Danté
New Contributor

Routing between VLANS

Hi,


I have a physical interface which has two ports configured in a LAG, and those ports are tagged with all my VLANs.


We have 22 Cisco switches in all departments which are also tagged with all the VLANs.


Under my physical interface (10.1.0.x/23) I have three VLAN interfaces which I am trying to route between:

10.3.0.0/24 staff wifi (50), 10.4.0.0/24 guest wifi (60), 10.10.0.0/24 voice (5).


I can see in the routing monitor that there are connected routes, since the subnets are directly attached. From this I understand that I only need bi-directional IPv4 policies between the subnets to make them communicate. I created these policies and can perfectly communicate and ping all devices between 10.1.0.0/23 and 10.3.0.0/24, but not between any of the other combinations. I need to be able to access 10.10.0.0/24 from 10.1.0.0/23, and I also need access to 10.4.0.0/24. Why is only one combination working when the policies are identical for all combinations? I can ping the gateway on those ranges only, no other IPs; for example, with the policy on I can ping 10.4.0.1, which is the gateway interface for the VLAN, but I can't ping a device on 10.4.0.2-254.

Thanks

Toshi_Esumi
SuperUser

It's a firewall. You have to create policies between logical interfaces for all possible combinations, unless you combine them in a zone (or zones) and then allow intra-zone traffic.
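The two options Toshi describes, written out as FortiOS CLI for the layout in the question (an added example, not configuration from the thread). Interface names MAIN_LAN, STAFF_WIFI, VOICE and GUEST_LAN, the member ports port1/port2 and the .1 gateway addresses are assumptions; only the subnets and VLAN IDs come from the post.

```text
# Added example: aggregate (LAG) carrying the untagged 10.1.0.0/23 plus three
# tagged VLAN sub-interfaces. Names and .1 addresses are assumed.
config system interface
    edit "MAIN_LAN"
        set type aggregate
        set member "port1" "port2"
        set ip 10.1.0.1 255.255.254.0
    next
    edit "STAFF_WIFI"
        set interface "MAIN_LAN"
        set vlanid 50
        set ip 10.3.0.1 255.255.255.0
    next
    edit "VOICE"
        set interface "MAIN_LAN"
        set vlanid 5
        set ip 10.10.0.1 255.255.255.0
    next
    edit "GUEST_LAN"
        set interface "MAIN_LAN"
        set vlanid 60
        set ip 10.4.0.1 255.255.255.0
    next
end

# Zone with intra-zone traffic allowed: MAIN_LAN, STAFF_WIFI and VOICE can reach
# each other in every direction without one policy per interface pair.
# GUEST_LAN is deliberately kept out of the zone, so guest traffic still needs
# explicit, narrow firewall policies (it should not see staff or voice).
config system zone
    edit "INTERNAL"
        set intrazone allow
        set interface "MAIN_LAN" "STAFF_WIFI" "VOICE"
    next
end

# Checks for the "gateway answers but hosts do not" symptom. The sniffer with
# verbosity 4 prints the ingress/egress interface per packet, so you can see
# whether a ping to a guest host ever leaves on GUEST_LAN; the flow trace shows
# the policy or route decision that dropped it.
# diagnose sniffer packet any 'host 10.4.0.2 and icmp' 4
# diagnose debug flow filter addr 10.4.0.2
# diagnose debug flow trace start 10
# diagnose debug enable
```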

Danté

Dear Toshi,


That is what I don't understand: I do have all the combinations in policies, yet I can only ping the gateway within that range and nothing else. I can also see that when I ping a device in that range it does hit the correct policy, even though I get no reply and can't communicate with those devices. What could be blocking the traffic? I have tried different devices as well. It was still working fine a few days ago and I did not change anything.

Danté
New Contributor

Also worth noting: when I run an Advanced IP Scan on the affected subnets/ranges, I pick up a live device on the whole range, even though there are not even 254 devices in the range. However, I still cannot connect to anything in that range using HTTP, HTTPS, ICMP etc. All services are allowed in the policy.

rwpatterson
Valued Contributor III

That is odd. What are the MAC addresses of these phantom devices? The OID portion should give you a clue as to what may be spawning these things.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Danté

Hi Toshi,

I will do those tests and let you know if I pick up anything,


Hi Rw,


It does not give me any MAC address, just the IP, and if I expand the IPs it gives me an FTP icon.


I am scanning the network from the 10.1.0.0/23 range after I created the policies. Without the policies I don't pick up anything. See below:

Danté
New Contributor

Dear Toshi,

This is the result of the sniffer test. MAIN_LAN is my 10.1.0.0/23 interface and GUEST_LAN (VLAN 60) is 10.4.0.0/24.

The policy and its reverse exist between these interfaces. I see now that if I scan any of those VLAN ranges I get the same result from Advanced IP Scanner. What is also strange is that I did further testing and can ICMP certain devices on the network but not others. It seems the VLANs are not passing properly over the LAG trunk, perhaps? I can communicate between all devices in the 10.3.0.0 range but only partially with some in the 10.4.0.0 range. I also tested with a laptop on the GUEST_LAN: that laptop can't ping my PC on the MAIN_LAN, but I can ping the laptop on the GUEST_LAN. Very strange.


Danté
New Contributor

Hi,

I feel so stupid; I looked at the switch again and found that only one of the LAG ports in the group was tagged on the Cisco.

Thanks for the assistance though, as it led me to realise it must be a VLAN problem on the Cisco switch.


Regards
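The switch-side configuration that avoids the root cause found above, as an added example rather than the poster's own config. It assumes a Cisco IOS switch where GigabitEthernet1/0/1-2 form Port-channel1 with LACP; the VLAN IDs 5, 50 and 60 are from the thread, and the native (untagged) VLAN 1 is assumed to carry the 10.1.0.0/23 main LAN.

```text
! Added example: trunk towards the FortiGate aggregate. The trunk settings are
! applied to the Port-channel, so both members carry exactly the same tagged
! VLANs. Tagging only one member port is what produces the "some hosts
! reachable, some not" pattern: the LAG hashes flows across both links, and
! flows that land on the untagged member never reach the VLAN.
interface Port-channel1
 description Uplink to FortiGate MAIN_LAN aggregate
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,5,50,60
!
interface range GigabitEthernet1/0/1 - 2
 description LAG member to FortiGate
 channel-group 1 mode active
!
! Checks: every member should show as bundled (P) in the summary, and the
! allowed/active VLAN lists must be read from the Port-channel, not a member.
! show etherchannel summary
! show interfaces Port-channel1 trunk
! show interfaces Port-channel1 switchport
```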

rwpatterson
Valued Contributor III

I was about to say that it felt as though there was a cable crossed between VLANs or something similar on the switch side. Glad you sorted it out.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Danté

Hi,


Just one more question on the routing side while on the topic, the scenario is as follows:


We have two WAN links.


WAN1-FIBRE: all traffic uses this static route to go to the internet.


WAN2-CABLE: I want to be able to route the guest VLAN (10.4.0.0) out on this WAN, and also allow the guest LAN to access the captive portal server, which is on the main physical interface on a different subnet. I have been playing with the IPv4 policies in conjunction with the policy routes and static routes, but I can only get either one or the other to work. I can't get both the guest to route out on WAN2 and the guest to access the captive portal server on the main subnet (10.1.0.0).


Thank you
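One way to get both behaviours at once, as an added FortiOS CLI example that is not from the thread: a policy route that stops policy routing for guest-to-main-subnet traffic (so it follows the connected route) sits above the one that pushes everything else from the guest VLAN out WAN2. Assumed: interface names GUEST_LAN, MAIN_LAN and wan2, a WAN2 next hop of 203.0.113.1 (placeholder), and address objects GUEST_NET and PORTAL_HOST for 10.4.0.0/24 and the portal server.

```text
# Added example; 203.0.113.1, GUEST_NET and PORTAL_HOST are placeholders.
# Policy routes are checked top-down before the routing table. Rule 1 matches
# guest -> 10.1.0.0/23 and "stops policy routing" (action deny), so those
# packets fall through to the connected route on MAIN_LAN. Rule 2 then catches
# all other guest traffic (no dst = any) and forces it out wan2.
config router policy
    edit 1
        set input-device "GUEST_LAN"
        set src "10.4.0.0/255.255.255.0"
        set dst "10.1.0.0/255.255.254.0"
        set action deny
    next
    edit 2
        set input-device "GUEST_LAN"
        set src "10.4.0.0/255.255.255.0"
        set gateway 203.0.113.1
        set output-device "wan2"
    next
end

# Firewall policies stay narrow: guest reaches only the portal host on the main
# subnet (no policy towards staff/voice), and the internet only through wan2.
config firewall policy
    edit 10
        set name "guest-to-portal"
        set srcintf "GUEST_LAN"
        set dstintf "MAIN_LAN"
        set srcaddr "GUEST_NET"
        set dstaddr "PORTAL_HOST"
        set service "HTTP" "HTTPS"
        set action accept
        set schedule "always"
    next
    edit 11
        set name "guest-to-internet"
        set srcintf "GUEST_LAN"
        set dstintf "wan2"
        set srcaddr "GUEST_NET"
        set dstaddr "all"
        set service "ALL"
        set action accept
        set schedule "always"
        set nat enable
    next
end
# Check which policy route a guest packet matched:
# diagnose firewall proute list
```

A policy route only chooses the exit interface; the matching firewall policy (srcintf/dstintf pair) must still exist, which is why a route change alone appears to break one of the two paths.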
