Losing internet connection when attaching additional interface

RichardSteiner
RichardSteiner Posts: 7
edited April 14 in Security
Hello!

We have a Zyxel USG Flex 500 with 8 ports (one fiber, 7 RJ45). The fiber port (port 1) is not used. Port 2 is used as a WAN port (configured as external), PPP is not configured, since that is done on a router managed by our provider. Port 3 is connected to our LAN (configured as internal) over a switch. This is working well so far and everyone has internet access.

Now I would like to connect Port 4 and Port 5 of the firewall to a server used for Virtual Machines (HyperV). This server has 7 ports. One port is connected to the switch, so that the server has internet access. Two additional ports on this server could be used to connect to the firewall. Port 4 and 5 are configured internal, and are mapped to their own zone on the firewall. As soon as I connect the server to one of the Ports 4 or 5 I have some packet loss if I ping the internet. If I connect the server to both ports 4 and 5, then I lose the internet connection completely. I also did a ping directly on the firewall from the CLI. Even that ping is not working anymore. For port 4 and 5 I used one cable for each port directly without a switch in between.

The target of the whole setup is that I can create 2 VMs on the server, each of them would be mapped to a dedicated interface of the server which is connected to a dedicated interface on the firewall. This way I can create firewall rules for those VMs.

Does anyone have an idea why the WAN interface goes down?

Many thanks!

All Replies

  • PeterUK
    PeterUK Posts: 878  Guru Member
    edited April 1
    So you lose ping to the internet on port 3 when connecting ports 4 and 5?

    Are the internal subnets not conflicting? 
  • PeterUK said:
    So you lose ping to the internet on port 3 when connecting ports 4 and 5?

    Are the internal subnets not conflicting?
    Each internal interface has its own subnet with a 24 bit subnet mask. They are not overlapping.

    I don't know where to start to look for this issue. I could imagine that a security feature could be the cause, but I don't know what it could be.
  • I simplified the setup.
    Port2: WAN
    Port3: Switch with office network
    Port4: Laptop1
    Port5: Laptop2

    Port4 Config:
    192.168.30.1/24, DHCP enabled

    Port5 Config:
    192.168.40.1/24, DHCP enabled

    When I connect one of the laptops (doesn't matter which one), they get a correct IP from the DHCP, but I start to lose packets if I ping the internet. I can also ping the laptop from the office network, but also some packets get lost. If I connect both laptops, the internet connection is dead.

    Can somebody give me a hint what that could be?
  • dkyeager
    dkyeager Posts: 20  Freshman Member
    edited April 2

    Can somebody give me a hint what that could be?
    What zones are assigned to your ports? I have ports 2 & 3 as WAN1, ports 4 & 5 as LAN1 without issues on my USG Flex 500 4.62. Port 6 is also LAN1, ports 7 & 8 are DMZ. On another USG Flex 500 I use ports 1, 2, and 3 as WAN ports. I avoid the OPT zone for historical reasons. VLANs are on one but not the other. Both work great.
  • dkyeager said:

    Can somebody give me a hint what that could be?
    What zones are assigned to your ports? I have ports 2 & 3 as WAN1, ports 4 & 5 as LAN1 without issues on my USG Flex 500 4.62. Port 6 is also LAN1, ports 7 & 8 are DMZ. On another USG Flex 500 I use ports 1, 2, and 3 as WAN ports. I avoid the OPT zone for historical reasons. VLANs are on one but not the other. Both work great.
    I created new custom Zones for each interface. I will try out what happens if I just use the predefined zone LAN1 on port4 and 5.

    Thanks for your help!
  • Zyxel_Can
    Zyxel_Can Posts: 151  Zyxel Employee

    Hi @RichardSteiner,

    Can you share some information with us:

    1. What’s the switch’s model name and firmware version?
    2. Can you check if you activated Loopguard in the switch?
    3. Did you check related log in the switch?
    4. Can you draw detailed topology with IP addresses on it?
    5. Can you capture packets for WAN1 and LAN interfaces?

    Best regards.
  • RichardSteiner
    RichardSteiner Posts: 7
    edited April 13
    dkyeager said:

    Can somebody give me a hint what that could be?
    What zones are assigned to your ports? I have ports 2 & 3 as WAN1, ports 4 & 5 as LAN1 without issues on my USG Flex 500 4.62. Port 6 is also LAN1, ports 7 & 8 are DMZ. On another USG Flex 500 I use ports 1, 2, and 3 as WAN ports. I avoid the OPT zone for historical reasons. VLANs are on one but not the other. Both work great.
    I created new custom Zones for each interface. I will try out what happens if I just use the predefined zone LAN1 on port4 and 5.

    Thanks for your help!
    Using the predefined Zones did not solve the issue. 

    Zyxel_Can said:

    Hi @RichardSteiner,

    Can you share some information with us:

    1. What’s the switch’s model name and firmware version?
    2. Can you check if you activated Loopguard in the switch?
    3. Did you check related log in the switch?
    4. Can you draw detailed topology with IP addresses on it?
    5. Can you capture packets for WAN1 and LAN interfaces?

    Best regards.
    1. The switch model is a HP V1910-24G (Software Version 5.20).
    2. Spanning-Tree is active on the switch. As you can see in the Picture below, the switch does not really matter in this case. (At least as far as I can see)
    3. Yes, nothing special
    4. The simplified topology. As soon as I connect the two Laptops the connection to the internet is gone. If one Laptop is connected some packets are lost. The ping is done on the firewall itself towards google.com
    5. If it's possible to do a TCP dump on the Zyxel itself, it should be possible. But I would like not to disclose the dump on the internet if possible.

    I already tried different IP ranges for the subnets, like 192.168.x.0/24. No overlapping of the subnets. Default gateway is only set on the Port2 (WAN). 

    I still hope for some ideas. Many thanks for reading!
  • mMontana
    mMontana Posts: 109  Ally Member
    Is the Port2 static IP part of any of the other subnets?
    Is Port1 disabled?
  • PeterUK
    PeterUK Posts: 878  Guru Member
    edited April 14

    Your drawing does not seem to match up with what you're saying....

    Try with a PC/laptop only to ports 3, 4 and 5. If that works, add the switch to port 3 with just a PC/laptop to the switch.


  • RichardSteiner
    RichardSteiner Posts: 7
    edited April 14
    mMontana said:
    Is the Port2 static IP part of any of the other subnets?
    Is Port1 disabled?
    The physical port 1 is for fiber, but no SFP module is installed.

    The RJ45 ports are starting with 2.

    Yes, it is a small subnet from the provider. In the Zyxel firewall it's statically configured: IP, gateway, correct subnet mask, and the two DNS. Very standard setup.