Routing problem from local interface

Hi,

I have a virtual UTM running on an ESXi server, with two interfaces:

- ETH0, with a public IP 
- ETH1, with a local subnet 172.168.15.1
My problem is that I can't reach/ping anything on the WAN when I ping over the private interface (172.168.15.1):

PING 8.8.8.8 (8.8.8.8) from 172.168.15.1 eth1: 56(84) bytes of data.

From 172.168.15.1: icmp_seq=1 Destination Host Unreachable

From 172.168.15.1 icmp_seq=1 Destination Host Unreachable

From 172.168.15.1 icmp_seq=2 Destination Host Unreachable


I have another VMware guest in the private subnet with IP 172.168.15.100 with 172.168.15.1 (the private IP of the UTM) from where I can successfully route out.
I have set a Masquerading rule for that (Network: internal / Interface: public).

But I have no routing directly from 172.168.15.1.

This is my routes table:

default via 213.239.207.193 dev eth0  table 200  proto kernel onlink
default via 213.239.207.193 dev eth0  table default  proto kernel  metric 20 onlink
10.0.0.0/16 dev eth0  proto ipsec  scope link  src 172.168.15.1
10.242.2.0/24 dev tun0  proto kernel  scope link  src 10.242.2.1
127.0.0.0/8 dev lo  scope link
172.168.15.0/24 dev eth1  proto kernel  scope link  src 172.168.15.1
213.239.207.192/27 dev eth0  proto kernel  scope link  src 213.239.207.100
broadcast 10.242.2.0 dev tun0  table local  proto kernel  scope link  src 10.242.2.1
local 10.242.2.1 dev tun0  table local  proto kernel  scope host  src 10.242.2.1
broadcast 10.242.2.255 dev tun0  table local  proto kernel  scope link  src 10.242.2.1
broadcast 127.0.0.0 dev lo  table local  proto kernel  scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo  table local  proto kernel  scope host  src 127.0.0.1
local 127.0.0.1 dev lo  table local  proto kernel  scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo  table local  proto kernel  scope link  src 127.0.0.1
broadcast 172.168.15.0 dev eth1  table local  proto kernel  scope link  src 172.168.15.1
local 172.168.15.1 dev eth1  table local  proto kernel  scope host  src 172.168.15.1
broadcast 172.168.15.255 dev eth1  table local  proto kernel  scope link  src 172.168.15.1
broadcast 213.239.207.192 dev eth0  table local  proto kernel  scope link  src 213.239.207.100
local 213.239.207.100 dev eth0  table local  proto kernel  scope host  src 213.239.207.100
broadcast 213.239.207.223 dev eth0  table local  proto kernel  scope link  src 213.239.207.100
unreachable default dev lo  table unspec  proto kernel  metric 4294967295  error -101
unreachable default dev lo  table unspec  proto kernel  metric 4294967295  error -101
unreachable default dev lo  table unspec  proto kernel  metric 4294967295  error -101
local ::1 dev lo  table local  proto unspec  metric 0
unreachable default dev lo  table unspec  proto kernel  metric 4294967295  error -101


What am I missing?

  • Hi  

    When you initiate a PING from an interface in UTM 9, using ping -I eth1 8.8.8.8, UTM9 will try to send out the traffic from the eth1 interface. That is why you'll not be able to ping any Internet IPs using this on the LAN interface. You can also observe this using another SSH session and doing a tcpdump for the destination traffic or on the interface.

    This works fine as long as you try it on your different WAN interfaces to check the connectivity.

    Hope this helps.

  • Salut Guenther,

    Also, 172.168.x.y is not an IP range reserved for private subnets.  172.168.15.1 is a public IP belonging to Oath Holdings in New York City.

    Cheers - Bob

  • In reply to Jaydeep:

    Hi  

    Well, how can I fix this?

    What I am trying to do is to set up a vpn connection from my office to my branch where I can use the branch internet connection as a gateway to leave traffic from that tunnel out to the internet.

    VPN is up and working, but I am not able to make the traffic leave the remote private LAN.

    Not sure what I am missing: in the branch office I have some computers that are able to exit the LAN.

    Any idea what I have overseen?

  • In reply to BAlfson:

    Thank you for pointing this out for me. You are right, this is not a private IP range; it should be something between 172.16.0.1 and 172.31.255.254.
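    The mix-up above (172.168.x.y looks private but is not) is easy to catch mechanically. The following script is an added example, not code from the thread or from Sophos: it parses `ip route show table all` style output (the abridged table below is the one posted in the question), records which source addresses each interface uses, flags any interface you declare "internal" whose source address falls outside the three RFC 1918 blocks, and lists the unicast default routes and the tables they live in. The set of internal interface names (`{"eth1"}`) is an assumption for the demonstration.

```python
import ipaddress

# RFC 1918 blocks. Note that 172.168.0.0/16 is NOT inside 172.16.0.0/12,
# which is exactly the mistake discussed in this thread.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Abridged copy of the routing table posted in the question.
SAMPLE_ROUTES = """\
default via 213.239.207.193 dev eth0  table 200  proto kernel onlink
default via 213.239.207.193 dev eth0  table default  proto kernel  metric 20 onlink
10.0.0.0/16 dev eth0  proto ipsec  scope link  src 172.168.15.1
10.242.2.0/24 dev tun0  proto kernel  scope link  src 10.242.2.1
127.0.0.0/8 dev lo  scope link
172.168.15.0/24 dev eth1  proto kernel  scope link  src 172.168.15.1
213.239.207.192/27 dev eth0  proto kernel  scope link  src 213.239.207.100
local 172.168.15.1 dev eth1  table local  proto kernel  scope host  src 172.168.15.1
unreachable default dev lo  table unspec  proto kernel  metric 4294967295  error -101
local ::1 dev lo  table local  proto unspec  metric 0
"""

ROUTE_TYPES = {"local", "broadcast", "unreachable", "prohibit", "blackhole"}
FLAG_KEYWORDS = {"onlink"}  # keywords that carry no value


def is_rfc1918(addr):
    """True if addr is an IPv4 address inside one of the RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def parse_routes(text):
    """Turn each route line into a dict: type, dst, and key/value attributes
    (dev, src, via, table, proto, scope, metric, ...)."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        route = {}
        # A leading route-type keyword precedes the destination prefix.
        route["type"] = tokens.pop(0) if tokens[0] in ROUTE_TYPES else "unicast"
        route["dst"] = tokens.pop(0)
        i = 0
        while i < len(tokens):
            key = tokens[i]
            if key in FLAG_KEYWORDS:
                route[key] = True
                i += 1
            elif i + 1 < len(tokens):
                route[key] = tokens[i + 1]
                i += 2
            else:
                i += 1
        routes.append(route)
    return routes


def interface_sources(routes):
    """Map each device to the set of preferred source ('src') addresses."""
    sources = {}
    for r in routes:
        if "dev" in r and "src" in r:
            sources.setdefault(r["dev"], set()).add(r["src"])
    return sources


def audit_internal(routes, internal_devs):
    """Return sorted (dev, src) pairs where an interface declared internal
    uses a source address that is not RFC 1918 private space."""
    findings = []
    for dev, srcs in sorted(interface_sources(routes).items()):
        if dev in internal_devs:
            findings.extend((dev, s) for s in sorted(srcs) if not is_rfc1918(s))
    return findings


def default_routes(routes):
    """List (table, via, dev) for every unicast default route; routes shown
    without a 'table' keyword belong to the main table."""
    return [
        (r.get("table", "main"), r.get("via"), r.get("dev"))
        for r in routes
        if r["type"] == "unicast" and r["dst"] == "default"
    ]


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTES)
    for dev, src in audit_internal(routes, {"eth1"}):
        print(f"{dev}: source address {src} is not in RFC 1918 space")
    for table, via, dev in default_routes(routes):
        print(f"default route in table {table}: via {via} dev {dev}")
```

    Run against the posted table it reports eth1's 172.168.15.1 as non-private, and shows that the only default routes sit in tables 200 and default rather than main, which is worth knowing before reasoning about which table a locally generated ping consults.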

  • In reply to GKR:

    Yes, I missed that too. Thanks, Bob.

    Please post if you still face the issue after correcting the IP address scheme.

  • In reply to Jaydeep:

    Yes, I haven't been able to route out from the Sophos UTM.

    This is what I want to do:

    use a VPN tunnel and the remote IP as a gateway,

    so I can connect from the branch (France) to the HQ (Germany) and route out from there to the public internet.

    VPN tunnel is up, but traffic doesn't leave the VPN remote subnet.

  • In reply to GKR:

    Please show us pictures of the Edits of the IPsec Connection and Remote Gateway in France.  Also of the corresponding configuration on the other side in Germany.

    Cheers - Bob