Ruijie Community

Title: How to Troubleshoot Internet Access Failures of RG-WALL Series Firewalls

Author: zhangqiao@ruiji    Time: 2024-8-22 14:10
Step 1: Check the topology and VLANs on the intranet.
Check the firewall deployment location and all VLANs on the intranet. As shown in the following figure, the firewall is deployed at the egress, and the intranet gateway address is on the core switch. The core switch is configured with VLANs 100 and 200, using subnets 172.16.100.0/24 and 172.16.200.0/24, respectively.

Step 2: Check the configuration.
1. Check if the interfaces on the firewall are assigned to the correct zone.
a. In general, intranet interfaces on a firewall are added to the Trust zone, while extranet interfaces are added to the Untrust zone.
b. Ensure the interface types are correct: intranet and management interfaces should be set as LAN interfaces, while extranet interfaces must be set as WAN interfaces. For interfaces connected to a private line (without Internet access), do not enable the default route on this interface, as it could cause abnormal Internet access on the intranet.

2. Check the routing configuration.
Ensure the firewall is configured with both a default route and a reverse route. The default route should point to the extranet interfaces, while the reverse routes should point to the intranet interfaces. For the topology described in step 1, the firewall must have two reverse routes configured: 172.16.100.0/24 and 172.16.200.0/24, each pointing to the next hop.

3. Check if the security policy permits data transmission.
To access the Internet, the security policy from the Trust zone to the Untrust zone must permit the traffic, as shown in the following figure.

4. Configure NAT rules.
Configure a NAT rule to allow traffic to pass from the Trust zone to the Untrust zone.


Step 3: Perform network connectivity diagnosis in the Diagnostic Center.
Ping the external DNS server from an internal PC and perform diagnosis on the firewall. (If the firewall does not have the Diagnostic Center feature, upgrade the firewall version to R3P2 or later.)


Click Diagnose. Set Src. Address to the IP address of the PC, Inbound Interface to a LAN interface on the firewall, and Dest. Address to the IP address being pinged. After the diagnosis is complete, the results are displayed. Use these results to verify whether the firewall is forwarding packets correctly and whether the configuration is correct.
Step 4: Collect information.

If the fault persists after troubleshooting with the Diagnostic Center feature, collect the following information:
1. Topology information and intranet VLAN information.
2. Diagnostic results of the Diagnostic Center.
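
The Step 2 checks can also be run offline against a snapshot of the configuration. The following is an added example, not part of the original post or of any Ruijie tool: the dictionary layout, the role names and the interface names are constructed assumptions (not an RG-WALL export format), and only the two subnets come from Step 1.

```python
import ipaddress

# Subnets from Step 1 of the post; everything else is a constructed data model.
INTRANET = ["172.16.100.0/24", "172.16.200.0/24"]
EXPECTED = {"intranet": ("Trust", "LAN"), "extranet": ("Untrust", "WAN")}

def audit(cfg, intranet=INTRANET):
    """Run the Step 2 checks; return a list of findings (empty = all pass)."""
    out, ifs = [], cfg["interfaces"]
    for name, i in ifs.items():
        # 1a/1b: zone and interface type must match the interface's role.
        want = EXPECTED.get(i["role"])
        if want and (i["zone"], i["type"]) != want:
            out.append(f"{name}: expected {want[0]}/{want[1]}, got {i['zone']}/{i['type']}")
        # 1b: a private line without Internet access must not carry a default route.
        if i["role"] == "private_line" and i.get("default_route"):
            out.append(f"{name}: default route enabled on private line")
    routes = [(ipaddress.ip_network(r["dst"]), ifs[r["out_if"]]["role"]) for r in cfg["routes"]]
    # 2: the default route must leave through an extranet interface.
    if not any(n.prefixlen == 0 and role == "extranet" for n, role in routes):
        out.append("no default route via an extranet interface")
    # 2: every intranet subnet needs a reverse route via an intranet interface.
    for s in map(ipaddress.ip_network, intranet):
        if not any(n.prefixlen > 0 and s.subnet_of(n) and role == "intranet" for n, role in routes):
            out.append(f"no reverse route for {s}")
    # 3 and 4: a permit policy and a NAT rule from Trust to Untrust.
    pair = ("Trust", "Untrust")
    if not any((p["src"], p["dst"]) == pair and p["action"] == "permit" for p in cfg["policies"]):
        out.append("no permit policy Trust -> Untrust")
    if not any((n["src"], n["dst"]) == pair for n in cfg["nat"]):
        out.append("no NAT rule Trust -> Untrust")
    return out

# Constructed sample: VLAN 200 has no reverse route; private line has a default route.
SAMPLE = {
    "interfaces": {
        "ge0/1": {"role": "intranet", "zone": "Trust", "type": "LAN"},
        "ge0/2": {"role": "extranet", "zone": "Untrust", "type": "WAN"},
        "ge0/3": {"role": "private_line", "default_route": True},
    },
    "routes": [{"dst": "0.0.0.0/0", "out_if": "ge0/2"},
               {"dst": "172.16.100.0/24", "out_if": "ge0/1"}],
    "policies": [{"src": "Trust", "dst": "Untrust", "action": "permit"}],
    "nat": [{"src": "Trust", "dst": "Untrust"}],
}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

A reverse route counts if it covers the subnet, so a single summary route such as 172.16.0.0/16 via the intranet interface satisfies both VLANs.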




