www.zeroshell.org

[vviudez]

Hi all!...

This post is to tell all of you a problem that I have in my network, and I can't find a solution.

Well... first of all, we have 2 sites, a local and a remote. The remote office host all of out production servers, and local office, host a local LAN and a a lot of VLANs assigned to our thecnicians, to test new products, o create some labs to learning, testing beta products... etc...

This first image is a simplification of our network diagram:


And there are some image captures form the Zeroshel config:
Zeroshell box Config:
http://img527.imageshack.us/i/zeroshellconfig.pdf/


All seems to be ok...
- all users in the OFFICE LAN can reach the PRODUCTION LAN and the LABS VLANS.

- all servers on PRODUCTION LAN can reach the OFFICE LAN... but NOT the LABS VLANS

- all servers on LABS VLANS can reach the OFFICE LAN... but NOT the PRODUCTION LAN.

- Every Server in a VLAN is configured with is VLAN Gateway


The zeroshell box through ETH00, can reach our CISCO 1 router, but can't from any VLAN:


root@zeroshell root> ping -I ETH02.101 192.168.0.254
PING 192.168.0.254 (192.168.0.254) from 192.168.101.1 ETH02.101: 56(84) bytes of data.
From 192.168.101.1 icmp_seq=1 Destination Host Unreachable
From 192.168.101.1 icmp_seq=2 Destination Host Unreachable
From 192.168.101.1 icmp_seq=3 Destination Host Unreachable
^C
--- 192.168.0.254 ping statistics ---
6 packets transmitted, 0 received, +3 errors, 100% packet loss, time 5018ms, pipe 3
root@zeroshell root>

All seems to point to our CISCO 1 router.... but it is administrated by our carrier, and we can't access to it... Oru carrier sais that only have 2 routes:
a 172.16.0.0/16 route to the line and a 192.168.0.0/16 to the LAN...

I have tested a lot of combinations, but no succeded...

Checking with Wireshark,... the only strange thing I see is that CISCO 1 router a sending ARP Broadcast to know how is some of our VLAN servers, but it is not getting a reply...

Please,... any ideas?...

[ppalias]

By the pattern of the responses I would bet on the fact that Cisco Router 1 has not adequate static routes, since it responds only when traffic comes from its directly connected interfaces.

There also seems to be a mixup of the networks. Production LAN has 192.168.0.0/16 which overlaps with the Office LAN as well as the Labs Vlans.

Is there any kind of NAT at the Cisco?
Any kind of tunnel?

It would be much easier to enable dynamic routing, RIPv2 that is supported with ZS to announce at the Cisco routers your networks, as well as the default route. ZS would also learn the Production LAN and it's state.

[ppalias]

I suppose you have mistakenly written the Production LAN 192.168.0.0/16 instead of the correct 172.16.0.0/16 which seems to be correct.
My belief is that Cisco 1 has wrong gateway for the 192.168.0.0/16 to the LAN.

[vviudez]

Thanks for your response ppalias...

I think that if the problem is the route onn the CISCO 1 router, we'll don't have access to the OFFICE LAN.... but from PRODUCTION LAN we reach OFFICE LAN and viceversa...

From PRODUCTION LAN we can't reach LABS VLANS, and viceversa...

And... how we can configure the RIPv2... over all interfaces? only over VLAN interfaces?....

[ppalias]

You can reach interfaces that are directly connected on the Cisco routers.
It seems that static routing is not working, to be able to reach the networks connected on the ZS (LABS). So my suggestion is to enable RIPv2 on ETH00 of ZS and LAN interface of Cisco 1 (ask it from the netadmins).

[vviudez]

[vviudez]

[ppalias]

[ppalias]

[vviudez]

[ppalias]

I am out of ideas... Try to reload them just in case.

[vviudez]

[ppalias]

My compliments to the notorious administrators of your carrier.