04-01-2010 11:11 AM
Hi,
I currently have a flat network (192.168.1.x) that all my devices live on. I'm trying to add a new wireless subnet (192.168.2.x) in my environment. When I do this, it appears that the 5GT is stepping on all of that traffic, see examples below:
| 2010-04-01 10:12:50 | alert | IP spoofing! From 192.168.2.3:64619 to 224.0.0.252:5355, proto UDP (zone Trust, int ethernet1). Occurred 2 times. |
| 2010-04-01 10:12:17 | alert | IP spoofing! From 192.168.2.3:60771 to 224.0.0.252:5355, proto UDP (zone Trust, int ethernet1). Occurred 2 times. |
| 2010-04-01 10:11:44 | alert | IP spoofing! From 192.168.2.3:62147 to 224.0.0.252:5355, proto UDP (zone Trust, int ethernet1). Occurred 2 times. |
| 2010-04-01 10:11:22 | alert | IP spoofing! From 192.168.2.3:54282 to 224.0.0.252:5355, proto UDP (zone Trust, int ethernet1). Occurred 1 times. |
| 2010-04-01 10:11:22 | alert | IP spoofing! From 192.168.2.3:54278 to 224.0.0.252:5355, proto UDP (zone Trust, int ethernet1). Occurred 1 times. |
| 2010-04-01 10:11:22 | alert | IP spoofing! From 192.168.2.3:59913 to 224.0.0.252:5355, proto UDP (zone Trust, int ethernet1). Occurred 1 times. |
| 2010-04-01 10:11:22 | alert | IP spoofing! From 192.168.2.3:51592 to 224.0.0.252:5355, proto UDP (zone Trust, int ethernet1). Occurred 1 times. |
| 2010-04-01 10:11:11 | alert | IP spoofing! From 192.168.2.3:63443 to 224.0.0.252:5355, proto UDP (zone Trust, int ethernet1). Occurred 2 times. |
| 2010-04-01 10:10:58 | alert | IP spoofing! From 192.168.2.3:62582 to 239.255.255.250:1900, proto UDP (zone Trust, int ethernet1). Occurred 1 times. |
| 2010-04-01 10:10:55 | alert | IP spoofing! From 192.168.2.3:62582 to 239.255.255.250:1900, proto UDP (zone Trust, int ethernet1). Occurred 1 times. |
| 2010-04-01 10:10:52 | alert | IP spoofing! From 192.168.2.3:62582 to 239.255.255.250:1900, proto UDP (zone Trust, int ethernet1). Occurred 1 times. |
| 2010-04-01 10:10:52 | alert | IP spoofing! From 192.168.2.3:55533 to 224.0.0.252:5355, proto UDP (zone Trust, int ethernet1). Occurred 2 times. |
| 2010-04-01 10:10:49 | alert | IP spoofing! From 192.168.2.3:62582 to 239.255.255.250:1900, proto UDP (zone Trust, int ethernet1). Occurred 1 times. |
| 2010-04-01 10:10:46 | alert | IP spoofing! From 192.168.2.3:62582 to 239.255.255.250:1900, proto UDP (zone Trust, int ethernet1). Occurred 1 times. |
| 2010-04-01 10:10:45 | alert | IP spoofing! From 192.168.2.3:64091 to 224.1.0.38:497, proto UDP (zone Trust, int ethernet1). Occurred 1 times. |
| 2010-04-01 10:10:43 | alert | IP spoofing! From 192.168.2.3:64089 to 224.1.0.38:497, proto UDP (zone Trust, int ethernet1). Occurred 1 times. |
| 2010-04-01 10:10:43 | alert | IP spoofing! From 192.168.2.3:62582 to 239.255.255.250:1900, proto UDP (zone Trust, int ethernet1). Occurred 5 times. |
| 2010-04-01 10:10:42 | alert | IP spoofing! From 192.168.2.3:64087 to 224.0.0.252:5355, proto UDP (zone Trust, int ethernet1). Occurred 2 times. |
| 2010-04-01 10:10:41 | alert | IP spoofing! From 192.168.2.3:61121 to 224.1.0.38:497, proto UDP (zone Trust, int ethernet1). Occurred 1 times. |
| 2010-04-01 10:10:41 | alert | IP spoofing! From 192.168.2.3 to 224.0.0.22, proto 2 (zone Trust, int ethernet1). Occurred 2 times. |
How do I fix this so the 5GT will pass the traffic on?
TIA for any/all assistance.
04-01-2010 11:47 AM
Hi
Can you post the output from get interface and get route?
