Switch Config for routing through a Firewall (routing on a Stick)

  • Question
  • Updated 1 year ago
  • Answered
Hi.

Hope someone can help; I am having a bit of a problem routing two VLANs through a firewall. I've sub-interfaced a NIC on a FW to have two VLANs attached to the physical NIC.

On the uplink to the interface on the FW I've configured the port to be tagged. Then for the two ports to the two different PCs in the different VLANs, I've put them in as untagged ports, but also tagged the uplink port into the VLAN.

So: VLAN to FW port is tagged.
VLAN x to PC1 port is untagged for the PC, but the FW port is tagged into the VLAN.
VLAN y to PC2 port is untagged for the PC, but the FW port is tagged into the VLAN.

I thought this would have worked, but no joy. I've tried variations of the above, but none of them work. I can see the IP address of the FW NIC in the ARP table, but not the PCs.

I can PuTTY onto the FW, see both PCs in the ARP table and ping them, so the FW config seems okay.

What am I missing?  Any help gratefully received.

Thanks
Joe80

Posted 1 year ago

Nick Yakimenko
What kind of a FW do you use?
Joe80
Sonicwall NSA2600.
Nick Yakimenko
"I can see the IP address of the FW NIC in the ARP table but not the PCs"

Is this the only problem? If so, why do you expect to see an ARP entry for an IP address located in a different subnet?
Ronald Dvorak, Embassador
Is there an Extreme switch involved? I don't see one mentioned in the problem description.
Please also add the switch model and software version, and a simple network diagram with the IPs.

But if I should guess with this very limited information... no/wrong default gateway on the PCs.

Cheers,
Ron
Erik Auerswald, Embassador
Hi Joe,
"I can PuTTY onto the FW, see both PCs in the ARP table and ping them, so the FW config seems okay."

Can you ping both FW IP addresses? Can you ping both PCs from the FW? Can you ping the FW interface in the same VLAN as the PC?

What is not working exactly?

As I understand your description, you want to use the switch as layer 2 only (no IP forwarding) and use the firewall as the gateway between the two VLANs. If the switch is configured correctly, you should see the MAC addresses in the FDB of the correct VLAN, i.e. PC A and FW in VLAN A, and PC B and FW in VLAN B. The commands to verify this are:
    show fdb vlan VLAN_A
    show fdb vlan VLAN_B
Of course, the PCs must be configured to use the correct FW interface as default gateway and the FW needs to allow the traffic that is supposed to be allowed.

You should not enable IP forwarding on the switch, otherwise traffic could bypass the FW if the switch is used as gateway.

Thanks,
Erik
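The layer-2-only switch setup Erik describes, written out as an added example configuration (not posted by anyone in this thread). It assumes an ExtremeXOS switch, which the thread never confirms; the VLAN names, the tags 10 and 20, PC ports 1 and 2, and uplink port 24 are placeholders and must be replaced with the real values. The 802.1Q tags on the firewall's two sub-interfaces have to match the VLAN tags set here, and each PC's default gateway has to be the firewall sub-interface IP in its own VLAN.

```text
# Two VLANs, one untagged PC port each, and the firewall uplink tagged in both.
# All port and tag numbers are placeholders.
create vlan VLAN_A tag 10
create vlan VLAN_B tag 20

# PC1 in VLAN A, PC2 in VLAN B: access (untagged) ports.
configure vlan VLAN_A add ports 1 untagged
configure vlan VLAN_B add ports 2 untagged

# Port 24 goes to the firewall NIC carrying both sub-interfaces: tagged in both VLANs.
configure vlan VLAN_A add ports 24 tagged
configure vlan VLAN_B add ports 24 tagged

# Keep the switch out of the routing path so nothing can bypass the firewall.
# Only relevant if these VLANs ever get an IP address on the switch; off by default.
disable ipforwarding vlan VLAN_A
disable ipforwarding vlan VLAN_B

# Verification: each VLAN's FDB should list the PC's MAC on its access port
# and the firewall's MAC on port 24. A PC MAC missing here means the access port
# or its VLAN membership is wrong, not the firewall.
show fdb vlan VLAN_A
show fdb vlan VLAN_B
```

Seeing only the firewall's MAC in a VLAN's FDB while the PC is missing points at the switch port, not the firewall; seeing both MACs but still having no connectivity points at the PC's default gateway or at the firewall's access rules between the two sub-interfaces, which is also where inter-VLAN policy should live rather than on the switch.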