Bridging VLAN with physical port

martinmarusinec · April 2022

Hello,
due to historic reasons, we have networks separated by ports and zones on our Zywall USG 700 device. Now, we bought a Layer 3 switch to re architecture the network step by step, however I am stuck at the beginning. I connected the new switch (2 stacked physical switches) over two physical ports to Zywall, created LAG over them (lag1), created two VLANs on the LAG (vlan1 and vlan2), and bridged physical port ge10 (no VLAN assigned) with vlan2 (br2). I configured VLAN2 on port on the switch, where I plugged the test device in. I can ping the test device from Zywall, and I can ping the Zywall from the test device. However, I cannot ping the test device from anything behind port ge10, neither vice versa. In short, I can see the test device from router, but the devices in both physical segments do not see each other. Could you please try to point me to the right direction? I suspected the problem could be in zones (LAG and vlan2 do not have zone assigned, br2 and ge10 has zone DMZ), however I am not sure how the Zone membership is enforced between slave and master devices.
thanks,
Martin

Fred_77 · April 2022

Hi @martinmarusinec

I'm not sure have understand your scenario, anyway you should configure 3 vlan on your switch. example
Vlan 100 with interface ip 192.168.100.254

Vlan 200 with interface ip 192.168.200.254

and the vlan 254 that will be the one shared with your usg (Vlan ip 192.168.254.250)
Configure the default GW of the switch with the ip of the USG Es. 192.168.254.254.

Now the default gw of your clients in vlan 100 will be 192.168.100.250 and 192.168.200.250 for clients in vlan 200.

By default L3 switch should route traffic between vlans.

USG in this case will be invoked only to route traffic to/from internet.

So on your USG you need to configure only vlan 254 with ip 192.168.254.254.

Remember that you need 2 static route to allow traffic from wan to vlans 100-200 that are behind switch.
Hope this help

martinmarusinec · April 2022

Hello, I do not have problem with routing, I have problem that my hosts from one segment in the same subnet do not see hosts on other segment in same subnet. Both segments are connected with bridge interface, while first segment is connected physically to one port, and second segment is connected with VLAN interface on top of the LAG interface. I can see all hosts from the router. ARP packets seems not passing.

Fred_77 · April 2022

Hello,
thanks for clarification. I have replicated your scenario and it works for me.
Maybe your issue could be the zone.
Vlan2 and Br2 must be on the same zone. (example "Br2_Zone")
Moreover for your tests a security policy "Br2_to_Any" is needed to allow traffic.

martinmarusinec · April 2022

It makes no difference whether I set the same zone on bridge, vlan2 and Lag. However I think (may be I am wrong) that zones specifies which firewall rules should be applied, and I even do not have ARP populated. Could be the problem lies in tagging? vlan2 is obviously tagged as VLAN2, while the ge10 port has no VLAN configuration at all (default VLAN1 I suppose)...

Fred_77 · April 2022

mmm no
i've done the same thing: vlan tagging between switch and USG (lag) and no tag/vlan on the other port/segment. Obviously the hosts on vlan2 must be connected to untagged ports members of vlan2 with pvid 2 on switch

Fred_77 · April 2022

hosts on the same segment can ping each other?

martinmarusinec · April 2022

on legacy segment I can ping hosts from each other and also a gateway, on the new segment on new switch I have only singe test device, but I can ping the gateway

Fred_77 · April 2022

i suppose also the gw is the same in each segment

martinmarusinec · April 2022

gateway is the IP address assigned to the bridge br2 interface. so technically both segments see the router, which imho implies the LAG and VLAN2 works. I have no idea what should I try next....