Policy Rule on XGS1930

Julien44
Julien44 Posts: 4  Freshman Member
First Comment Friend Collector

Hello, Currently, all inter-vlan traffic goes through the ATP700 Firewall which serves as a gateway and DHCP server for all vlans.
We use Active Backup for Business software on a Synology Plus series NAS as a backup system.
However, when the backup of the 50 PCs starts (5 simultaneously), the firewall saturates and it even happens to restart (more rare).
I had created a priority rule (BWM) to avoid the loss of other services but that does not prevent the firewall from crashing.
I would like to direct traffic from TCP port 5510 (Active backup for business) to ports 16 of the XGS1930-28 switch so as to no longer go through the firewall.
I configured a "classifier" and a "policy rule" to direct the flow directly to the NAS but this cuts the service and the server becomes unreachable (the Active Backup for Business agent can no longer find the server on TCP port 5510) I attach the photos as well as the simplified diagram of part of the network.

Thank you for your help

Accepted Solution

  • Julien44
    Julien44 Posts: 4  Freshman Member
    First Comment Friend Collector
    Answer ✓

    Hi and thank you for your feedback.

    • I solved my firewall saturation problem by creating a route on each PC using the backup service. like that, only access to the backup device is direct and inter-vlan traffic is always blocked.

    Thanks
    Julien

All Replies

  • PeterUK
    PeterUK Posts: 3,216  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited September 20

    The Send the packet to the egress port does not do things you may think it does and only works a given way.

    So the problem you have is the ATP700 does all the routing so VLAN10 to VLAN 50 each on its own subnet.

    What you want should be doable by the XGS1930 L3 but some changes will need to be done to do it

    so I take it you have the one port from XGS1930 to ATP700 and the VLAN like 1 that switch is setup like 192.168.1.2 with default gateway 192.168.1.1 will be the next hop for all your VLAN's

    You want to setup static routes on ATP for all your VLAN's like VLAN10 192.168.2.0/24 to point to your switch 192.168.1.2

    You then setup interface IP's on the switch like 192.168.2.254/24 this is the gateway you want to point your VLAN devices too which you set on your ATP DHCP setup for Custom Defined for default router

    So with all this setup VLAN10 to get to VLAN50 goes to gateway 192.168.2.254 which the switch seeing its Destination for the VLAN50 network routes to it without going to ATP700

    And for internet traffic goes to ATP700

  • Julien44
    Julien44 Posts: 4  Freshman Member
    First Comment Friend Collector

    Hello and thank you for your answer.
    (Sorry for any errors, my English level is not great!)
    To avoid congestion on a port, I have about 1 connection per vlan to the firewall (no LAG).
    Basically, the networks should not communicate with each other.
    Only a few exceptions set on the firewall such as connections to databases, etc....
    The most important inter-vlan traffic is done by the backup software which makes a carbon copy per day (differential and space-saving thanks to the BTRFS format)


    If I set the gateways of each vlan on the XGS1930-28, all the networks will communicate with each other if I am not mistaken and I would like to avoid this.

  • PeterUK
    PeterUK Posts: 3,216  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    You can use ACL on the switch to limit access between VLAN's subnet

    But really the issue with running the backup needs to be looked into.

  • PeterUK
    PeterUK Posts: 3,216  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    Another way is to use Hyper-V on each device with VLAN50 LAN no gateway along side its untag network that then tag to a VLAN10 with the idea each device has two networks

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,175  Zyxel Employee
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate

    Hi @Julien44,

    From your topology, the clients seem like they are in VLAN 10~40, but the server is in VLAN 50.

    Since the VLANs/subnets differ, you still need the firewall to do routing. The ACL policy you set only redirects the packet to port 16. However, it does not route the packets to the subnet where the server is located.

    Could you help connect a console to ATP700 to collect the debug console logs for us to check? Please enter this command before collecting the console logs. debug keernel console level 8

    Zyxel Melen

    Don't miss this great chance to upgrade your Nebula org. for free! 


  • Julien44
    Julien44 Posts: 4  Freshman Member
    First Comment Friend Collector
    Answer ✓

    Hi and thank you for your feedback.

    • I solved my firewall saturation problem by creating a route on each PC using the backup service. like that, only access to the backup device is direct and inter-vlan traffic is always blocked.

    Thanks
    Julien