D-Link Forums
The Graveyard - Products No Longer Supported => D-Link NetDefend Firewalls => Topic started by: andyhill24 on December 01, 2009, 09:48:23 AM
-
We have a setup where a DFL-800 located at head office is used to connect to the internet.
There is another router on the LAN which provides connection to branch offices via a private network.
Network Config is as follows.
Head Office 192.168.0.0/24
Branch 1 10.0.31.0/24
Branch 2 10.0.32.0/24
DFL-800 LAN IP 192.168.0.225
Branch office router LAN IP 192.168.0.201
Branch office router is a managed service, but has a default route to send all unknown traffic to 192.168.0.225 (DFL-800)
The problem is that branch offices are unable to route traffic to the internet.
DFL-800 has static routes to branch office networks with the branch office router as the gateway.
Probably missing something silly but any pointers much appreciated.
-
Well, the problem is almost certainly either in Routes or in IP Rules.
Do you get log entries?
If they mention Default_Rule, you have an IP Rule problem.
If they mention Default_Access_Rule, you have a routing problem.
If you don't have any, the traffic is most likely not reaching the DFL, inspect downstream first.
-
Got almost the same
(http://img191.imageshack.us/img191/9800/dfl.jpg) (http://img191.imageshack.us/i/dfl.jpg/)
There was freebsd on *.0.1
route add x.x.1.0/24 x.x.0.224
everything was fine - 1.0/24 and 0.0/24 was routed
On DFL-260 when it replaced the freebsd server
with route lan x.x.1.0/24 x.x.0.224
0.0/24 pings 1.0/24 but telnet doesn't work
1.0/24 pings dfl but not 0.0/24
Ip rules
Allow lan/lannet lan/remote_net all_tcpudpicmp
Allow lan/remote_net lan/lannet all_tcpudpicmp
there is something about too high scr value in logs when I do telnet on 135 from 0.0/24 to 1.0/24
-
Show me what is in the logs and we can decipher it together.
-
I'll make another try on Thursday.
I plugged freebsd svr back to 0.1 now.
-
Did a full reset and added some rules
ping 192.168.3.10 goes
telnet 192.168.3.10 135 doesn't
(http://img97.imageshack.us/img97/932/logz.jpg) (http://img97.imageshack.us/i/logz.jpg/)
(http://img97.imageshack.us/img97/4692/log2b.jpg) (http://img97.imageshack.us/i/log2b.jpg/)
(http://img189.imageshack.us/img189/6119/log3s.jpg) (http://img189.imageshack.us/i/log3s.jpg/)
-
set
TCP Sequence Numbers: Ignore
2009-12-24
12:36:04 Warning TCP_FLAG 3300010 LogStateViolations TCP lan lan 192.168.0.191 192.168.3.10 50337 135 unexpected_tcp_flags drop
flags=SYN endpoint=originator state=FIN_RCVD origsent=232 termsent=0 ipdatalen=28 tcphdrlen=28 syn=1
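As an added example (not from this thread and not D-Link code), here is a small Python triage script that applies the classification given earlier in the thread (log entries naming Default_Rule point at IP Rules, Default_Access_Rule at Routes) and additionally flags the same-interface TCP state violation shown in the log line above, where a new SYN arrives on a lan-to-lan flow the firewall already holds in FIN_RCVD. The positional line layout is assumed from the sample posted above; the two extra log lines, their event ids and event names are constructed placeholders, not real NetDefendOS output.

```python
import re
from dataclasses import dataclass, field

# Constructed sample log. The first line is the one posted in the thread (date and
# time joined); the other two are placeholders built in the same layout so that
# each triage bucket is exercised. Event ids/names on those two lines are invented.
SAMPLE_LOG = """\
2009-12-24 12:36:04 Warning TCP_FLAG 3300010 LogStateViolations TCP lan lan 192.168.0.191 192.168.3.10 50337 135 unexpected_tcp_flags drop flags=SYN endpoint=originator state=FIN_RCVD origsent=232 termsent=0 ipdatalen=28 tcphdrlen=28 syn=1
2009-12-24 12:40:11 Warning RULE 1000001 Default_Rule TCP lan wan 10.0.31.5 198.51.100.10 51000 80 placeholder_drop drop rule=Default_Rule
2009-12-24 12:41:02 Warning RULE 1000002 Default_Access_Rule TCP lan wan 10.0.32.7 198.51.100.10 51001 443 placeholder_drop drop rule=Default_Access_Rule
"""


@dataclass
class NetDefendEvent:
    """One log entry; field order follows the sample line in the thread (assumed)."""
    time: str
    severity: str
    category: str
    event_id: str
    rule: str
    proto: str
    recvif: str
    destif: str
    srcip: str
    dstip: str
    srcport: str
    dstport: str
    event: str
    action: str
    kv: dict = field(default_factory=dict)  # trailing key=value pairs


_POSITIONAL = 14  # number of whitespace-separated fields before the key=value tail


def parse_line(line: str):
    """Parse one log line into a NetDefendEvent, or None if it is too short."""
    tokens = line.split()
    # The thread shows the date on its own line; accept it either way.
    if tokens and re.fullmatch(r"\d{4}-\d{2}-\d{2}", tokens[0]):
        tokens = tokens[1:]
    if len(tokens) < _POSITIONAL:
        return None
    kv = {}
    for tok in tokens[_POSITIONAL:]:
        if "=" in tok:
            key, value = tok.split("=", 1)
            kv[key] = value
    return NetDefendEvent(*tokens[:_POSITIONAL], kv=kv)


def triage(ev: NetDefendEvent) -> str:
    """Map an event to the troubleshooting bucket named in the thread."""
    if ev.rule == "Default_Rule":
        return "ip_rules"        # no IP Rule allowed the flow: fix IP Rules
    if ev.rule == "Default_Access_Rule":
        return "routing"         # source failed the route check on recvif: fix Routes
    if ev.event == "unexpected_tcp_flags" and ev.recvif == ev.destif:
        # Flow enters and leaves on the same interface and the firewall holds it in an
        # end-of-session state while a fresh SYN arrives: it is not seeing the whole
        # TCP conversation, the situation the thread resolves with FwdFast rules.
        return "hairpin_state"
    return "other"


def summarize(log_text: str) -> dict:
    """Group every parseable line by bucket; values are 'src:port->dst:port (state)'."""
    buckets: dict = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        flow = f"{ev.srcip}:{ev.srcport}->{ev.dstip}:{ev.dstport}"
        state = ev.kv.get("state", "-")
        buckets.setdefault(triage(ev), []).append(f"{flow} ({state})")
    return buckets


if __name__ == "__main__":
    for bucket, flows in summarize(SAMPLE_LOG).items():
        print(bucket)
        for f in flows:
            print("   ", f)
```

Run it as-is to see the three buckets; in practice you would feed it the exported log from the DFL and look first at which bucket dominates, since the thread's advice is that an empty log means the traffic never reached the firewall and the downstream router should be inspected instead.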
-
set
Allow TCP Reopen On
doesn't work, no logs ...
-
Jesus
for rules put
from_local FwdFast
from_far FwdFast
set
Allow TCP Reopen Off
http://archive.netbsd.se/?ml=cfw-users&a=2002-08&t=253890
-
I believe that was a statement of exasperation, and not a name. The link points to a mailing list thread where an issue with a Clavister firewall is troubleshot, which Lavdd then used as inspiration for his fix here.