Policy Rule on XGS1930
Hello. Currently, all inter-VLAN traffic goes through the ATP700 firewall, which serves as the gateway and DHCP server for all VLANs.
We use Active Backup for Business software on a Synology Plus series NAS as a backup system.
However, when the backup of the 50 PCs starts (5 simultaneously), the firewall saturates and it even happens to restart (more rarely).
I had created a priority rule (BWM) to avoid the loss of other services, but that does not prevent the firewall from crashing.
I would like to direct traffic from TCP port 5510 (Active Backup for Business) to port 16 of the XGS1930-28 switch so that it no longer goes through the firewall.
I configured a "classifier" and a "policy rule" to direct the flow directly to the NAS, but this cuts the service and the server becomes unreachable (the Active Backup for Business agent can no longer find the server on TCP port 5510). I attach the photos as well as the simplified diagram of part of the network.
Thank you for your help
Accepted Solution
-
Hi and thank you for your feedback.
- I solved my firewall saturation problem by creating a route on each PC using the backup service. That way, only access to the backup device is direct and inter-VLAN traffic is always blocked.
Thanks
Julien0
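The accepted solution above is a per-PC route to the backup device. As an added example (not code from the thread or from Zyxel/Synology), here is how that route can be set on a Windows backup client with PowerShell. The NAS address, the switch interface address and the interface selection are all assumptions: the switch must have an L3 interface on the PC's own VLAN and a route to the NAS subnet, as described in the reply about static routes, for the next hop to work.

```powershell
# Added example, not part of the original thread. Run in an elevated PowerShell
# session on each Windows client running the Active Backup for Business agent.
# Assumptions (placeholders, adjust to the real addressing):
#   $NasIp    - address of the Synology NAS in VLAN 50
#   $SwitchGw - XGS1930 L3 interface on this PC's VLAN (not the ATP700 address)
$NasIp    = '192.168.50.10'
$SwitchGw = '192.168.2.254'
$Port     = 5510            # Active Backup for Business agent port (from the thread)

# Use the interface that currently carries the IPv4 default route
# (the ATP700 stays the default gateway; only the NAS is reached via the switch).
$DefaultRoute = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 |
    Sort-Object RouteMetric | Select-Object -First 1
$IfIndex = $DefaultRoute.InterfaceIndex

# A /32 host route keeps the bypass limited to the NAS itself; every other
# inter-VLAN destination still goes to the firewall and is still blocked there.
$Prefix   = "$NasIp/32"
$Existing = Get-NetRoute -DestinationPrefix $Prefix -AddressFamily IPv4 -ErrorAction SilentlyContinue
if (-not $Existing) {
    New-NetRoute -DestinationPrefix $Prefix -InterfaceIndex $IfIndex `
        -NextHop $SwitchGw -RouteMetric 1 | Out-Null
    Write-Host "Added host route $Prefix via $SwitchGw"
} else {
    Write-Host "Host route $Prefix already present"
}

# Check 1: the routing table must now pick the switch, not the firewall, for the NAS.
$Chosen = (Find-NetRoute -RemoteIPAddress $NasIp)[1]
if ($Chosen.NextHop -ne $SwitchGw) {
    throw "Unexpected next hop $($Chosen.NextHop) for $NasIp"
}

# Check 2: the agent port must still be reachable on the new path.
$Probe = Test-NetConnection -ComputerName $NasIp -Port $Port -WarningAction SilentlyContinue
if (-not $Probe.TcpTestSucceeded) {
    throw "TCP $Port to $NasIp not reachable via $SwitchGw (check the switch route and the return path)"
}
Write-Host "TCP $Port to $NasIp reachable via $SwitchGw"
```

Two points to keep in mind when rolling this out. First, the return path: the NAS (or its VLAN 50 gateway) needs a corresponding route back to the client subnets via the switch, otherwise replies go through the ATP700 and a stateful firewall that has only seen one direction of the TCP session may drop them. Second, the /32 prefix is what keeps the security posture of the accepted answer: nothing other than the backup server is reachable around the firewall, so the firewall's inter-VLAN blocking and its exceptions (database access and so on) remain in force.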
All Replies
-
The "Send the packet to the egress port" action does not do what you may think it does, and only works a given way.
So the problem you have is that the ATP700 does all the routing, with VLAN10 to VLAN50 each on its own subnet.
What you want should be doable by the XGS1930 L3, but some changes will need to be made to do it.
So I take it you have one port from the XGS1930 to the ATP700, and a VLAN like VLAN 1 where the switch is set up as 192.168.1.2 with default gateway 192.168.1.1, which will be the next hop for all your VLANs.
You want to set up static routes on the ATP for all your VLANs, like VLAN10 192.168.2.0/24, to point to your switch 192.168.1.2.
You then set up interface IPs on the switch like 192.168.2.254/24. This is the gateway you want to point your VLAN devices to, which you set in your ATP DHCP setup under Custom Defined for the default router.
So with all this set up, VLAN10 to get to VLAN50 goes to gateway 192.168.2.254, and the switch, seeing that its destination is the VLAN50 network, routes it there without going to the ATP700.
And internet traffic goes to the ATP700.
-
Hello and thank you for your answer.
(Sorry for any errors, my English level is not great!)
To avoid congestion on a port, I have about 1 connection per VLAN to the firewall (no LAG).
Basically, the networks should not communicate with each other.
Only a few exceptions are set on the firewall, such as connections to databases, etc.
The most important inter-VLAN traffic is done by the backup software, which makes a carbon copy per day (differential and space-saving thanks to the BTRFS format).
If I set the gateways of each VLAN on the XGS1930-28, all the networks will communicate with each other if I am not mistaken, and I would like to avoid this.
-
You can use ACLs on the switch to limit access between VLAN subnets.
But really the issue with running the backup needs to be looked into.
-
Another way is to use Hyper-V on each device with a VLAN50 LAN (no gateway) alongside its untagged network, which then tags to VLAN10, with the idea that each device has two networks.
-
Hi @Julien44,
From your topology, the clients seem like they are in VLAN 10~40, but the server is in VLAN 50.
Since the VLANs/subnets differ, you still need the firewall to do routing. The ACL policy you set only redirects the packet to port 16. However, it does not route the packets to the subnet where the server is located.
Could you help connect a console to ATP700 to collect the debug console logs for us to check? Please enter this command before collecting the console logs.
debug keernel console level 8