Zywall 110 Inter-VLAN (intra-Zone) routing problem

Zyxel_Emily

Hi @Matthias_AUT,

Topology

ZyWALL 110(P4)----(port 10)GS2210(port 2)-----PC1(128.130.77.66)

                                                           (port 3)-----PC2 (128.130.77.98)

In my topology, ZyWALL 110 is connected to the switch GS2210 with one physical port only.

P4 of ZyWALL 110 is connected to port 10 of the switch.

PC1 is connect to port 2 of the switch.

PC2 is connect to port 3 of the switch.

On the switch, you need to configure vlan, untagged settings and pvid.

You can consult your switch vendor about vlan configuration.

Matthias_AUT

Zyxel_Emily said:

Hi @Matthias_AUT,

Topology

ZyWALL 110(P4)----(port 10)GS2210(port 2)-----PC1(128.130.77.66)

                                                           (port 3)-----PC2 (128.130.77.98)

On the switch, you need to configure vlan, untagged settings and pvid.

Hi Zyxel_Emily,

Just to clarify, ZyWALL 110(P4)---(port 10)GS2210 has to be tagged, correct? I'm aware that the PCs can only receive untagged data and the corresponding Switch ports have to tag packets with the correct PVID.

I'm in a campus environment, there are several switches between PC and the final layer 2 switch I've access to. The last layer 2 switch receives tagged packets of all 3 VLANs via switchPort 5 and forwards it to switchPort 4 (also tagged).

ZyWALL 110(P4)--(tagged?)--(switchPort3)NetgearS3300(switchPort5)--(tagged)--unknownSwitch(es)--portX(PVID, untagged) -- PC1

Thanks for your help,

Matthias

Matthias_AUT

I redid the configuration of the firewall from scratch, now almost everything is working as expected

VLANs can communicate with lan1 and with each other with one exception:

VLAN587 can ping and connect to all networks (outgoint) but no Network is able to connect into VLAN587; I tried both with security policy enabled and disabled;

Any ideas?

Best regards Matthias

PeterUK

Do devices in VLAN587 have the gateway IP set?

Matthias_AUT

Yes, devices receive Gateway from the VLAN587 DHCP Server, 587 devices can connect to the internet and other VLANs, but devices from other VLANs cannot connect to VLAN587 devices.

Zyxel_Emily

Hi @Matthias_AUT,

About the symptom "devices from other VLANs cannot connect to VLAN587 devices", try to use the following steps for troubleshooting.

PC1 in vlan587: 128.130.77.67

PC2 in vlan883: 128.130.77.99

Step 1: Go to Diagnostics > Network Tool. Select PING IPv4 and enter the IP address of PC1 128.130.77.67.

Remember to disable Windows firewall on PC1. Check if ping PC1 from ZyWALL successfully.

Step 2:

On PC2 (128.130.77.99), ping vlan587’s gateway 128.130.77.65.

Check if PC2 is able to ping vlan587’s gateway IP address.

Matthias_AUT

Hi Emily,

Zywall can ping the PCs in VLAN587

Other PCs (e.g. VLAN883) can only ping the Gateway of VLAN587 but not the PCs

PCs from VLAN587 can ping PCs in all VLANs and even remote connect to them but other direction does not work...

Thanks for your help!

Matthias

Zyxel_Emily

Hi @Matthias_AUT,

In the packet trace of vlan587, there is no reply packet from the PC 128.130.77.66.

It seems to be a problem with Windows Firewall or some other program blocking pings from remote networks.

After you connect another PC and this one replies to the ping.

Glad you have resolved it