GS1900-48HP Voice VLAN stopped working after firmware upgrade. . .
Thanks for the instructions.
We are using Fortigate 30E. I think the approach of setting VLAN is the same as VM64 except that only 'lan', or 'wan' can be selected in the 'interface' menu. We will select 'lan.'
modify TWO network ports, as follows -
VLAN2, PVID2, Untagged
I am a little bit confused here. I don't understand the meaning of 'modify' here. Do we need to reserve two ports on GS1900 for NEC controller with the above settings, and all other ports on GS1900 are still '
VLAN1, PVID1, Untagged.
'? Why does our phone controller need different VLAN settings from the IP phones?
There does exist a manual VLAN setting inside the NEC phones. So it is not a bad idea to set it inside the phones?
BTW, I guess it is very important that we need a subnet for IP phones to successfully establish the Voice-Vlan but I am still curious why can't we let the phone system stay in the same subnet with our PCs and other devices?
Finally, we are using external DNS server provided by our ISP.
If you are placing your IP phones onto a different VLAN/subnet
from the rest of your office equipment, it is best to have the phone controller
on that same VLAN/subnet to facilitate communication.
Yes, you COULD keep the phone controller on VLAN1,
and then set up firewall and routing rules on the FortiGate
to allow them to communicate via NAT,
but you'll take a performance hit.
Generally speaking, data between devices
on the same VLAN will move transparently
across your network switch at top speed.
However, data on VLAN1 can only reach devices
on VLAN2 (and vice-versa) via your router.
Not only will that increase the workload on your router,
but it will reduce the amount of bandwidth you have on
the network cable between your router and your switch.
In our office, our phone system controller, and all of our phones
are on VLAN2. They communicate directly with each other via
the network switch, so they're not contending for bandwidth.
A firewall rule allows the phone system to reach the internet
as needed, as well as letting us reach the phone system's
web interface. However, this traffic is minimal, and has
virtually no impact on network bandwidth.
Yes, if the phone system controller is to be moved to VLAN1,
then it will need its own port set up, as VLAN2, PVID2, Untagged.
Some phone system controllers don't have a static VLAN setting,
and instead rely upon the port of the network switch to handle
the VLAN tagging.
By assigning a dedicated port for your phone system,
and setting the port to VLAN2, PVID2, Untagged,
the data sent from the phone system will ultimately
get tagged for VLAN2. Trust me, it just works.
Temporarily setting up an extra port the same way
will allow you to plug in an ordinary PC or laptop,
and gain access to the VLAN2 subnet for testing purposes.
I guess I should have asked a long time ago. . .
What is prompting you to move your IP phones to a VLAN?
We want to move our IP phones to VLAN because our calls are breaking up on IP phones and we think moving to VLAN might solve this problem.
I agree that we should put the phone controller and phones on the same VLAN2.
And I guess the key part to making VLAN2 work is the VLAN2/subnet setting on our Fortigate firewall, am I right?
BTW, how can VLAN2 get internet access while using an external DNS from our ISP?
edited February 17
We are now in step 3.
And I have added some policies to allow traffic from VLAN1 to VLAN2, VLAN2 to VLAN1, and VLAN2 to Internet.
The results are:
1. We can PING 192.168.2.1 and our other devices in VLAN1.
2. We can also ping the internet via IP address (like 22.214.171.124).
3. We can access the internet via IP address.
4. We can access our NAS, GS1900, and our Wifi AP in VLAN1 via IP address.
5. We can access our firewall via IP (192.168.2.1 or 192.168.0.1)
6. We cannot access the internet via domain name.
I feel: DNS is not working in VLAN2.
Just for clarification -
Are you saying that DNS doesn't work at all,
or are you saying that it doesn't work on VLAN2 ?
If it is just VLAN2 that isn't working,
then, depending on how your FortiGate is set up,
it might be a fairly simple fix.
I don't know what you have for DNS Server settings
inside of your FortiGate.
I wasn't able to find the FortiGate 30E manual on-line,
but I found a screen-shot from a FortiGate 600.
The process should be similar on the 30E.
See the screen-shot below. . .
You probably have an entry, like the one listed for Port 10, in the example above.
I can see two scenarios here. . .
I don't know how the FortiGate 30E works its magic,
so this first one is hypothetical -
When you add a VLAN on to a port, some routers will
automatically create multiple (new) interfaces for that port.
Ubiquiti, for example, will create something similar to this -
Eth1 << Ethernet Port 1
Eth1.1 << VLAN1 on Port 1
Eth1.2 << VLAN2 on Port 1
Again, without knowing the specifics of the FortiGate 30E,
if you click on the drop-down box under "Interface", you might
see something similar to above.
If that is the case, then simply selecting "Port1" by itself
might enable DNS listening on all of your VLANS.
However, it is equally as likely that you may have
separate interface entries in your drop-down list.
If that is the case, then you'd simply click on "Create New"
under the "DNS Service on Interface" setting, and add a new
entry, with settings identical to the one that is already there.
Then simply choose VLAN2 as the interface.
Let me know how that goes.
If it doesn't work, see if you can post a screen-shot of your
FortiGate DNS server entries, and include a view of the
drop-down menu for "interfaces".
Yes, our problem is DNS just doesn't work on VLAN2.
I just checked and found there is nothing in the DNS server entries.
I have added one and selected our VLAN2 in the drop-down box under "Interface". (Other options are 'lan', 'wan', and 'SSL VPN'). I'll see if it works in the office tomorrow morning.
Our DNS still doesn't work on VLAN2. (We can ping an outside IP but we cannot access an outside website via domain name)
Here are the screen shots (sorry in Chinese):
Yeah, I had forgotten that you said that your network uses
external DNS servers directly.
I think what that means is that (on VLAN1),
your DHCP server is probably handing out the
external DNS servers to each of your computers.
I think what you'll want to do there then
is to manually assign a DNS server on your
phone system itself.
(I don't think the individual phones need DNS,
though I could be mistaken.)
Or, if you wanted to see if it is somehow
a firewalling issue, you could connect a PC/Laptop
to the "diagnostic" port that I was talking about earlier,
and, once you confirmed it was on VLAN2,
you could try dropping to a DOS prompt,
and doing something like. . .
NSLOOKUP - 126.96.36.199
To see if Google DNS servers respond.
At the NSLOOKUP prompt, try resolving www.ebay.com,
or some other website.
edited February 18
We have tried your last steps using the PING command. And yes, we can get 188.8.131.52 to respond, but it fails if we ping a domain name. I feel we should add a DNS to our whole VLAN2, not only the phone system. I know we can set the DNS in the phone system and in the PC individually. Can we set the DNS in the firewall and apply it to all devices in VLAN2?
It looks like you should be able to create a DNS server service
on the FortiGate, and then assign the listen-on interface to be
"VLAN for Voice"
Then, you should be able to manually set your VLAN2 devices
to use 192.168.2.1 as their DNS server.
(The only way to automatically apply it to all devices
would be via DHCP, of course.)
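
Added example, not part of the original thread and not vendor code: a small Python probe for the check discussed above, run from a PC on the VLAN2 test port. It sends one DNS query straight to a chosen resolver and tells a silent drop (no listener or a blocking policy) apart from a refusal or a working answer. The function names are this example's own; the defaults 192.168.2.1 and www.ebay.com are the values mentioned in the posts.

```python
import socket
import struct
import sys

RCODES = {1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, txid=0x1234):
    """Build a minimal DNS A-record query (RFC 1035), recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # type A, class IN

def classify_reply(reply, txid=0x1234):
    """Turn a raw DNS reply into a short diagnosis string."""
    if len(reply) < 12:
        return "malformed reply"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if rid != txid or not flags & 0x8000:
        return "unexpected packet (ID mismatch or not a response)"
    rcode = flags & 0x000F
    if rcode != 0:
        return f"resolver answered with {RCODES.get(rcode, rcode)}"
    return f"resolver answered, {ancount} record(s)"

def probe(server, name, timeout=3.0):
    """Send one query to `server` on UDP/53 and classify what comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (server, 53))
            reply, _ = s.recvfrom(512)
        except socket.timeout:
            return "no reply: nothing listening on UDP/53, or a policy drops it"
        except OSError as exc:  # e.g. ICMP port unreachable, no route
            return f"send/receive failed: {exc}"
        return classify_reply(reply)

if __name__ == "__main__":
    # Defaults are the gateway address and test hostname named in the thread.
    server = sys.argv[1] if len(sys.argv) > 1 else "192.168.2.1"
    name = sys.argv[2] if len(sys.argv) > 2 else "www.ebay.com"
    print(f"{server}: {probe(server, name)}")
```

Running it once against the VLAN2 gateway and once against the ISP's resolver shows whether the firewall's DNS service or the VLAN2-to-internet policy is the part that fails.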