04-01-2010 11:55 AM
Moerkholt wrote: Hi
Can you post the output from get interface and get route?
Stripped out personally identifying info, but this should give some clarification.
ns5gt-> get interface
A - Active, I - Inactive, U - Up, D - Down, R - Ready
Interfaces in vsys Root:
Name IP Address Zone MAC VLAN State VSD
eth1 192.168.1.1/24 Trust x.x.x - U -
eth2 192.168.3.1/24 DMZ x.x.x - D -
eth3 0.0.0.0/0 Untrust x.x.x - D -
eth4 x.x.x.x/21 Untrust x.x.x - U -
vlan1 0.0.0.0/0 VLAN x.x.x 1 D -
null 0.0.0.0/0 Null N/A - U 0
ns5gt-> get route
IPv4 Dest-Routes for <untrust-vr> (0 entries)
--------------------------------------------------
H: Host C: Connected S: Static A: Auto-Exported
I: Imported R: RIP P: Permanent D: Auto-Discovered
N: NHRP
iB: IBGP eB: EBGP O: OSPF E1: OSPF external type 1
E2: OSPF external type 2 trailing B: backup route
IPv4 Dest-Routes for <trust-vr> (7 entries)
--------------------------------------------------
ID IP-Prefix Interface Gateway P Pref Mtr Vsys
--------------------------------------------------
* 70 0.0.0.0/0 eth4 x.x.x.x C 0 1 Root
* 5 x.x.x.0/21 eth4 0.0.0.0 C 0 0 Root
* 2 192.168.1.1/32 eth1 0.0.0.0 H 0 0 Root
4 192.168.3.1/32 eth2 0.0.0.0 H 0 0 Root
* 6 x.x.x.x/32 eth4 0.0.0.0 H 0 0 Root
3 192.168.3.0/24 eth2 0.0.0.0 C 0 0 Root
* 1 192.168.1.0/24 eth1 0.0.0.0 C 0 0 Root
04-01-2010 12:15 PM
Hi
As you can see from the routing table there is no route for 192.168.2.0/24 and therefore the firewall does not know how to deliver traffic back to this network. Furthermore, as it does not have any route, it regards the traffic from 192.168.2.0/24 as being spoofed.
You have to configure a route (next-hop gateway) that tells the firewall where to deliver the return traffic for 192.168.2.0/24.
04-01-2010 12:46 PM
Moerkholt wrote: Hi
As you can see from the routing table there is no route for 192.168.2.0/24 and therefore the firewall does not know how to deliver traffic back to this network. Furthermore, as it does not have any route, it regards the traffic from 192.168.2.0/24 as being spoofed.
You have to configure a route (next-hop gateway) that tells the firewall where to deliver the return traffic for 192.168.2.0/24.
So I need to add a route that delivers/returns all 192.168.2.0 traffic to the 192.168.1.1 gateway?
I don't see any way to clone the route from the .1 network or the .3 network, and I don't remember how to do this, sorry.
04-01-2010 01:09 PM
One more thing: there is no physical relationship to this subnet as it relates to the ns5gt. The wireless segment is not going to be physically connected to the 5gt (it comes into a switch).
example -
untrust / isp connection goes into eth4
trust connection comes out of eth1 into switch
04-01-2010 01:10 PM
Hi
You have to route the traffic to the device that delivers the wireless traffic to the firewall.
I don't know if you have your wireless attached to ethernet1 or ethernet2, but as an example:
You have a Wireless Access Point/Wireless Router attached to ethernet1
The ip address of the wireless device is 192.168.1.50.
What you have to do in this case is to make a route statement as follows:
set route 192.168.2.0/24 ethernet1 gateway 192.168.1.50
04-01-2010 01:15 PM - edited 04-01-2010 01:15 PM
Moerkholt wrote: Hi
You have to route the traffic to the device that delivers the wireless traffic to the firewall.
I don't know if you have your wireless attached to ethernet1 or ethernet2, but as an example:
You have a Wireless Access Point/Wireless Router attached to ethernet1
The ip address of the wireless device is 192.168.1.50.
What you have to do in this case is to make a route statement as follows:
set route 192.168.2.0/24 ethernet1 gateway 192.168.1.50
Can I do this virtually in the router vs. physically to the interface? I can't connect them in this fashion as the devices are not located in the same part of my SOHO.
04-01-2010 01:21 PM
Hi
I am not sure what you mean.
How is your wireless network connected to your network?
04-01-2010 01:36 PM
So in the front part of my SOHO we have multiple machines and the wireless gear. That is then routed via a long-haul cat6 line to the "backoffice" where the ISP line comes in and the firewall lives.