Port link from VPN300 on V4.60 causes VLAN problems for USG60W

PeterUK
PeterUK Posts: 2,651  Guru Member
edited April 2021 in Security

So this is the setup

[Image: v9lqvcve2wox.png (2590×2455), hosted on v-cdn.net]


What's not shown is VLANs 6, 53, 443 on base port LAN1, with tagged ports 1 and 2 on the NETGEAR M4100-D12G for the VLANs.

On the USG60W:

VLAN6: 192.168.255.241/255.255.255.192

VLAN53: 192.168.53.11/255.255.255.240

VLAN443: 192.168.44.6/255.255.255.248


So with the VPN300 on V4.60, when I ping 192.168.53.11 from 192.168.53.2 I get timeouts. If I inactivate ge6 on the VPN300, same problem, but here is where things get odd: if I unplug ge6, then ping to 192.168.53.11 works! I go back to V4.39(ABFC.0)ITS-WK38-r96153 with ge6 plugged in and active, no problem.


Comments

  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    @PeterUK
    When the issue occurs, can you packet capture the VLAN53 interface and the VPN300's ge6 to check further?
  • PeterUK
    PeterUK Posts: 2,651  Guru Member

    So I have gone back to V4.60 for more testing and things get odder: if I unbind the MAC rule on the Netgear M4100-D12G, G2toG3, which mirrors the ARP, then ping works fine, but if I bind G2toG3 and put a switch between the VPN300 G6 port and Netgear M4100-D12G port 3, that works too!

    So what's going on here? I can connect the VPN300 G6 port to Netgear M4100-D12G port 3 on V4.39(ABFC.0)ITS-WK38-r96153 fine, but with V4.60 I need a switch between the VPN300 G6 port and Netgear M4100-D12G port 3 for the same setup to work!


  • PeterUK
    PeterUK Posts: 2,651  Guru Member
    Tried 460ABFC0ITS-WK48-r97191, same problem.
  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    edited December 2020
    @PeterUK
    Regarding this case,
    we would like to compare the routing trace and IP route in the issue situation and in the non-issue environment on the USG60W and VPN300. Please private message the compared results you have got.
    Reproduce the issue:
    Ping from 192.168.53.2 to 192.168.53.11 continuously. Go to the USG60W's and VPN300's routing traces and press capture. Then screenshot the result.
    Type "show ip route" via console.
    EX:


  • PeterUK
    PeterUK Posts: 2,651  Guru Member

    I think I might know the cause of this and the change between V4.39 and V4.60: the ingress on ge6 is not filtering untagged and tagged packets, so for ge6 there are no VLANs on its base port, but V4.60 is seeing these tagged VLAN packets and causing the problem instead of dropping them?


  • PeterUK
    PeterUK Posts: 2,651  Guru Member
    So this is a mystery and the case is left open as to why everything works fine with V4.39, so I have done it another way to DHCP the LAN, which works with V4.60.
