whisper1

join:2007-11-28
Schomberg, ON

Weird ping problem with one computer on local network.

I can ping a device on the local network from all computers.
The firewall log shows that the device has been pinged from all but one computer. I've created a firewall rule to log anything that pings that device, and it's the number 1 rule.

Any idea why this one computer doesn't get logged by the ZyWall when pinging the device?

Thanks.



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:9

Are you sure that the one PC is actually pinging it? Do you get ping response on that one PC?
What's the PCs IP?
What's the device's IP?
What's the FW rule to log?


whisper1

join:2007-11-28
Schomberg, ON

My computer's IP is 192.168.1.100 and it's pinging 192.168.1.105 without any issues. I can ping other computers on the network and it appears in the log. Other computers can ping the device and it will appear in the log.

ping 192.168.1.105

Pinging 192.168.1.105 with 32 bytes of data:
Reply from 192.168.1.105: bytes=32 time<1ms TTL=60
Reply from 192.168.1.105: bytes=32 time<1ms TTL=60
Reply from 192.168.1.105: bytes=32 time<1ms TTL=60
Reply from 192.168.1.105: bytes=32 time<1ms TTL=60

Ping statistics for 192.168.1.105:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:9

Is .100 and .105 traffic going through your USG20? If they're on the same separate switch the traffic would never enter the USG.
Is .100 member of LAN1?


whisper1

join:2007-11-28
Schomberg, ON

Yes they are both going through the USG. I have a bridge setup.


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:9
reply to whisper1

Enable logging on the default rule any-to-any and check it there. You are not hitting this 1st rule as it seems.


whisper1

join:2007-11-28
Schomberg, ON

So I just changed the destination of rule #1 to -any- instead of -ISY- and still didn't hit the log.



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:9
reply to whisper1

Try changing To to Zywall as the bridge IP may be considered Zywall's IP.
2nd, try From "any" instead of LAN1.


whisper1

join:2007-11-28
Schomberg, ON

Tried both and still no joy. Don't forget I can ping from any other computer and it will hit the log, even from my iPod Touch LOL.


whisper1

join:2007-11-28
Schomberg, ON

There is no switch on the network only a Linksys VoIP box which is plugged into one of the LAN ports on the ZyWall USG20W.



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:9
reply to whisper1

Are both .100 and .105 on the same interface? Wired or wireless?
Did you enable logging on the default rule?


whisper1

join:2007-11-28
Schomberg, ON

>Is both .100 and .105 on same interface? Wired or wireless?

Yes both wired.

>Did you enable logging on the default rule?

By default rule are you referring to the last rule in the list? If so then yes, it's always been on.


whisper1

join:2007-11-28
Schomberg, ON

Some further info:


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:9
reply to whisper1

Post the bridge setup page.

Anyway, I need to test this tomorrow, but if both are on the same interface the traffic is most likely never reaching the firewall (layer 3); it is handled on the switch (layer 2).


whisper1

join:2007-11-28
Schomberg, ON

I tend to think it's some type of fault in the loaded config/firmware.
The rest of the bridge setup is in one of the posts above.

Appreciate your help Brano.


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:9
reply to whisper1

How many wired devices do you have there other than these two? What are their IPs?


whisper1

join:2007-11-28
Schomberg, ON

The only other wired devices are:
1) The Linksys VoIP adaptor 192.168.1.110
2) MacBook 192.168.1.102



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:9
reply to whisper1

So when you ping from macbook (wired) .102 to .105 does the FW log it?


whisper1

join:2007-11-28
Schomberg, ON

Interesting, it appears the MacBook doesn't get logged either.

I double checked my other wireless notebook and that does get logged.


whisper1

join:2007-11-28
Schomberg, ON

So I tried pinging the MacBook and that doesn't log either. And pinging from wireless to wireless device doesn't log either.



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:9
Reviews:
·TekSavvy DSL
·Bell Fibe

Yes, that is expected normal behaviour; I should have realized on the 2nd post (not sure where my brain was).
Traffic on the same physical interface, in your case wired lan1 and wireless wlan-1-2, is handled on layer 2 and never reaches the layer 3 firewall.

The bridge is on layer 3 so everything passing the bridge goes through firewall as well.


whisper1

join:2007-11-28
Schomberg, ON

Thanks Brano, that was my fault for not giving you proper information. Does that mean I can't log anything that takes place between the wired computers on layer 2?



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:9

Correct. This is basically the scenario where you have all your devices connected to a switch: no logging by IP address (L3) is possible, as all information between nodes is forwarded by MAC address (L2) ... simply put.



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:9
Reviews:
·TekSavvy DSL
·Bell Fibe
reply to whisper1

To add.
You want your LAN to be on L2 only due to speed; every layer you go UP, more CPU is needed and throughput is degraded accordingly.

Your via-bridge connections will be slower than those on the same physical interface. However, you may not notice the speed degradation in your home scenario with only a few machines and small utilization.

BTW, the layers I'm talking about »en.wikipedia.org/wiki/OSI_model


whisper1

join:2007-11-28
Schomberg, ON


Just realised that the firewall rules don't come into effect either. Say I needed to log and implement firewall rules between ALL devices on my local network (using only the USG20W); would I have to put everything on different subnets? Or is there just no way to do it?



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:9
Reviews:
·TekSavvy DSL
·Bell Fibe

You'd have to have all nodes in different zones or subnets ... no you can't do what you're asking with USG only.

You could add an L2 managed switch to your setup and configure a mirroring (sniffer) port for all the traffic and hook up some kind of sniffer to that port (wireshark or some other tool).

Why would you need to do so? Typically if you have a set of clients that have different security classifications you put them on a separate network and firewall them from the rest of the network. But monitoring each single client is just a PITA.


whisper1

join:2007-11-28
Schomberg, ON

said by Brano:

Why would you need to do so? Typically if you have set of clients that have different security classification you put them on separate network and firewall them from the rest of the network. But monitoring each single client is just PITA.

No, it's not something I need to do; I was just trying to understand the design and limitations of the USG20W. It would be handy though to log pings and traffic while troubleshooting certain issues, but that can be done another way. I guess I was just surprised not to see the logging, but I now understand why this is the case.

said by Brano:

You'd have to have all nodes in different zones or subnets

There is an option to create user defined Zones so would this work?


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:9

You can put only subnets into zones, not individual hosts.


Kirby Smith

join:2001-01-26
Derry, NH
Reviews:
·Fairpoint Commun..

If one had a smart L2 switch and in concert with the USG put every device into its own VLAN, then I think the USG could log everything, as the VLANs only connect at the USG firewall if the switch isn't allowed to provide connections between VLANs.

In this case self discovery of routes by devices might not work; printers, for example, might have to be referenced by their IP addresses.

Also, the USG would have to know that the route to every VLAN is via the address of the switch's trunk port connected to LAN1.

kirby
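The point Brano makes (same-segment traffic is switched at layer 2 and never reaches the layer 3 rules, so it cannot be logged; traffic crossing the bridge is routed and is logged) and Kirby's follow-up (one VLAN per device makes every pair cross the firewall) can be modelled as a small forwarding decision. The following is an added example written for this thread, not ZyXEL's code or anything either poster published. It uses the wired IPs posted in the thread; the two wireless addresses, the host names, and the segment names are assumed placeholders. `infer_segments` also runs the diagnosis in reverse: given which pings showed up in the log and which did not, it reconstructs which hosts share a layer-2 segment.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    segment: str  # layer-2 broadcast domain: a USG interface or a VLAN


def crosses_firewall(src: Host, dst: Host) -> bool:
    """A packet is routed (layer 3) only when the two hosts sit on different
    layer-2 segments; otherwise the switch forwards it by MAC address."""
    return src.segment != dst.segment


def firewall_log(src: Host, dst: Host, rule_logs: bool = True) -> list[str]:
    """Log lines a layer-3 firewall would emit for a ping src -> dst.

    Same-segment traffic yields nothing even with logging enabled on the
    rule, because the rule engine never sees the packet."""
    if not crosses_firewall(src, dst) or not rule_logs:
        return []
    return [f"ICMP {src.ip} -> {dst.ip}: {src.segment} -> {dst.segment}, logged"]


# Topology as described in the thread: wired hosts on lan1, wireless hosts on
# wlan-1-2, the two joined by the USG's bridge. Wired IPs are the ones posted;
# the wireless IPs and all host names are assumed.
THREAD_HOSTS = {
    "pc":       Host("pc", "192.168.1.100", "lan1"),
    "macbook":  Host("macbook", "192.168.1.102", "lan1"),
    "isy":      Host("isy", "192.168.1.105", "lan1"),
    "voip":     Host("voip", "192.168.1.110", "lan1"),
    "notebook": Host("notebook", "192.168.1.150", "wlan-1-2"),  # assumed IP
    "ipod":     Host("ipod", "192.168.1.151", "wlan-1-2"),      # assumed IP
}


def logged_pairs(hosts: dict[str, Host]) -> set[tuple[str, str]]:
    """Every ordered (src, dst) pair whose traffic the firewall would log."""
    return {(a, b) for a in hosts for b in hosts
            if a != b and firewall_log(hosts[a], hosts[b])}


def per_device_vlans(hosts: dict[str, Host]) -> dict[str, Host]:
    """Kirby's proposal: one VLAN per device on a managed switch, trunked to
    the USG, so every host pair is routed and therefore visible to the rules."""
    return {n: Host(h.name, h.ip, f"vlan-{h.name}") for n, h in hosts.items()}


def infer_segments(observations: dict[tuple[str, str], bool]) -> list[frozenset[str]]:
    """Reverse the diagnosis done by hand in the thread: hosts whose mutual
    pings never appear in the log must share a layer-2 segment. Union-find
    over the 'not logged' pairs yields the segments."""
    parent: dict[str, str] = {}

    def find(x: str) -> str:
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for (a, b), logged in observations.items():
        ra, rb = find(a), find(b)
        if not logged:
            parent[ra] = rb
    groups: dict[str, set[str]] = {}
    for h in parent:
        groups.setdefault(find(h), set()).add(h)
    return sorted((frozenset(g) for g in groups.values()), key=lambda g: sorted(g))


# Constructed from what the thread reports: wired->wired and wireless->wireless
# pings never logged, wireless->wired pings logged.
THREAD_OBSERVATIONS = {
    ("pc", "isy"): False,
    ("macbook", "isy"): False,
    ("pc", "macbook"): False,
    ("notebook", "isy"): True,
    ("ipod", "isy"): True,
    ("ipod", "notebook"): False,
}

if __name__ == "__main__":
    for src, dst in [("pc", "isy"), ("notebook", "isy"), ("ipod", "notebook")]:
        print(src, "->", dst, firewall_log(THREAD_HOSTS[src], THREAD_HOSTS[dst]) or ["not logged"])
    print("segments inferred from the log:", [sorted(s) for s in infer_segments(THREAD_OBSERVATIONS)])
    print("pairs logged with per-device VLANs:", len(logged_pairs(per_device_vlans(THREAD_HOSTS))))
```

Run it and the same-interface pings (.100 to .105, iPod to notebook) come back empty while the wireless-to-wired ping produces a line, matching the thread. Switching the topology to `per_device_vlans` makes all 30 ordered pairs cross the router, which is Kirby's point, and also the reason such a design costs throughput, as Brano notes: every one of those pairs is now routed and inspected instead of switched.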