Nebula NCC blocked by firewall

GiuseppeR

Hello everyone,

we are replacing hardware on different companies and we are experiencing some problems like being blocked by their old firewalls.

I see that this should be the guide:

But I would like to know if Zyxel has a batch to execute inside a PC in those networks to check which of the above rules are missing.

I'm at your disposal to test a new *.bat file for this purpose

PeterUK

It would not help to run a test on a PC if the PC tests fine but not from the firewall itself under different rules.

So whats the problem? you have a FLEX that can't connect to Nebula due to another firewall in front?

GiuseppeR

I have some switches that could not communicate to Nebula due to some Sophos in front of them. I have no password to change the config on those Sophos, so I would like to have a *.bat to check if those requested ports are all open or not and to report in a written txt which rules are missing so I would be able to give this result to the owner of the Company

PeterUK

well unless these Sophos are locked down and only give limited out going traffic I don't see why it would be blocked as its not inbound.

Just say to the Company allow TCP 443, 4335, 6667 and UDP 123 outgoing

 

Zyxel_Judy

Hi @GiuseppeR ,

Currently, there is no batch file (*.bat) available on PCs in the network to check for missing rules.

To troubleshoot connection issues, you can access the Switch's local GUI through Nebula Discovery and check the 3 status circles, which will indicate why the switch cannot connect to Nebula.

If you need additional support, please provide us with a remote session so we can assist you further.

GiuseppeR

Hello @Zyxel_Judy

I have a XGS2220-54HP that is working as switch (LAN and VLANs are working on site) but is unable to get a dynamic IP from an old Sophos so I cannot find it with ZON utility.

The switch is in DHCP.

Maybe there is a problem with DHCP server, so I want to assign a static IP to that switch so I can access its web interface.

How can I manage this without going on site and plugin another firewall/router with DHCP server inside it and manage the switch's IP?

I tried to connect remotely on a PC on that network and I could not ping the switch IP with a IP scanner.

It is the first time that I struggle so much with a switch, I configured it easily as usual and now that is on site at the client Organization I'm unable to reach it

PeterUK

If the switch is not getting a IP its a local network problem that the switch can't get a IP on it LAN the default IP is 192.168.1.1 VLAN1 if DHCP fails if the router has no network for the switch to connect too then you need to config that switch on the VLAN on the site.

GiuseppeR

OK @PeterUK

so I should go on site and enter its 192.168.1.1 webpage with any of its port?

PeterUK

It be HTTP port 80

But who setup the switch should know the reason? its as if the switch was setup to not be connected to the router LAN and needing a PC connected on a given port of the switch to access it

GiuseppeR

I setup the switch.

When I plug it in another "basic" Fritzbox everything goes smoothly, the problem is only when I plug it in the Sophos. It is unable to get an IP, so it does not go online on Nebula. The Sophos DHCP server is not giving an IP blocking its outbound connections.

Internally the switch works.

GiuseppeR

Hello everyone,

there were 2 problems.

First one:

When that DHCP Server Guard was enabled (green switch) it was impossible to get an IP from Sophos firewall.

Now the switch gets the IP in DHCP, but it has blocked ports:

It is really strange to see that with DHCP Guard everything was unreacheable, also locally