www.zeroshell.org Forum Index www.zeroshell.org
Linux Distribution for server and embedded devices
Zeroshell as Firewall cum router

radivtech
Joined: 06 Oct 2015
Posts: 6
Posted: Tue Oct 06, 2015 12:46 pm    Post subject: Zeroshell as Firewall cum router

Hey Zeroshell team,
we are trying to set up Zeroshell as the central firewall and router on top of our Layer-3 core switch.
Basically we have a LAN with 3 VLANs; the inter-VLAN routing happens at the core switch, and there are 3 access layer switches for users on the different VLANs.
Now, while setting up the ZS, what/who will be our default gateway, if our WAN gateway is 10.10.10.1, the Eth00 of ZS is assigned 10.10.10.10 for the WAN, and on the LAN side Eth01 in ZS is 172.22.128.2 and the core switch is 172.22.128.1/22?
VLAN2 as 172.22.150.0/24
VLAN3 as 172.22.160.0/24
VLAN4 as 172.22.170.0/24

The native network, which ZS is part of, is able to access the WAN, but the other VLANs are getting blocked.
gordonf
Joined: 26 Feb 2012
Posts: 89
Posted: Tue Oct 06, 2015 2:02 pm    Post subject: Pretty simple really

As long as your L3 switch is doing the basic routing for the other VLANs, you need to tell that switch to use the ZS ETH01 IP as its own default gateway.

Then you need to add three static routes on ZS back to your L3 switch's VLAN 1 IP. This is the step that a lot of people forget, because it makes intuitive sense to add routes out, but it doesn't make intuitive sense to add routes back in.

The resulting routing table in ZS should look something like this:

Code:
Destination     Gateway        Genmask        Iface
0.0.0.0         10.10.10.1     0.0.0.0        ETH00
10.10.10.0      *              255.255.255.0  ETH00
172.22.128.0    *              255.255.252.0  ETH01
172.22.150.0    172.22.128.1   255.255.255.0  ETH01
172.22.160.0    172.22.128.1   255.255.255.0  ETH01
172.22.170.0    172.22.128.1   255.255.255.0  ETH01

...in addition you'll see VPN99 or other interfaces that won't affect you unless you're actually using them.

(Edit: I'm used to using ETH00 as my inside interface and ETH01 as my outside, but either way works I think.)
radivtech
Joined: 06 Oct 2015
Posts: 6
Posted: Thu Oct 08, 2015 12:43 pm

Thanks, let me try this.
radivtech
Joined: 06 Oct 2015
Posts: 6
Posted: Fri Oct 09, 2015 5:01 pm    Post subject: the same error persists

I have tried the static routes as suggested, but the problem persists.

The PC with IP 172.22.150.190 is able to ping the ZS with IP 172.22.128.2 but is not able to access the WAN gateway 10.10.10.1. When I did the Check IP, I got the ARP error:

WARNING : the host 172.22.150.190 is not directly connected on the Eth01 but is reachable via the gateway 172.22.128.1 ( Core Switch). ARP Protocol is a Layer 2 Protocol and it cannot be routed by routers.

Please suggest,
I guess it's a routing issue; should RIP be enabled?
redfive
Joined: 27 Aug 2009
Posts: 232
Posted: Fri Oct 09, 2015 8:57 pm

Did you enable NAT on the ZS's WAN interface? The ARP error is right, since ARP is an L2 protocol; if you have to do an 'IP Check' over L3, remove the flag from 'ARP Check' and leave only the 'Ping'.
Regards
radivtech
Joined: 06 Oct 2015
Posts: 6
Posted: Sun Oct 11, 2015 2:41 pm

Yes, the WAN interface of the ZS has NAT enabled.
But please tell me why the routing for the VLANs is not happening, and why the error clearly says that it cannot be routed by routers.
redfive
Joined: 27 Aug 2009
Posts: 232
Posted: Sun Oct 11, 2015 5:05 pm

It has informed you that ARP, since it is a layer 2 protocol, cannot be routed by routers (and the rest of the message, that the target is reachable via the gateway xxx, is thanks to Proxy ARP, which is enabled by default on ZS).
Just to be sure, do you have ETH00 in 'NAT enabled interfaces'?
Regards
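To make gordonf's "routes back in" step and redfive's point about the IP Check's ARP warning concrete, here is an added Python example (not from the thread and not ZeroShell code) that does a longest-prefix lookup over the routing table gordonf posted, re-typed here from the thread; the function names and the `route -n`-style reading of "*" as "directly connected" are assumptions of this example.

```python
import ipaddress

# Routing table as gordonf posted it (re-typed from the thread), in
# `route -n` style: gateway "*" means the destination is directly connected.
ROUTES_WITH_RETURN = [
    ("0.0.0.0",      "0.0.0.0",       "10.10.10.1",   "ETH00"),
    ("10.10.10.0",   "255.255.255.0", "*",            "ETH00"),
    ("172.22.128.0", "255.255.252.0", "*",            "ETH01"),
    ("172.22.150.0", "255.255.255.0", "172.22.128.1", "ETH01"),
    ("172.22.160.0", "255.255.255.0", "172.22.128.1", "ETH01"),
    ("172.22.170.0", "255.255.255.0", "172.22.128.1", "ETH01"),
]

# The same table before the three static routes are added: only the
# default route and the two directly connected networks remain.
ROUTES_WITHOUT_RETURN = ROUTES_WITH_RETURN[:3]


def lookup(routes, dst):
    """Longest-prefix match. Returns (gateway, iface, directly_connected),
    or None when no route covers dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for dest, mask, gw, iface in routes:
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        return None
    net, gw, iface = best
    return (gw, iface, gw == "*")


def reply_leaves_on_lan(routes, host, lan_iface="ETH01"):
    """gordonf's forgotten step: does ZS send traffic for a VLAN host back
    out of the LAN interface, or does it fall through to the default route?"""
    hit = lookup(routes, host)
    return hit is not None and hit[1] == lan_iface


def ip_check_note(routes, host):
    """What the IP Check warning is telling you: an ARP check only means
    something for hosts on a directly connected network."""
    hit = lookup(routes, host)
    if hit is None:
        return "no route"
    gw, iface, direct = hit
    if direct:
        return f"directly connected on {iface}: ARP check meaningful"
    return f"reachable via gateway {gw} on {iface}: use Ping only, skip ARP check"
```

Without the three static routes, a reply to 172.22.150.190 matches only the default route and leaves on ETH00 towards the WAN gateway; with them it goes back to 172.22.128.1 on ETH01, which is also why the IP Check reports the host as reachable via a gateway rather than directly connected.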
gordonf
Joined: 26 Feb 2012
Posts: 89
Posted: Sun Oct 11, 2015 5:16 pm    Post subject: Re: the same error persists

Are you able to post a copy of your ZS profile to the forum for us to inspect? I'd like to try to reproduce this problem. This seems like such a simple routing problem yet you're running into ARP errors you shouldn't.

If you don't want your admin password exposed, you could change it to the ZS default before backing it up, then change it back. I'd also suggest backing it up without logs; that will make the profile backup smaller.

What kind of switch are you using? I have access to Cisco Catalyst and HP Procurve switches to test against, both of which are L3 capable.
redfive
Joined: 27 Aug 2009
Posts: 232
Posted: Sun Oct 11, 2015 6:40 pm

The PC which is on one VLAN is able to ping ZS, so I'd assume that the routing, at least between the L3 switch and ZS, is properly functioning, but the PC isn't able to ping the router beyond ZS... It would also be interesting to know the result of the 'IP check', whether the ping from ZS to that PC was successful or not (apart from the ARP 'error', which is normal over L3).
Regards
radivtech
Joined: 06 Oct 2015
Posts: 6
Posted: Sun Oct 18, 2015 1:25 am

Apologies, guys, for the late response. I appreciate the help, and I will upload the profile of the ZS so that you can try to simulate the same condition and help me unlock the VLAN routes.