2235 Views 17 Replies Latest reply: Jul 15, 2013 11:12 AM by grinder
grinder (Apprentice, 102 posts since Feb 8, 2013)

Feb 8, 2013 11:15 AM

S2008 VLAN Routing?

Hello all. I am new to setting up firewalls. I do understand most of it but just have never done it before. I would like to know if routing between different subnets on the same interface is possible, or do I need to buy some other piece of equipment? What I am trying to do is have EM1 set up for multiple IPs and subnets.

EM1

IP: 192.168.10.1     Subnet: 192.168.10.0/24
IP: 192.168.11.1     Subnet: 192.168.11.0/24
IP: 192.168.12.1     Subnet: 192.168.12.0/24
IP: 192.168.13.1     Subnet: 192.168.13.0/24

I want to be able to route between the subnets so a device with an IP of 192.168.10.10 can communicate with an IP of 192.168.12.50.

So far I have not been able to get this to work. I tried just adding alias IPs to the EM1 interface and that did not work. So then I tried to use VLANs like so.

EM1

IP: 192.168.10.1     Subnet: 192.168.10.0/24     VLAN ID: 10
IP: 192.168.11.1     Subnet: 192.168.11.0/24     VLAN ID: 11
IP: 192.168.12.1     Subnet: 192.168.12.0/24     VLAN ID: 12
IP: 192.168.13.1     Subnet: 192.168.13.0/24     VLAN ID: 13

Then I built a policy to allow ANY from VLAN_10 to VLAN_12 and vice versa. That does not work either.

Basically I have several devices (PCs, printers, wireless, etc.) all connected into dumb switches. I want to be able to segregate the devices into different subnets, so PCs into one subnet, printers in another, etc. Is this possible, and if so, how?

Thanks!

BTW this is a new firewall S2008 with v8.3.0 software.

Message was edited by: grinder on 2/8/13 11:15:15 AM CST
  • mtuma (McAfee SME, 314 posts since Nov 3, 2009)
    1. Feb 8, 2013 11:30 AM (in response to grinder)
    Re: S2008 VLAN Routing?

    Hello,

    The second option that you used is correct. You need to add four VLAN interfaces.

    Once you do that, can you ping devices on those VLANs? That would be the first thing I would focus on. When you are sure that connectivity is correct, then you can look at the policy. For example, what does the audit say when you try to pass traffic through?

    Regards,

    Matt

  • sliedl (McAfee SME, 535 posts since Nov 3, 2009)
    3. Feb 8, 2013 11:53 AM (in response to grinder)
    Re: S2008 VLAN Routing?

    Is your routing set up correctly outside the firewall? If you try to ping from 192.168.11.10 to 192.168.12.10, does 11.10 know to send this ping to the firewall first? Is the firewall 192.168.11.10's default route?

    If so, and the ping goes through the firewall, does 192.168.12.10 know that to talk back to 192.168.11.10 he needs to send the packet back to the firewall's interface in the 192.168.12.0/24 network? Is the firewall 192.168.12.10's default route?

    If you set NAT to 'localhost (Host)' on your rules this will take a routing problem out of the equation. If you set the NAT to localhost and this works you can say routing is the problem (routing outside the firewall).

    Whoops, I was using your actual firewall IPs as examples of CLIENT PC IPs. I changed them all to .10s for clarity. (Edited on 2/8/13 11:53:37 AM CST)
  • sliedl (McAfee SME, 535 posts since Nov 3, 2009)
    6. Feb 8, 2013 2:11 PM (in response to grinder)
    Re: S2008 VLAN Routing?

    If the traffic is not tagged, the firewall will drop it.

  • mtuma (McAfee SME, 314 posts since Nov 3, 2009)
    8. Feb 8, 2013 3:01 PM (in response to grinder)
    Re: S2008 VLAN Routing?

    Hello,

    I took another look at your diagram. Since you are not doing any VLAN tagging, it makes the most sense to connect each network to a different port on the firewall. Each port on the firewall would be assigned to a different zone and then you could enforce policy between the zones. The S2008 should have at least 8 ports, so you do have enough ports.

    Note: Since your switches are not tagging the traffic, do not use VLANs on the firewall.

    -Matt
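The two checks raised in this thread, untagged frames from dumb switches arriving on VLAN interfaces (sliedl's and mtuma's replies) and whether each host's default route is the firewall (sliedl's earlier reply, including the NAT-to-localhost test), can be modelled in a few lines. The following is an added Python example written for this page; it is not code from the thread, from the S2008, or from McAfee. The interface names em1 through em4, the host addresses 192.168.11.10 and 192.168.12.10, and the one-port-per-network layout are constructed assumptions chosen to match the addressing in the original post.

```python
"""Added example: models why 192.168.x traffic in this thread does not cross the
firewall. Not McAfee or S2008 code; interface names, host addresses and the
per-port layout are constructed assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface
from typing import List, Optional


@dataclass(frozen=True)
class FwInterface:
    name: str                      # physical port, e.g. "em1" (assumed name)
    address: IPv4Interface         # firewall address with prefix, e.g. 192.168.10.1/24
    vlan_id: Optional[int] = None  # 802.1Q ID of a VLAN interface; None = untagged port


@dataclass(frozen=True)
class Host:
    address: IPv4Interface          # host address with prefix
    gateway: IPv4Address            # the host's default route
    vlan_tag: Optional[int] = None  # tag on the host's frames; None = untagged (dumb switch)


def ingress_interface(fw: List[FwInterface], host: Host) -> Optional[FwInterface]:
    """Firewall interface that accepts frames from host, or None if they are dropped.

    A VLAN interface only accepts frames carrying its own tag and an untagged port
    only accepts untagged frames, so a host behind a dumb switch never matches a
    VLAN interface, which is the drop sliedl and mtuma describe."""
    for iface in fw:
        if iface.vlan_id == host.vlan_tag and host.address.ip in iface.address.network:
            return iface
    return None


def gateway_problems(fw: List[FwInterface], host: Host) -> List[str]:
    """sliedl's routing question: is the firewall this host's default route?"""
    problems = []
    if host.gateway not in host.address.network:
        problems.append(f"{host.address.ip}: gateway {host.gateway} is not on its own "
                        f"subnet {host.address.network}")
    elif not any(iface.address.ip == host.gateway for iface in fw):
        problems.append(f"{host.address.ip}: gateway {host.gateway} is not a firewall address")
    return problems


def diagnose(fw: List[FwInterface], src: Host, dst: Host,
             nat_localhost: bool = False) -> List[str]:
    """Explain why src -> dst would fail through the firewall; an empty list means
    the layer-2/3 path looks fine (the rule policy is a separate question).

    With NAT set to localhost on the rule, replies go to the firewall's own address
    on dst's subnet, so dst's default route drops out of the test; dst's frames
    still have to reach a firewall interface."""
    findings = []
    for role, host in (("source", src), ("destination", dst)):
        if ingress_interface(fw, host) is None:
            tag = "untagged" if host.vlan_tag is None else f"VLAN {host.vlan_tag} tagged"
            findings.append(f"{role} {host.address.ip}: {tag} frames match no firewall "
                            f"interface on {host.address.network}; dropped")
        if role == "source" or not nat_localhost:
            findings.extend(gateway_problems(fw, host))
    return findings


# Constructed to match the thread: the original poster's second attempt, four VLAN
# interfaces on em1.
FIREWALL_VLANS = [FwInterface("em1", IPv4Interface(f"192.168.{n}.1/24"), vlan_id=n)
                  for n in (10, 11, 12, 13)]
# mtuma's alternative: one untagged port per network (port names assumed).
FIREWALL_PORTS = [FwInterface(f"em{i}", IPv4Interface(f"192.168.{n}.1/24"))
                  for i, n in enumerate((10, 11, 12, 13), start=1)]

# Constructed hosts behind dumb switches (no 802.1Q tags on their frames).
PC = Host(IPv4Interface("192.168.11.10/24"), IPv4Address("192.168.11.1"))
PC_TAGGED = Host(IPv4Interface("192.168.11.10/24"), IPv4Address("192.168.11.1"), vlan_tag=11)
PRINTER = Host(IPv4Interface("192.168.12.10/24"), IPv4Address("192.168.12.1"))
PRINTER_WRONG_GW = Host(IPv4Interface("192.168.12.10/24"), IPv4Address("192.168.12.254"))

if __name__ == "__main__":
    for label, fw, dst, nat in (
        ("VLAN interfaces, dumb switches", FIREWALL_VLANS, PRINTER, False),
        ("one port per network", FIREWALL_PORTS, PRINTER, False),
        ("one port per network, printer gateway wrong", FIREWALL_PORTS, PRINTER_WRONG_GW, False),
        ("same, rule NAT = localhost", FIREWALL_PORTS, PRINTER_WRONG_GW, True),
    ):
        print(f"{label}: {diagnose(fw, PC, dst, nat) or 'no layer-2/3 problem found'}")
```

Run as a script it walks the four scenarios in the order the thread reached them: with VLAN interfaces and untagged switches both hosts' frames are dropped before any rule is consulted, which is why the ANY policy between VLAN_10 and VLAN_12 never applied; with one port per network the only remaining failure is a host whose default route is not the firewall, and setting the rule's NAT to localhost hides exactly that return-path problem, which is the isolation test sliedl proposes.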
