/24.

IP Forwarding is enabled on each vlan.

The SonicWall can ping the switch address on its own network (10.1.20.1). The switch can ping it.

The switch can ping all nodes on all VLANs.

I have a host on BNS-Net (10.1.30.100/24) that can ping the switch's IP on the BNS-MGMT network and the BNS-Net network. However, it cannot ping the firewall (10.1.20.5). The firewall cannot ping it either.

What am I missing here? I don't think RIP is necessary here when I'm on a single switch. I'm using the "VR-Default" router.
Brian Butts, posted 3 years ago
Pala, Zdenek (Employee):
Check the routing table on your firewall. It seems those user subnets are not known to your firewall.
Thomas, Ajo (Alum):
Have you configured the default route in the firewall?
Check that the appropriate routes are configured on the firewall for this subnet.
Lane, Mike (Employee):
As Zdenek wrote, the hosts' routing tables are the likely issue here. The forwarding of packets on the switch can be verified with the "show ipstats" command, but I am willing to bet that the switch is forwarding OK.
Brian Butts:
Pala, I see where you're coming from with checking the routing table in the firewall. I haven't trunked the switch to the firewall and I'm trying to avoid that. I want to keep it configured as an edge device. The BNS-MGMT VLAN exists only as a "WAN" VLAN to my switch to provide Internet access to all other nodes on all VLANs. The BNS-MGMT VLAN also exists to contain my switch, the firewall, and later on additional switches.

I'm having a hard time understanding how an untagged connection to my firewall will have dot1q info in my packet headers. The routing is to be done by the switch. Specifying multiple VLANs over one interface would require a tagged connection between the firewall and switch, and thus I'd be creating a router on a stick. I'm trying to avoid that sort of networking mishap. The switch should NAT all packets between VLANs before the firewall ever sees it. The firewall is also configured only to restrict inbound WAN traffic.

For verification of my theory, I've taken an AP and configured a static IP for it on the BNS-MGMT VLAN (10.1.20.10). The AP is able to ping all IPs on the 10.1.20.0 network. It can ping 10.1.30.1, but not the node on BNS-Net with an IP of 10.1.30.100.
Prashanth KG (Employee):
Hi Brian,

If 10.1.20.10 can reach 10.1.30.1, then the AP has a gateway to reach any other network and that is 10.1.20.1. Similarly, are you able to reach 10.1.20.1 from 10.1.30.100? If not, please check if the default gateway is configured. Trunking is not necessary to the link connecting to the firewall as switch is acting as Layer 3. However, each host in the network should know how to reach other subnets with default gateway pointing to the switch VLAN IP address. 

Hope this helps! 
P.S. If these hosts are Windows PCs, just check if the ping is allowed by the firewall.
Prashanth KG (Employee):
A quick way to check this would be to ping the firewall IP from the subnet of 10.1.30.0/24 with the below command: 

ping 10.1.20.5 from 10.1.30.1 

If this works and if ipforwarding is enabled on both VLANs, the ping from the hosts should also work.

If not, we need to check the routing table of the firewall and see if it knows to reach 10.1.30 subnet as my colleagues said above!

Hope this helps!!
Brian Butts:
The LAN interface on the SonicWall is also left at default. This means all LAN connections are trusted and allowed. There are no access rules limiting LAN clients. Also, the rulebase defines that any source to any destination on LAN to LAN is allowed. Its routing table shows x0 (LAN) interface IP to x0 (LAN) interface IP is allowed. Packet capture shows this rule is active and working, with over 10,000 packets sent and received. If I were to plug a simple wireless router from Best Buy in behind this firewall, it would work flawlessly. I'm not sure why I can't do the same thing with an L3 switch with routing capabilities.
OscarK (ESE):
That wireless router from Best Buy probably does NAT, so your firewall will not see the other subnet you are pinging from. Create a rule that allows ICMP from 0.0.0.0/0; does it work then?
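Added example, not part of the thread or of anyone's reply above: a small forwarding simulator for the posted topology, covering both the routing-table point Prashanth and Zdenek raise and OscarK's NAT point. The host, switch and firewall LAN addresses are the ones posted; the firewall's WAN interface (X1, 203.0.113.2/24), the ISP next hop (203.0.113.1), the assumption that the ISP drops RFC 1918 destinations, and the `nat_iface` knob (which only models what a consumer router does, source NAT toward its uplink) are assumptions made for the example. It shows why the echo request from 10.1.30.100 reaches the firewall while the reply leaves on the default route and is lost, and how either a static route on the firewall or NAT on the switch makes the ping succeed.

```python
"""Forwarding simulator for the thread's topology (added example, assumptions noted)."""
import ipaddress as ipa


class Node:
    def __init__(self, name, ifaces, routes=(), nat_iface=None):
        self.name = name
        # interface name -> IPv4Interface; connected routes are derived from these
        self.ifaces = {n: ipa.ip_interface(a) for n, a in ifaces.items()}
        # explicit routes as (network, next hop)
        self.routes = [(ipa.ip_network(n), ipa.ip_address(h)) for n, h in routes]
        self.nat_iface = nat_iface   # hypothetical knob: source-NAT when leaving this interface
        self.nat_table = {}          # (translated src, dst) -> original src

    def addresses(self):
        return {i.ip for i in self.ifaces.values()}

    def egress(self, dst):
        """Longest-prefix match over connected and explicit routes.
        Returns (interface name, next hop) or None when nothing matches."""
        best = None  # (prefixlen, interface name, next hop)
        for name, iface in self.ifaces.items():
            if dst in iface.network and (best is None or iface.network.prefixlen > best[0]):
                best = (iface.network.prefixlen, name, dst)
        for net, hop in self.routes:
            if dst not in net or (best is not None and net.prefixlen <= best[0]):
                continue
            for name, iface in self.ifaces.items():
                if hop in iface.network:   # a route is only usable if its next hop is on-link
                    best = (net.prefixlen, name, hop)
        return None if best is None else best[1:]


def owner(nodes, ip):
    return next((n for n in nodes if ip in n.addresses()), None)


def deliver(nodes, node, pkt, ttl=8):
    """Forward pkt ({'src','dst'}) hop by hop. Returns (status, path, pkt as last seen)."""
    path = [node.name]
    while ttl:
        ttl -= 1
        if pkt['dst'] in node.addresses():
            return 'delivered', path, pkt
        route = node.egress(pkt['dst'])
        if route is None:
            return f'no route at {node.name}', path, pkt
        iface, hop = route
        if node.nat_iface == iface and pkt['src'] not in node.ifaces[iface].network:
            new_src = node.ifaces[iface].ip      # hide the source VLAN behind our own address
            node.nat_table[(new_src, pkt['dst'])] = pkt['src']
            pkt = {'src': new_src, 'dst': pkt['dst']}
        node = owner(nodes, hop)
        if node is None:
            return f'next hop {hop} not on any link', path, pkt
        path.append(node.name)
        original = node.nat_table.pop((pkt['dst'], pkt['src']), None)
        if original is not None:             # reply to a translated flow: undo the SNAT
            pkt = {'src': pkt['src'], 'dst': original}
    return 'ttl exceeded', path, pkt


def ping(nodes, src_node, dst_ip):
    """Echo request from src_node to dst_ip plus the reply back. Returns (ok, trace)."""
    dst = ipa.ip_address(dst_ip)
    route = src_node.egress(dst)
    if route is None:
        return False, f'request: no route at {src_node.name}'
    src = src_node.ifaces[route[0]].ip        # source address taken from the egress interface
    status, path, seen = deliver(nodes, src_node, {'src': src, 'dst': dst})
    if status != 'delivered':
        return False, f'request {status}: ' + ' > '.join(path)
    # The responder answers whatever source it saw, which may be a NAT address.
    status, rpath, _ = deliver(nodes, owner(nodes, seen['dst']),
                               {'src': seen['dst'], 'dst': seen['src']})
    if status != 'delivered':
        return False, f'reply {status}: ' + ' > '.join(rpath)
    return True, ' > '.join(path) + ' and back ' + ' > '.join(rpath)


def build(firewall_knows_vlan30=False, switch_nats_like_home_router=False):
    host = Node('host', {'eth0': '10.1.30.100/24'}, [('0.0.0.0/0', '10.1.30.1')])
    switch = Node('switch', {'BNS-MGMT': '10.1.20.1/24', 'BNS-Net': '10.1.30.1/24'},
                  [('0.0.0.0/0', '10.1.20.5')],
                  nat_iface='BNS-MGMT' if switch_nats_like_home_router else None)
    fw_routes = [('0.0.0.0/0', '203.0.113.1')]          # WAN side is assumed
    if firewall_knows_vlan30:
        fw_routes.append(('10.1.30.0/24', '10.1.20.1'))  # the missing static route
    firewall = Node('firewall', {'X0': '10.1.20.5/24', 'X1': '203.0.113.2/24'}, fw_routes)
    # Assumed: the ISP holds no route back into RFC 1918 space, so replies sent there are lost.
    internet = Node('internet', {'up': '203.0.113.1/24'})
    return [host, switch, firewall, internet]


if __name__ == '__main__':
    cases = {'as posted': {},
             'firewall has a route to 10.1.30.0/24': {'firewall_knows_vlan30': True},
             'switch NATs toward the firewall': {'switch_nats_like_home_router': True}}
    for label, kw in cases.items():
        nodes = build(**kw)
        host, _, firewall, _ = nodes
        print(label)
        print('  host -> 10.1.20.1:', ping(nodes, host, '10.1.20.1'))
        print('  host -> 10.1.20.5:', ping(nodes, host, '10.1.20.5'))
        print('  firewall -> host: ', ping(nodes, firewall, '10.1.30.100'))
```

In the "as posted" case the request is delivered (host > switch > firewall) but the reply reports "no route at internet", which is exactly the asymmetric picture in the thread: the switch forwards fine, and the firewall simply has no route for 10.1.30.0/24 other than its default. The static route fixes both directions, and it keeps the firewall able to see and police the BNS-Net subnet. NAT on the switch also makes host-to-firewall pings work, but only in that direction, and it hides every VLAN behind 10.1.20.1, so the firewall can no longer write rules per subnet; for a security boundary the explicit route is the better answer.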