Kerio User Forums, Kerio Control: Routing across networks - multiple gateways (Routing - Multiple gateways)
lightyear26

Messages: 11
Karma: 0
The force is not strong with my networking skills so a quick question if I may?
When pinging across networks with multiple gateways, does an ICMP Ping need to follow the same route when returned to the source adapter, through the same gateway it entered?

I have just joined a 3rd subnet to our infrastructure and can ping from LAN1 and LAN2 to LAN3, but not from LAN3 back to LAN1 or LAN2 (on the same IP address range as the joining adapter).

Our main network is 10.10.10.x with 2 gateways joining the 2 companies' Kerio router/firewalls.
Let me clarify:

LAN 1
10.10.9.0 (DMZ)
10.10.10.0/24 (LOCAL LAN)

10.10.9.1 (Default Gateway Adapter)
10.10.10.1 (Default Gateway Adapter)

Static routes:
10.10.11.0 use GW 10.10.10.200 Metric 1
10.10.12.0 use GW 10.10.10.200 Metric 1
10.10.20.0 use GW 10.10.10.5 Metric 1



LAN 2
10.10.10.0/24 (LOCAL LAN)
10.10.11.0/24 (LOCAL LAN)
10.10.12.0 (DMZ)

10.10.10.200 (Default Gateway Adapter)
10.10.11.200 (Default Gateway Adapter)
10.10.12.1 (Default Gateway Adapter)


Static routes:
10.10.9.0 use GW 10.10.10.1 Metric 1
10.10.20.0 use GW 10.10.10.5 Metric 1



LAN 3
10.10.10.5 (Default Gateway)
10.10.20.0/24 (LOCAL LAN)
10.10.20.1 (Default Gateway Adapter)

Static routes:
10.10.9.0 use GW 10.10.10.1 Metric 1
10.10.11.0 use GW 10.10.10.200 Metric 1
10.10.12.0 use GW 10.10.10.200 Metric 1


LAN 1 can ping devices and see shares in LAN 2 and LAN 3 (inc DMZ).
LAN 2 can ping devices and see shares in LAN 1 and LAN 3 (inc DMZ).
LAN 3 CAN NOT ping devices or see shares in LAN 1 or LAN 2 on the 10.10.10.x side (except for the gateway interfaces 10.10.10.1 and 10.10.10.200, which do respond).
LAN 3 CAN ping devices and see shares in LAN 2 on the 10.10.11.x side OK.

So, all traffic from LAN 3 is pinging from the 9,11,12,20 networks without error. It's only LAN 3 pinging to the 10 network that fails. (Apart from the gateway interfaces that respond).
I did manage to get a share to appear from LAN 3 using \\10.10.10.8\share but it took ages to connect and only worked from 1 PC from LAN 3.


I hope that makes sense? It's been a long day tearing my hair out with this! Any help appreciated.
silars

Messages: 429
Karma: 59
Return packets are not required to follow the same route, otherwise ECMP would not work. Although, it is wise to make sure each direction goes the same path to maintain in-order delivery.

Do you have any traffic rules governing LAN reachability?

You may need to provide a diagram for clarification. Your scenario above is difficult to follow in regards to which interfaces are where.
lightyear26

Messages: 11
Karma: 0
Ok, thanks for clarifying that. I have a network diagram at work I can post on Monday. Did some testing today and it appears it is a client default gateway issue. As the 10 network has 2 gateways, I can ping if they are connected to 10.10.10.200, but not 10.10.10.1 from the remote side. I thought as long as the client has access to a routing table to get back to the remote side, it would follow it. I'll clarify next week.
Much appreciated.
lightyear26

Messages: 11
Karma: 0
Here is the network diagram.
After another day of tinkering I have found that 10.10.10.8 can PING 10.10.20.101 quite happily. If I PING from 10.10.20.101 back to 10.10.10.8 it fails. However, if I add the following static route onto the Windows box (10.10.10.8):
route ADD 10.10.20.0 MASK 255.255.255.0 10.10.10.5 METRIC 1
Then I am able to PING both ways straight away. Remove this static route and it instantly stops pinging.
So workstations are not picking up the routing table info from Kerio or forwarding requests. Any ideas appreciated.

silars

Messages: 429
Karma: 59
Hosts will not pick up the routing tables from any router without the use of a routing protocol (RIP, OSPF, etc.), or perhaps ICMP Redirects.

I'll take a look at the diagram later to see why this route is needed.
silars

Messages: 429
Karma: 59
Are any of these routers doing any NAT, stateful inspection, or ACLs? This should work. Going from 10.10.10.8 to 10.10.20.101 is actually the more complicated path.

However, from a design perspective, I would consider tying routers together. There are always some special conditions when routers share a LAN with hosts. This almost always is solved using RIP to distribute routing tables to hosts on the shared LAN.

I prefer Point-to-Point for routers. It just makes it easier to configure and troubleshoot.

Is that possible?
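The exchange above (return packets need not follow the same route, hosts will not learn routes from the Kerio boxes, and the question of stateful inspection) can be checked against the routing tables the original poster listed. The following is an added example, not code from the thread or from Kerio: a small hop-by-hop forwarding model of the three LANs. The prefixes, gateways and host addresses are taken from the posts; the router names R1/R2/R3 and the hosts' default gateways (10.10.10.8 assumed to use 10.10.10.1, 10.10.20.101 assumed to use 10.10.20.1) are assumptions. It reports which router sees only the reply half of a ping exchange, and where a router forwards a packet back into the subnet it came from, which is the situation in which a router normally sends an ICMP redirect.

```python
"""Hop-by-hop forwarding model of the three-LAN layout in this thread.

Added example, not Kerio code. Routing tables are transcribed from the
original post. Node names R1/R2/R3 and the hosts' default gateways are
assumptions: 10.10.10.8 is assumed to use 10.10.10.1 as its default gateway,
10.10.20.101 to use 10.10.20.1.
"""
import ipaddress

IPNet = ipaddress.IPv4Network
IPAddr = ipaddress.IPv4Address

ROUTERS = {"R1", "R2", "R3"}

# node -> list of (prefix, next hop). next hop None = directly connected.
TABLES = {
    "R1": [("10.10.9.0/24", None), ("10.10.10.0/24", None),
           ("10.10.11.0/24", "10.10.10.200"), ("10.10.12.0/24", "10.10.10.200"),
           ("10.10.20.0/24", "10.10.10.5")],
    "R2": [("10.10.10.0/24", None), ("10.10.11.0/24", None), ("10.10.12.0/24", None),
           ("10.10.9.0/24", "10.10.10.1"), ("10.10.20.0/24", "10.10.10.5")],
    "R3": [("10.10.10.0/24", None), ("10.10.20.0/24", None),
           ("10.10.9.0/24", "10.10.10.1"), ("10.10.11.0/24", "10.10.10.200"),
           ("10.10.12.0/24", "10.10.10.200")],
    # hosts: connected subnet plus a default route (assumed gateways)
    "10.10.10.8": [("10.10.10.0/24", None), ("0.0.0.0/0", "10.10.10.1")],
    "10.10.20.101": [("10.10.20.0/24", None), ("0.0.0.0/0", "10.10.20.1")],
}

# interface address -> node that owns it (interfaces as listed in the thread)
OWNER = {
    "10.10.9.1": "R1", "10.10.10.1": "R1",
    "10.10.10.200": "R2", "10.10.11.200": "R2", "10.10.12.1": "R2",
    "10.10.10.5": "R3", "10.10.20.1": "R3",
    "10.10.10.8": "10.10.10.8", "10.10.20.101": "10.10.20.101",
}


def next_hop(node, dst):
    """Longest-prefix match in node's table; returns the address the packet is handed to."""
    dst = IPAddr(dst)
    best = None
    for prefix, gw in TABLES[node]:
        net = IPNet(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        raise LookupError(f"{node}: no route to {dst}")
    return dst if best[1] is None else IPAddr(best[1])


def walk(src, dst, max_hops=8):
    """Yield (node, ingress_ip, egress_ip) for every node on the path from host src to host dst.
    ingress_ip is the address the packet arrived at (None at the source host)."""
    node, ingress = src, None
    for _ in range(max_hops):
        if node == OWNER[dst]:
            yield (node, ingress, None)
            return
        egress = next_hop(node, dst)
        yield (node, ingress, egress)
        node, ingress = OWNER[str(egress)], egress
    raise RuntimeError("routing loop")


def trace(src, dst):
    """Node names a packet from src to dst passes through, in order."""
    return [node for node, _, _ in walk(src, dst)]


def one_way_routers(src, dst):
    """Routers that carry the reply of a src->dst exchange but never saw the request.
    A stateful firewall at such a hop has no flow entry to match the reply against."""
    request = set(trace(src, dst))
    return [n for n in trace(dst, src) if n in ROUTERS and n not in request]


def hairpin_routers(src, dst):
    """Routers that forward the packet back out into the connected subnet it arrived from
    (the case in which a router would normally send an ICMP redirect to the sender)."""
    out = []
    for node, ingress, egress in walk(src, dst):
        if node in ROUTERS and ingress is not None and egress is not None:
            for prefix, gw in TABLES[node]:
                if gw is None and ingress in IPNet(prefix) and egress in IPNet(prefix):
                    out.append(node)
                    break
    return out


def add_host_route(host, prefix, gw):
    """Model of the poster's `route ADD 10.10.20.0 MASK 255.255.255.0 10.10.10.5` on the Windows host."""
    TABLES[host].insert(0, (prefix, gw))


if __name__ == "__main__":
    print("10.10.10.8 -> 10.10.20.101:", trace("10.10.10.8", "10.10.20.101"))
    print("10.10.20.101 -> 10.10.10.8:", trace("10.10.20.101", "10.10.10.8"))
    print("reply-only routers, ping from LAN3:", one_way_routers("10.10.20.101", "10.10.10.8"))
    print("hairpin routers, ping from LAN1:", hairpin_routers("10.10.10.8", "10.10.20.101"))
    add_host_route("10.10.10.8", "10.10.20.0/24", "10.10.10.5")
    print("after host route, reply-only routers:", one_way_routers("10.10.20.101", "10.10.10.8"))
```

With the tables as posted, a ping from 10.10.20.101 reaches 10.10.10.8 directly through R3, but the echo reply leaves 10.10.10.8 via its default gateway R1, which hairpins it to 10.10.10.5; R1 therefore sees a reply for which it never saw a request, which is exactly what stateful inspection is designed to drop. Adding the host route the poster used removes R1 from the reply path, and the exchange becomes symmetric. The model says nothing about why hosts using 10.10.10.200 behaved differently; that depends on each box's traffic rules, which are not in the thread.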
lightyear26

Messages: 11
Karma: 0
None of the Kerio Control boxes are NAT'ing internally and they have IP address group rules in place to allow transfer between network segments.
What is the Point to Point config you mention? Networking is not my strong point.
I presumed this would be simple to join another Kerio Control box with a LAN card on the local network with a simple static route. Seems not and I'm learning a lot!!
silars

Messages: 429
Karma: 59
Point-to-point means that the routers themselves are directly connected. They don't have a shared link between them. Technically, it is still a LAN, but there are only 2 devices on it: Router 1 and Router 2. No hosts.

It can be simple with certain configs.

With no NAT'ing and proper rules, this should work though. I'll give it more thought, but it is a bit more complicated without the exact configurations. I'm not sure it would be wise to share your entire configuration on a public forum.
lightyear26

Messages: 11
Karma: 0
Thanks Silars. That makes perfect sense. I'll test it out in a lab I think. Appreciate all your help with this.