Nebula NCC blocked by firewall

13»

All Replies

  • GiuseppeR
    GiuseppeR Posts: 368  Master Member
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Engineer Level 1 - Nebula First Comment Friend Collector

    Yes @PeterUK

    disabling DHCP Guard (and then opening ports…) let me to use remote switch via Nebula.

  • GiuseppeR
    GiuseppeR Posts: 368  Master Member
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Engineer Level 1 - Nebula First Comment Friend Collector

    Hello @Zyxel_Judy

    I'm going to ask my Client if he can let me place there another switch with DHCP Guard active and see if I can replicate the problem.

    I cannot revert back the config with the switch in production, it could lead to malfunctions with PCs, VoIP phones and cameras.

    If I can reproduce it with another Nebula model, could it be good for you?

    I have a spare GS1920-8HP somewhere, so we can see if there is a bug with "V4.80(ABXQ.4) | 04/10/2024" firmware for XGS2220-54HP

    Please let me know also via PM

  • PeterUK
    PeterUK Posts: 3,762  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    DHCP Guard is not just a enable/disable option there is more options

    Screenshot 2025-05-02 120957.png

    Sophos can see DHCP Discover which is why the switch is 0.0.0.0 but if you don't setup a port to be trusted the offer will be blocked by the switch

  • Zyxel_Judy
    Zyxel_Judy Posts: 2,148  Zyxel Employee
    Zyxel Certified Network Engineer Level 2 - Nebula Zyxel Certified Network Engineer Level 2 - Switch Zyxel Certified Network Engineer Level 2 - Security Zyxel Certified Network Engineer Level 1 - Nebula
    edited 3:11AM

    Hi @PeterUK ,

    The behavior of DHCP Server Guard varies based on the mode of operation. There is no setting for trusted ports for DHCP servers when operating in cloud mode.

    • Cloud Mode: In this mode, only the first DHCP server that assigned an IP address to the Nebula device is permitted to assign IP addresses to devices in the management VLAN.
    • Standalone Mode: Allows setting multiple trusted ports for DHCP servers, offering more flexibility in designating trusted DHCP sources.
  • Zyxel_Judy
    Zyxel_Judy Posts: 2,148  Zyxel Employee
    Zyxel Certified Network Engineer Level 2 - Nebula Zyxel Certified Network Engineer Level 2 - Switch Zyxel Certified Network Engineer Level 2 - Security Zyxel Certified Network Engineer Level 1 - Nebula

    Hi @GiuseppeR ,

    Thank you for your willingness to cooperate and test this issue.

    We need to point out that testing with a GS1920 model may not produce relevant results for your original situation. Since you would be using a different model (GS1920 vs XGS2220-54HP) on a different Nebula site, even if connected to the same Sophos device, the test results would not be directly comparable. This approach would not effectively determine whether there's an issue with the DHCP server guard functionality or a bug in the GS2220 firmware.

    Without access to your customer's initial Sophos configuration and complete network scenario, attempts to replicate this issue in alternative setups may lead to inconsistent or misleading results.

    We recommend that if this issue recurs with your customer, please follow the steps we provided earlier to confirm the problem and then share the switch tech-support logs with us for proper analysis.

  • GiuseppeR
    GiuseppeR Posts: 368  Master Member
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Engineer Level 1 - Nebula First Comment Friend Collector

    Hi @PeterUK

    as said by @Zyxel_Judy I could not select the port for DHCP Guard because my config was Nebula based, so I would like to understand how to cooperate with Zyxel to replicate this issue trying to fix it

Categories

Nebula Tips & Tricks


    Read more

    Nebula Help Center

    EnglishTiếng ViệtРусскийไทย中文(台灣)