test bandwidth with iperf behind two firewalls
Hello!
I have to perform a bandwidth test on a link behind two firewalls.
I have a link on interface X18 with IP address 172.172.172.1 on SW-A, linked to X18 with IP 172.172.172.2 on SW-B.
LAN and WAN are on another class and on other interfaces.
I have two hosts, one behind each firewall, and I'm connected remotely to them.
How can I perform a test with iperf3 between those two hosts?
I'm stuck on the first host: I can't ping my X18 interface. I have configured a second LAN interface in the network configuration of host A with the IP 172.172.172.3 and gateway 172.172.172.1. I also set up a LAN-to-LAN rule to allow traffic from the host to X18, but the ping fails.
Thank you.
Answers
@mimiz you cannot have the same subnet on both sides, because you expect Layer 2 to work over Layer 3; this might work with EoIP, which is not the case here.
A local ping will (should) work if enabled on the X18 interface, but it will not work for the remote side because the packet is not routed and the ARP lookup will fail, basic networking.
--Michael@BWC
OK, thanks @BWC.
I will explain my work plan better: we have just set up a 10 GB dark fiber (MPLS) link between two sites that are already interconnected (1 GB dark fiber, site-to-site VPN). I would have to test the bandwidth of this link; what method should I use in this case?
@mimiz look at the X18 subnet as some form of transfer network; I would create a separate zone for that and rate it as public.
Create the needed network routes for each side (-A routes networks via the X18 IP address of -B and vice versa) and make sure it's used prior to your VPN. Allow the traffic from LAN to the DARKFIBER zone and vice versa; this should be it.
--Michael@BWC
Wow! Thanks @BWC! But I'm a real newbie, and I'm afraid I need more details than that to implement what you suggest. What I understand is: create a new public zone, assign it to the two X18 interfaces, and route the two machines to these interfaces. Can you share a KB article or a tutorial to follow? Because right now I can't do it at all, especially since I can't even ping from the local machine to the local interface on X18.
Thanks a lot.
@mimiz don't put any machines in the "DARKFIBER" zone; this will not work. They need to be in the LAN (or any other zone), and then it comes down to simple routing and access rules.
--Michael@BWC
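As an added illustration of the design in the two answers above (example code written for this edit, not code from the thread or from SonicWall), here is a small Python model of both firewalls' routing tables and of a host's first-hop decision. The X18 addresses are the ones quoted in the thread; the /30 transfer mask, the LAN prefixes 10.1.0.0/24 and 10.2.0.0/24, the firewall LAN addresses and the route metrics are assumptions. The model reproduces the failing plan from the original post (a host addressed inside the X18 subnet ARPs for something that is not on its own segment, so nothing answers) and the working one (hosts stay in LAN, each firewall has a static route to the far LAN via the peer's X18 address, and that route is preferred over the VPN route for the same prefix).

```python
import ipaddress

# Constructed topology modelled on the thread. The X18 addresses (172.172.172.1
# on SW-A, 172.172.172.2 on SW-B) are the ones quoted; the /30 transfer mask,
# the LAN prefixes and the firewall LAN addresses are assumptions for the example.
TRANSFER = ipaddress.ip_network("172.172.172.0/30")
SITES = {
    "A": {"lan": ipaddress.ip_network("10.1.0.0/24"), "fw_lan": "10.1.0.1",
          "x18": "172.172.172.1", "peer_x18": "172.172.172.2"},
    "B": {"lan": ipaddress.ip_network("10.2.0.0/24"), "fw_lan": "10.2.0.1",
          "x18": "172.172.172.2", "peer_x18": "172.172.172.1"},
}
OTHER = {"A": "B", "B": "A"}


def firewall_routes(site):
    """Routing table of one firewall as (prefix, next_hop, metric, egress).
    The static route over the dark fibre carries a lower metric than the VPN
    route for the same prefix, so it is preferred while X18 is up."""
    me, other = SITES[site], SITES[OTHER[site]]
    return [
        (me["lan"], None, 0, "LAN"),                                   # connected
        (TRANSFER, None, 0, "X18"),                                    # connected
        (other["lan"], ipaddress.ip_address(me["peer_x18"]), 1, "X18"),  # via peer X18
        (other["lan"], None, 10, "VPN"),                               # fallback
    ]


def lookup(routes, dst):
    """Longest-prefix match, lowest metric as tie-breaker -> (next_hop, egress)."""
    dst = ipaddress.ip_address(dst)
    hits = [r for r in routes if dst in r[0]]
    if not hits:
        return None
    _, next_hop, _, egress = max(hits, key=lambda r: (r[0].prefixlen, -r[2]))
    return next_hop, egress


def host_to_host(src_site, src_ip, src_mask, gateway, dst_ip):
    """Trace how a host attached to its site's LAN segment reaches dst_ip.
    Returns the list of hops, or raises ConnectionError when the addressing
    plan cannot work at all (the failure mode described in the thread)."""
    src = ipaddress.ip_interface(f"{src_ip}/{src_mask}")
    dst = ipaddress.ip_address(dst_ip)
    gw = ipaddress.ip_address(gateway)
    lan = SITES[src_site]["lan"]

    # Step 1: the host decides from its own mask whether dst is on-link.
    if dst in src.network:
        # It ARPs on the LAN segment. Only addresses that really live there
        # answer; X18 addresses and far-site hosts do not, because the X18
        # link between the firewalls is routed, not bridged (no L2 over L3).
        if dst in lan:
            return [f"on-link {dst}"]
        raise ConnectionError(f"ARP for {dst} on the site-{src_site} LAN gets no answer")

    # Step 2: off-link, so the host ARPs for its gateway instead.
    if gw not in src.network or gw not in lan:
        raise ConnectionError(f"gateway {gw} is not reachable on the site-{src_site} LAN")
    hops = [f"gateway {gw}"]

    # Step 3: the firewalls forward by their routing tables until a directly
    # connected prefix is hit.
    site = src_site
    while True:
        found = lookup(firewall_routes(site), dst)
        if found is None:
            raise ConnectionError(f"FW-{site} has no route to {dst}")
        next_hop, egress = found
        if next_hop is None:
            hops.append(f"FW-{site} {egress} -> {dst}")
            return hops
        hops.append(f"FW-{site} {egress} -> {next_hop}")
        site = OTHER[site]


def plan_works(*args):
    """True when host_to_host finds a path, False when the plan cannot work."""
    try:
        host_to_host(*args)
        return True
    except ConnectionError:
        return False


if __name__ == "__main__":
    # Original plan: host A addressed in the X18 subnet, gateway = local X18.
    print(plan_works("A", "172.172.172.3", 24, "172.172.172.1", "172.172.172.1"))
    # Suggested plan: host A stays in LAN, firewalls route via the peer's X18.
    print(host_to_host("A", "10.1.0.10", 24, "10.1.0.1", "10.2.0.10"))
```

Running it shows the same symptom the original post reports (even the local X18 address is unreachable from a host that was given an X18-subnet address on the LAN segment) and, for the LAN-to-LAN case, the path gateway, FW-A over X18 to 172.172.172.2, FW-B to the far LAN. Dropping the metric-1 X18 route from `firewall_routes` makes `lookup` fall back to the VPN entry, which is the "make sure it's used prior to your VPN" point in the answer.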
I finally managed to do this test, but what's weird is that when I do a traceroute between the two hosts, it tells me that the address is directly connected; it doesn't show me the two addresses of the X18 interfaces.
Also, I get cuts; it is as if the hosts were disconnected. I can't run my test for more than 15 minutes.
Thank you very much!
@mimiz you will not see the SNWL interfaces in the traceroute until the option "Decrement IP TTL for forwarded traffic" is enabled in the Firewall Advanced settings on your SNWL appliances.
--Michael@BWC
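To show why the traceroute looks "directly connected" until that option is on, here is a small simulation of traceroute's TTL probing (an added example for this edit, not code from the thread or from SonicWall). It models the path host A, FW-A, X18 link, FW-B, host B; 172.172.172.2 is the X18 address from the thread, while the FW-A LAN address 10.1.0.1 and the host B address 10.2.0.10 are assumptions. Each firewall either decrements the TTL of forwarded packets or leaves it untouched. A hop that answers ICMP Time Exceeded is modelled as replying from the interface facing the probe source, which is the usual router behaviour, so from host A the firewall addresses that can appear are FW-A's LAN side and FW-B's X18 side.

```python
# Constructed path modelled on the thread: host A -> FW-A -> (X18 link) -> FW-B
# -> host B. 172.172.172.2 is FW-B's X18 address from the thread; FW-A's LAN
# address and host B's address are assumptions for the example.
DEST_B = "10.2.0.10"


def make_path(decrement_on_a, decrement_on_b):
    """The two forwarding hops between the hosts, with the TTL option per firewall."""
    return [
        {"name": "FW-A", "reply_addr": "10.1.0.1", "decrements_ttl": decrement_on_a},
        {"name": "FW-B", "reply_addr": "172.172.172.2", "decrements_ttl": decrement_on_b},
    ]


def send_probe(ttl, path, dest):
    """Forward one probe along the path and return the address that answers.
    A hop that decrements the TTL to zero drops the probe and answers with
    ICMP Time Exceeded from the interface facing the source. A hop that does
    not decrement TTL forwards the probe unchanged, which is what a firewall
    with 'Decrement IP TTL for forwarded traffic' disabled does, so it is
    invisible to traceroute. The destination answers whatever TTL is left."""
    for hop in path:
        if hop["decrements_ttl"]:
            ttl -= 1
            if ttl == 0:
                return hop["reply_addr"]
    return dest


def traceroute(path, dest, max_hops=30):
    """Classic traceroute: probes with TTL 1, 2, ... until the destination answers."""
    hops = []
    for ttl in range(1, max_hops + 1):
        answer = send_probe(ttl, path, dest)
        hops.append(answer)
        if answer == dest:
            break
    return hops


if __name__ == "__main__":
    print("TTL decrement off on both:", traceroute(make_path(False, False), DEST_B))
    print("TTL decrement on on both: ", traceroute(make_path(True, True), DEST_B))
    print("TTL decrement on FW-B only:", traceroute(make_path(False, True), DEST_B))
```

With the option off on both appliances the first probe (TTL 1) passes both firewalls untouched and host B answers, so the output is a single hop, exactly the "directly connected" picture from the reply above. With the option enabled on both, FW-A and FW-B each consume one TTL and show up as separate hops before the destination.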
You can create network monitor policies on each firewall to ping various things to help you narrow down where the connectivity issue is.