
UTM 9 can't reach servers in local net

Hello!

So, UTM 9 can't reach servers in the local network from the UTM itself, as I said.

UTM has local interface 10.255.200.10. Server is 10.255.197.108. Firewall on the server is turned off.

I can ping the UTM local interface, but I cannot ping the server IP.

Traceroute from UTM:

traceroute to 10.255.197.108 (10.255.197.108), 30 hops max, 40 byte packets using UDP
 1  astaro.domain.com (UTM outside interface)(H!)  2997.048 ms (H!)  2995.811 ms (H!)  2994.614 ms

UTM is trying to reach this server using the outside interface.

Routing table:

astaro:/root # ip route show table all
default via "ISP gateway" dev eth0  table 200  proto kernel onlink
local default dev lo  table 252  scope host
default via "ISP gateway" dev eth0  table default  proto kernel  metric 20 onlink
10.255.0.0/16 via 10.255.200.9 dev eth1  proto static  metric 5
10.255.200.8/29 dev eth1  proto kernel  scope link  src 10.255.200.10
"ISP network" dev eth0  proto kernel  scope link  src "UTM outside interface"
127.0.0.0/8 dev lo  scope link
broadcast 10.255.200.8 dev eth1  table local  proto kernel  scope link  src 10.255.200.10
local 10.255.200.10 dev eth1  table local  proto kernel  scope host  src 10.255.200.10
broadcast 10.255.200.15 dev eth1  table local  proto kernel  scope link  src 10.255.200.10
broadcast *.*.*.* dev eth0  table local  proto kernel  scope link  src "UTM outside interface"
local "UTM outside interface" dev eth0  table local  proto kernel  scope host  src "UTM outside interface"
broadcast *.*.*.* dev eth0  table local  proto kernel  scope link  src "UTM outside interface"
broadcast 127.0.0.0 dev lo  table local  proto kernel  scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo  table local  proto kernel  scope host  src 127.0.0.1
local 127.0.0.1 dev lo  table local  proto kernel  scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo  table local  proto kernel  scope link  src 127.0.0.1
unreachable default dev lo  table unspec  proto kernel  metric 4294967295  error -101
unreachable default dev lo  table unspec  proto kernel  metric 4294967295  error -101
local ::1 dev lo  table local  proto none  metric 0
unreachable default dev lo  table unspec  proto kernel  metric 4294967295  error -101
  • UTM must have an IP address in the server's network 10.255.197.0

    It is normal for UTM to route through the ISP because the WAN IP is the default gateway.

  • Thank you for the answer!

    "UTM must have an IP address in the server's network 10.255.197.0"

    Added a third interface in the server subnet (10.255.197.250 255.255.255.0). No luck, still can't ping the server.

    astaro:/root # traceroute 10.255.197.108
    traceroute to 10.255.197.108 (10.255.197.108), 30 hops max, 40 byte packets using UDP
     1  * * *
     2  * * *
     3  * * *
     4  * * *
     5  * * *


    astaro:/root # ip route show table all | grep 197

    10.255.197.0/24 dev eth2  proto kernel  scope link  src 10.255.197.250
    broadcast 10.255.197.0 dev eth2  table local  proto kernel  scope link  src 10.255.197.250
    local 10.255.197.250 dev eth2  table local  proto kernel  scope host  src 10.255.197.250
    broadcast 10.255.197.255 dev eth2  table local  proto kernel  scope link  src 10.255.197.250

  • Added a second interface on the server side (10.255.200.12), in the 10.255.200.8/29 subnet. Nothing changed. I can see records in the ARP table, but UTM still tries to reach 10.255.200.12 through the outside interface...

  • Can you draw a simple picture of how your UTM now looks (which interfaces, and which IP addresses and subnet masks) and where the server is connected?

    You don't use VLANs, do you?


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Can you give another "ip route show table all"?

    In your first post there was an overlap between 10.255.0.0/16 and 10.255.200.8/29. Maybe that has now been resolved since new interfaces have come into play.


  • Sure.

    default via "ISP gateway" dev eth0  table 200  proto kernel onlink
    local default dev lo  table 252  scope host
    default via "ISP gateway" dev eth0  table default  proto kernel  metric 20 onlink
    10.255.0.0/16 via 10.255.200.9 dev eth1  proto static  metric 5
    10.255.197.0/24 dev eth2  proto kernel  scope link  src 10.255.197.250
    10.255.200.8/29 dev eth1  proto kernel  scope link  src 10.255.200.10
    "ISP network" dev eth0  proto kernel  scope link  src "UTM outside interface"
    127.0.0.0/8 dev lo  scope link
    broadcast 10.255.197.0 dev eth2  table local  proto kernel  scope link  src 10.255.197.250
    local 10.255.197.250 dev eth2  table local  proto kernel  scope host  src 10.255.197.250
    broadcast 10.255.197.255 dev eth2  table local  proto kernel  scope link  src 10.255.197.250
    broadcast 10.255.200.8 dev eth1  table local  proto kernel  scope link  src 10.255.200.10
    local 10.255.200.10 dev eth1  table local  proto kernel  scope host  src 10.255.200.10
    broadcast 10.255.200.15 dev eth1  table local  proto kernel  scope link  src 10.255.200.10
    broadcast 127.0.0.0 dev lo  table local  proto kernel  scope link  src 127.0.0.1
    local 127.0.0.0/8 dev lo  table local  proto kernel  scope host  src 127.0.0.1
    local 127.0.0.1 dev lo  table local  proto kernel  scope host  src 127.0.0.1
    broadcast 127.255.255.255 dev lo  table local  proto kernel  scope link  src 127.0.0.1
    unreachable default dev lo  table unspec  proto kernel  metric 4294967295  error -101
    unreachable default dev lo  table unspec  proto kernel  metric 4294967295  error -101
    local ::1 dev lo  table local  proto none  metric 0
    unreachable default dev lo  table unspec  proto kernel  metric 4294967295  error -101

  • There's still an overlap in 10.255.0.0/16 via 10.255.200.9 (I don't see 10.255.200.9 in your diagram; what is this IP?).

    It overlaps with 10.255.197.0/24 AND 10.255.200.8/29 (these two don't overlap each other, but both are inside 10.255.0.0/16).

    Maybe you have a static route 10.255.0.0 / 255.255.0.0 configured and "forgot" about it? Otherwise, where/what is 10.255.22.9 in your diagram?

    Could you also list the first 2 octets of your public interface (WAN) and its corresponding subnet mask?

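As an added example (not code from the thread): a longest-prefix-match lookup over the main-table routes posted above, with the WAN values kept as the same placeholders the poster used. It shows that, by the normal main-table rules, 10.255.197.108 selects the connected eth2 route and the overlapping /16 only wins for addresses that no more specific route covers, so the overlap alone would not send that destination out eth0 from the main table; that would have to come from another routing table or rule.

```python
import ipaddress

# Main-table routes transcribed from the second "ip route show table all" post.
# (prefix, device, next hop or None for a connected route, metric)
# "ISP gateway" is the same placeholder the poster used.
ROUTES = [
    ("0.0.0.0/0",       "eth0", "ISP gateway",  20),
    ("10.255.0.0/16",   "eth1", "10.255.200.9",  5),
    ("10.255.197.0/24", "eth2", None,            0),
    ("10.255.200.8/29", "eth1", None,            0),
]


def lookup(dst, routes=ROUTES):
    """Pick the route the kernel would use: longest prefix wins,
    lower metric breaks ties. Returns None if nothing matches."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, dev, via, metric in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, prefix, dev, via)
    if best is None:
        return None
    _, prefix, dev, via = best
    return {"prefix": prefix, "dev": dev, "via": via}


def overlaps(routes=ROUTES):
    """List (wider, narrower) pairs where one non-default prefix
    fully contains another, i.e. the /16 versus the connected subnets."""
    nets = [ipaddress.ip_network(r[0]) for r in routes]
    found = []
    for a in nets:
        for b in nets:
            if a.prefixlen > 0 and a.prefixlen < b.prefixlen and b.subnet_of(a):
                found.append((str(a), str(b)))
    return found


if __name__ == "__main__":
    for dst in ("10.255.197.108", "10.255.200.12", "10.255.22.9", "8.8.8.8"):
        print(dst, "->", lookup(dst))
    print("overlapping prefixes:", overlaps())
```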

  • 10.255.200.9 is another router; the network 10.255.0.0/16 lies behind it.

    None of these routes work for this server. I can send traffic from the server through the UTM with these routes, or ping the UTM, but I can't ping the server from the UTM, because it sends all traffic to the outside interface.

  • I'm not sure that it is because of the overlap in all those subnets, but this will definitely make for some headache in trying to determine which host can (or cannot) communicate with which other hosts. I also think it's strange that UTM tries to go over the external interface, but what happens when you add another PC into the network?

    Also, now you have the server connected with 2 NICs in 2 different subnets, both connected to the same UTM. While this should work, it's really not necessary, as the UTM is perfectly capable of routing between those subnets.

    What you could try is to add another host into the 10.255.200.8/29 network (if there is not one already) and see if that is

    1) capable of pinging the server on 10.255.200.12
    2a) capable of pinging the server on 10.255.197.108 (while this probably needs to travel through the UTM, you need to make sure that under Network Protection -> ICMP you enable the traffic (ICMP traffic is handled there and not by firewall rules))
    2b) if pinging from 2a succeeds, do a traceroute from the same host to 10.255.197.108 to see how it routes there.


    Can the server reach the internet?
    Server will probably not be able to route to 10.255.0.0/16 network.


  • Added another server (10.255.200.13)

    Ping from 10.255.200.13 to 10.255.200.12:

    >ping 10.255.200.12

    Pinging 10.255.200.12 with 32 bytes of data:
    Reply from 10.255.200.12: bytes=32 time<1ms TTL=128
    Reply from 10.255.200.12: bytes=32 time<1ms TTL=128

    Ping statistics for 10.255.200.12:
        Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 0ms, Average = 0ms

    Traceroute from 10.255.200.13 to 10.255.200.12:


    >tracert -d 10.255.200.12

    Tracing route to 10.255.200.12 over a maximum of 30 hops

      1    <1 ms    <1 ms    <1 ms  10.255.200.12

    Trace complete.


    Ping from 10.255.200.13 to 10.255.200.10

    >ping 10.255.200.10

    Pinging 10.255.200.10 with 32 bytes of data:
    Reply from 10.255.200.10: bytes=32 time<1ms TTL=64
    Reply from 10.255.200.10: bytes=32 time<1ms TTL=64

    Ping statistics for 10.255.200.10:
        Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 0ms, Average = 0ms

    Traceroute 10.255.200.13 to 10.255.200.10
    >tracert -d 10.255.200.10

    Tracing route to 10.255.200.10 over a maximum of 30 hops

      1    <1 ms    <1 ms    <1 ms  10.255.200.10

    Trace complete.

    At the moment both servers have 2 interfaces:

    Server 1 - 10.255.197.108 (VLAN100) and 10.255.200.12 (VLAN101)

    Server 2 - 10.255.197.109 (VLAN100) and 10.255.200.13 (VLAN101)

    And I don't really need traffic between 10.255.197.108 and 10.255.200.13.

    Traffic goes in the wrong direction inside the UTM itself, and I can't understand why...

  • You don't have any "forgotten about" static routes?

    Try to ping from server 10.255.200.12 to 10.255.197.109 and/or vice-versa and also do a traceroute for this. The traceroutes you did now stayed in the same subnet and will never be delivered to a default gateway. What we are trying to determine is where (and why) things go wrong and how traffic gets routed the way it does.


  • Servers don't use any routes except the default route.

    The table of routes from UTM, I have already shown.


    Ping from Server 1 to Server 2

    >ping 10.255.197.109

    Pinging 10.255.197.109 with 32 bytes of data:
    Reply from 10.255.197.109: bytes=32 time<1ms TTL=128
    Reply from 10.255.197.109: bytes=32 time<1ms TTL=128

    Ping statistics for 10.255.197.109:
        Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 0ms, Average = 0ms
    Control-C
    ^C
    >tracert -d 10.255.197.109

    Tracing route to 10.255.197.109 over a maximum of 30 hops

      1    <1 ms    <1 ms    <1 ms  10.255.197.109

    Trace complete.


    Ping from Server 1 with -S 10.255.200.12 to Server 2

    >ping 10.255.197.109 -S 10.255.200.12

    Pinging 10.255.197.109 from 10.255.200.12 with 32 bytes of data:
    PING: transmit failed. General failure.
    PING: transmit failed. General failure.
    PING: transmit failed. General failure.
    PING: transmit failed. General failure.

    Ping statistics for 10.255.197.109:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)

    Seems like traceroute on Windows can't use -S with IPv4.

  • Getting hard to further diagnose this, but I suppose you have all your default gateways set correctly? All devices have the respective UTM IP address configured as default gateway?

    I kinda suspect your 10.255.0.0/16 adds routing issues. Since the router (10.255.200.9) falls in the 10.255.200.8/29 network, I suspect you also have a route like: 10.255.0.0/16 => 10.255.200.9.

    But as said before, 10.255.0.0/16 overlaps both 10.255.200.8/29 and 10.255.197.0/24.

    If you have any possibility (a small timeframe) where you could either disable the route to/from 10.255.0.0/16 or renumber 10.255.0.0/16 to something that doesn't overlap with the other subnets, you could confirm or rule out whether or not this is the culprit.
