I have my switches behind a Watchguard Firewall- I have 2 vlans set up no trunking
Vlan 10 - 10.10.10.1
Vlan 20- 10.10.20.1
I have my servers on Vlan 20 with a Default-Gateway of 10.10.20.1
I have one management server on Vlan 10 with a Default-Gateway of 10.10.10.1
I have IP Routing enabled on the switch I also have a route 0.0.0.0 0.0.0.0 10.10.20.254
On the Firewall I have 2 interfaces 1 for servers and 1 for management traffic
Server interface is 10.10.20.254
Manage interface is 10.10.10.254
I am able to access my management server via the correct gateways (I hit the firewall and it goes through the Manage Interface)
My servers can access the internet via route 0.0.0.0 0.0.0.0 10.10.20.254 which points to the FW interface of 10.10.10.254
I was told that I have to allow the Management server access to the internet. Below is the "show ip route"
Gateway of last resort is 10.10.20.254 to network 0.0.0.0
10.0.0.0/24 is subnetted, 3 subnets
C 10.10.10.0 is directly connected, Vlan10
C 10.10.20.0 is directly connected, Vlan20
C 10.10.50.0 is directly connected, Vlan50
S* 0.0.0.0/0 [1/0] via 10.10.20.254
Here is my issue. I only have one server - 10.10.10.50 on this management network that needs to get out. The firewall sees the traffic coming from 10.10.20.254 (I guess because of the route above it doesnt know where to go so it goes to the Server interface) Is there ANY way I can tell my switch to allow 10.10.10.50 access to the internet via vlan 10 only.
I set up 2 ip routes and the servers could not get out- so I had to remove the last one.
0.0.0.0 0.0.0.0 10.10.20.254
0.0.0.0 0.0.0.0 10.10.10.254
I had taken out the Gateway of last resort and what ended up happening was I was getting responses from the servers Gateways as
10.10.10.1 destination unreachable
10.10.20.1 destination unreachable
**This was frustrating because I thought that would work- the vlans should only communicate within its own network and having 10.10.10.254 as the next number in the route it would be technically the next hop. Someone please help me on this, I am sure its in my face but I have been staring at it for weeks and to no avail...
Am I correct in understanding that the subnet/VLAN for the management server in 10.10.10 is the same subnet/VLAN as the server that needs to get to the Internet? I am puzzled why there would be a connection from this VLAN to the firewall and the devices on that VLAN would not have the address of the firewall as their default gateway.
I was told to keep the Firewall as minimal as possible and keep all the routing within the switches. This server acts as a management server to collect logs and access just the management devices and the firewall manager also. This device also houses a VM Manager - which was pre-configured with a gateway of 10.10.10.1 which pointed to vlan 10. Basically I wanted to remove this management server from the rest of the bunch because of its importance and decided to split the Firewall interfaces into 2 interfaces, after all it has 5 interfaces why not use a few to seperate the management traffic and the server traffic. When I say "server" traffic I have several application servers running on the 10.10.20.1 vlan - This is a Virutal Server Environment which is centrally controlled by a management server. There are several layers at work here so in essence to divide it up was logical at the time