Routing Tips for Bridge (transparent) mode

Correct identification of the default-route device and internal static-routes will provide orderly traffic handling. The correct way to configure routes is illustrated below, and includes an example of how routing loops occur.

Routing Device: In the illustrations below, "Routing Device" means "Layer 3" support, or the ability to forward traffic between different networks. This would typically include "Layer 3 Switches," "Routers" or "Segment Routers," and "Routing Hosts."  This would not include "Hubs," or "Layer 2 Switches."

In brief, the following suggestions will ease iPrism installation and use:

Setting an iPrism Default Route to Prevent Routing Loops

Avoiding "Routing Loops" or "Ping-Ponging" of traffic is easy: simply ensure the iPrism Default Route is the next hop towards the Internet. In the illustration below, the firewall is the next outbound hop towards the Internet.

Note that it is possible to install iPrism inside your core "Routing Device," instead of between the Routing Device and Firewall (as shown below). This places iPrism closer to the user communities. A simple example is "User > Router2 > iPrism > Router1 > Firewall > Internet." Router1 would be the Default Route since it is the next hop towards the Internet. For examples of why you might install iPrism this way, see:

Bridge (transparent) mode Intranet Installations


To check or set your current default route, go to:

  • Appliance Manager > System Configuration > System > Networking tab > Routing > Default Route

  • Verify the Default Route is NOT an internal core router, but an Internet facing firewall/router.

Warning! Do NOT run ipconfig /all from the command line, read the Default Gateway, and assume that the IP address is the correct address for the Internet facing firewall/router. Client systems typically list a Default Gateway that is an internal core router, such as the Layer 3 Switch shown at left. Configuring this address in iPrism WILL cause routing loops, as illustrated next.


Incorrectly configured default-route information will cause one of the following:

  • No Internet access whatsoever, but the internal network functions. Traffic ping-pongs between iPrism and the internal core router, as shown at left. The default route of the switch or router is pointing at the firewall, but when the traffic gets to iPrism, the default route is pointing back to the internal switch/router, so the traffic goes back to the switch/router, which resends it to the firewall; iPrism resends it to the switch/router, and so on. Effectively, iPrism and the switch/router are in a "deadly embrace."

  • Internet access, but degraded network and filtering performance. Depending on the switch/router in use, traffic may eventually pass through iPrism with a MAC address for routing. However, the network is incurring unnecessary overhead, and the traffic may not be filtered by iPrism, which means "blocks" will not occur as expected.

Setting iPrism Static Route(s) to Prevent Dropped iPrism Traffic

A prompt for Static Routes is part of the installation dialogue, but is often overlooked. If you are evaluating in Bridge (transparent) mode you may test from the subnet iPrism is a member of (at least initially) and add more Static Routes to expand your network coverage later. Use the Advanced button (highlighted above) to configure Static-Routes.

Bridge (transparent) mode requires Static-Routes so iPrism-generated traffic can be sent back to clients. This would include:

  • iPrism "block" pages or other iPrism messaging or transactions

  • Messaging that establishes authenticated sessions for users

Note: Return traffic from the web transparently passes through iPrism and is routed back to clients by the internal routing device.

Incorrectly configured, or missing Static-Route information may manifest as:

  • Authentication failures, particularly during initial setup and use, or

  • Lack of proper iPrism "Block page" messaging.

When no Static Routes are defined, iPrism does not know where to forward client-bound traffic originating from iPrism itself. In this case iPrism has no choice but to use the Default Route as the route of "last resort." Note: In TCP/IP, "Default Route" means "the route to use when I don't have routing information for the destination IP address in hand." Since no Static Routes are defined, iPrism sends self-generated client-bound traffic back OUT to the firewall via the Default Route definition. Typically, the packets don't make it to the client, causing messaging or authentication problems.
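The two failure modes described in this article, the default-route "deadly embrace" between iPrism and the core router, and iPrism-generated traffic leaving via the Default Route because no Static Route exists, can both be reproduced with a small hop-by-hop forwarding simulator. The following is an added example written for this page; it is not iPrism code or output. It assumes three constructed devices ("core" for the Layer 3 switch, "iprism", and "firewall"), a constructed user subnet 10.20.0.0/16 behind the core, constructed addresses 203.0.113.10 (Internet) and 10.20.5.7 (client), and models iPrism's in-line position by giving the core's default route "iprism" as its next hop, so outbound traffic reaches iPrism before the firewall.

```python
"""Hop-by-hop forwarding simulator for the two routing mistakes in the article.

Added example, not iPrism code. Every device name, prefix and address below is
constructed for illustration.
"""
import ipaddress

# Devices that terminate a trace: once a packet arrives here it has left the
# part of the network we are modelling.
ENDPOINTS = {"firewall", "client-lan"}


def build_table(routes):
    """routes: list of (prefix, next_hop); '0.0.0.0/0' is the default route."""
    return [(ipaddress.ip_network(prefix), next_hop) for prefix, next_hop in routes]


def lookup(table, dst):
    """Longest-prefix match; returns the next hop, or None when there is no
    matching route and no default route."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, nh) for net, nh in table if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def trace(tables, start, dst, expected_endpoint, max_hops=8):
    """Forward a packet to `dst` starting at `start`, consulting each device's
    own table, until an endpoint is reached or a device is revisited.
    Returns (path, status) where status is 'delivered', 'misrouted',
    'dropped' or 'loop'."""
    path = [start]
    device = start
    while device not in ENDPOINTS:
        next_hop = lookup(tables[device], dst)
        if next_hop is None:
            return path, "dropped"
        path.append(next_hop)
        # Revisiting a device means the packet is ping-ponging: a routing loop.
        if next_hop in path[:-1] or len(path) > max_hops:
            return path, "loop"
        device = next_hop
    return path, "delivered" if path[-1] == expected_endpoint else "misrouted"


# Core Layer 3 switch (constructed): the user subnet is directly connected,
# and everything else goes out towards the Internet. iPrism sits in-line on
# that path, so the core's outbound traffic reaches iPrism first.
CORE = build_table([
    ("10.20.0.0/16", "client-lan"),
    ("0.0.0.0/0", "iprism"),
])


def default_route_scenario(iprism_default_next_hop):
    """A client packet bound for the Internet, with iPrism's Default Route set
    to the given next hop ('core' reproduces the loop, 'firewall' is correct)."""
    tables = {"core": CORE, "iprism": build_table([("0.0.0.0/0", iprism_default_next_hop)])}
    return trace(tables, "core", "203.0.113.10", expected_endpoint="firewall")


def static_route_scenario(with_static_route):
    """An iPrism-originated packet (e.g. a block page) bound for a client.
    Without a Static Route for the client subnet, iPrism's only option is the
    Default Route, which sends the packet out to the firewall instead."""
    routes = [("0.0.0.0/0", "firewall")]
    if with_static_route:
        routes.append(("10.20.0.0/16", "core"))  # Static Route: user subnet via the core
    tables = {"core": CORE, "iprism": build_table(routes)}
    return trace(tables, "iprism", "10.20.5.7", expected_endpoint="client-lan")


if __name__ == "__main__":
    print("iPrism default -> core:     ", default_route_scenario("core"))
    print("iPrism default -> firewall: ", default_route_scenario("firewall"))
    print("no static route:            ", static_route_scenario(False))
    print("static route 10.20.0.0/16:  ", static_route_scenario(True))
```

Running the block prints the loop path `['core', 'iprism', 'core']` for the wrong Default Route and `['iprism', 'firewall']` marked `misrouted` for the missing Static Route, which is exactly the symptom described above: the block page or authentication message goes out to the firewall and never reaches the client. Adding the Static Route gives `['iprism', 'core', 'client-lan']`.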

Note: Static Route information is not needed for

To configure Static Routes, see the following links:

Other FAQs

Why does iPrism only filter some of my networks, but not others?

Should iPrism be my users' new default route (gateway)?

Should I place iPrism inside or outside of my firewall, proxy server, or NAT device?

Why do I need to specify Static Routes for iPrism?