Cable Modem, Firewall, Unmanaged Switch, Different Subnet

Hello EE,

I am probably going to mess this question up, but, I'm pulling my hair out trying to get this to work.  So, here goes!

Cable Modem (10.1.15.X)
- Subnet 255.255.255.0
- Gateway 10.1.15.1
- DNS 68.87.68.166
- DMZ 10.1.15.5

Firewall (Fortinet 80C)
- WAN 10.1.15.5
- LAN 10.1.10.225
- Static Routes:
      - 0.0.0.0/0.0.0.0              GW: 10.1.15.1     WAN1
      - 10.1.15.0/255.255.255.0      GW: 10.1.15.5     WAN1
      - 10.1.10.0/255.255.255.0      GW: 10.1.10.225   Internal LAN

Routing Monitor
      - Static       0.0.0.0/0        GW: 10.1.15.1   WAN1
      - Connected    10.1.10.0/24     GW: 0.0.0.0     Internal LAN
      - Connected    10.1.15.0/24     GW: 0.0.0.0     WAN1

IP/Netmask (Address)
      - Internal Subnet    10.1.10.0/255.255.255.0    Any Interface
      - WAN1 Port          10.1.15.0/255.255.255.0    WAN1

Local Domain (10.1.17.X)
- Subnet 255.255.255.0
- Gateway 10.1.17.1
- DNS 10.1.17.20

Here’s what I’m trying to accomplish:

I would like to have one PC work on both subnets.  For example, on the LAN I want to be able to access network resources (file servers, printers) but also, utilize a faster cable modem for internet access.

I’ve set up my NIC to utilize two IP addressing schemes.

Local Domain IP Addressing Scheme (static):
- IP 10.1.17.137
- Subnet 255.255.255.0
- GW 10.1.17.1
- DNS 10.1.17.20

Comcast IP Addressing Scheme (static):
- IP 10.1.15.137
- Subnet 255.255.255.0
- GW 10.1.15.1
- DNS 10.1.15.1

Now, when I try and tracert a server on our domain (e.g. server61), the tracert goes out through the Comcast Modem (10.1.10.225).

When I try and tracert www.google.com it does the same thing.

If I switch the order of the Gateways in the TCP/IP settings of the NIC card, server61 goes through the 10.1.17.1 gateway, but then when I tracert www.google.com, it also goes through that same gateway (10.1.17.1).  Since that gateway is designed to utilize an MPLS connection to an overseas centralized network, I can’t be sending internet traffic through this connection.

As it stands, I have four clocks that reside on the Comcast Modem and are communicating with a server at the vendor’s location just fine.  But that setup is going directly through the switch (Linksys SR2024 – Unmanaged) and out the cable modem.  I want to put those four clocks behind the firewall as well as the PC I mentioned earlier.

Part of my frustration has to do with the firewall needing both the LAN port and WAN port to be on two different subnets.  That’s why I went with 10.1.15.X for the Comcast LAN connection, and 10.1.10.225 for the LAN port on the firewall.  Obviously I can’t utilize an IP address from our domain as these two subnets need to stay separated.

So, anyone have any ideas?  I’m sure I’ve missed something I could have added to this post, so any further questions will be answered ASAP!  I’ve attached a diagram; it shows how I created a VLAN to support the clocks running across our LAN.  The clocks have static IP addresses (10.1.15.X) and the Comcast Modem has DHCP turned off.

Thanks for taking the time to look at this and I hope to hear from you soon!

Getnoldfast
Solution: Cable Modem, Firewall, Unmanaged Switch, Different Subnet

It's somewhat counter-intuitive, I know.  What happens is that more than one gateway route is added to your system's routing table, but the additional routes have a higher "metric", and only the available route with the lowest metric is used. If your current default gateway should become unavailable for some reason, your system would simply go up the list to the one with the next-highest metric.

I know that by default wired NICs have a lower metric than wireless ones, but other than that I'm not sure how Windows decides which one should be used.

The gateway that you want your internet traffic to go through should be your default route; don't set a gateway on the other interface.

Then you need to add routes to direct MPLS-destined traffic through the appropriate router - you'd probably want to add those routes to the firewall, but you could add them to your system as well.

I'm not familiar with your firewall, but if you wanted to add the routes on your system you can use the "route" command - so, for example, if 192.168.1.1 through 192.168.255.254 are on the MPLS cloud, you could use the following command (the -p option makes it permanent, otherwise it's only good until reboot):

route -p add 192.168.0.0 mask 255.255.0.0 10.17.1.1
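The route selection the answer describes (longest prefix match first, then lowest metric, with failover to the next metric when a gateway is down) can be simulated offline. The following Python is an added example written for this page, not code from either poster: it models the asker's NIC with two default gateways, shows why all traffic leaves via the lowest-metric one, and then models the fix the answer proposes (one default route via the Comcast gateway plus a specific route for the MPLS range) and prints the matching "route -p add" line. The metrics (10 and 20), the 192.168.0.0/16 MPLS range and the host 192.168.5.10 are constructed for illustration; 10.1.17.1 is used as the MPLS gateway because it is the asker's local-domain gateway (the answer's own example line writes 10.17.1.1).

```python
import ipaddress
from dataclasses import dataclass

IPv4Network = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    network: IPv4Network
    gateway: str        # "on-link" marks a directly connected subnet
    interface: str
    metric: int


def lookup(table, dest, down=frozenset()):
    """Pick the route Windows would use for dest: longest prefix wins,
    ties are broken by the lowest metric, and routes whose gateway is
    in `down` (unreachable) are skipped so the next metric takes over."""
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in table
                  if addr in r.network and r.gateway not in down]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


def next_hop(table, dest, down=frozenset()):
    """Return the gateway address (or "on-link") chosen for dest."""
    route = lookup(table, dest, down)
    return None if route is None else route.gateway


def route_add_command(route):
    """Render a static route as the persistent Windows 'route' command."""
    net = route.network
    return (f"route -p add {net.network_address} "
            f"mask {net.netmask} {route.gateway}")


# The asker's current NIC: one interface, two static gateways.  Windows
# installs both as 0.0.0.0/0 routes; only the lower metric is ever used.
# (Constructed metrics: 10 for the first gateway, 20 for the second.)
DUAL_GATEWAY_TABLE = [
    Route(IPv4Network("10.1.15.0/24"), "on-link", "NIC", 10),
    Route(IPv4Network("10.1.17.0/24"), "on-link", "NIC", 10),
    Route(IPv4Network("0.0.0.0/0"), "10.1.15.1", "NIC", 10),   # Comcast
    Route(IPv4Network("0.0.0.0/0"), "10.1.17.1", "NIC", 20),   # MPLS
]

# The answer's fix: a single default route via the internet gateway and a
# specific route for the MPLS range (constructed: 192.168.0.0/16).
MPLS_ROUTE = Route(IPv4Network("192.168.0.0/16"), "10.1.17.1", "NIC", 10)
FIXED_TABLE = [
    Route(IPv4Network("10.1.15.0/24"), "on-link", "NIC", 10),
    Route(IPv4Network("10.1.17.0/24"), "on-link", "NIC", 10),
    Route(IPv4Network("0.0.0.0/0"), "10.1.15.1", "NIC", 10),
    MPLS_ROUTE,
]

if __name__ == "__main__":
    mpls_host, internet_host = "192.168.5.10", "8.8.8.8"   # constructed
    print("Two default gateways:")
    print("  ", mpls_host, "->", next_hop(DUAL_GATEWAY_TABLE, mpls_host))
    print("  ", internet_host, "->", next_hop(DUAL_GATEWAY_TABLE, internet_host))
    print("  ", internet_host, "with 10.1.15.1 down ->",
          next_hop(DUAL_GATEWAY_TABLE, internet_host, down={"10.1.15.1"}))
    print("One default gateway plus a specific MPLS route:")
    print("  ", mpls_host, "->", next_hop(FIXED_TABLE, mpls_host))
    print("  ", internet_host, "->", next_hop(FIXED_TABLE, internet_host))
    print("  ", "10.1.17.20", "->", next_hop(FIXED_TABLE, "10.1.17.20"))
    print("Command to add on the PC:", route_add_command(MPLS_ROUTE))
```

With both gateways configured, the MPLS host and the internet host both resolve to 10.1.15.1, which is exactly the symptom in the question; the second gateway is only consulted when the first is marked down. With the specific 192.168.0.0/16 route in place, MPLS traffic goes to 10.1.17.1 while everything else still uses the Comcast gateway, and hosts on the directly attached 10.1.17.0/24 need no gateway at all.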