IP Forwarding trouble - hosts can't talk to hosts on a different vlan

Brian_Butts
New Contributor II
I have an x450e-24p I picked up recently and am trying to configure it as my core switch. I have two VLANs, BNS-MGMT and BNS-Net, that need to communicate. I have tagged both VLANs but all ports are left untagged.

BNS-MGMT 10.1.20.1, tag 20, Ports 17 & 18 untagged
BNS-Net 10.1.30.1, tag 30, Ports 9-16 untagged

BNS_Net has DHCP enabled with a range of 10.1.30.100 - 10.1.30.199/24. Default gateway is assigned the VLAN switch IP (10.1.30.1). BNS_MGMT does have the default gateway assigned at 10.1.20.1. DHCP is not enabled. There is only a SonicWall with a static IP 10.1.20.5/24. IP Forwarding is enabled on each VLAN.

The SonicWall can ping the switch address on its own network (10.1.20.1). The switch can ping it. The switch can ping all nodes on all VLANs. I have a host on BNS-Net (10.1.30.100/24) that can ping the switch's IP on the BNS-MGMT network and the BNS-Net network. However, it cannot ping the firewall (10.1.20.5). The firewall cannot ping it either. What am I missing here? I don't think RIP is necessary here when I'm on a single switch. I'm using the "VR-Default" router.
8 REPLIES

OscarK
Extreme Employee
That wireless router from Best Buy probably does NAT, so your firewall will not see the other subnet you are pinging from. Create a rule that allows ICMP from 0.0.0.0/0; does it work then?

Brian_Butts
New Contributor II
The LAN interface on the SonicWall is also left default. This means all LAN connections are trusted and allowed. There are no access rules limiting LAN clients. Also, the rulebase defines that from any source to any destination on LAN to LAN is allowed. Its routing table shows x0 (LAN) interface IP to x0 (LAN) interface IP is allowed. Packet capture shows this rule is active and working with over 10000+ packets sent and received. If I were to plug a simple wireless router from Best Buy behind this firewall, it would work flawlessly. I'm not sure why I can't do the same thing with a L3 switch with routing capabilities.

Prashanth_KG
Extreme Employee
A quick way to check this would be to ping the firewall IP from the subnet of 10.1.30.0/24 with the below command:

ping 10.1.20.5 from 10.1.30.1

If this works and if ipforwarding is enabled on both the VLANs, the PING from the hosts also should work.

If not, we need to check the routing table of the firewall and see if it knows to reach 10.1.30 subnet as my colleagues said above!

Hope this helps!!
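The reply above names two conditions for the ping to work: the switch must have ipforwarding enabled on both VLANs, and the firewall's routing table must know how to reach the 10.1.30.0/24 subnet. The following is an added illustration, not code from the thread or from Extreme or SonicWall: a small Python model of both hops that uses only the addresses given in the thread. The interface names (x0 for LAN, x1 for WAN), the WAN next hop and the static route 10.1.30.0/24 via 10.1.20.1 are assumptions used to show the reasoning, not a confirmed fix for this particular setup.

```python
import ipaddress

# Constructed model of the topology described in the thread. Only the
# addresses the thread gives are used; interface names and the WAN next hop
# are placeholders (assumptions, not taken from the thread).
SWITCH_VLANS = {
    # vlan name: (subnet, ipforwarding enabled?)
    "BNS-MGMT": ("10.1.20.0/24", True),
    "BNS-Net":  ("10.1.30.0/24", True),
}

# Firewall routing table as the replies describe it: the LAN (x0) network is
# connected, everything else follows the default route out of the WAN (x1).
FIREWALL_ROUTES_BEFORE = [
    ("10.1.20.0/24", "connected", "x0"),
    ("0.0.0.0/0", "WAN_NEXT_HOP_PLACEHOLDER", "x1"),
]

# Same table plus a static route for the second VLAN pointing at the switch's
# BNS-MGMT address (an assumed entry, added here to show the difference it makes).
FIREWALL_ROUTES_AFTER = FIREWALL_ROUTES_BEFORE + [
    ("10.1.30.0/24", "10.1.20.1", "x0"),
]


def lookup(routes, dst):
    """Longest-prefix match over a list of (prefix, next_hop, interface).

    Returns (ip_network, next_hop, interface) for the most specific match,
    or None when no entry covers dst."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best


def switch_forwards(vlans, src, dst):
    """True if the L3 switch can deliver src -> dst.

    Same VLAN: plain L2, always fine. Different VLANs: both VLANs need
    ipforwarding enabled, which is the first check the reply asks for."""
    def vlan_of(addr):
        ip = ipaddress.ip_address(addr)
        for name, (subnet, fwd) in vlans.items():
            if ip in ipaddress.ip_network(subnet):
                return name, fwd
        return None, False

    src_vlan, src_fwd = vlan_of(src)
    dst_vlan, dst_fwd = vlan_of(dst)
    if src_vlan is None or dst_vlan is None:
        return False
    if src_vlan == dst_vlan:
        return True
    return src_fwd and dst_fwd


def ping_succeeds(vlans, firewall_routes, src, firewall_ip="10.1.20.5"):
    """A ping needs both directions: the switch must carry the echo request
    to the firewall, and the firewall must route the echo reply back through
    its LAN interface instead of its WAN default route."""
    if not switch_forwards(vlans, src, firewall_ip):
        return False
    route = lookup(firewall_routes, src)
    return route is not None and route[2] == "x0"


if __name__ == "__main__":
    tables = (("before", FIREWALL_ROUTES_BEFORE), ("after", FIREWALL_ROUTES_AFTER))
    for label, table in tables:
        for src in ("10.1.20.1", "10.1.30.1", "10.1.30.100"):
            r = lookup(table, src)
            print(f"{label}: reply to {src} via {r[0]} on {r[2]}; "
                  f"ping from {src} works: {ping_succeeds(SWITCH_VLANS, table, src)}")
```

Run as-is, the model reproduces what the original post reports: a ping sourced from 10.1.20.1 works with the firewall's default table, while pings sourced from 10.1.30.1 or 10.1.30.100 fail because the reply falls through to the WAN default route. The "ping 10.1.20.5 from 10.1.30.1" check in the reply is exactly the case that separates a switch-side ipforwarding problem from a firewall-side return-route problem.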

Brian_Butts
New Contributor II
Pala, I see where you're coming from with checking the routing table in the firewall. I haven't trunked the switch to the firewall and I'm trying to avoid that. I want to keep it configured as an edge device. The BNS-MGMT VLAN exists only as a "wan" VLAN to my switch to provide Internet access to all other nodes on all VLANs. The BNS-Mgmt VLAN also exists to contain my switch, the firewall, and later on additional switches. I'm having a hard time understanding how an untagged connection to my firewall will have dot1q info in my packet headers. The routing is to be done by the switch. Specifying multiple VLANs over 1 interface would require a tagged connection between the firewall and switch and thus I'd be creating a router on a stick. I'm trying to avoid that sort of networking mishap. The switch should NAT all packets between VLANs before the firewall ever sees it. The firewall also is configured only to restrict inbound WAN traffic. For verification of my theory, I've taken an AP and configured a static IP for it on the BNS_Mgmt VLAN (10.1.20.10). The AP is able to ping all IPs on the 10.1.20.0 network. It can ping 10.1.30.1, but not the node on BNS-Net with an IP of 10.1.30.100.