Port link from VPN300 on V4.60 causes VLAN problems for USG60W

PeterUK
PeterUK Posts: 3,645  Guru Member
100 Answers 2500 Comments Friend Collector Seventh Anniversary
edited April 2021 in Security

So this is the setup

v9lqvcve2wox.png (2590×2455) (v-cdn.net)


Whats not shown is VLAN's 6,53,443 on based port LAN1 with tagged ports 1 and 2 on NETGEAR M4100-D12G for the VLAN's

on USG60W

VLAN6

192.168.255.241/255.255.255.192

VLAN53

192.168.53.11/255.255.255.240

VLAN443

192.168.44.6//255.255.255.248


So with VPN300 on V4.60 and I ping to 192.168.53.11 from 192.168.53.2 I get timeouts if I inactivate ge6 on the VPN300 same problem but here is when things get odd if I unplug ge6 then ping to 192.168.53.11 works! I go back to V4.39(ABFC.0)ITS-WK38-r96153 with ge6 plugged in and a activate no problem.


Comments

  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    50 Answers 500 Comments Friend Collector Fourth Anniversary
    @PeterUK
    When the issue occur, can you packet capture Vlan53 interface, and VPN300's ge6 for check further.
  • PeterUK
    PeterUK Posts: 3,645  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    So I have gone back to the V4.60 for more testing and things get odder if I unbound MAC rule on the Netgear M4100-D12G G2toG3 which mirrors the ARP then ping works fine but if I bound G2toG3 and put a switch between VPN300 G6 port to Netgear M4100-D12G port 3 that works too!

    So whats going on here? I can connect VPN300 G6 port to Netgear M4100-D12G port 3 on V4.39(ABFC.0)ITS-WK38-r96153 fine but with V4.60 I need a switch between VPN300 G6 port to Netgear M4100-D12G port 3 for the same setup to work!


  • PeterUK
    PeterUK Posts: 3,645  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    Tried 460ABFC0ITS-WK48-r97191 same problem.
  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    50 Answers 500 Comments Friend Collector Fourth Anniversary
    edited December 2020
    @PeterUK
    Regarding to this case,
    we would like to compare the routing trace, and IP route on issued situation and non-issued environment on USG60W and VPN300. Please private message the compared result which you have got.
    Reproduce the issue
    Ping: 192.168.53.2 to 192.168.53.11 continuously. Go to USG60W's and VPN300's routing traces press capture. The screenshot the result.
    Type the "show ip route" via console
    EX:


  • PeterUK
    PeterUK Posts: 3,645  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    I think I might know the cause of this and change between V4.39 and V4.60 the ingress to ge6 it not filtering untag and tag packets so for ge6 there are no VLAN to it base port but V4.60 is seeing these tag VLAN packets and causing the problem instead of dropping them?


  • PeterUK
    PeterUK Posts: 3,645  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    So this is a mystery and case left open why everything works fine with V4.39 so I have done another way to DHCP the LAN which works with V4.60.

Categories

Security Help Center

EnglishTiếng ViệtРусскийไทย中文(台灣)