Routing problem - only internal interfaces (network separation)
Dear Community,
I'd like to use a T85 to separate some local networks or in other words - to force the traffic to go through the T85. Therefore my idea was:
- do a test first with a non-critical or a new VLAN/subnet
- disable external interface on T85
- configure eth2 on T85 to be the management IP
- create an IP/interface on core router 10.101.157.2 (vlan 157)
- configure eth1 on T85 to become 10.101.157.1, connect it to core router on a port that is set to be in vlan 157
- create a policy to allow ping between 10.101.0.0/16 and 10.101.0.0/16 addresses
Now the problem is:
- core router can ping 10.101.157.1 on T85 and it works
- also the other way works: 10.101.157.1 on T85 can ping 10.101.157.2 on core router
- BUT: no other device in the local network can ping 10.101.157.1 on T85!!!
I've tried everything:
- checked VLAN 157 on all involved switches/routers
- tried to set the eth1 as "trusted"... as "VLAN"....
- checked the routing on T85
Any ideas? I guess this problems goes "back to the basics"? Does the T85 always try to use external interfaces for "leaving traffic"?
Thanks in advance.
0
Sign In to comment.
Comments
Additional info: meanwhile I did a packet trace (pcap) on the core router interface that is connected to the eth1 interface on T85. I can see in that trace my ICMP packets incoming from my client - and as a confirmation - there is no answer "no response found!" is logged in the trace.
I can also see the incoming ICMP packets from my client in the traffic monitor on the T85 even on the correct interface and they are allowed. It's just the response out to the client doesn't work.
Solved it - I guess my idea/concept was wrong.
What I did:
For some reason that alone didn't fix all problems. So Ive set eth1 on T85 to allow tagged vlan 157 and also set the interface on core router to be a trunk.
Now it works.