Losing internet connection when attaching an additional interface
We have a Zyxel USG Flex 500 with 8 ports (one fiber, 7 RJ45). The fiber port (port 1) is not used. Port 2 is used as a WAN port (configured as external). PPP is not configured, since that is done on a router managed by our provider. Port 3 is connected to our LAN (configured as internal) over a switch. This is working well so far and everyone has internet access.
Now I would like to connect Port 4 and Port 5 of the firewall to a server used for virtual machines (Hyper-V). This server has 7 ports. One port is connected to the switch, so that the server has internet access. Two additional ports on this server could be used to connect to the firewall. Ports 4 and 5 are configured as internal, and are mapped to their own zone on the firewall. As soon as I connect the server to one of the ports 4 or 5, I have some package loss if I ping the internet. If I connect the server to both ports 4 and 5, then I lose the internet connection completely. I also did a ping directly on the firewall from the CLI. Even that ping is not working anymore. For ports 4 and 5 I used one cable for each port directly, without a switch in between.
The target of the whole setup is that I can create 2 VMs on the server, each of which would be mapped to a dedicated interface of the server, which is connected to a dedicated interface on the firewall. This way I can create firewall rules for those VMs.
Has anyone an idea why the WAN interface goes down?
Many thanks!
Accepted Solution
-
In the meantime we did further testing with the firewall. My current assumption is a hardware failure.
To do further testing we reset our firewall to the default configuration by pressing the reset switch until the system LED starts flashing. I connected P2 (WAN1) to our gateway. On P4 (LAN1), with DHCP enabled, I connected my laptop and got the IP 192.168.1.33. The firewall has 192.168.1.1. Over the web access I answered all questions of the wizard and entered a static IP for the firewall on WAN1 and the gateway address. Afterwards I had access from my laptop to the internet. On the CLI of the web interface I entered "ping google.com forever". The ping was working, with no packet loss. Then I connected a little 8-port Zyxel switch (GS-108B v2) to P5, with no other devices connected to that switch. I did a ping from the firewall again, with the following result:
--- google.com ping statistics ---
12 packets transmitted, 4 received, 66% packet loss, time 11002ms
rtt min/avg/max/mdev = 3.420/3.769/4.175/0.308 ms
Then I connected a second 8-port Zyxel switch to P6, and then I had 100% packet loss, so I lost the connection to the web interface from my laptop. Then I unplugged the two switches, and the firewall was working again as expected. Then I plugged the switches into P7 and P8, which again led to a total outage, without being able to reach the web interface anymore. I tested further ports, always with the same result. As soon as one switch was connected, I had package loss, and with two switches connected I lost the connection completely.
So now I have to convince support that this strange situation really happened, so that we hopefully get a replacement device.
If anyone still has an idea what could cause this issue, or if someone has any idea what I could try out next, please answer me.
Kind regards
Richard
0
All Replies
-
So you lose ping to the internet on port 3 when connecting ports 4 and 5?
Are the internal subnets not conflicting?
0 -
PeterUK said:
So you lose ping to the internet on port 3 when connecting ports 4 and 5?
Are the internal subnets not conflicting?
I don't know where to start to look for this issue. I could imagine that a security feature could be the cause, but I don't know what it could be.
0 -
I simplified the setup.
Port2: WAN
Port3: Switch with office network
Port4: Laptop1
Port5: Laptop2
Port4 Config:
192.168.30.1/24, DHCP enabled
Port5 Config:
192.168.40.1/24, DHCP enabled
When I connect one of the laptops (doesn't matter which one), they get a correct IP from the DHCP, but I start to lose packages if I ping the internet. I can also ping the laptop from the office network, but there too some packages get lost. If I connect both laptops, the internet connection is dead.
Can somebody give me a hint what that could be?
0 -
What zones are assigned to your ports? I have ports 2 & 3 as WAN1, ports 4 & 5 as LAN1 without issues on my USG Flex 500 4.62. Port 6 is also LAN1, ports 7 & 8 are DMZ. On another USG Flex 500 I use ports 1, 2, and 3 as WAN ports. I avoid the OPT zone for historical reasons. VLANs are on one but not the other. Both work great. Can somebody give me a hint what that could be?
0 -
dkyeager said:
What zones are assigned to your ports? I have ports 2 & 3 as WAN1, ports 4 & 5 as LAN1 without issues on my USG Flex 500 4.62. Port 6 is also LAN1, ports 7 & 8 are DMZ. On another USG Flex 500 I use ports 1, 2, and 3 as WAN ports. I avoid the OPT zone for historical reasons. VLANs are on one but not the other. Both work great. Can somebody give me a hint what that could be?
Thanks for your help!
0 -
Hi @RichardSteiner,
Can you share some information with us;
1- What’s the switch’s model name and firmware version?
2- Can you check if you activated Loopguard in the switch?
3- Did you check related log in the switch?
4- Can you draw detailed topology with IP addresses on it?
5- Can you capture packets for WAN1 and LAN interfaces?
0 -
RichardSteiner said:
dkyeager said:
What zones are assigned to your ports? I have ports 2 & 3 as WAN1, ports 4 & 5 as LAN1 without issues on my USG Flex 500 4.62. Port 6 is also LAN1, ports 7 & 8 are DMZ. On another USG Flex 500 I use ports 1, 2, and 3 as WAN ports. I avoid the OPT zone for historical reasons. VLANs are on one but not the other. Both work great. Can somebody give me a hint what that could be?
Thanks for your help!
Zyxel_Can said:
Hi @RichardSteiner,
Can you share some information with us;
1- What’s the switch’s model name and firmware version?
2- Can you check if you activated Loopguard in the switch?
3- Did you check related log in the switch?
4- Can you draw detailed topology with IP addresses on it?
5- Can you capture packets for WAN1 and LAN interfaces?
2. Spanning-Tree is active on the switch. As you can see in the picture below, the switch does not really matter in this case. (At least as far as I can see.)
3. Yes, nothing special.
4. The simplified topology. As soon as I connect the two laptops, the connection to the internet is gone. If one laptop is connected, some packages are lost. The ping is done on the firewall itself towards google.com.
5. If it's possible to do a TCP dump on the Zyxel itself, it should be possible. But I would prefer not to disclose the dump on the internet if possible.
I already tried different IP ranges for the subnets, like 192.168.x.0/24. No overlapping of the subnets. The default gateway is only set on Port2 (WAN).
I still hope for some ideas. Many thanks for reading!
0 -
Is the Port2 static IP part of any of the other subnets? Is Port1 disabled?
0
-
Your drawing does not seem to match up with what you're saying....
Try with a PC/laptop only to ports 3,4 and 5 if that works add the switch to port 3 with just a PC/laptop to the switch.
0 -
mMontana said:
Is the Port2 static IP part of any of the other subnets? Is Port1 disabled?
The RJ45 ports start with 2.
Yes, it is a small subnet from the provider. In the Zyxel firewall it's statically configured: IP, gateway, correct subnet mask, and the two DNS servers. Very standard setup.
0