| general advice for routing problems [message #103925] |
Tue, 18 June 2013 15:55  |
giampos
Messages: 82
Registered: May 2005
|
|
|
|
Hi, i'm looking for some advice in a routing problem.
In my lan I have 2 router
1) 10.10.10.1 Kerio Control all routes and internet usage.
2) 10.10.10.2 Proprietary Cisco (static routes 10.50.50.x to central company service)
Now I have con config static routes on each workstation with deafult gateway 10.10.10.1 and a route 10.50.50.0 mask 255.255.255.0 to GW 10.10.10.2
I'm looking for a config where only KControl (10.10.10.1) is set as gateway, and it forward the specific route to the other router.
I've configured in KControl the static route to the Cisco now I can ping the Company hosts at the 10.50.50.x address, but services not works, I suspect that packets don't return through the KControl but directly to workstation that don0t have the Cisco as gateway.
Keep in mind that I cannot manage and config the proprietary Cisco.
Thanks for any help.
|
|
|
|
|
|
| Re: general advice for routing problems [message #103952 is a reply to message #103941] |
Wed, 19 June 2013 10:45  |
giampos
Messages: 82
Registered: May 2005
|
|
|
|
Can you explain better, please?
You mean, If I don't use static ip I can add the route to Dhcp server in order that it release the ip/subnet/gateway and route to workstation?
The problem is that I don't use dynamic ip and Dhcp in my lan.
|
|
|
|
| Re: general advice for routing problems [message #103986 is a reply to message #103952] |
Wed, 19 June 2013 16:24 |
silars
Messages: 285
Registered: March 2012
|
|
|
|
Actually, this should work and is similar in concept to another thread up at the moment (lightyear's thread).
This can work a number of ways:
1. ICMP Redirect, if Control supports it. Essentially, if a router receives a packet on an interface that is also the next-hop route interface, it will generate an ICMP packet telling that host to use that next-hop route. The host will then install that route for future use. I don't believe Kerio supports this, though.
2. Control routes to the Cisco, but doesn't NAT the traffic. This should work and I have seen work with enterprise routers (Cisco, Juniper, Brocade, Extreme, etc.). However, all the security features need to account for this, primarily, stateful inspections. You are right, traffic will not flow back in the manner it went out. This is legal IP traffic though. ECMP uses this to its advantage.
3. What Martin described. DHCP can be used to install host routes.
|
|
|
|
| Re: general advice for routing problems [message #103992 is a reply to message #103986] |
Thu, 20 June 2013 10:56 |
giampos
Messages: 82
Registered: May 2005
|
|
|
|
Thanks Silars,
I've read lightyear's thread before submitting this one, but I thought it was a little different.
So...point #3 - I have to use static Ip for workstations.......
About way #1 Who knows if KControl support this??
The #2 seems more interesting.....in addition to static route in KControl, you suggest me a specific filter rule? And in this case how it should be written ?
source : Kcontrol IP
Dest: Cisco Router Ip
protocol: Any
Action: permitted
nat : ?????
If I enable NAT maybe the Cisco return packet to the Kcontrol and not directly to workstations??
Thanks for help.
|
|
|
|
| Re: general advice for routing problems [message #104001 is a reply to message #103992] |
Thu, 20 June 2013 15:21 |
silars
Messages: 285
Registered: March 2012
|
|
|
|
His problem is slightly different, but it is the similar mechanic involved. You are both try to do what is sometimes referred to as a "router on a stick" or OAR (one-armed routing). Some routers can handle this, some can't.
If you enable NAT, the traffic should return to the Control device. However, I've never tried this with Control. On other routers, this has worked.
Fundamentally, you shouldn't need NAT to make this work.
You may need to get some packet captures of the traffic that Cisco sends/receives. Do you have Wireshark and a switch that supports SPAN or port mirroring?
|
|
|
|
| Re: general advice for routing problems [message #104106 is a reply to message #104001] |
Mon, 24 June 2013 11:04 |
giampos
Messages: 82
Registered: May 2005
|
|
|
|
It works !
Just add a rule source:lan - dest:subnets - service: any - nat standard enabled
and all packets return through the Kcontrol and It redirect to the right workstation.
Clearly all the desired subnets must be on destination group and properly routed in routing table.
No matter if target hosts see only the Kcontrol firewall in place of workstations.
Thanks Silars......
|
|
|
|
Members
Search
Help
Register
Login
Home
