
I have two Subnets and the Routing works like this:

(network diagram omitted)

Client A can Ping (ICMP) Client B
Client B can't Ping (ICMP) Client A

There are no Routes manually configured in the Access Point (Google Wifi Wlan Router - hasn't got a lot of options, let alone routing tables) in Subnet A and there are only unmanaged switches in between.

The only thing that is connected to both Subnets is a Sonicwall Firewall but I don't know if the traffic is routed through that? Because technically there is a more direct route between the Subnets.

There is no Client-Side firewall on either device. In fact I am very certain it has nothing to do with the clients at all (same behavior for different Clients).

The Default gateway in Subnet A is the Google Wifi Access Point. In Subnet B the Default Gateway is a Windows Server (which has the DHCP Server on it).

My questions are:

  1. Why can Client A ping Client B and not the other way around?
  2. Where should I look if I want to search for a badly configured routing rule?
  3. How can I achieve it that the routing works between all Clients from Subnet A and B?
Dominik
  • What is the default gateway for client A and client B? If in both cases it is the ip of the sonicwall then that is the device doing the routing and the most likely source of your problem. If it is the sonicwall, check the logs for dropped icmp packets from client A to client B. – mmccowan Aug 02 '18 at 12:02
  • Thanks for the comment! For Subnet A the default Gateway is the Google Wifi Router and for Subnet B it is the DHCP Server (a Windows Server). So these two devices will get all the Packets and from there they get distributed to the destination? – Dominik Aug 02 '18 at 12:13
  • Packets with a destination outside of the current subnet will be sent to the default gateway. In this case Client B sending to Client A will be sent to the DHCP server for routing. Does the DHCP server have multiple NICs with addresses on different subnets? – mmccowan Aug 02 '18 at 12:20
  • The Google Access Point in Subnet A has one NIC in each Subnet. The other DHCP Server has only one NIC for Subnet B. – Dominik Aug 02 '18 at 12:23
  • Ah, so the Google AP is multi-homed and is on both subnets. From your description it sounds like the AP is providing NAT for everything on subnet A. If that is the case you would have to add a route either on the windows server or the sonicwall (I'm assuming it is the default gw for the windows server). The route would essentially send anything bound for subnet A to the subnet B address of the google AP. – mmccowan Aug 02 '18 at 12:48
  • Okay that told me I am on the right path, I thought so too but my routes didn't do anything. Maybe I still have some errors in the Sonicwall Config... Can you Post your comment as an answer so I can accept it? – Dominik Aug 02 '18 at 12:55

2 Answers

First, 192.168.15.0/21 (255.255.248.0) isn't the proper way to name this network, it's actually 192.168.8.0/21 (255.255.248.0), ranging from 192.168.8.0 - 192.168.15.255.

Second, there is no real security between the two subnets if they are on the same switch/VLAN on the switch as indicated in your diagram, or if the wifi AP on subnet A simply has a drop into the switch on subnet B from an AP port that isn't configured to be on a different VLAN.

If, on any client device, you add a zero metric route for subnet B on subnet A, and do the reverse on subnet B (add a zero metric route for subnet A on subnet B), the systems will see themselves as being connected to both networks. Traffic from that system to the other subnet will just use ARP and send directly to the other subnet, bypassing any layer 3 devices (routers, l3 firewalls), and communicating directly.

For instance, if on a linux host on subnet B, you did something like:

ip route add 192.168.86.0/24 metric 0 dev eth0

The linux host would try to send packets directly to nodes on subnet A by ARPing. Obviously if you are depending on the firewall or routers to provide some sort of security between the two subnets this would defeat it.

Now that that's out of the way, this is a fairly simple IP routing problem. You need a route on the default gateway for subnet A which points to a valid gateway for 192.168.86.0/24 (subnet B). You need a route on the default gateway for subnet B which points to a valid gateway for 192.168.8.0/21 (subnet A). A valid gateway is a router which is directly reachable from the source router/gateway, which knows how to get to the destination network, either by having a next-hop route, or being directly connected to the destination network.

Once this is established, you must make sure that any firewalls are not blocking traffic between the subnets. Windows Firewall has fairly strict rules by default. If it's enabled, it's almost certainly blocking traffic in some way between the two subnets. If the AP's drop on subnet B is layer 3 (e.g., a VLAN port not just another switch port), then its firewall (presuming it has one) could also be blocking traffic.

Overall, you may want to take a look at this network architecture and come up with something a bit more sane. For instance, you should likely have a router in the center, not just a switch. If it's a l3 switch, you can simply separate the ports onto different VLANs and have the switch act as the core router between the two subnets, get rid of the drop from the AP into subnet A, and let the router do the routing.

jbgeek
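The answer above describes two things: a longest-prefix route lookup on each gateway (the Windows server has no route for 192.168.8.0/21, so Client B's packets go to its default gateway and never come back), and the "zero metric" connected route that makes a host ARP for the other subnet directly. The following script is an added illustration, not code from either answer, and models both with a small route table. It uses the subnets named in the answer (192.168.8.0/21 and 192.168.86.0/24); the gateway addresses 192.168.86.1, 192.168.86.2 and 192.168.86.254 and the client addresses are constructed placeholders, since the question does not give them.

```python
"""Model the route lookups from the question: why B -> A fails and which route fixes it.

Added illustration, not code from the answers. Addresses other than the two
subnet prefixes are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: Optional[str]   # None = directly connected: the host ARPs for the destination
    metric: int = 0


def canonical_network(cidr: str) -> str:
    """192.168.15.0/21 has host bits set; the real network address is 192.168.8.0/21."""
    return str(ipaddress.ip_network(cidr, strict=False))


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; among equal prefix lengths the lowest metric wins."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


def next_hop(table: List[Route], dst: str) -> Optional[str]:
    """Return the gateway IP, 'direct' for a connected route, or None if unroutable."""
    route = lookup(table, dst)
    if route is None:
        return None
    return route.gateway or "direct"


SUBNET_A = ipaddress.ip_network("192.168.8.0/21")   # Google Wifi side (from the answer)
SUBNET_B = ipaddress.ip_network("192.168.86.0/24")  # Windows server side (from the answer)
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

# Constructed addresses (assumptions, not from the question):
WIN_SERVER_B_ADDR = "192.168.86.1"    # Windows server, default gateway of subnet B
AP_SUBNET_B_ADDR = "192.168.86.2"     # Google Wifi's NIC on subnet B
SONICWALL_B_ADDR = "192.168.86.254"   # SonicWall, assumed default gateway of the server
CLIENT_A = "192.168.10.20"
CLIENT_B = "192.168.86.50"

# Google Wifi is multi-homed: both subnets are connected routes, so A -> B works.
GOOGLE_AP = [Route(SUBNET_A, None), Route(SUBNET_B, None),
             Route(DEFAULT, SONICWALL_B_ADDR)]

# Windows server before the fix: only subnet B is connected, everything else goes
# to the default gateway, which is not the device that knows subnet A.
WIN_SERVER_BEFORE = [Route(SUBNET_B, None), Route(DEFAULT, SONICWALL_B_ADDR)]

# The fix from the answer: route subnet A via the AP's subnet B address.
WIN_SERVER_AFTER = WIN_SERVER_BEFORE + [Route(SUBNET_A, AP_SUBNET_B_ADDR)]

# A host on subnet B with the "zero metric" connected route the answer warns about:
# traffic to subnet A is ARPed directly and never passes a layer 3 device.
HOST_B_DIRECT = [Route(SUBNET_B, None), Route(SUBNET_A, None, metric=0),
                 Route(DEFAULT, WIN_SERVER_B_ADDR)]


if __name__ == "__main__":
    print("question's prefix canonicalised:", canonical_network("192.168.15.0/21"))
    print("AP  -> Client B  :", next_hop(GOOGLE_AP, CLIENT_B))
    print("server -> Client A (before):", next_hop(WIN_SERVER_BEFORE, CLIENT_A))
    print("server -> Client A (after) :", next_hop(WIN_SERVER_AFTER, CLIENT_A))
    print("host B with connected route -> Client A:", next_hop(HOST_B_DIRECT, CLIENT_A))
```

The same `Route(SUBNET_A, AP_SUBNET_B_ADDR)` entry can be placed on the SonicWall instead of the Windows server, as the other answer suggests, as long as the device the server forwards to is the one that holds it; a reply packet that reaches a gateway with no matching route is handed to that gateway's default route and is lost, which is exactly the one-way ping in the question.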

Ah, so the Google AP is multi-homed and is on both subnets. From your description it sounds like the AP is providing NAT for everything on subnet A. If that is the case you would have to add a route either on the windows server or the sonicwall (I'm assuming it is the default gw for the windows server). The route would essentially send anything bound for subnet A to the subnet B address of the google AP.

mmccowan