changing internal IP breaks default config
XTM330 11.9.1.B451786
Factory config wipe.
Configured external WAN IP.
I can ping from inside to outside.
As soon as internal IP is changed from the default 10.0.1.1 to 192.168.1.254 I can no longer ping to the outside from internal hosts. I can still access the interface on the new internal IP and can ping the WAN IP, but nothing past it, even the external gateway. I can still ping from the firebox web UI Diagnostics, just not internal clients. As soon as the internal IP is reverted back to 10.0.1.1 it starts working. No other changes made in the factory config.
0
Sign In to comment.
Comments
So many questions....
1) What do you see in Traffic Monitor after the change to 192.168.1.254 ?
2) Do your internal devices do something to get an IP addr from the 192.168.1.0/24 subnet, such as a reboot or an "ipconfg /release" followed by an "ipconfg /renew" or a change to a manual IP addr, gateway addr & subnet msak?
3) why do you want to change to this very common private subnet from the default?
1) I'm not on site right now so I can't check this until later today
2) Normally DHCP but for troubleshooting I'm using static IPs, manually defined. Took the device off the LAN so it's only two other devices besides the firebox. One computer on the internal and one on the external.
3) It's an existing network in that subnet with all kinds of devices with static IPs including printers and scanners. They had this firewall in there for years, it only failed recently after a power outage but it didn't start functioning after power was restored so I wiped and and restored the saved config but that also didn't resolve it. So I wiped it and tried to config from scratch but it fails after the first and very basic step.
By the way, I'm not getting notified of replies to my posts so I tried to check in my profile which I can "view" but when I try to "edit" I get "Permission Problem - You don't have permission to do that"
What DNS server IP addr is being used for the static IP addr devices?
A public one? Or the firewall interface?
If the firewall, then you need to enable DNS forwarding
About DNS Forwarding
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/networksetup/dns_forwarding_about.html
Bruce, I'm not even trying any name resolution yet. I'm only pinging IPs.
Never mind on the notifications issue, I found another path to get in there
Did you mess with the default Dynamic NAT settings?
There should be 3 entries covering each of the private subnets - Any-external
I did not make any changes besides the IP of internal interface port 1. Those settings you mention are still there in the three private subnets
192.168.0.0/16 Any-External
172.16.0.0/12 Any-External
10.1.0.0/16 Any-External
Have you tried rebooting a DHCP PC after changing the trusted interface IP addr and seeing if it now works?
For the static IP addr PC, did you change the PC IP addr & default gateway IP addrs after changing the trusted interface IP addr ?
Also try a reboot of the firewall after making this change.
Just trying to help get this working....
FYI - if you save the firewall config periodically, you could import it into a new/different firewall in the future using WSM Policy Manager - thus not needed to recreate the whole config.
1) Once again, no DHCP is involved here, just two computers with static IPs.
2) Of course, hence why I said I can access the firewall UI on the new IP and ping the external interface IP.
3) In IT this is frequently the first step in troubleshooting inexplicable problems so I did it multiple times.
4) I tried importing it into this after the wipe but it did not work after that, just like it's not working with a freshly wiped default config.
Sorry, no more ideas
"I can still ping from the firebox web UI Diagnostics, just not internal clients."
What are the static private IP address settings you have on a client having the issue? Being able to ping the Firebox on 192.168.1.254 and ping its WAN IP, but not ping the Firebox' gateway from a statically-addressed client PC makes me wonder if your gateway on the clients is correct. Please post the output of "ipconfig /all" and hide the MAC address if desired, but not any IP addresses. Posting private IP info is NOT a security risk.
Gregg Hill