2 Replies Latest reply: Jan 16, 2013 3:02 AM by PhilM RSS

    No internet traffic from MPLS

    Tom Malmstroem


      I am not able to get internet traffic through the firewall from MPLS net.

      Environment is as follows, the firewall (8.3 appliance) has three interfaces, external, internal and DMZ.

      The internal interface is connected to, which is the primary Lan, onto this Lan a MPLS router is connected with ip address, and on the other side, the MPLS network

      I have created a static route on the firewall, and allowed interzone traffic.

      I can ping in both directions, from the firewall to a host on the MPLS, tracert to the MPLS, and vise versa, I can connect to and use terminal servers on from the MPLS.

      No problem with Internet or any other traffic from the network through the firewall.

      But I am not able to establish any traffic from the MPLS network through the firewall !!!

      What is missing ??



        • 1. Re: No internet traffic from MPLS



          It sounds to me like routing and connectivity are correct, as you can ping to and from the MPLS network.


          Perhaps this is a rule problem? What does the audit say when an MPLS host tries to connect to the internet?



          • 2. Re: No internet traffic from MPLS

            In addition to Matt's suggestion (which will show if the Firewall is blocking the connections), I would also suggest running a tcpdump on the internal side of the Firewall to see if the traffic from a host on the subnet actually arrives in the first place.


            I generally use:-


            tcpdump -npi 1-1 host <source_ip_address>


            -where 1-1 is the internal interface (I think - as 1-0 is normally the first configured interface and is the external NIC), but you can always confirm this first from the GUI.


            Intrazone traffic has been something of a bugbear for me, since the very simple checkbox setting in v6 was removed and I'm still not 100% certain about its configuration in v8.


            But, to be fair, as the traffic is originating from the other side of a routed connection I don't think that the intrazone configuration is an issue. It only tends to be one when the client machines are using the Firewall as their default gateway/route that you need intrazone routing configuration.


            If you can ping across the MPLS link between the two networks OK, the problem may be that the MPLS routers themselves don't have a default route and don't know what to do about any traffic not destined for either the or subnets. This is hopefully what the tcpdump should prove.


            If you see results from this, it means that we are back to Matt's suggestion - check the Firewall audit and see what the Firewall is doing.