This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Switch Config for routing through a Firewall (routing on a Stick)

Switch Config for routing through a Firewall (routing on a Stick)

Joe80
New Contributor

‎06-29-2017 06:51 PM

Hi.

Hope someone can help, am having a bit of a problem routing two vlans through a firewall. I've sub interfaced a nic on a FW to have two vlans attached to the physical nic.

On the uplink to the interface on the FW I've configured the port to be tagged. Then on the two ports to the two differing PCs in the different vlans I've put them in an untagged port but also tagged the uplink port in on the vlan.

So vlan to FW port is tagged
Vlan x to PC1 port is untagged for PC but FW port tagged into vlan
Vlan y to PC2 port is untagged for PC but FW port tagged into vlan

I thought this would have worked but no joy. I've tried variations of the above but not working. I can see the ip address of the FW nic in the arp table but not the PCs

I can putty on to the FW and see in arp table and ping both PCs so FW config seems okay.

What am I missing? Any help gratefully received.

Thanks
0 Kudos
5 REPLIES 5

Erik_Auerswald
Contributor II

‎06-30-2017 06:59 AM

Hi Joe,
I can putty on to the FW and see in arp table and ping both PCs so FW config seems okay.
Can you ping both FW IP addresses? Can you ping both PCs from the FW? Can you ping the FW interface in the same VLAN as the PC?

What is not working exactly?

As I understand you description you want to use the switch as layer 2 only (no IP forwarding) and use the firewall as gateway between two VLANs. If the switch is configured correctly, you should see the MAC addresses in the FDB of the correct VLAN. I.e. PC A and FW in VLAN A and PC B and FW in VLAN B. The command to verify this is:
show fdb vlan VLAN_A
show fdb vlan VLAN_BOf course, the PCs must be configured to use the correct FW interface as default gateway and the FW needs to allow the traffic that is supposed to be allowed.

You should not enable IP forwarding on the switch, otherwise traffic could bypass the FW if the switch is used as gateway.

Thanks,
Erik
0 Kudos

Ronald_Dvorak
Honored Contributor

‎06-29-2017 09:22 PM

Is there a Extreme switch involved as I don't see one mentioned in the problem description. Please add also switch model and software and a simple network diagram with the IPs. But if I should guess with this very limited information... no/wrong default gateway on the PCs. Cheers, Ron
0 Kudos

Joe80
New Contributor

‎06-29-2017 07:16 PM

Sonicwall NSA2600.
0 Kudos

Nick_Yakimenko
New Contributor II
In response to Joe80

‎06-29-2017 07:16 PM

I can see the ip address of the FW nic in the arp table but not the PCs

Is this the only problem? If so, why do you expect to see the arp of an ip-address located in a different subnet?
0 Kudos
GTM-P2G8KFN