No management traffic/DHCP from upstream firewall/router to three GS1900 switches over PVID 1

markgb Posts: 6

I have two GS1900-24E and one GS1900-24 switches connected to the three internal ports on my Firewalla Gold Plus router/firewall. I created 6 VLANs with DHCP support from the Firewalla connected to port 24 on each switch and they all work as expected. However, I seem to have inconsistent functionality on the uplink/trunk port for LAN management traffic provided by the Firewalla with DHCP over port 24. Sometimes it works and other times it doesn’t. After adding the two GS1900-24E switches and making some minor port assignment changes (changing PVID on some access ports) and then rebooting the GS1900-24 switch, I no longer have management traffic on port 24 and have to use static IPs to connect to the switch. I have a few ports set to PVID 1 and untagged to allow connectivity to the management interface on the Firewalla, but right now I am not able to ping the Firewalla management gateway or the other switches. I can work around this with static IPs, but it seems odd that I am having this inconsistent behavior. The Firewalla has not been changed since I initially installed it and all three ports are set for use as both VLAN ports (tagged) and native LAN (untagged). This was the default configuration for the Firewalla, after creating the 6 VLANs. Any ideas?

All Replies

  • PeterUK
    PeterUK Posts: 2,590  Guru Member

    If the Management VLAN on the switch is set to 1, you have to be on that VLAN.

  • markgb
    markgb Posts: 6

    The management traffic from the firewall is untagged, but on the same interface as the VLAN tagged traffic. That is on port 24 of each switch which is set to the default PVID 1. Tagged traffic is being sent to each access port that has the same PVID as the VLANs that I created on the firewall. I have a couple of additional untagged ports assigned to PVID 1 which I intended to use with my laptop for configuration and troubleshooting on the management network. More than once, I have had this configuration working for this purpose, but it does not appear to be stable. I have the startup and running configs saved, just in case. My understanding was that Zyxel switches did not consider PVID 1 to be a VLAN, which I would think would require tagging. Since I did not designate a VLAN 1 on my firewall, I assumed this would work. The options I have on the firewall for management traffic network type are either LAN or VLAN. Should I change the network type on the Firewalla to a VLAN designation? I had considered that, but didn’t see why that would make a difference if port 24 on the switch is configured as untagged on PVID 1. It would seem that I would then have to add a tagged designation on port 24 for PVID 1.
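
An added illustration, not part of the original thread and not a simulation of GS1900 or Firewalla firmware: a minimal generic 802.1Q model of the port layout described in the post above, with untagged management traffic on PVID 1 sharing port 24 with tagged VLANs. VLAN IDs 10-60 and ports 1-3 are constructed, and ingress filtering is assumed to be enabled.

```python
from dataclasses import dataclass

@dataclass
class Port:
    pvid: int          # VLAN assigned to untagged frames arriving on this port
    untagged: set      # VLANs this port is a member of and sends without a tag
    tagged: set        # VLANs this port is a member of and sends with a tag

    def members(self):
        return self.untagged | self.tagged

def flood(ports, in_port, tag=None):
    """Return {egress_port: tag or None} for a broadcast (e.g. a DHCP DISCOVER)."""
    src = ports[in_port]
    vid = src.pvid if tag is None else tag   # untagged ingress is classified by PVID
    if vid not in src.members():             # ingress filtering (assumed enabled)
        return {}
    return {n: (vid if vid in p.tagged else None)
            for n, p in ports.items()
            if n != in_port and vid in p.members()}

def example_ports():
    """Constructed layout: VLAN IDs 10-60 and ports 1-3 are not from the thread."""
    vlans = {10, 20, 30, 40, 50, 60}
    return {
        24: Port(pvid=1, untagged={1}, tagged=vlans),   # uplink to the firewall
        1: Port(pvid=1, untagged={1}, tagged=set()),    # management laptop port
        2: Port(pvid=10, untagged={10}, tagged=set()),  # ordinary access port
        # PVID changed to 10 but membership left on VLAN 1: a mismatch
        3: Port(pvid=10, untagged={1}, tagged=set()),
    }

if __name__ == "__main__":
    ports = example_ports()
    print("untagged broadcast in on 24  :", flood(ports, 24))
    print("VLAN 10 frame in on 24       :", flood(ports, 24, tag=10))
    print("laptop DISCOVER in on port 1 :", flood(ports, 1))
    print("laptop DISCOVER in on port 3 :", flood(ports, 3))
```

In this model port 3 still receives VLAN 1 broadcasts, but its own untagged frames are classified into VLAN 10 and dropped at ingress, so a laptop plugged in there would never obtain a lease from the management DHCP pool.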

  • PeterUK
    PeterUK Posts: 2,590  Guru Member
    edited February 4

    Maybe the problem is Firewalla?

    So you have native LAN at like 192.168.1.0/24 and a VLAN101 192.168.2.0/24. If you're on the VLAN and your switch is at IP 192.168.1.254, the problem might be that the subnet you're connecting from is not the same as the switch?

    Edit update: However, testing here with a GS2210-24 it works, unless it's a bug with the GS1900? Or Firewalla is not allowing the traffic? Maybe disable its firewall and check.

    Not sure if Firewalla can have a routing/NAT rule where you go to the virtual IP like 192.168.2.250 to NAT to 192.168.1.254 and SNAT from virtual IP 192.168.1.250.

  • markgb
    markgb Posts: 6

    When I first added in the 2 new switches, the Firewalla registered both of them as devices on its native LAN management network. I had configured each switch to use a static IP on the Firewalla management network. I could then ping each of the switches from a laptop on a PVID 1 port of any of the switches. I could also access the Internet, if needed. Then, after rebooting the original switch (GS1900-24), all three switches became isolated and the Firewalla now reports them as disconnected. So, that’s why it appears to be an unstable configuration. Prior to adding the switches, I was able to connect my laptop to any of the three internal (natted from public IP) interfaces and pull an IP (DHCP) from the Firewalla management network, as well as accessing the Internet. I just wanted the same access through the switches. The native LAN on the Firewalla is a standard 192.168.x.0/24 network. So, pretty straightforward implementation, or so I had thought…

  • markgb
    markgb Posts: 6

    I am thinking of creating a VLAN 1 on the Firewalla and changing the network type to VLAN to see if that will work. That should send tagged traffic to the GS1900, so I will need to tag the trunk port 24 to accept that traffic.

  • Zyxel_Melen
    Zyxel_Melen Posts: 1,526  Zyxel Employee

    Hi @markgb,

    Since VLAN 1, the default management VLAN of GS1900, is untagged on all ports by default, you don't need to configure VLAN on the switch or firewall.

    To better help you resolve this problem, I want to clarify some details:

    1. After adding the two GS1900-24E switches and making some minor port assignment changes (changing PVID on some access ports) and then rebooting the GS1900-24 switch, I no longer have management traffic on port 24 and have to use static IPs to connect to the switch.
      What static IP is it?
    2. How did you determine there's no management traffic on port 24?
    3. Is the problem that your switch cannot get a DHCP IP address? If yes, can your laptop get an IP address?
    4. Then, after rebooting the original switch (GS1900-24), all three switches became isolated and the Firewalla now reports them as disconnected.
      Does this mean the link to the switches is down? Could you collect the tech support from GS1900 for me to check if there are any related logs for this problem? Please reference the screenshot below to collect.

    Zyxel Melen

  • markgb
    markgb Posts: 6

    Hi Zyxel Melen,

    I wrote an extensive reply to you, but since I didn’t send it until later in the day it was lost when I tried to post it! At this point, I believe the issue is likely due to the Firewalla router/firewall. I power cycled the Firewalla after some issues I was having and the management traffic with DHCP fixed itself! All is well for the moment, but I am monitoring the situation. Thanks for your help!

  • Zyxel_Melen
    Zyxel_Melen Posts: 1,526  Zyxel Employee

    Hi @markgb,

    I am happy to receive your feedback that everything works fine. If there is any other problem, please don't hesitate to create a post on Zyxel community~

    Zyxel Melen

  • markgb
    markgb Posts: 6

    Hi Zyxel Melen,

    Before I answer your questions, I should mention that I discovered that all three switches were isolated from each other through the Firewalla ports, so I moved the two new GS1900-24E switches to a master/slave arrangement where their uplinks connect to the original GS1900-24. This has eliminated the isolation issue and allowed all devices in the same VLAN on any switch to communicate with each other, as intended.

    Now, to answer your questions:

    1. After adding the two GS1900-24E switches and making some minor port assignment changes (changing PVID on some access ports) and then rebooting the GS1900-24 switch, I no longer have management traffic on port 24 and have to use static IPs to connect to the switch.
      What static IP is it?

    The static IPs I was referring to are for management traffic on each switch. I used the same IP scheme as the management traffic on the Firewalla. I prefer to use static IPs on infrastructure devices, so I did not check whether the switches worked with DHCP from the Firewalla. However, when I previously had this working, I was able to connect my laptop to an untagged PVID 1 port on the GS1900-24 and pull an IP from the Firewalla DHCP pool for management traffic. This allowed me to easily connect to the switch using its static IP. It also allowed me to access the Internet. I can’t remember whether the Firewalla allows ICMP ping traffic to the gateway, by default.

    2. How did you determine there's no management traffic on port 24?

    I could no longer pull an IP from the Firewalla. After adding a static IP on my laptop, I could ping the switch and manage it, but could not access the Internet or ping the management gateway on the Firewalla. Also, I could not ping the other switches which were connected to the other two LAN ports on the Firewalla.

    3. Is the problem that your switch cannot get a DHCP IP address? If yes, can your laptop get an IP address?

    Never tested as I use static IPs for the switches. No, my laptop does not get an IP address.

    4. Then, after rebooting the original switch (GS1900-24), all three switches became isolated and the Firewalla now reports them as disconnected.
      Does this mean the link to the switches is down? Could you collect the tech support from GS1900 for me to check if there are any related logs for this problem? Please reference the screenshot below to collect.

    The link works for VLAN traffic as all switches are providing Internet connectivity from each VLAN.

    Yes, I can send diagnostic logs for this issue. However, after attempting to remove the VLAN support for the two now unused ports on the Firewalla, the firewall/router went offline for a while and did not complete the requested changes. Also, I lost most of my DHCP VLAN support on switch ports, so I power cycled the firewall. When it came back up, the changes had still not been implemented. However, I now had management traffic with DHCP support from the firewall, again! I can now ping all three switches and the gateway and can access the Internet. In addition, all DHCP VLAN support is back up on the switches. So, it appears that this may be an issue with the Firewalla. I will monitor the situation. Thanks for your help!