Thursday, February 21, 2019

I need a lesson in Layer 3 routing

The Details:

I have 4 x Dell N3048EP-ON switches stacked, 2 x N4032F switches stacked, and a FortiGate 500E.

To simplify the ordeal, let's just focus on a single switch and the FortiGate. Let's take 3 VLANs - 10, 20, and 30.

VLAN 10 - 192.168.10.1/24
VLAN 20 - 192.168.20.1/24
VLAN 30 - 192.168.30.1/24

Firewall:

The FortiGate has a LAN interface with the IP of 192.168.30.3/24. A simple static route (0.0.0.0/0 -> Public IP). A policy allowing all traffic sourced from VLAN30 going to the FG's WAN interface to allow all the things.

Routing:

InterVLAN routing works just fine. 10 can get to 20 and 30, 20 can get to 10 and 30, etc. I'll set up ACLs later. My problem is routing to the Internet. The Default Gateway is the FortiGate's interface IP (192.168.30.3). The switch can ping/traceroute/whatever out to the Internet - take a traceroute to 1.1.1.1. Works A-OK.

What Works:

- If I put a host on 30NET, I can get out just fine.
- Like I stated before, the switches can ping the FG interface and 1.1.1.1.

What Doesn't Work:

- If I put a host on 10NET or 20NET, they can't get out.
- Said hosts can't even ping the FG LAN interface.
- A traceroute/tracepath stops at their VLAN gateway (192.168.10.1 or 192.168.20.1) and won't hop to 192.168.30.1 in order to hop to 192.168.30.1.

------------------------------------------------------------------------------------------------------------------

Weird Things I've Tried:

- I've added a VLAN interface to the FG's physical interface for each VLAN.
- I've then manually added static routes (0.0.0.0/0 -> 192.168.10.3 & 0.0.0.0/0 -> 192.168.20.3).
- Changed the switchport from an access port (VLAN 30) to a trunk allowing VLAN 10, 20, 30.
- This lets every host in each VLAN be able to ping the FG LAN interface associated with their VLAN, but it causes some other weird behavior.
- I'm pretty sure the switches are only supposed to have a single static route and not multiple default gateways for each VLAN.

I'm fairly certain the problem lies in the layer 3 routing at the switch level. As I mentioned, they will route between VLANs perfectly fine, but it won't route any traffic out to the default gateway that isn't part of that host's VLAN.
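An added illustration, not part of the original post, of how each device in the setup described above resolves a packet with longest-prefix match. The two routing tables are constructed from the post's stated configuration (three SVIs on the switch plus a default route to 192.168.30.3; on the FortiGate only the 192.168.30.3/24 LAN interface plus a default route to the WAN) and assume no other routes exist on either device.

```python
import ipaddress

# Constructed routing tables mirroring the post's description (assumption:
# nothing beyond these entries is configured on either device).
SWITCH_ROUTES = {
    "192.168.10.0/24": "connected vlan10",
    "192.168.20.0/24": "connected vlan20",
    "192.168.30.0/24": "connected vlan30",
    "0.0.0.0/0": "via 192.168.30.3",
}
FORTIGATE_ROUTES = {
    "192.168.30.0/24": "connected lan",
    "0.0.0.0/0": "via wan (public IP)",
}


def lookup(table, dst):
    """Longest-prefix match: the most specific matching route wins,
    so the 0.0.0.0/0 default route is only used when nothing else matches."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, nexthop in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, nexthop
    return best_hop


def trace_round_trip(src_host, internet_host="1.1.1.1"):
    """Show the route each device picks for the outbound request from
    src_host and for the FortiGate's reply back to src_host."""
    return {
        "switch_forward": lookup(SWITCH_ROUTES, internet_host),
        "fortigate_forward": lookup(FORTIGATE_ROUTES, internet_host),
        "fortigate_reply": lookup(FORTIGATE_ROUTES, src_host),
    }


if __name__ == "__main__":
    for host in ("192.168.30.50", "192.168.10.50", "192.168.20.50"):
        print(host, trace_round_trip(host))
```

With the tables as stated, the reply toward a 30NET host matches the FortiGate's connected LAN route, while a reply toward a 10NET or 20NET host matches only its default route.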
