# Need to route between 172.x.x.x and 192.x.x.x with WatchGuard routers.



## irreverant (Apr 4, 2010)

We currently re-did our network. We were using the 192.168.x.x network for our entire site. We decided to segment the network into 192.168.x.x and 172.16.x.x. We are currently using HP ProCurve switches, both 2424M and 4000M. The 2424M sit at department telco cabinets and the 4000M are sitting in the server room. Let me start over... Our current configuration has a Cisco router from Time Warner as our internet gateway; from there we have an unmanaged switch (a small 24-port switch) that connects the Time Warner router and two WatchGuard routers; one is configured with 192.168.x.x and the other is configured with 172.16.x.x. The 192.x.x.x router connects to an 80-port HP ProCurve switch, and that switch is connected using a crossover cable to another 80-port HP ProCurve switch for our collections dept. The 172.x.x.x router connects to a small 24-port switch for our legal dept. We have configured the two WAN interfaces with public addresses from Time Warner so that the three routers are on the same network, and one interface on each router with the private network addresses. We have shares on the 172.x.x.x network that need to be accessed by clients on the 192.x.x.x network. Unfortunately, after setting static routes (172.x.x.x via public and 192.x.x.x via public, where "public" is the other network address, which I will not give for obvious reasons), the clients cannot access the shares. Instead, we trace-routed the packets and noticed that when attempting to reach the other network, they would go private interface > WAN interface > and then out to the internet; they never even tried to follow the static route. We can ping from one network interface address to another, such as from 192.168.7.1 to public, but cannot get past that interface; we can't reach the private network interface (192.168.x.x). Can anyone recommend a possible solution to our issue?


----------



## zx10guy (Mar 30, 2008)

I can't understand your layout. A network diagram will do wonders here.


----------



## irreverant (Apr 4, 2010)

Here is the diagram of how I would like the network to be segmented. The problem we're encountering is having the routers route traffic between them, from 172. to 192., without leaving the network; they're trying to route packets by sending them through the WAN interface out to the internet, and they never return. We don't want them routed through the web; we want them routed through the routing tables we set up, but they ignore these routing tables.


----------



## zx10guy (Mar 30, 2008)

What are the subnet and IP addresses of the routers connected to the switch at the top middle of your diagram? Namely, the Time Warner router and the two routers you have segmenting the 192 and 172 networks?


----------



## irreverant (Apr 4, 2010)

That's what I'm trying to figure out. We were given 4 public IP addresses, and when we used those (the public addresses on the WAN interfaces) the packets go out into the internet and never return. I can't give out our public address.


----------



## zx10guy (Mar 30, 2008)

So the Time Warner device you have showing as a router isn't really a router but a modem?

I don't know anything about the WatchGuard routers you are using. But since the segment I need info about is public space, I would go one step further and NOT route any internal traffic through the public space, as you're exposing all of your traffic. Also, I hope the WatchGuard routers are also performing SPI firewall duties. If they are also firewalls, you would need to put in ACLs in each of the WatchGuards to allow the private networks to talk to each other.

A better solution is to connect the two WatchGuard routers directly to each other and then configure your static routes over this dedicated connection.


----------



## irreverant (Apr 4, 2010)

Correct, the Time Warner router is a modem. So if I connect the two routers directly, I can set up router B as 172. and configure router A's WAN interface with a static 172 network address while using its trusted (LAN) interfaces dynamically, configuring them to use 192 addresses. This should allow the networks to communicate without the need for static or summary routes, correct?


----------



## zx10guy (Mar 30, 2008)

What model WatchGuard routers are you using?


----------



## irreverant (Apr 4, 2010)

WatchGuard Firebox X Edge.


----------



## zx10guy (Mar 30, 2008)

Oh yes, the Fireboxes. I have had some limited experience with them. From my limited use, they are frustrating devices to work on. From my limited use, I don't like them at all.

So here is the way I would do this setup. I would use a Cisco ASA 5505 or a 5510 firewall. For the two subnets you have, I would create two virtual interfaces on the 5505: one for each subnet. Then I would assign one of the ports on the 5505 to the VLAN one of the virtual interfaces is configured for. Repeat for the second virtual interface. A third virtual interface would be created for your Time Warner connection in a similar fashion. This then allows you to plug your switches, the way you have them set up, into a single firewall device. The 5510 works a bit differently than the 5505, in that the 5505 has a built-in switch. With the 5510, I would configure two of the four onboard ports to be the gateway interfaces for the two subnets. The third would be configured as the interface to your Time Warner connection.

With the ASAs, there is a concept of security levels. 0 is the least trusted where 100 is the highest trusted segment. A security level of 0 would be assigned to the Time Warner interface. The other two interfaces can have a security level assignment of anywhere from 1 to 100. Doesn't really matter. Doing it this way, you can by default block initiated traffic from a lower security level to a higher one. To allow traffic between the two subnets, you can either put in explicit ACL rules to allow this traffic or with the interfaces for the two subnets set at the same security level, enable traffic communications between same security levels on the firewall.

Doing it this way allows a clean network layout. And because both subnets are locally attached to the firewall, you don't need to worry about putting in any static routes. The bonus is you get to save one of your static IPs and have both networks use one device to get out to the internet, thereby lowering your management overhead.

This is probably not a solution you wanted to hear. But my experience and comfort level is with Cisco products. I have an ASA 5505 at home with 5 connected subnets on it, all of which are routing fine. And to make things pretty slick, I have the various subnets assigned to VLANs, which are broken out on my managed switches with only one trunk cable going to my 5505 servicing all 5 subnets/VLANs.
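Added illustration of the single-firewall layout described in this post (not part of the post, and not Cisco or WatchGuard configuration): a small model of one device with three interfaces, ASA-style security levels and per-interface inbound ACLs, where both private subnets are directly connected and so need no static routes. The interface names, the 203.0.113.0/29 "public" block (RFC 5737 documentation space), the host addresses and the sample flows are all constructed for the example.

```python
"""Model of one firewall with three interfaces and ASA-style security levels.
Added example, not Cisco or WatchGuard code; every address and name is constructed."""
import ipaddress
from dataclasses import dataclass, field

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Interface:
    name: str
    network: ipaddress.IPv4Network   # the directly connected subnet
    security_level: int              # 0 = least trusted ... 100 = most trusted
    # inbound rules, first match wins: (src_net, dst_net, proto or None, port or None, action)
    acl: list = field(default_factory=list)


@dataclass
class Firewall:
    interfaces: list
    same_security_inter_interface: bool = False   # cf. ASA "same-security-traffic permit inter-interface"

    def route(self, ip):
        """Longest-prefix match over the connected subnets; anything else leaves
        via the default route on 'outside'. No static routes are involved."""
        ip = ipaddress.ip_address(ip)
        connected = [i for i in self.interfaces if ip in i.network]
        if connected:
            return max(connected, key=lambda i: i.network.prefixlen)
        return next(i for i in self.interfaces if i.name == "outside")

    def permit(self, src, dst, proto, port):
        """True if a flow src -> dst (proto/port) is allowed to initiate."""
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        ingress = self.route(src)   # interface the packet arrives on
        egress = self.route(dst)    # interface it would leave by
        if ingress.acl:
            # once an ACL is bound to the ingress interface it alone decides (implicit deny at the end)
            for rule_src, rule_dst, rule_proto, rule_port, action in ingress.acl:
                if (src_ip in rule_src and dst_ip in rule_dst
                        and rule_proto in (None, proto) and rule_port in (None, port)):
                    return action == "permit"
            return False
        # no ACL: higher -> lower security is allowed by default ...
        if ingress.security_level > egress.security_level:
            return True
        # ... equal levels only when inter-interface traffic has been enabled ...
        if ingress.security_level == egress.security_level:
            return self.same_security_inter_interface
        # ... and lower -> higher (e.g. outside -> inside) is blocked
        return False


def build_firewall(between_subnets="none"):
    """between_subnets: 'none' (default deny), 'same-security', or 'acl'."""
    outside = Interface("outside", ipaddress.ip_network("203.0.113.0/29"), 0)
    lan192 = Interface("inside192", ipaddress.ip_network("192.168.7.0/24"), 50)
    lan172 = Interface("inside172", ipaddress.ip_network("172.16.1.0/24"), 50)
    fw = Firewall([outside, lan192, lan172])
    if between_subnets == "same-security":
        fw.same_security_inter_interface = True
    elif between_subnets == "acl":
        # only SMB from the 192 clients to the 172 file shares, nothing else
        # between the subnets, and unrestricted outbound to the internet
        lan192.acl = [
            (lan192.network, lan172.network, "tcp", 445, "permit"),
            (lan192.network, lan172.network, None, None, "deny"),
            (lan192.network, ANY, None, None, "permit"),
        ]
    return fw


if __name__ == "__main__":
    for mode in ("none", "same-security", "acl"):
        fw = build_firewall(mode)
        print(f"{mode:14s}",
              "192->172 smb:", fw.permit("192.168.7.20", "172.16.1.10", "tcp", 445),
              "172->192 smb:", fw.permit("172.16.1.10", "192.168.7.20", "tcp", 445),
              "internet->192:", fw.permit("198.51.100.5", "192.168.7.20", "tcp", 445))
```

The 'acl' mode shows the trade-off the post alludes to: an explicit ACL lets you open only the share traffic the 192 clients need while the 172 side still cannot initiate anything toward 192, whereas the same-security shortcut opens both directions wholesale.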


----------



## irreverant (Apr 4, 2010)

It was interesting to see your solution incorporated VLANs; this was my initial solution, but my boss didn't like the plan. However, we do not have enough in the budget for your proposed network solution. Would you recommend something else?


----------



## zx10guy (Mar 30, 2008)

What is your budget?


----------



## irreverant (Apr 4, 2010)

No budget. Lol. But seriously, no budget. The company is not very forward or progressive thinking. They seem to think that since we don't produce (make money) for the company, we don't need new equipment. We are still running Windows 95 clients... that makes me very depressed. However, I configured the two routers, router A (172) and router B (192): I used a LAN port from A and connected it to the WAN port on B, disabled DHCP relay, and I was able to get out to the internet and ping clients on the 172 network from clients on the 192 network. However, I could not ping the 192 network from the 172 network; it worked in one direction, outgoing. Any thoughts?!


----------



## srhoades (May 15, 2003)

I'm not 100% sure if I am understanding your setup but can't you just give each Firebox a separate public IP and then configure a VPN tunnel using the Fireboxes as endpoints?


----------



## zx10guy (Mar 30, 2008)

So, I have to ask this question since I didn't ask early on. Why are you running two different subnets/networks? I assume both these networks are physically in the same building.

The reason you are getting the behavior you see, where the devices on the 192 subnet can get out to the internet and fully communicate with the 172 subnet but traffic initiated from the 172 subnet cannot reach the 192 subnet, is due to how these Fireboxes and most routers/firewalls of the SOHO/SMB type operate. By default and design, these routers/firewalls have a single WAN port (some have two.) This WAN port is to be plugged into a connection which is not trusted (i.e. your ISP/internet connection.) So the base behavior of the router/firewall is to allow traffic initiated from the inside (LAN ports) to go out the WAN port but to block all traffic initiated from the WAN side from going to the LAN side. The other behavior which prevents traffic from traversing the WAN side to the LAN side is the NAT overload function. Most people and organizations tend not to be wealthy enough to buy more than one public IP address, or the option to obtain more than one public IP may not be available. So these routers/firewalls mask the entire subnet range you define on your LAN side with the single public IP defined on your WAN port. Because of this many-to-one relationship, there's no way for traffic to be initiated to the WAN port (your single public IP) and have the router know which internal IP of many that traffic is to be sent to. Port forward rules are set up to get around this limitation only in the case where you define a single port to be used to forward traffic to a specific host behind your router/firewall. If you have the need to communicate with two internal hosts through the outside/WAN side of the router/firewall over the same port, you're out of luck.

So what does this mean? Well, as I stated, I don't know as much about the Firebox's advanced feature set as I do about Cisco's ASAs. The solution I provided above gives the proper way (in my mind) to set this network up. The problem you're going to run into is finding a way to provide a routed connection between the two subnets which allows full routing of all valid hosts on both subnets across this link. In addition, this device needs to be able to provide some sort of firewall capability or ACLs to control the type of traffic allowed to traverse this link in either direction. Because if you leave this part out, you might as well just combine both subnets into one, as I don't see the apparent need, based on your posts, for why they need to be separate.
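Added simulation of the one-way behaviour explained in this post (not part of the post, and not Firebox code): router A's LAN port feeds router B's WAN port, and B does NAT overload for the 192 subnet behind a single WAN address on the 172 subnet. A TCP flow from a 192 client to a 172 file server creates a translation entry and its reply comes back; a packet initiated from the 172 side has no entry and is dropped; a port forward rescues exactly one inside host per port. The addresses, port numbers and the router-B WAN address 172.16.1.254 are constructed for the example.

```python
"""NAT-overload model of router B in the chained two-router layout.
Added example, not WatchGuard code; all addresses and ports are constructed."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class NatRouter:
    """SOHO router/firewall: one WAN address masking a whole LAN subnet."""
    wan_ip: str
    lan_net: ipaddress.IPv4Network
    # (proto, wan_port) -> (lan_ip, lan_port, remote_ip, remote_port), created by LAN-initiated flows
    translations: dict = field(default_factory=dict)
    # (proto, wan_port) -> (lan_ip, lan_port), administratively configured
    port_forwards: dict = field(default_factory=dict)
    next_port: int = 40000

    def add_port_forward(self, proto, wan_port, lan_ip, lan_port):
        key = (proto, wan_port)
        if key in self.port_forwards:
            # one WAN address, one port, one inside host: a second host on the same port is unreachable
            raise ValueError(f"{proto}/{wan_port} already forwards to {self.port_forwards[key][0]}")
        self.port_forwards[key] = (lan_ip, lan_port)

    def lan_to_wan(self, pkt):
        """LAN-initiated traffic is allowed; its source is rewritten to the WAN address."""
        if ipaddress.ip_address(pkt.src) not in self.lan_net:
            return None
        wan_port = self.next_port
        self.next_port += 1
        self.translations[(pkt.proto, wan_port)] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return Packet(pkt.proto, self.wan_ip, wan_port, pkt.dst, pkt.dport)

    def wan_to_lan(self, pkt):
        """Traffic arriving on the WAN port: only replies to existing translations
        or explicit port forwards get through; everything else is dropped."""
        if pkt.dst != self.wan_ip:
            return None   # the LAN subnet is hidden behind the WAN address; nothing is routed in
        key = (pkt.proto, pkt.dport)
        if key in self.translations:
            lan_ip, lan_port, remote_ip, remote_port = self.translations[key]
            if (pkt.src, pkt.sport) == (remote_ip, remote_port):
                return Packet(pkt.proto, pkt.src, pkt.sport, lan_ip, lan_port)
        if key in self.port_forwards:
            lan_ip, lan_port = self.port_forwards[key]
            return Packet(pkt.proto, pkt.src, pkt.sport, lan_ip, lan_port)
        return None


def build_router_b():
    # Router B fronts the 192 subnet; its WAN port sits on the 172 subnet (plugged into router A's LAN)
    return NatRouter(wan_ip="172.16.1.254", lan_net=ipaddress.ip_network("192.168.7.0/24"))


def share_access_from_192(router_b):
    """A 192 client opens SMB (tcp/445) to a 172 file server; the reply is translated back."""
    request = Packet("tcp", "192.168.7.20", 51000, "172.16.1.10", 445)
    on_wire = router_b.lan_to_wan(request)           # the 172 server sees 172.16.1.254:40000
    reply = Packet("tcp", "172.16.1.10", 445, on_wire.src, on_wire.sport)
    return router_b.wan_to_lan(reply)                # delivered to 192.168.7.20:51000


def share_access_from_172(router_b):
    """A 172 client tries to reach a 192 host directly: no translation state, so it is dropped."""
    attempt = Packet("tcp", "172.16.1.30", 51001, "192.168.7.20", 445)
    return router_b.wan_to_lan(attempt)


def forwarded_access_from_172(router_b):
    """With a port forward, one chosen 192 host is reachable on that port via B's WAN address."""
    router_b.add_port_forward("tcp", 445, "192.168.7.50", 445)
    attempt = Packet("tcp", "172.16.1.30", 51002, "172.16.1.254", 445)
    return router_b.wan_to_lan(attempt)


if __name__ == "__main__":
    b = build_router_b()
    print("192 -> 172 reply delivered to:", share_access_from_192(b))
    print("172 -> 192 unsolicited:", share_access_from_172(b))
    print("172 -> forwarded 192 host:", forwarded_access_from_172(b))
```

The model uses TCP flows, but the same state-table logic explains the ICMP symptom in the thread: pings from 192 create state on the way out, pings from 172 arrive at B's WAN port with nothing to match and are discarded.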


----------

