mudtoe (Member, joined 2005-10-09, Cincinnati, OH)
Z35 Static Route Problem

[Image: Route Table]
[Image: Log Entries]
Hi folks:

I'm having a problem adding a static route to a Zywall 35. I'm trying to add a static route to a machine that is hosting a VM that's using a different subnet. When I add the route to the Z35 I cannot ping from the VM to other machines on the main network. I keep getting errors in the Z35 log saying that the ICMP request is out of order. However, I can ping from machines on the main network to the VM without problems. Also, if I add the route manually to any of the machines on the network then I can ping fine (I'm assuming that doing this bypasses the Z35 completely and sends the packet directly to the gateway machine, which is why it works). The main network is 172.26.0.0/16 and the network for the VM is 172.24.33.0/24. The gateway machine containing the VM is 172.26.66.11 (the route I'm working with is the one marked "Test").

I'm attaching the log and route table I created.

Suggestions welcome.

mudtoe

mudtoe (Member)

OK. I found the answer. It's this dumb asymmetrical route setting that's causing the problem. If I allow asymmetrical routes it works. Unfortunately I have some firewall rules to block some WAN to WAN traffic because that is also WAN to Zywall traffic, and if I allow asymmetrical routes those rules don't get enforced. There ought to be a way to just allow asymmetrical routes on the LAN interface and not the others. Whoever designed this didn't think it through IMHO.

mudtoe

JPedroT (Premium Member, joined 2005-02-18)

Could you draw your net? Because from what you have posted, it seems that you do not need static routes, but can just use an alias IP on the LAN interface of the ZyWALL; but I think you haven't posted something vital.

Anyway, if all traffic goes through a router to get to the second net, then this is what the asymmetrical routing block was designed for, i.e. not allowing any other device to be used as a gateway out of the network.

If you do not need to go through a router to get to the second subnet, then an alias on the ZyWALL will do.

bbarrera (MVM, joined 2000-10-23, Sacramento, CA) to mudtoe
The motivation for asymmetrical route setting on firewall is that if LAN hosts access the Internet via another router on the LAN, then those hosts could potentially sidestep the security policies implemented on the zw35. Of course if you have two security routers, with the same policies, that isn't an issue and you can allow asymmetrical routing without concern about sidestepping your security policies.

I'm unclear about your WAN-to-WAN firewall rules and lack of enforcement. It's been a while, but allowing asymmetrical routing and firewall rules should be independent (at least on LAN). Unless the zw35 is sending a redirect to the host (and the host re-routes traffic to the other router), it should still be possible to construct LAN-LAN and WAN-WAN firewall rules to filter traffic routed through the ZyWALL.
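The mechanism behind bbarrera's explanation and the three observations in the opening post (VM-to-LAN pings fail, LAN-to-VM pings work, and a manual route on the LAN machines makes everything work) can be shown with a small routing model. This is an added Python example, not the ZyWALL's code and not anything posted in the thread. The main network 172.26.0.0/16, the VM subnet 172.24.33.0/24, the gateway laptop at 172.26.66.11 and the static route for the VM subnet are taken from the original post; the Z35 LAN address 172.26.0.1, the laptop's VM-side address 172.24.33.1, the VM at 172.24.33.10, the LAN host at 172.26.1.20, the session-table behaviour and the log wording are assumptions.

```python
"""Toy model of a LAN with a stateful default gateway (the Z35) that can
either block or allow asymmetric routes.  Added illustration only."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = "172.26.0.0/16"           # main network (from the post)
VM_NET = "172.24.33.0/24"       # VM subnet (from the post)
LAPTOP = "172.26.66.11"         # gateway machine hosting the VM (from the post)
ZYWALL = "172.26.0.1"           # assumed LAN address of the Z35
LAPTOP_VM_SIDE = "172.24.33.1"  # assumed laptop address on the VM subnet
VM = "172.24.33.10"             # assumed VM address
HOST = "172.26.1.20"            # assumed ordinary LAN host


@dataclass
class Packet:
    src: str
    dst: str
    kind: str   # "echo-request" or "echo-reply"


class Node:
    """A host or router with a longest-prefix-match routing table."""
    def __init__(self, name, addrs, routes):
        self.name = name
        self.addrs = {ip_address(a) for a in addrs}
        # routes: (network, gateway); gateway None means directly connected
        self.routes = [(ip_network(n), None if gw is None else ip_address(gw))
                       for n, gw in routes]

    def next_hop(self, dst):
        dst = ip_address(dst)
        matches = [(net, gw) for net, gw in self.routes if dst in net]
        if not matches:
            return None
        net, gw = max(matches, key=lambda r: r[0].prefixlen)
        return dst if gw is None else gw


class Firewall(Node):
    """Stateful gateway: a reply is only forwarded if the request was seen,
    unless asymmetric routes are allowed (assumed model of the Z35 setting)."""
    def __init__(self, allow_asymmetric, **kw):
        super().__init__(**kw)
        self.allow_asymmetric = allow_asymmetric
        self.sessions = set()   # real firewalls key on the full 5-tuple; pairs suffice here
        self.log = []

    def inspect(self, pkt):
        flow = frozenset((pkt.src, pkt.dst))
        if pkt.kind == "echo-request":
            self.sessions.add(flow)
            return True
        if flow in self.sessions or self.allow_asymmetric:
            return True
        self.log.append(f"drop {pkt.kind} {pkt.src}->{pkt.dst}: no session (asymmetric route)")
        return False


def build(allow_asymmetric, hosts_have_vm_route):
    host_routes = [(LAN, None), ("0.0.0.0/0", ZYWALL)]
    if hosts_have_vm_route:   # the 'route add' done by hand on each LAN machine
        host_routes.insert(1, (VM_NET, LAPTOP))
    nodes = [
        Firewall(allow_asymmetric, name="zywall", addrs=[ZYWALL],
                 routes=[(LAN, None), (VM_NET, LAPTOP)]),   # the static route marked "Test"
        Node("laptop", [LAPTOP, LAPTOP_VM_SIDE],
             [(LAN, None), (VM_NET, None), ("0.0.0.0/0", ZYWALL)]),
        Node("vm", [VM], [(VM_NET, None), ("0.0.0.0/0", LAPTOP_VM_SIDE)]),
        Node("host", [HOST], host_routes),
    ]
    return {a: n for n in nodes for a in n.addrs}


def send(by_addr, pkt):
    """Forward pkt hop by hop; return (outcome, list of node names visited)."""
    node = by_addr[ip_address(pkt.src)]
    path = [node.name]
    for _ in range(8):   # hop limit so a routing loop cannot spin forever
        nh = node.next_hop(pkt.dst)
        node = by_addr.get(nh) if nh is not None else None
        if node is None:
            return "no route", path
        path.append(node.name)
        if isinstance(node, Firewall) and not node.inspect(pkt):
            return "dropped", path
        if ip_address(pkt.dst) in node.addrs:
            return "delivered", path
    return "loop", path


def ping(by_addr, src, dst):
    """One echo request and its reply; the reply only exists if the request arrived."""
    outcome, req_path = send(by_addr, Packet(src, dst, "echo-request"))
    if outcome != "delivered":
        return outcome, req_path, None
    outcome, rep_path = send(by_addr, Packet(dst, src, "echo-reply"))
    return outcome, req_path, rep_path


def scenario(allow_asymmetric, hosts_have_vm_route):
    """Run VM->LAN and LAN->VM pings on fresh networks (fresh session tables)."""
    out = {}
    for name, src, dst in (("vm_to_lan", VM, HOST), ("lan_to_vm", HOST, VM)):
        by_addr = build(allow_asymmetric, hosts_have_vm_route)
        outcome, req_path, rep_path = ping(by_addr, src, dst)
        out[name] = (outcome, req_path, rep_path, list(by_addr[ip_address(ZYWALL)].log))
    return out


if __name__ == "__main__":
    for allow, hroute in ((False, False), (True, False), (False, True)):
        print(f"allow_asymmetric={allow} hosts_have_vm_route={hroute}")
        for k, (outcome, rq, rp, log) in scenario(allow, hroute).items():
            print(f"  {k}: {outcome}  request {'>'.join(rq)}  reply {'>'.join(rp) if rp else '-'}")
            for line in log:
                print("   log:", line)
```

The point to watch in the output is the VM-to-LAN case: the request goes vm > laptop > host without touching the Z35, so the reply, sent to the host's default gateway, is the first packet of that flow the Z35 ever sees and it arrives and leaves on the same LAN interface. With asymmetric routes blocked that reply is dropped; with them allowed it is forwarded; with a host route for 172.24.33.0/24 via 172.26.66.11 the Z35 never sees either packet, which is why the per-machine route in the original post also worked.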
mudtoe (Member)

I'm thinking about the IP alias thing, but I'm not sure if I can make it work or not.

What I've got here is a laptop with a VM on it. When the laptop is on the local network all is fine as both the laptop host O/S (Vista) and the VM guest O/S (WinXP) can get their own local network IP address (172.26.x.x) from the Z35 (I use a bridged network connection for the VM in this configuration).

However, when the laptop is on the road I'm using OpenVPN to establish an SSL tunnel to the local network (the OpenVPN server is on a machine on the local network and has nothing to do with the Z35 itself). I have OpenVPN set up in bridge mode so that the laptop gets a local address and things like network browsing work. The issue is that the WinXP guest cannot get a DHCP IP address from the local network in that configuration because of how OpenVPN is set up (the OpenVPN connection is between the laptop host O/S and the OpenVPN server, not the guest O/S). So I tried to set up a separate Ethernet connection between the guest O/S and host O/S on the laptop using routing, which I could activate when the laptop was on the road. This is where the 172.24.33.0/24 network came from. I was assuming that if I had the Z35 static route table point back to the laptop IP address, which was configured to be static in OpenVPN, then I could make it work. That's how this all came to be.

I've been thinking about potential solutions. First I was thinking about installing OpenVPN on the guest O/S and having two OpenVPN connections to the home network, one from the host O/S, and one from the guest. That might be the cleanest answer. In this configuration I'd just leave the bridged connection from the guest to the host intact and let the guest get an IP address from whatever DHCP server the laptop happens to be connected to, just like it does today when the laptop is connected to the local network.

If I do anything else it involves routing at some point, and I'm not sure that I can make that work without the asymmetrical route setting. For example, I was toying with the idea of having the OpenVPN server give the laptop an IP address within the range of IP alias 1 on the ZyWALL, and then having the guest O/S use the range in IP alias 2, but set up a routed connection between the guest O/S and host O/S just like I was trying to do initially. The only difference would be that the IP addresses would match the IP alias range. I'd have to test that out. That would force all traffic between the local network and the OpenVPN server (on behalf of the laptop) to go through the Z35 because of the subnet change. I'm not worried about the extra overhead because this is only for a single laptop for my personal use. The only gotcha is that I would have to go into all the machines' firewalls on the local network and add both IP alias subnets to the trusted networks list.

Anyway, that's what I'm thinking about. Oh, and the reason I wanted the WAN to WAN firewall rules to continue to be enforced is that there is some idiot out there on the internet that has my IP address configured as a VPN endpoint and tries to set up a VPN connection with the Z35 every 20 seconds, 24 x 7. I have a firewall rule in place blocking this IP address so that my log doesn't fill up with messages about a bad VPN connection attempt. I've tried complaining to the ISP that owns the IP address, but so far I've received no response.

mudtoe