The ZyWall doesn't give me an option to view its routing table (at least through the web interface which is all they document).
My guess is that it is set as you describe. It has the static routes to the other subnets (added via the web interface), and it passes traffic to the internet w/no problem from any machine on the local subnet.

I did the static routes on the machines on the subnets in order to ensure they had a path to the other subnets when I set their default gateways to the ZyWall address - Originally they used their routers as default gateways but we couldn't even ping the Zywall in that case.

I'm down to the assumption that the main problem is likely in the routers and the key here is getting the routers straightened out. I'm stuck in this case - the routers are controlled by another company and they are not cooperative at all.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, June 23, 2003 8:33 PM
To: NT 2000 Discussions
Subject: Re: OT: Routing 101

On the 10.77.154.45 ZyWall your routing table should look something like this:

network        subnet           gateway         interface
0.0.0.0        0.0.0.0          a.b.c.d         a.b.c.e
10.77.154.0    255.255.255.0    10.77.154.45    10.77.154.45
10.77.153.0    255.255.255.0    10.77.154.x     10.77.154.45
10.77.152.0    255.255.255.0    10.77.154.y     10.77.154.45

a.b.c.d = IP address of Internet router
a.b.c.e = IP address assigned to ZyWall external interface
x = 4th octet number of the IBM router interface that connects the 153 network
y = 4th octet number of the IBM router interface that connects the 152 network

y is assumed to be a separate router, if the 2 networks converge into one router then x will be the pointer for 152 network.

You may see multicast statements in the routing table as well. Do not delete them.

If that is not there, traffic will get out, but will be dropped at the internal interface as it has nowhere to route to.

Do NOT do an internal route of 0.0.0.0 to 10.77.154.x

Copy the routing table into an email if you want help debugging it

Question: Why add static routes to the machines? Why not let the router handle the routing.
On 153, have everything go to 153.1 (or whatever) and let the router do its job and decide where to route the traffic. I would remove those statics.

-James

At 19:53 6/23/2003, you wrote:
>I am trying to finish up a ZyWall 10-II Firewall installation and have
>one remaining issue..
>
>My customer has 3 subnets spread between 3 towns connected via 64K Frame
>relay using IBM routers. Subnets are 10.77.154.0, 10.77.153.0,
>10.77.152.0 with mask 255.255.255.0.
>
>Each has a router at their respective 10.77.15x.3 address. These had
>been the default gateways for all machines on their respective subnets
>prior to the installation of the ZyWall.
>
>Originally we had a WinGate proxy server at 10.77.154.45 that all
>machines specified as their proxy server in IE and all worked well for
>all subnets.
>
>We have replaced the WinGate with the ZyWall on a hub on the 10.77.154.0
>network at 10.77.154.45 mask 255.255.255.0. I have set that as the
>default gateway for the machines on the 10.77.154.0 network and everyone
>on the 10.77.154.0 network can access the internet w/no problem.
>
>I have added static routes on the 10.77.154.0 machines that point to the
>10.77.154.3 router for traffic to the other subnets. I have added those
>static routes to the Zywall as well. The 10.77.154.0 machines (computers
>anyway - not sure about the ZyWall) have no problem communicating with
>machines on the other subnets.
>
>We have set IE to not use a proxy server and not detect settings.
>
>We have added static routes on machines on the remote subnets pointing
>to their respective routers for traffic to the other subnets. We have
>defined the default gateway on those machines as 10.77.154.45 (the
>ZyWall).
>
>Machines on the remote subnets (10.77.153.0 and 10.77.152.0) can
>communicate with machines on the other subnets. They can ping the ZyWall
>successfully. They can't communicate with the internet using IE or
>Tracert or FTP or NSLOOKUP.
>Tracert fails on the first hop (Destination
>address cannot be reached).
>
>To me it appears that the ZyWall is not returning traffic to the
>machines on the remote subnets. I'm wondering if it is treating the
>remote subnets as external address and maybe is returning traffic to
>them via the WAN port?
>
>I talked to the guy who supports the IBM routers for my customer and he
>spent some time on it and is stumped.
>
>Life would be simple if the customer would realize that they would be
>much better off getting local internet access at their remote locations
>rather than stuffing internet traffic into their already overloaded 64K
>circuits but listening isn't a strong point in this situation.
>
>Any suggestions? What am I missing?
>
>------
>You are subscribed as [EMAIL PROTECTED]
>Web Interface:
>http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=nt2000&text_mode=&lang=english
>To unsubscribe send a blank email to %%email.unsub%%
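
What the routing table in the reply above does for return traffic, as an added example that is not part of the thread: a longest-prefix-match lookup over that table, with and without the two static routes for the remote subnets. 192.0.2.1 and 192.0.2.2 are constructed stand-ins for a.b.c.d and a.b.c.e, x and y are both taken as 3 because the thread puts the 154-side router at 10.77.154.3, and ordinary longest-prefix matching is assumed since the ZyWall's own forwarding logic is not shown on the page.

```python
import ipaddress

# Constructed placeholders (not from the thread): 192.0.2.1 stands in for
# a.b.c.d (Internet router) and 192.0.2.2 for a.b.c.e (ZyWall WAN address).
INET_ROUTER, WAN_IF, LAN_IF = "192.0.2.1", "192.0.2.2", "10.77.154.45"
# Assumption: x = y = 3, the 154-side IBM router named in the thread.
IBM_ROUTER = "10.77.154.3"

FULL_TABLE = [
    # (network, subnet mask, gateway, interface)
    ("0.0.0.0", "0.0.0.0", INET_ROUTER, WAN_IF),
    ("10.77.154.0", "255.255.255.0", LAN_IF, LAN_IF),
    ("10.77.153.0", "255.255.255.0", IBM_ROUTER, LAN_IF),
    ("10.77.152.0", "255.255.255.0", IBM_ROUTER, LAN_IF),
]
# The same table with the two static routes to the remote subnets missing.
NO_STATICS = FULL_TABLE[:2]


def lookup(table, dest):
    """Return (gateway, interface) of the longest-prefix match for dest."""
    addr = ipaddress.ip_address(dest)
    best = None
    for network, mask, gateway, interface in table:
        net = ipaddress.ip_network(f"{network}/{mask}")
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, gateway, interface)
    if best is None:
        raise LookupError(f"no route to {dest}")
    return best[1], best[2]


def egress(table, dest):
    """Name the side of the firewall a packet to dest leaves on."""
    _, interface = lookup(table, dest)
    return "LAN" if interface == LAN_IF else "WAN"


if __name__ == "__main__":
    # Constructed destinations: one host per subnet plus one Internet address.
    samples = ("10.77.154.10", "10.77.153.20", "10.77.152.20", "198.51.100.7")
    for name, table in (("full table", FULL_TABLE), ("no statics", NO_STATICS)):
        for dest in samples:
            gateway, _ = lookup(table, dest)
            print(f"{name:10} {dest:13} via {gateway:12} out {egress(table, dest)}")
```

With the static routes present, replies to 10.77.153.x and 10.77.152.x are handed to 10.77.154.3 on the LAN side; without them the only matching entry is the default route, so the same replies are sent toward the WAN.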
