Zywall 110 Inter-VLAN (intra-Zone) routing problem

Matthias_AUT · August 2020

3 tagged VLANs on single port from switch, one additional LAN on firewall; All machines can access internet, all machines can ping and transfer data within VLAN and each individual VLAN can ping and connect to lan1.

Problem: Inter-VLAN routing is not working; In my understanding default behaviour should be to allow inter-VLAN traffic? I tried adding static routes, did not change anything; I disabled Security Policies/ Policy Control, did not help.

Every suggestions on what could be wrong appreciated.

Best regards, Matthias

Image: https://us.v-cdn.net/6029482/uploads/editor/5w/6xs234tm5h04.jpg

Image: https://us.v-cdn.net/6029482/uploads/editor/ow/fvx7apzarggt.png

Image: https://us.v-cdn.net/6029482/uploads/editor/o5/mzrs44ucr359.png

Zyxel_Emily · August 2020

Hi @Matthias_AUT,

About the symptom "devices from other VLANs cannot connect to VLAN587 devices", try to use the following steps for troubleshooting.

PC1 in vlan587: 128.130.77.67

PC2 in vlan883: 128.130.77.99

Step 1: Go to Diagnostics > Network Tool. Select PING IPv4 and enter the IP address of PC1 128.130.77.67.

Remember to disable Windows firewall on PC1. Check if ping PC1 from ZyWALL successfully.

Step 2:

On PC2 (128.130.77.99), ping vlan587’s gateway 128.130.77.65.

Check if PC2 is able to ping vlan587’s gateway IP address.

Matthias_AUT · August 2020

Forum did not like .conf, configuration file as .txt

PeterUK · August 2020

You shouldn't need static routes so remove that and try Policy Control off which should work.

When you say Inter-VLAN you mean VLAN77 can't connect to VLAN587 ?

unplug the WAN and see if that works

Matthias_AUT · August 2020

PeterUK said:

You shouldn't need static routes so remove that and try Policy Control off which should work.

When you say Inter-VLAN you mean VLAN77 can't connect to VLAN587 ?

unplug the WAN and see if that works

Dear Peter, thanks for your help!

1) I tried without the static routes and policy control off which also did not change connectivity (can still connect from VLAN77 to lan1 and from VLAN587 to lan1 but not from VLAN77 to VLAN587

2) Yes exactly, VLAN77 can't connect to VLAN587 or VLAN883, same for the other VLANs, each can connect to lan1 but no other VLAN

3) Unplugging the WAN resulted in lost connectivity from VLANs to lan1! Still no connectivity between VLANs...

I really wonder why connectivity to lan1 is dependent on WAN being connected.

Best regards, Matthias

PeterUK · August 2020

Make some zones for VLAN77, VLAN587 and VLAN883 then go to each VLAN interface and set zone from LAN1 to a given zone this way their not all on LAN1.

Test again Policy Control off which should work.

Will all VLAN's to zone LAN1 you would of needed to make a Policy Control rule from LAN1 to LAN1 and with each VLAN in its zone you make Policy Control rules from given zone to given zone.

PeterUK · August 2020

tested here between two VLANs with a ZyWALL 110 on V4.38 works fine

VLAN4091 10.255.251.2 ping 10.255.252.2
VLAN4090 10.255.252.2 replies to 10.255.251.2

Matthias_AUT · August 2020

PeterUK said:

Make some zones for VLAN77, VLAN587 and VLAN883 then go to each VLAN interface and set zone from LAN1 to a given zone this way their not all on LAN1.

Test again Policy Control off which should work.

Will all VLAN's to zone LAN1 you would of needed to make a Policy Control rule from LAN1 to LAN1 and with each VLAN in its zone you make Policy Control rules from given zone to given zone.

I made individual zones for each VLAN; like this?

Tested with policy control off; I cannot ping between VLANs and neither to lan1 which works when all are in the same zone.

I can (and always could) ping all the gateways, but not the machines connected to them.

I tried both variants with policy control, all on zone LAN1 and LAN1toLAN1 as well as separate zones and LAN1toVLANxxx, did not work;

I wonder if there is something fundamentally wrong with the way I set up the VLANs, this is how it looks

And all the VLANs itself:

Thanks for your effort!

Best regards, Matthias

EDIT: Latest FW Version, V4.38

Matthias_AUT · August 2020

PeterUK said:

tested here between two VLANs with a ZyWALL 110 on V4.38 works fine

VLAN4091 10.255.251.2 ping 10.255.252.2
VLAN4090 10.255.252.2 replies to 10.255.251.2

Dear Peter, could you please upload the conf file of your working Zywall 110 so I can check for differences to my config?

Thanks a lot,

Matthias

PeterUK · August 2020

I can't upload my config as I like to keep it private.

Can you change the port role so LAN1 is not linked to other ports for testing.

Zyxel_Emily · August 2020

Hi @Matthias_AUT,

FW: 4.38(AAAA.0)

I applied your configuration file to a ZyWALL 110 to run the test.

Inter-VLAN routing is working successfully even if firewall is enabled.

PC1 in vlan587 is able to ping PC2 in vlan883 and vice versa.

Hence, there is no problem with the settings on ZyWALL110.

Try to check the configuration on the switch.

Topology:

ZyWALL 110(P4)----(P10)GS2210(P2)-----PC1(128.130.77.66)

(P3)-----PC2 (128.130.77.98)

Image: https://us.v-cdn.net/6029482/uploads/editor/jb/ax46xmy8m84o.jpg

Image: https://us.v-cdn.net/6029482/uploads/editor/wu/o9p0md04i7rx.jpg

Image: https://us.v-cdn.net/6029482/uploads/editor/95/gl2lfvwfc0vd.jpg

Matthias_AUT · August 2020

Topology:

ZyWALL 110(P4)----(P10)GS2210(P2)-----PC1(128.130.77.66)

(P3)-----PC2 (128.130.77.98)

Hi Zyxel_Emily, are P4 and P3 in your topology different physical ports on the Zywall? My VLANs come all in as trunk on P4, can this be the problem?

Do I have to configure virtual interfaces for the VLANs?

I have no idea what could be wrong with the switch settings as all 3 VLANs successfully connect to the Internet, any suggestions?

Best regards, Matthias

Zywall 110 Inter-VLAN (intra-Zone) routing problem

Accepted Solution

All Replies

Categories

Security Help Center