rpottersr

Forum Replies Created

  • in reply to: Allow PC (s) in VLAN2 access to Internet in VLAN1 #52241
    rpottersr
    Member

    I figured it out, and what a dummy I feel.

    When I initially created VLAN2 I had made an entry for the VLAN under local networks on my main server which is on VLAN1.

    So, when I created the other VLAN3 and VLAN4, I never created the local network entries on the main server.

    The entries look something like this

    Local Network:

    192.168.194.0/24 gw 192.168.194.1
    192.168.20.0/24 router 192.168.194.200 (VLAN2)
    192.168.2.0/24 router 192.168.194.200 (VLAN3)
    192.168.40.0/29 router 192.168.194.200 (VLAN4)

    Now that the local network entries are in place, I’m able to ping the gateway address of all VLANs.

    With the firewall entry that you had me place in the 1 sequence yesterday, I’m able to access one computer on VLAN2, but I’m still unable to access a computer on VLAN3. Not worried about VLAN4 as of yet because I don’t have any VOIP phones setup for that as of yet.
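    The diagnosis in the post above (the main server at 192.168.194.1 had a route for VLAN2 but not for VLAN3/VLAN4, so those destinations fell through to the default route toward the ISP) can be checked with a small longest-prefix lookup. This is an added example, not code from the thread or from Zeroshell; the subnets and next hop are the ones posted, while the interface labels and the "before" table are assumptions.

```python
"""Added example: longest-prefix route lookup modelling the main server's
routing table before and after the missing 'Local Network' entries."""
import ipaddress

# Assumed state before the fix: own LAN, the VLAN2 route that was created
# with VLAN2, and the default route out the DSL uplink.
ROUTES_BEFORE = [
    ("192.168.194.0/24", "eth0 (directly connected)"),
    ("192.168.20.0/24", "via 192.168.194.200"),    # VLAN2, already present
    ("0.0.0.0/0", "default via DSL uplink"),
]

# After the fix: VLAN3 and VLAN4 also point at the Zeroshell box.
ROUTES_AFTER = ROUTES_BEFORE + [
    ("192.168.2.0/24", "via 192.168.194.200"),     # VLAN3
    ("192.168.40.0/29", "via 192.168.194.200"),    # VLAN4
]


def lookup(routes, dst):
    """Return the next hop for dst using the most specific matching prefix."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None


def explain(dst):
    """Where a packet from a VLAN1 host to dst is sent, before vs. after."""
    return {"before": lookup(ROUTES_BEFORE, dst), "after": lookup(ROUTES_AFTER, dst)}


if __name__ == "__main__":
    # 192.168.2.1 and 192.168.40.1 leave via the default route before the
    # fix, which is why the "Destination net unreachable" replies came back
    # from the Internet-facing side rather than from the VLAN gateway.
    for gw in ("192.168.20.1", "192.168.2.1", "192.168.40.1"):
        r = explain(gw)
        print(f"{gw}: before -> {r['before']}; after -> {r['after']}")
```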

    in reply to: Allow PC (s) in VLAN2 access to Internet in VLAN1 #52240
    rpottersr
    Member

    Ok… doesn’t make sense because the routing table is showing this:

    Destination Netmask Type Metric Gateway Interface Flags State Source
    10.10.0.0 255.255.255.248 Net 0 none VPN99 U Up Auto
    192.168.40.0 255.255.255.248 Net 0 none ETH00 vlan 4 U Up Auto
    192.168.20.0 255.255.255.0 Net 0 none ETH00 vlan 2 U Up Auto
    192.168.194.0 255.255.255.0 Net 0 none ETH00 U Up Auto
    192.168.2.0 255.255.255.0 Net 0 none ETH00 vlan 3 U Up Auto
    DEFAULT GATEWAY 0.0.0.0 Net 0 192.168.194.1 ETH00 UG Up Static

    in reply to: Allow PC (s) in VLAN2 access to Internet in VLAN1 #52238
    rpottersr
    Member

    @redfive wrote:

    Of course… Add, as first rule in forward chain, Input *, Output ETH00, s.ip *, dest.ip 192.168.194.0/24, state RELATED, ESTABLISHED, action ACCEPT.
    This is the first step for setting up a stateful firewall. Try and post the result.
    bye

    Thank you, that allowed me access to a computer on VLAN2, but I’m still unable to access or ping any computers on VLAN3 and VLAN4.

    The results of the ping to VLAN3:

    C:\Users\Robin>ping 192.168.2.1

    Pinging 192.168.2.1 with 32 bytes of data:
    Reply from 70.159.184.82: Destination net unreachable.
    Reply from 70.159.184.82: Destination net unreachable.
    Reply from 70.159.184.82: Destination net unreachable.
    Reply from 70.159.184.82: Destination net unreachable.

    Ping statistics for 192.168.2.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

    I get the same thing for VLAN4.

    Very confusing, since I’m really not a firewall admin, but very willing to learn and obtain the knowledge.

    Really appreciate all the help you have been giving me.
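    To see why the RELATED/ESTABLISHED rule in position 1 lets a VLAN1 host reach VLAN2 while the existing DROP rules still block connections that VLAN2 initiates, here is a toy stateful forward chain. It is an added example, not Zeroshell code; the interfaces, subnets and rules are the ones posted in this thread, while the two hosts (.50 and .5) and the matching logic are assumed for illustration. It also shows that the chain alone would accept VLAN1 to VLAN3 traffic, so the remaining VLAN3 failure had to lie elsewhere.

```python
"""Added example: a toy stateful forward chain using the thread's rules."""
import ipaddress

LAN = "192.168.194.0/24"
DEFAULT_POLICY = "ACCEPT"

# Rule 1 is the ESTABLISHED accept from redfive; the rest are the DROP rules
# already in place.  '*' matches anything; prefixes match as subnets.
RULES = [
    dict(in_if="*", out_if="ETH00", src="*", dst=LAN, state="ESTABLISHED", action="ACCEPT"),
    dict(in_if="ETH00.2", out_if="ETH00", src="192.168.20.0/24", dst=LAN, state="*", action="DROP"),
    dict(in_if="ETH00.3", out_if="ETH00", src="192.168.2.0/24", dst=LAN, state="*", action="DROP"),
]


def _match(pattern, value):
    if pattern == "*":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(value) in ipaddress.ip_network(pattern)
    return pattern == value


class ForwardChain:
    def __init__(self, rules):
        self.rules = rules
        self.conntrack = set()  # (src, dst) pairs of accepted flows

    def state_of(self, src, dst):
        # ESTABLISHED if either direction of this flow was already accepted.
        seen = (src, dst) in self.conntrack or (dst, src) in self.conntrack
        return "ESTABLISHED" if seen else "NEW"

    def forward(self, in_if, out_if, src, dst):
        """First matching rule wins; otherwise the default policy applies."""
        state = self.state_of(src, dst)
        verdict = DEFAULT_POLICY
        for r in self.rules:
            if (_match(r["in_if"], in_if) and _match(r["out_if"], out_if)
                    and _match(r["src"], src) and _match(r["dst"], dst)
                    and r["state"] in ("*", state)):
                verdict = r["action"]
                break
        if verdict == "ACCEPT":
            self.conntrack.add((src, dst))
        return verdict


def ping_exchange(rules, src_if, src, dst_if, dst):
    """Echo request, then the reply if the request got through."""
    fw = ForwardChain(rules)
    request = fw.forward(src_if, dst_if, src, dst)
    reply = fw.forward(dst_if, src_if, dst, src) if request == "ACCEPT" else None
    return request, reply
```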

    in reply to: Allow PC (s) in VLAN2 access to Internet in VLAN1 #52236
    rpottersr
    Member

    @redfive wrote:

    Hi rpottersr, how are u? Hope fine!! btw, I haven’t clearly understood what’s the problem… a host attached to a switchport (eg. member of vlan 3) can surf the web but not ping his def-gw?
    With the fw rule posted above, only traffic from ETH00.2 directed to ETH00 should be denied, but all the rest of the traffic should be allowed (since the default policy is accept… or was it changed??).
    Did you make any change in the fw rules? Could you briefly describe your topology, ip addresses, firewall rules, and the most important, the result that you would like to obtain?
    greetings

    Everything is good, thank you for asking.

    The FW rules that are currently setup are as follows

    Fw policy all default , only add , in forward chain ,
    in ETH00.2 out ETH00 proto all s. ip 192.168.20.0/24 d. ip 192.168.194.0/24 action DROP

    in ETH00.3 out ETH00 proto all s. ip 192.168.2.0/24 d. ip 192.168.194.0/24 action DROP

    in ETH00.4 out ETH00 proto all s. ip 192.168.40.0/24 d. ip 192.168.194.0/24 action DROP

    The three VLANs listed above can access the internet, but cannot access VLAN1. Plus, each computer on the VLANs can talk to the others in its own segment without any issues.

    I think what I want to do is be able to access a computer on one of the other VLANs from VLAN1. Is this possible?

    in reply to: Allow PC (s) in VLAN2 access to Internet in VLAN1 #52234
    rpottersr
    Member

    Hey Redfive or anyone that reads this. Everything has been working fine and decided to add a couple of more VLANs – one for a test lab and one for VOIP sometime in the future.

    The problem that I’m having now is that I can ping the gateway of VLAN2 (192.168.20.1), but I’m unable to ping the gateways of VLAN3 (192.168.2.1) and VLAN4 (192.168.40.1).

    Both VLAN3 and VLAN4 have DHCP enabled with those gateways. When I hook a computer up to either of those VLANs it gets internet access with no problems and cannot access VLAN1.

    If I’m able to ping the gateway of VLAN2, why can’t I ping the gateways of the other VLANs?

    Very confusing, any help would be much appreciated.

    in reply to: Allow PC (s) in VLAN2 access to Internet in VLAN1 #52233
    rpottersr
    Member

    Thank you Redfive 😀 , that’s exactly what I was looking for. It works perfectly.

    in reply to: Allow PC (s) in VLAN2 access to Internet in VLAN1 #52231
    rpottersr
    Member

    CPIFL#sh run
    Building configuration...

    Current configuration : 5326 bytes
    !
    version 12.2
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname CPIFL
    !
    enable secret 5 $1$fOiB$idZ1BL8xulIPY2qJRpuZh1
    !
    no aaa new-model
    ip subnet-zero
    !
    !
    mls qos srr-queue input bandwidth 90 10
    mls qos srr-queue input threshold 1 8 16
    mls qos srr-queue input threshold 2 34 66
    mls qos srr-queue input buffers 67 33
    mls qos srr-queue input cos-map queue 1 threshold 2 1
    mls qos srr-queue input cos-map queue 1 threshold 3 0
    mls qos srr-queue input cos-map queue 2 threshold 1 2
    mls qos srr-queue input cos-map queue 2 threshold 2 4 6 7
    mls qos srr-queue input cos-map queue 2 threshold 3 3 5
    mls qos srr-queue input dscp-map queue 1 threshold 2 9 10 11 12 13 14 15
    mls qos srr-queue input dscp-map queue 1 threshold 3 0 1 2 3 4 5 6 7
    mls qos srr-queue input dscp-map queue 1 threshold 3 32
    mls qos srr-queue input dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
    mls qos srr-queue input dscp-map queue 2 threshold 2 33 34 35 36 37 38 39 48
    mls qos srr-queue input dscp-map queue 2 threshold 2 49 50 51 52 53 54 55 56
    mls qos srr-queue input dscp-map queue 2 threshold 2 57 58 59 60 61 62 63
    mls qos srr-queue input dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
    mls qos srr-queue input dscp-map queue 2 threshold 3 40 41 42 43 44 45 46 47
    mls qos srr-queue output cos-map queue 1 threshold 3 5
    mls qos srr-queue output cos-map queue 2 threshold 3 3 6 7
    mls qos srr-queue output cos-map queue 3 threshold 3 2 4
    mls qos srr-queue output cos-map queue 4 threshold 2 1
    mls qos srr-queue output cos-map queue 4 threshold 3 0
    mls qos srr-queue output dscp-map queue 1 threshold 3 40 41 42 43 44 45 46 47
    mls qos srr-queue output dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
    mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
    mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
    mls qos srr-queue output dscp-map queue 3 threshold 3 16 17 18 19 20 21 22 23
    mls qos srr-queue output dscp-map queue 3 threshold 3 32 33 34 35 36 37 38 39
    mls qos srr-queue output dscp-map queue 4 threshold 1 8
    mls qos srr-queue output dscp-map queue 4 threshold 2 9 10 11 12 13 14 15
    mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7
    mls qos queue-set output 1 threshold 1 138 138 92 138
    mls qos queue-set output 1 threshold 2 138 138 92 400
    mls qos queue-set output 1 threshold 3 36 77 100 318
    mls qos queue-set output 1 threshold 4 20 50 67 400
    mls qos queue-set output 2 threshold 1 149 149 100 149
    mls qos queue-set output 2 threshold 2 118 118 100 235
    mls qos queue-set output 2 threshold 3 41 68 100 272
    mls qos queue-set output 2 threshold 4 42 72 100 242
    mls qos queue-set output 1 buffers 10 10 26 54
    mls qos queue-set output 2 buffers 16 6 17 61
    mls qos
    !
    !
    no file verify auto
    spanning-tree mode pvst
    spanning-tree extend system-id
    !
    vlan internal allocation policy ascending
    !
    interface FastEthernet0/1
    description SME-Srvr
    !
    interface FastEthernet0/2
    description WRT54G
    !
    interface FastEthernet0/3
    !
    interface FastEthernet0/4
    description TVPC
    !
    interface FastEthernet0/5
    !
    interface FastEthernet0/6
    !
    interface FastEthernet0/7
    description Dell Dock
    !
    interface FastEthernet0/8
    !
    interface FastEthernet0/9
    !
    interface FastEthernet0/10
    !
    interface FastEthernet0/11
    !
    interface FastEthernet0/12
    description On Demand
    !
    interface FastEthernet0/13
    description Garage 1
    switchport access vlan 2
    !
    interface FastEthernet0/14
    description Garage 2
    switchport access vlan 2
    !
    interface FastEthernet0/15
    description Garage WiFi
    switchport access vlan 2
    !
    interface FastEthernet0/16
    description Dad's PC
    !
    interface FastEthernet0/17
    shutdown
    !
    interface FastEthernet0/18
    shutdown
    !
    interface FastEthernet0/19
    shutdown
    !
    interface FastEthernet0/20
    shutdown
    !
    interface FastEthernet0/21
    shutdown
    !
    interface FastEthernet0/22
    shutdown
    !
    interface FastEthernet0/23
    shutdown
    !
    interface FastEthernet0/24
    shutdown
    !
    interface FastEthernet0/25
    !
    interface FastEthernet0/26
    shutdown
    !
    interface FastEthernet0/27
    shutdown
    !
    interface FastEthernet0/28
    shutdown
    !
    interface FastEthernet0/29
    shutdown
    !
    interface FastEthernet0/30
    description VOIP Srvr
    !
    interface FastEthernet0/31
    shutdown
    !
    interface FastEthernet0/32
    shutdown
    !
    interface FastEthernet0/33
    shutdown
    !
    interface FastEthernet0/34
    shutdown
    !
    interface FastEthernet0/35
    shutdown
    !
    interface FastEthernet0/36
    shutdown
    !
    interface FastEthernet0/37
    shutdown
    !
    interface FastEthernet0/38
    shutdown
    !
    interface FastEthernet0/39
    shutdown
    !
    interface FastEthernet0/40
    shutdown
    !
    interface FastEthernet0/41
    shutdown
    !
    interface FastEthernet0/42
    shutdown
    !
    interface FastEthernet0/43
    shutdown
    !
    interface FastEthernet0/44
    shutdown
    !
    interface FastEthernet0/45
    shutdown
    !
    interface FastEthernet0/46
    shutdown
    !
    interface FastEthernet0/47
    shutdown
    !
    interface FastEthernet0/48
    shutdown
    !
    interface GigabitEthernet0/1
    shutdown
    !
    interface GigabitEthernet0/2
    description Trunk
    switchport mode trunk
    !
    interface Vlan1
    ip address 192.168.194.10 255.255.255.0
    no ip route-cache
    !
    interface Vlan2
    no ip address
    no ip route-cache
    !
    ip default-gateway 192.168.194.1
    ip http server
    !
    control-plane
    !
    !
    line con 0
    line vty 0 4
    login
    length 0
    line vty 5 15
    login
    !
    end

    in reply to: Allow PC (s) in VLAN2 access to Internet in VLAN1 #52229
    rpottersr
    Member

    Ok, did that but still unable to ping the internet.

    When I ping google.com, I get an unknown host response.

    I removed the ip address from vlan 2 and still get the same results.

    You stated that you would suggest something a bit different; I’m open to any suggestions right now.

    in reply to: Allow PC (s) in VLAN2 access to Internet in VLAN1 #52227
    rpottersr
    Member

    Yes the IPs are on the VLAN interfaces.

    There is no DHCP server for members of vlan2; from what I have read so far I can set up PCs with static addresses pointed back to the PC that handles routing for the VLANs. So if it can be done, I would like to be able to give the PCs on vlan2 access to the internet but not allow them to access PCs on vlan1.

    So far with the routing of the vlans I’m able to ping a couple addresses on vlan1 from a pc that is on vlan2, but I’m not able to ping any web addresses for example google.com.

    The ZS routing table looks something like this:

    192.168.20.0/24 ETH00 VLAN 2
    192.168.194.0/24 ETH00
    Default GW 192.168.194.1

    in reply to: Allow PC (s) in VLAN2 access to Internet in VLAN1 #52225
    rpottersr
    Member

    Thanks for the response redfive.

    Currently I’m connecting to the Internet through my web server that also provides DHCP to the rest of the network. Eth0 on the server is connected to Fa0/1 on the 2960 and ETH1 is connected to a DSL modem with a static IP from the ISP.

    I think my problem is I don’t know what firewall rules I’m supposed to set up.

    Server IP 192.168.194.1 (default gw for all PCs)
    VLAN 1 IP 192.168.194.10/24
    VLAN 2 IP 192.168.20.10/24

    The PC that I have ZS running on has an IP 192.168.194.200 on ETH00, and the IP on ETH00.2 is 192.168.20.1.

    Hope this is info you were looking for…
