Zeroshell as Firewall cum router


This topic contains 9 replies, has 0 voices, and was last updated by  radivtech 3 years, 4 months ago.

    #44394

    radivtech
    Member

    Hey Zeroshell team,
    we are trying to set up Zeroshell as the central firewall and router on top of our Layer-3 core switch.
    Basically we have a LAN with 3 VLANs; the inter-VLAN routing happens at the core switch, and there are 3 access-layer switches for users on the different VLANs.
    Now, while setting up the ZS, what/who will be our default gateway, if our WAN gateway is 10.10.10.1, the ETH00 of ZS is assigned 10.10.10.10 for the WAN, and on the LAN side ETH01 in ZS is 172.22.128.2 with the core switch as 172.22.128.1/22?
    VLAN2 as 172.22.150.0/24
    VLAN3 as 172.22.160.0/24
    VLAN4 as 172.22.170.0/24

    The native network that ZS is part of is able to access the WAN, but the other VLANs are getting blocked.

    #53899

    gordonf
    Member

    As long as your L3 switch is doing the basic routing for the other VLANs, you need to tell that switch to use the ZS ETH01 IP as its own default gateway.

    Then you need to add three static routes on ZS back to your L3 switch’s VLAN 1 IP. This is the step that a lot of people forget, because it makes intuitive sense to add routes out, but it doesn’t make intuitive sense to add routes back in.

    The resulting routing table in ZS should look something like this:

    Destination     Gateway         Genmask          Iface
    0.0.0.0         10.10.10.1      0.0.0.0          ETH00
    10.10.10.0      *               255.255.255.0    ETH00
    172.22.128.0    *               255.255.252.0    ETH01
    172.22.150.0    172.22.128.1    255.255.255.0    ETH01
    172.22.160.0    172.22.128.1    255.255.255.0    ETH01
    172.22.170.0    172.22.128.1    255.255.255.0    ETH01

    …in addition you’ll see VPN99 or other interfaces that won’t affect you unless you’re actually using them.

    (Edit: I’m used to using ETH00 as my inside interface and ETH01 as my outside, but either way works I think.)
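
As an added illustration (not ZeroShell's own code and not part of gordonf's post), here is a small Python model of how a Linux kernel such as ZeroShell's picks a route from the table above by longest prefix match. Run against the addresses from the thread, it shows why the three "routes back" matter: without them, a packet addressed to 172.22.150.190 matches only the default route and is sent out ETH00 toward the WAN gateway instead of back to the core switch. The directly-connected flag it returns is the same distinction that decides whether ZS will ARP for a host itself or for its next hop. Everything below that is not in the posted table (function names, the sample ping trace) is an assumption of this example.

```python
"""Longest-prefix-match walk over the ZeroShell routing table from the post above.

Added example, not ZeroShell code. The addresses come from the thread; the
behaviour modelled is ordinary Linux route lookup (most specific prefix wins).
"""
import ipaddress

# Routes as posted: (Destination, Gateway, Genmask, Iface); "*" = directly connected.
BASE_TABLE = [
    ("0.0.0.0",      "10.10.10.1", "0.0.0.0",       "ETH00"),
    ("10.10.10.0",   "*",          "255.255.255.0", "ETH00"),
    ("172.22.128.0", "*",          "255.255.252.0", "ETH01"),
]

# The three "routes back" to the core switch's VLAN 1 address.
RETURN_ROUTES = [
    ("172.22.150.0", "172.22.128.1", "255.255.255.0", "ETH01"),
    ("172.22.160.0", "172.22.128.1", "255.255.255.0", "ETH01"),
    ("172.22.170.0", "172.22.128.1", "255.255.255.0", "ETH01"),
]


def parse_table(rows):
    """Turn route-style rows into (network, gateway_or_None, iface) tuples."""
    table = []
    for dest, gw, mask, iface in rows:
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        gateway = None if gw == "*" else ipaddress.ip_address(gw)
        table.append((net, gateway, iface))
    return table


def lookup(table, dst):
    """Return (iface, next_hop, directly_connected) for dst; longest prefix wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        return None                      # no route at all, not even a default
    net, gw, iface = best
    if gw is None:
        return (iface, str(addr), True)  # on-link: ZS ARPs for dst itself
    return (iface, str(gw), False)       # off-link: ZS ARPs for the gateway


def trace_ping(table, pc, wan_gw):
    """Model a PC's ping through ZS: where the request leaves, where the reply is sent."""
    return {"request": lookup(table, wan_gw), "reply": lookup(table, pc)}


if __name__ == "__main__":
    PC, WAN_GW = "172.22.150.190", "10.10.10.1"   # hosts named in the thread
    for label, rows in (("without return routes", BASE_TABLE),
                        ("with return routes", BASE_TABLE + RETURN_ROUTES)):
        t = trace_ping(parse_table(rows), PC, WAN_GW)
        print(f"{label}: request -> {t['request']}, reply -> {t['reply']}")
```

The request direction is the same in both cases (10.10.10.1 is on-link on ETH00); only the reply direction changes, which is exactly the asymmetry gordonf describes as easy to forget.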

    #53900

    radivtech
    Member

    Thanks, let me try this.

    #53901

    radivtech
    Member

    I have tried the static routes as suggested, but the problem persists.

    The PC with IP 172.22.150.190 is able to ping the ZS at 172.22.128.2 but is not able to access the WAN gateway 10.10.10.1, and when I did the Check IP,

    I got the ARP error:
    WARNING: the host 172.22.150.190 is not directly connected on ETH01 but is reachable via the gateway 172.22.128.1 (core switch). ARP Protocol is a Layer 2 Protocol and it cannot be routed by routers.

    Please suggest;
    I guess it's a routing issue, whether RIP should be enabled.

    #53902

    redfive
    Participant

    Did you enable NAT on the ZS's WAN interface? The ARP error is right, since ARP is an L2 protocol; if you have to do an 'IP Check' over L3, remove the flag from 'ARP Check' and leave only the 'Ping'.
    Regards

    #53903

    radivtech
    Member

    Yes, the WAN interface of the ZS has NAT enabled.
    But please suggest why the routing for the VLANs is not happening, and why the error clearly says that it cannot be routed by routers.

    #53905

    redfive
    Participant

    It has informed you that ARP, since it is a layer 2 protocol, cannot be routed by routers (and the rest of the message, that the target is reachable via the gateway xxx, is thanks to Proxy ARP, which is enabled by default on ZS).
    Just to be sure, do you have ETH00 in 'NAT enabled interfaces'?
    Regards

    #53906

    gordonf
    Member

    Are you able to post a copy of your ZS profile to the forum for us to inspect? I’d like to try to reproduce this problem. This seems like such a simple routing problem yet you’re running into ARP errors you shouldn’t.

    If you don’t want your admin password exposed, you could change it to the ZS default before backing it up, then change it back. I’d also suggest backing it up without logs; that will make the profile backup smaller.

    What kind of switch are you using? I have access to Cisco Catalyst and HP Procurve switches to test against, both of which are L3 capable.

    #53907

    redfive
    Participant

    The PC which is on one VLAN is able to ping ZS, so I'd assume that the routing, at least between the L3 switch and ZS, is properly functioning, but the PC isn't able to ping the router beyond ZS... It would also be interesting to know the result of the 'IP check', whether the ping from ZS to that PC was successful or not (apart from the ARP 'error', which is normal over L3).
    Regards

    #53908

    radivtech
    Member

    Apologies guys for the late response. I appreciate the help and I will upload the profile of the ZS, so that you can try to simulate a similar condition and help me unlock the VLAN routes.
