Cisco RV042 Firewall Blocking LAN Traffic

Davasaurus
Level 1

Hello Everyone,

I currently have an RV042G with a downstream SG-300 connected to one of the LAN interfaces.  Connected to the SG-300 are a couple of servers running ESXi.  Inter-VLAN routing is working fine on the current setup; however, I am only able to connect to my ESXi hosts on a separate VLAN for approximately a minute before the connection is dropped.  I have concluded that the firewall seems to be the culprit in blocking my traffic.  If I turn the firewall off, everything acts as expected.  There is a default "ANY/ANY" rule for LAN traffic enabled and I have added a couple of extras allowing all traffic for IP ranges, but I still seem to be losing my connections.  To make matters more confusing, I can see ACCESS_RULE events in the firewall logs permitting the traffic (or so I'm interpreting).

Regardless, here's how my rules currently stand below.  I put another ANY/ANY rule in because the default didn't seem to be working -- I immediately was able to ping other hosts on different VLANs after adding the rule.  I was under the assumption allowing all traffic from any source to any destination would make the LAN pretty accessible.  I would appreciate any guidance or resources on this topic to set up some quick firewall rules to get things up and running.  Thanks in advance.

Action | Service         | Source Interface | Source                    | Destination               | Time
Allow  | All Traffic [1] | LAN              | 10.10.21.1 ~ 10.10.21.31  | 10.10.10.10 ~ 10.10.10.10 | Always
Allow  | All Traffic [1] | LAN              | 10.10.10.10 ~ 10.10.10.10 | 10.10.21.1 ~ 10.10.21.31  | Always
Allow  | All Traffic [1] | LAN              | Any                       | Any                       | Always
Allow  | All Traffic [1] | LAN              | Any                       | Any                       | Always
Deny   | All Traffic [1] | WAN1             | Any                       | Any                       | Always
Deny   | All Traffic [1] | WAN2             | Any                       | Any                       | Always
3 Replies

Julio Carvajal
VIP Alumni

Hello David,

So the SG-300 performs the Inter-Vlan routing?

If that's the case then traffic should not even arrive at the FW.

As you already said, the configuration is pretty straightforward; it should not cause an issue.

Let me know if the RV042 is the one with the 802.1Q links!

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I guess I should clarify, the SG-300 is running in Layer 3 mode, and the VLANs are defined on it; however, the static routes are defined on the RV042.  Maybe there's a more efficient way of doing this? 

Below is a scrubbed copy of my switch configuration. 

config-file-header
SWITCH01
v1.3.5.58 / R750_NIK_1_35_647_358
CLI v1.0
set system mode router
!
vlan database
vlan 2
exit
no bonjour enable
hostname SWITCH01
no logging console
ip ssh server
ip ssh password-auth
clock timezone CEST +1
!
interface vlan 1
ip address 10.10.10.2 255.255.255.0
no ip address dhcp
!
interface vlan 2
name VIRTUAL-MANAGEMENT
ip address 10.10.21.1 255.255.255.224
!
interface gigabitethernet1
description ESXI01:VMNIC0:MGMT
switchport trunk allowed vlan add 2
!
interface gigabitethernet20
description UPLINK
exit
ip route 0.0.0.0 /0 10.10.10.1 metric 15

The routes I have defined are:

Destination IP | Subnet Mask     | Default Gateway | Hop Count | Interface
10.10.21.0     | 255.255.255.224 | 10.10.10.2      | 1         | eth0
10.10.10.0     | 255.255.255.0   | *               | 0         | eth0
               | 255.255.252.0   | *               | 0         | eth1
239.0.0.0      | 255.0.0.0       | *               | 0         | eth0
default        | 0.0.0.0         |                 | 40        | eth1

Just to reiterate the problem, I am able to connect to hosts on VLAN 2 from my computer on VLAN 1, but I am disconnected a minute or so later.  When the firewall is disabled, I have no issues with connecting to the host across VLANs and maintaining that connection.  Maybe I have a misconfiguration somewhere that is causing some issues?  I appreciate the help. 

After doing some research, I found this in the admin guide for the RV042G:

---

Typically, a Cisco RV0xx Series router is used as an access router, with a single LAN subnet. By default, the firewall is pre-configured to deny LAN access if the source IP address is on a different subnet than the router's LAN IP address. However, you can enable multiple subnets to allow this router to work as an edge device that provides Internet connectivity to different subnets in your LAN.

---

So, I guess my question is "how do I overrule the default behavior?"  I have tried manually putting in access rules to allow traffic between different VLANs, but I'm not getting much luck.  Thanks for any help.
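To make the admin-guide behaviour quoted above concrete, here is an added Python model (not the router's own code) of the source-subnet check applied to the rule table from the first post. The evaluation order (subnet check before the access rules), the implicit deny and the constructed sample addresses are assumptions drawn from the guide's wording, not from the device firmware.

```python
import ipaddress

# Constructed for this example: the RV042G LAN address from the thread and
# the VLAN 2 subnet that the SG-300 routes (from the switch config above).
ROUTER_LAN = ipaddress.ip_interface("10.10.10.1/24")
VLAN2 = ipaddress.ip_network("10.10.21.0/27")

# Access rules as posted; assumed to be evaluated top-down, first match wins.
RULES = [
    # (action, source interface, source range, destination range)
    ("allow", "LAN", "10.10.21.1-10.10.21.31", "10.10.10.10-10.10.10.10"),
    ("allow", "LAN", "10.10.10.10-10.10.10.10", "10.10.21.1-10.10.21.31"),
    ("allow", "LAN", "any", "any"),
    ("deny", "WAN1", "any", "any"),
    ("deny", "WAN2", "any", "any"),
]


def in_range(addr, spec):
    """True if addr lies inside an inclusive 'lo-hi' range or spec is 'any'."""
    if spec == "any":
        return True
    lo, hi = (ipaddress.ip_address(x) for x in spec.split("-"))
    return lo <= addr <= hi


def match_rules(iface, src, dst):
    """Return the action of the first matching rule ('deny' if none match,
    an assumed implicit deny)."""
    for action, rule_iface, s, d in RULES:
        if rule_iface == iface and in_range(src, s) and in_range(dst, d):
            return action
    return "deny"


def lan_decision(src, dst, extra_subnets=()):
    """Model of the guide text: a LAN-side source that is not on the router's
    own LAN subnet (or on an enabled additional subnet) is denied before the
    access rules are consulted, so an ANY/ANY allow rule never sees it."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    known = [ROUTER_LAN.network, *extra_subnets]
    if not any(src in net for net in known):
        return "deny (source not in a configured LAN subnet)"
    return match_rules("LAN", src, dst)
```

With only the default single subnet, traffic from VLAN 2 is dropped regardless of the allow rules; enabling 10.10.21.0/27 as an additional subnet is what lets the rule table apply.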
