Switch Config for routing through a Firewall (routing on a Stick)


Hi.

Hope someone can help, I am having a bit of a problem routing two VLANs through a firewall. I've sub-interfaced a NIC on a FW to have two VLANs attached to the physical NIC.

On the uplink to the interface on the FW I've configured the port to be tagged. Then for the two ports to the two PCs in the different VLANs I've put them in as untagged ports, but also tagged the uplink port into the VLAN.

So VLAN to FW port is tagged
VLAN x to PC1 port is untagged for PC but FW port tagged into VLAN
VLAN y to PC2 port is untagged for PC but FW port tagged into VLAN

I thought this would have worked but no joy. I've tried variations of the above but it's not working. I can see the IP address of the FW NIC in the ARP table but not the PCs.

I can PuTTY onto the FW and see the ARP table and ping both PCs, so the FW config seems okay.

What am I missing? Any help gratefully received.

Thanks

5 replies

Userlevel 4
What kind of a FW do you use?
Sonicwall NSA2600.
Userlevel 4
Joe80 wrote:

Sonicwall NSA2600.

I can see the IP address of the FW NIC in the ARP table but not the PCs


Is this the only problem? If so, why do you expect to see the ARP entry of an IP address located in a different subnet?
Userlevel 7
Is there an Extreme switch involved? I don't see one mentioned in the problem description. Please also add the switch model and software and a simple network diagram with the IPs. But if I should guess with this very limited information... no/wrong default gateway on the PCs. Cheers, Ron
Userlevel 7
Hi Joe,

I can PuTTY onto the FW and see the ARP table and ping both PCs, so the FW config seems okay.

Can you ping both FW IP addresses? Can you ping both PCs from the FW? Can you ping the FW interface in the same VLAN as the PC?

What is not working exactly?

As I understand your description, you want to use the switch as layer 2 only (no IP forwarding) and use the firewall as the gateway between two VLANs. If the switch is configured correctly, you should see the MAC addresses in the FDB of the correct VLAN, i.e. PC A and FW in VLAN A, and PC B and FW in VLAN B. The commands to verify this are:
show fdb vlan VLAN_A
show fdb vlan VLAN_B

Of course, the PCs must be configured to use the correct FW interface as default gateway, and the FW needs to allow the traffic that is supposed to be allowed.

You should not enable IP forwarding on the switch, otherwise traffic could bypass the FW if the switch is used as gateway.

Thanks,
Erik
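The layer-2 switch configuration Erik describes, written out as an added example that is not part of this thread. It uses Extreme EXOS syntax (which the show fdb command above suggests); the port numbers 1, 2 and 24, the VLAN names and the 802.1Q tags 10 and 20 are assumed values and the tags must match the sub-interfaces on the FW NIC.

```text
# Added example, not from the thread: EXOS layer-2 config for routing on a stick.
# Ports 1, 2, 24 and tags 10/20 are assumed; adjust to your switch and FW.

# One VLAN per PC subnet; the tag must match the FW sub-interface for that VLAN
create vlan VLAN_A
configure vlan VLAN_A tag 10
create vlan VLAN_B
configure vlan VLAN_B tag 20

# PC ports: untagged member of their own VLAN only
configure vlan VLAN_A add ports 1 untagged
configure vlan VLAN_B add ports 2 untagged

# Single uplink to the FW NIC: tagged member of both VLANs (the "stick")
configure vlan VLAN_A add ports 24 tagged
configure vlan VLAN_B add ports 24 tagged

# Keep the switch layer 2 only, so every inter-VLAN packet has to cross the FW.
# If the VLANs were given IP addresses and ipforwarding were enabled, the switch
# could route between them and traffic would bypass the firewall policy.
disable ipforwarding vlan VLAN_A
disable ipforwarding vlan VLAN_B

# Verification: each VLAN's FDB should list its PC's MAC on the untagged port
# and the FW's MAC on port 24; ipforwarding should be shown as disabled.
show vlan VLAN_A
show vlan VLAN_B
show fdb vlan VLAN_A
show fdb vlan VLAN_B
show ipforwarding
```

If a PC's MAC is missing from its VLAN's FDB, the port membership (untagged vs. tagged) or the PC's default gateway is the first thing to check.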
