Forum Discussion

Abn's avatar
Abn
Meteor
26 days ago
Solved

Local VLAN routing

I have configured multiple VLANs at site. Client on VLAN A is unable to ping VLAN B interface on the same socket. Decided to use the Local Firewall rules to allow Any Any between VLAN A and B but still unable to ping.

Note: No issue with IP assignment and Clients can ping their gateways.

What could I be missing?

Another question.

From the KB, the default behavior for the Socket is to forward all traffic to the PoP for security inspection. My question is - what is the default policy on the PoP side if a LAN firewall rule is not configured?

 

  • andy's avatar
    andy
    22 days ago

    LAN Firewall is the right thing. You only have to take care, according to Cato Support, you cannot Ping the Vlan Interface itself on Socket. But of course, devices behind Socket VlanA can reach to devices to same Socket VlanB over local Socket LAN Firewall.

6 Replies

  • andy's avatar
    andy
    Meteor
    22 days ago

    Hi Abn

    I think you have the same topic that I once had. I asked Cato Support about that.

    Maybe Cato Support explanation helps you:

    If the source is on the socket LAN/VLAN - then each GW address should respond only to pings from the appropriate subnet. For example, you have a VLAN subnet 10.32.8.0/24 and a gateway of 10.32.8.241. Ping to the gateway IP responds only to the IP address within that same subnet.
     
    If pings come from Cato tunnel - socket answers only to the echoes going to native GW IP destination (not VLAN ones).

    Best regards,

    andy

  • michaelsaw's avatar
    michaelsaw
    Icon for Cato Employee rankCato Employee
    25 days ago

    HI Abn, 

    Would it be a good idea to perform a pcap on the traffic and check on the bi-directional traffic?

    Thank you.

  • Abn's avatar
    Abn
    Meteor
    25 days ago

    Client IP on VLAN A - 192.168.180.22 and VLAN B interface is 192.168.181.1. Pcap taken on the LAN interface of the socket.

    LAN Firewall: VLAN A -Data(180.0/24) and VLAN B- Voice(181.0/24)

     

  • Abn's avatar
    Abn
    Meteor
    22 days ago

    I thought having  LAN firewall rules to allow bi-directional among the VLANs, will allow the pings but it does not.

  • andy's avatar
    andy
    Meteor
    22 days ago

    LAN Firewall is the right thing. You only have to take care, according to Cato Support, you cannot Ping the Vlan Interface itself on Socket. But of course, devices behind Socket VlanA can reach to devices to same Socket VlanB over local Socket LAN Firewall.