USG60 LAN1 virtual interface - cannot ping to LAN1 real IPs, but other IP connectivity to LAN1 works
Hi,
I have several virtual machines sharing one LAN port - LAN1. LAN2 is used for another purpose. I would like some of the virtual machines to use a subnetwork different from what is configured on LAN1. I would also like them to ignore DHCP from LAN1. I added a virtual interface using a different subnet (192.168.10.x versus 192.168.1.x), and then added a host on the virtual interface (static IP) that has connectivity to the real LAN1, but I cannot ping hosts on the real LAN1 subnet. File shares work but ping does not. Of course, DHCP hosts on the LAN1 continue to get DHCP leases from the LAN1 pool.
I added a static route but could not ping from LAN1:1 to LAN1. Is there anything I can do on the USG60, to leave LAN2 unchanged, and have two other subnets on LAN1 with IP and ICMP connectivity? I do not necessarily need all the virtual machines to use LAN1, but I do not know of any other way to get the virtual machines on a different subnet. There is a DMZ Ethernet port, but I am ignorant about Zyxel zone routing and don't feel comfortable trying to "re-purpose" it on my own.
Thanks.
All Replies
-
What you're trying to do likely does not work; you need to do a VLAN on LAN1 with a VLAN switch.
-
Just to be sure, all of the connectivity between LAN1 and LAN1:1 works, except for ping. This isn't really critical per se, but it would help to test connectivity when changes are made in the virtual machines. I have a few security policy rules configured for VPN and they work OK. I don't think these policies are blocking ICMP but you never know.
Thanks.
-
Well, maybe I'm wrong or don't get your setup; maybe drawing out your setup would help.
Do the logs show dropped ICMP?
What NAT rules do you have?
-
Thank you very much for the follow up. I appreciate it. I don't think it's a Zyxel issue and probably should have started a packet trace but I'm a little short on time.
Just FYI, I was testing Windows Server WinRM connectivity to non-domain servers when I noticed the problem. I had added firewall rules in the VMs but ping kept failing. I bludgeoned through and just joined the VMs on the domain, and just like magic they are pingable. I'll start over at some point and just disable the Windows Firewall service to test this again and really see "what's what". I should have done that before - thanks for your help. Again it is appreciated.
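Added example, not part of the thread or any poster's code: a read-only PowerShell check of the inbound ICMPv4 rules on a VM that does not answer ping, as an alternative to disabling the firewall service for the test. It assumes the Windows Firewall on the VMs is what drops the echo requests (the thread suggests this but does not confirm it) and a /24 mask for the 192.168.10.x subnet; the rule name in the last step is hypothetical.

```powershell
# Run in an elevated PowerShell session on the VM that does not answer ping.

# 1. Which firewall profile does each adapter use (DomainAuthenticated, Private, Public)?
#    Joining a domain moves the adapter to the domain profile, which has its own rule set.
Get-NetConnectionProfile |
    Select-Object InterfaceAlias, NetworkCategory, IPv4Connectivity

# 2. Is the firewall on for each profile, and what happens to unmatched inbound traffic?
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction

# 3. List every inbound ICMPv4 rule with its profile and remote-address scope.
#    A RemoteAddress of LocalSubnet only matches senders on the VM's own subnet,
#    so an echo request from 192.168.10.x to a 192.168.1.x host would not match it.
Get-NetFirewallRule -Direction Inbound |
    ForEach-Object {
        $rule = $_
        $port = $rule | Get-NetFirewallPortFilter
        if ($port.Protocol -eq 'ICMPv4') {
            $addr = $rule | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Name          = $rule.DisplayName
                Enabled       = $rule.Enabled
                Action        = $rule.Action
                Profile       = $rule.Profile
                IcmpType      = $port.IcmpType -join ','
                RemoteAddress = $addr.RemoteAddress -join ','
            }
        }
    } |
    Sort-Object Profile, Name |
    Format-Table -AutoSize

# 4. If step 3 shows the echo rule is disabled or scoped too narrowly, allow echo
#    requests from the second subnet only, rather than turning the firewall off.
#    Assumptions: 192.168.10.0/24 is the LAN1:1 subnet; the display name is made up.
New-NetFirewallRule -DisplayName 'Allow ICMPv4 echo from LAN1:1 (example)' `
    -Direction Inbound -Action Allow `
    -Protocol ICMPv4 -IcmpType 8 `
    -RemoteAddress 192.168.10.0/24 `
    -Profile Private, Public
```

Steps 1 to 3 change nothing on the host; step 4 can be undone with `Remove-NetFirewallRule -DisplayName 'Allow ICMPv4 echo from LAN1:1 (example)'`.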