CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Sonos across vlan defined in a 600 appliance

  1. #1
    Join Date
    2007-10-12
    Posts
    127
    Rep Power
    10

    Default Sonos across vlan defined in a 600 appliance

    I have a CP 600 running our office. I defined a VLAN on the DMZ port to create a separation between our work network and what we use as a guest network. So work network is 172.16.1.x and dmz is 192.168.200.x and VLAN 4 is 192.168.201.x. Works.

    I have some remotes on the 192.168.201.x network that need to see a particular ip on the 172 network and I defined a rule allowing that and it worked just fine.

    I have a sonos system on the 172 network which uses a handful of ports (80, 443 and I believe one other) and they can't be seen on the 192 network. I believe they are sent around the network on multicast.

    Is there a way I can allow the multicast from the 172 network to the 192 network and possibly add some rules that would allow devices on the guest network to see the sonos?

    In reading other threads, specifically this one: https://en.community.sonos.com/troub...solution-30950 I need to allow multicast to the 192 network so the Sonos controller that is on that network knows about the sonos systems on the 172 network. Then I need to allow the devices to pass traffic. Is there a way to allow the multicast from 172 to 192? The 2nd part should just be some access policy rules (I would think).

    Thanks,

    Roveer
    Last edited by roveer; 2017-02-28 at 17:44.

  2. #2
    Join Date
    2008-07-31
    Location
    Netherlands, Europe
    Posts
    1,068
    Rep Power
    10

    Default Re: Sonos across vlan defined in a 600 appliance

    What version do you have on the 600? I recently updated a 1450 with the R77.20.51 firmware and after that my VLANs no longer worked, they were on the DMZ port as well..
    Regards, Maarten.
    Dual P1 R77.30, VSX, IPSO, SPLAT, GAIA mostly.

  3. #3
    Join Date
    2007-10-12
    Posts
    127
    Rep Power
    10

    Default Re: Sonos across vlan defined in a 600 appliance

    Quote Originally Posted by msjouw View Post
    What version do you have on the 600? I recently updated a 1450 with the R77.20.51 firmware and after that my VLANs no longer worked, they were on the DMZ port as well..
    Right now I'm sitting at R77.20.20 (990170830) with an update showing. I'm always so hesitant to upgrade because I assume I need 10-15 hours to fix whatever stops working afterward. Guess I'm going to stay on the version I'm on as I don't have 10-15 hours to give right now.

    Roveer

  4. #4
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,266
    Rep Power
    7

    Default Re: Sonos across vlan defined in a 600 appliance

    Quote Originally Posted by msjouw View Post
    What version do you have on the 600? I recently updated a 1450 with the R77.20.51 firmware and after that my VLANs no longer worked, they were on the DMZ port as well..
    I thought you said that was R77.20.50 (which was yanked btw)?

  5. #5
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,266
    Rep Power
    7

    Default Re: Sonos across vlan defined in a 600 appliance

    Quote Originally Posted by roveer View Post
    I have a CP 600 running our office. I defined a VLAN on the DMZ port to create a separation between our work network and what we use as a guest network. So work network is 172.16.1.x and dmz is 192.168.200.x and VLAN 4 is 192.168.201.x. Works.

    I have some remotes on the 192.168.201.x network that need to see a particular ip on the 172 network and I defined a rule allowing that and it worked just fine.

    I have a sonos system on the 172 network which uses a handful of ports (80, 443 and I believe one other) and they can't be seen on the 192 network. I believe they are sent around the network on multicast.

    Is there a way I can allow the multicast from the 172 network to the 192 network and possibly add some rules that would allow devices on the guest network to see the sonos?

    In reading other threads, specifically this one: https://en.community.sonos.com/troub...solution-30950 I need to allow multicast to the 192 network so the Sonos controller that is on that network knows about the sonos systems on the 172 network. Then I need to allow the devices to pass traffic. Is there a way to allow the multicast from 172 to 192? The 2nd part should just be some access policy rules (I would think).

    Thanks,

    Roveer
    Multicast.. um.. it's fun?

    I think you need to enable PIM and IGMP on both interfaces. What I don't understand is if you'll need to configure a RP, I'm thinking not since the firewall is connected to both networks, but I really am no pro at multicast.

    You'll need to allow all those protocols in addition to the multicast, *I think* with the source of the multicast server and a destination of the multicast address.

  6. #6
    Join Date
    2007-10-12
    Posts
    127
    Rep Power
    10

    Default Re: Sonos across vlan defined in a 600 appliance

    Quote Originally Posted by jflemingeds View Post
    Multicast.. um.. it's fun?

    I think you need to enable PIM and IGMP on both interfaces. What I don't understand is if you'll need to configure a RP, I'm thinking not since the firewall is connected to both networks, but I really am no pro at multicast.

    You'll need to allow all those protocols in addition to the multicast, *I think* with the source of the multicast server and a destination of the multicast address.
    Ya huh...

    So I assume this stuff would have to be done at command line not GUI correct? I have to decide if it's worth it. If it's really difficult it's easier to just put the devices that need to see sonos on the inside network. I have to be realistic on how far off the beaten path I really want to take my configuration.

    Is there a way to enable PIM and IGMP in easy commands that can be reversed? I'd be willing to give it a shot.

    Roveer

  7. #7
    Join Date
    2013-09-25
    Location
    Bucharest
    Posts
    584
    Rep Power
    4

    Default Re: Sonos across vlan defined in a 600 appliance

    Quote Originally Posted by roveer View Post
    Ya huh...

    So I assume this stuff would have to be done at command line not GUI correct? I have to decide if it's worth it. If it's really difficult it's easier to just put the devices that need to see sonos on the inside network. I have to be realistic on how far off the beaten path I really want to take my configuration.

    Is there a way to enable PIM and IGMP in easy commands that can be reversed? I'd be willing to give it a shot.

    Roveer
    Had a quick look at the CLI guide.

    If you have the time, you can play with this. I admit I am curious about the outcome if you try it :).
    Now, I had my small share of multicast on Cisco some years ago, and although it can get much more complicated there, Cisco offers in-depth documentation and an above-average implementation of multicast.
    If we were betting, I would put my money on CP not having invested that many resources in the multicast code, so you might easily waste your time here.
    I can tell you I spent more than 1/2h year with unfinished OSPF code on 1100 appliances while knowing the tech/theory behind it very well. And I find multicast a bit more twisty than OSPF (probably because I spent much more time on the latter).

    Keep us posted, please!

  8. #8
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,266
    Rep Power
    7

    Default Re: Sonos across vlan defined in a 600 appliance

    Quote Originally Posted by roveer View Post
    Ya huh...

    So I assume this stuff would have to be done at command line not GUI correct? I have to decide if it's worth it. If it's really difficult it's easier to just put the devices that need to see sonos on the inside network. I have to be realistic on how far off the beaten path I really want to take my configuration.

    Is there a way to enable PIM and IGMP in easy commands that can be reversed? I'd be willing to give it a shot.

    Roveer
    From clish
    set pim mode sparse
    set pim interface LAN1 on
    set igmp interface LAN1 version 2

  9. #9
    Join Date
    2008-07-31
    Location
    Netherlands, Europe
    Posts
    1,068
    Rep Power
    10

    Default Re: Sonos across vlan defined in a 600 appliance

    Quote Originally Posted by jflemingeds View Post
    I thought you said that was R77.20.50 (which was yanked btw)?
    It could very well be, I'm on R77.20.40 at the moment for this one.
    Regards, Maarten.
    Dual P1 R77.30, VSX, IPSO, SPLAT, GAIA mostly.

  10. #10
    Join Date
    2007-10-12
    Posts
    127
    Rep Power
    10

    Default Re: Sonos across vlan defined in a 600 appliance

    Quote Originally Posted by jflemingeds View Post
    From clish
    set pim mode sparse
    set pim interface LAN1 on
    set igmp interface LAN1 version 2
    Dumb question. If I were to put these commands in, what would I need to do to reverse them? Thanks.

  11. #11
    Join Date
    2013-09-25
    Location
    Bucharest
    Posts
    584
    Rep Power
    4

    Default Re: Sonos across vlan defined in a 600 appliance

    Quote Originally Posted by roveer View Post
    Dumb question. If I were to put these commands in, what would I need to do to reverse them? Thanks.
    set pim interface LAN2 off

    for IGMP default is 2, so no need to reverse it:

    set igmp interface LAN2 version
    Default: 2.
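
An added check, not part of any post in this thread: a probe to run from a host on the guest VLAN before and after the PIM/IGMP change, reporting whether discovery replies arrive from players on the work network. It assumes Sonos discovery uses standard SSDP (group 239.255.255.250, UDP 1900) with the ZonePlayer search target, and that the work network is 172.16.1.0/24; none of these values are stated in the thread.

```python
import ipaddress
import socket

SSDP_GROUP, SSDP_PORT = "239.255.255.250", 1900          # assumption: standard SSDP group
SONOS_ST = "urn:schemas-upnp-org:device:ZonePlayer:1"    # assumption: Sonos search target
WORK_NET = ipaddress.ip_network("172.16.1.0/24")         # thread's 172.16.1.x, /24 assumed

def build_msearch(st=SONOS_ST, mx=2):
    """Return the SSDP M-SEARCH datagram a controller multicasts to find players."""
    lines = ["M-SEARCH * HTTP/1.1", f"HOST: {SSDP_GROUP}:{SSDP_PORT}",
             'MAN: "ssdp:discover"', f"MX: {mx}", f"ST: {st}", "", ""]
    return "\r\n".join(lines).encode("ascii")

def parse_reply(data):
    """Parse a unicast SSDP reply into {HEADER: value}; None if it is not a 200 reply."""
    status, _, rest = data.decode("utf-8", "replace").partition("\r\n")
    if not status.startswith("HTTP/1.1 200"):
        return None
    pairs = (line.partition(":") for line in rest.split("\r\n"))
    return {k.strip().upper(): v.strip() for k, sep, v in pairs if sep}

def classify(replies, net=WORK_NET):
    """Split (source_ip, datagram) pairs into work-network players and all others."""
    inside, other = [], []
    for ip, data in replies:
        hdr = parse_reply(data)
        if hdr and hdr.get("ST") == SONOS_ST:
            bucket = inside if ipaddress.ip_address(ip) in net else other
            bucket.append((ip, hdr.get("LOCATION")))
    return inside, other

def probe(timeout=3.0, ttl=4):
    """Send one M-SEARCH with TTL > 1 so a multicast router can forward it; collect replies."""
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, ttl)
        s.settimeout(timeout)
        s.sendto(build_msearch(), (SSDP_GROUP, SSDP_PORT))
        try:
            while True:
                data, addr = s.recvfrom(2048)
                replies.append((addr[0], data))
        except socket.timeout:
            pass
    return replies

if __name__ == "__main__":
    inside, other = classify(probe())
    print("work-network players seen:", inside or "none", "| others:", other)
```

An empty work-network list after the change means either the query is not being forwarded to the 172 network or the unicast replies are being dropped by the access policy; the gateway's logs show which.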
