Kerio User Forums » Kerio Control » Extra network not working
  •  
Dukeman

Somehow a new extra network I'm setting up is not working.

This is my setup:

- Running Kerio Control 7.4.0 (Software Appliance)
- 1 NIC connected to Internet (IP: x, set to internet network)
- 1 NIC connected to LAN (IP: 192.168.1.1, set to local/trusted network)
- 1 NIC connected to Extra network (simply called Extra, IP: 192.168.2.1)
- 1 Switch with the LAN network
- 1 Switch with the Extra network

Everything from LAN to the internet and back works fine.

Within the Firewall Rules I've created the following rules:

Rule 1 (LAN - Extra): [Trusted] -> Extra -> Any service -> Allow
Rule 2 (Extra - LAN): Extra -> Trusted -> Any service -> Allow
Rule 3 (Extra - WAN): Extra -> Internet -> HTTP, HTTPS -> Allow -> NAT

When I ping a system located within the Extra network I don't get a response, but I can see the following traffic in the traffic logs:

Connection log:
[18/Nov/2012 16:20:11] [ID] 23100 [Rule] LAN - Extra [Service] Ping [Connection] ICMP MyPC (192.168.1.2) -> 192.168.2.2 [Duration] 72 sec [Bytes] 240/352/592 [Packets] 4/4/8

And in the filter log:

[18/Nov/2012 16:22:16] PERMIT "LAN - Extra" packet from LAN, proto:ICMP, len:60, 192.168.1.2 -> 192.168.2.2, type:8 code:0
[18/Nov/2012 16:22:16] PERMIT "LAN - Extra" packet to Extra, proto:ICMP, len:60, 192.168.1.2 -> 192.168.2.2, type:8 code:0
[18/Nov/2012 16:22:19] PERMIT "LAN - Extra" packet to LAN, proto:ICMP, len:88, 192.168.1.1 -> 192.168.1.2, type:3 code:1 (orig: 192.168.1.2 -> 192.168.2.2)
[18/Nov/2012 16:22:19] PERMIT "LAN - Extra" packet from LAN, proto:ICMP, len:60, 192.168.1.2 -> 192.168.2.2, type:8 code:0
[18/Nov/2012 16:22:19] PERMIT "LAN - Extra" packet to Extra, proto:ICMP, len:60, 192.168.1.2 -> 192.168.2.2, type:8 code:0


This all seems OK, just like the configuration. No drop or block messages are shown.
Of course the gateway of the pinged system is set to 192.168.2.1.


Pinging 192.168.2.2 with 32 bytes of data:

Reply from 192.168.1.1: Destination host unreachable.
Reply from 192.168.1.1: Destination host unreachable.

From the Extra network I cannot reach anything on the LAN network.

The Routes on Firewall shows a system route with the 192.168.2.0 subnet with mask 255.255.255.0.
Any other services (like HTTP) don't work either.
Pinging the 192.168.2.1 address gives a response.

I cannot find why it is not working. Hopefully one of you can help me.

Thanks,
Barry

[Updated on: Sun, 18 November 2012 19:41]

  •  
silars

You should be seeing the return traffic from 2.2 to 1.2 in the logs too (ICMP Echo Reply). Since you aren't, this could imply that your mask on 2.2 may not be set properly. Perhaps it is 255.255.0.0 instead of 255.255.255.0?

Also, a Wireshark capture on both ends could help with some diagnosis.
  •  
Dukeman

I can see this traffic in the log, which (seems to me) looks like the return/reply packet.

[18/Nov/2012 16:22:19] PERMIT "LAN - Extra" packet to LAN, proto:ICMP, len:88, 192.168.1.1 -> 192.168.1.2, type:3 code:1 (orig: 192.168.1.2 -> 192.168.2.2)


The subnet mask is set to 255.255.255.0.

I'll try a capture later today...
  •  
Dukeman

I've found the problem. It was the NIC connected to the extra network. Somehow Kerio did not show any errors (it showed connected), the lights on the card and switch all worked, but the card was not generating any traffic.

The system had an extra spare card in it, so I switched everything to this card and now all problems are gone...

Strange that Kerio did not give any error, and even gave a reply on the card from the LAN network...

My problem has been fixed, thanks for your help!
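
An added example, not part of the thread and not Kerio code: a small Python check that reads filter-log lines in the format quoted in the first post and reports, per ping flow, whether echo requests were forwarded, whether any echo reply (type 0) came back, and which address sent the "host unreachable" (type 3 code 1). The names `diagnose` and `verdict` are made up for this example, and the reading that an unreachable sourced by the firewall itself points at the egress segment (link or ARP) is an assumption based on general IP behaviour.

```python
import re

# Filter-log lines copied from the first post of this thread.
SAMPLE_LOG = """\
[18/Nov/2012 16:22:16] PERMIT "LAN - Extra" packet from LAN, proto:ICMP, len:60, 192.168.1.2 -> 192.168.2.2, type:8 code:0
[18/Nov/2012 16:22:16] PERMIT "LAN - Extra" packet to Extra, proto:ICMP, len:60, 192.168.1.2 -> 192.168.2.2, type:8 code:0
[18/Nov/2012 16:22:19] PERMIT "LAN - Extra" packet to LAN, proto:ICMP, len:88, 192.168.1.1 -> 192.168.1.2, type:3 code:1 (orig: 192.168.1.2 -> 192.168.2.2)
[18/Nov/2012 16:22:19] PERMIT "LAN - Extra" packet from LAN, proto:ICMP, len:60, 192.168.1.2 -> 192.168.2.2, type:8 code:0
[18/Nov/2012 16:22:19] PERMIT "LAN - Extra" packet to Extra, proto:ICMP, len:60, 192.168.1.2 -> 192.168.2.2, type:8 code:0
"""

LINE_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\] (?P<action>\w+) "(?P<rule>[^"]+)" packet '
    r'(?P<dir>from|to) (?P<iface>[^,]+), proto:ICMP, len:\d+, '
    r'(?P<src>[\d.]+) -> (?P<dst>[\d.]+), type:(?P<type>\d+) code:(?P<code>\d+)'
    r'(?: \(orig: (?P<osrc>[\d.]+) -> (?P<odst>[\d.]+)\))?'
)

def diagnose(log):
    """Return {(src, dst): summary} for every echo request the firewall forwarded."""
    events = [m.groupdict() for m in map(LINE_RE.match, log.splitlines()) if m]
    flows = {}
    # Pass 1: echo requests (type 8) leaving the firewall on an egress interface.
    for e in events:
        if e["type"] == "8" and e["dir"] == "to":
            f = flows.setdefault((e["src"], e["dst"]), {
                "egress": e["iface"], "requests": 0,
                "replies": 0, "unreachable_from": []})
            f["requests"] += 1
    # Pass 2: match echo replies (type 0) and host-unreachable (type 3 code 1).
    for e in events:
        if e["type"] == "0" and (e["dst"], e["src"]) in flows:
            flows[(e["dst"], e["src"])]["replies"] += 1
        elif e["type"] == "3" and e["code"] == "1" and (e["osrc"], e["odst"]) in flows:
            f = flows[(e["osrc"], e["odst"])]
            if e["src"] not in f["unreachable_from"]:
                f["unreachable_from"].append(e["src"])
    return flows

def verdict(flow):
    """Turn one flow summary into a short troubleshooting hint."""
    if flow["replies"]:
        return "target answered"
    if flow["unreachable_from"]:
        return ("no echo reply; host unreachable sent by %s: rule permits the "
                "traffic, check link/ARP on interface %s"
                % (", ".join(flow["unreachable_from"]), flow["egress"]))
    return "no echo reply and no ICMP error: check target host or return path"

if __name__ == "__main__":
    for key, flow in diagnose(SAMPLE_LOG).items():
        print(key, verdict(flow))
```

On the lines from this thread it shows two forwarded requests, zero replies, and an unreachable sourced by 192.168.1.1, the firewall's own LAN address.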