GS1900-48HP Voice VLAN stopped working after firmware upgrade. . .


All Replies

  • YiHsien
    Hi Tim,

    Thanks for the instructions.

    We are using FortiGate 30E. I think the approach of setting VLAN is the same as VM64 except that only 'lan' or 'wan' can be selected in the 'interface' menu. We will select 'lan.'

    You said
    'modify TWO network ports, as follows -
    VLAN2, PVID2, Untagged
    VLAN1 Forbidden.'

    I am a little bit confused here. I don't understand the meaning of 'modify' here. Do we need to reserve two ports on the GS1900 for the NEC controller with the above settings, while all other ports on the GS1900 are still 'VLAN1, PVID1, Untagged. VLAN2, Tagged'? Why does our phone controller need different VLAN settings from the IP phones?

    There does exist a manual VLAN setting inside the NEC phones. So it is not a bad idea to set it inside the phones?

    BTW, I guess it is very important that we need a subnet for IP phones to successfully establish the Voice-VLAN, but I am still curious why can't we let the phone system stay in the same subnet with our PCs and other devices?

    Finally, we are using external DNS server provided by our ISP.

    Regards,
    Yi-Hsien
  • TiggerLAS
    If you are placing your IP phones onto a different VLAN/subnet
    from the rest of your office equipment, it is best to have the phone controller
    on that same VLAN/subnet to facilitate communication.

    Yes, you COULD keep the phone controller on VLAN1,
    and then set up firewall and routing rules on the FortiGate
    to allow them to communicate via NAT,
    but you'll take a performance hit.

    Generally speaking, data between devices
    on the same VLAN will move transparently
    across your network switch at top speed.

    However, data on VLAN1 can only reach devices
    on VLAN2 (and vice-versa) via your router.

    Not only will that increase the workload on your router,
    but it will reduce the amount of bandwidth you have on
    the network cable between your router and your switch.

    In our office, our phone system controller, and all of our phones
    are on VLAN2.  They communicate directly with each other via
    the network switch, so they're not contending for bandwidth.

    A firewall rule allows the phone system to reach the internet
    as needed, as well as letting us reach the phone system's
    web interface.   However, this traffic is minimal, and has
    virtually no impact on network bandwidth.

    -------------------------------------------------------------------------
    Ports -

    Yes, if the phone system controller is to be moved to VLAN1,
    then it will need its own port set up, as VLAN2, PVID2, Untagged.

    Some phone system controllers don't have a static VLAN setting,
    and instead rely upon the port of the network switch to handle
    the VLAN tagging.

    By assigning a dedicated port for your phone system,
    and setting the port to VLAN2, PVID2, Untagged,
    the data sent from the phone system will ultimately
    get tagged for VLAN2.  Trust me, it just works.

    Temporarily setting up an extra port the same way
    will allow you to plug in an ordinary PC or laptop,
    and gain access to the VLAN2 subnet for testing purposes.

    --------------------------------------------------------------------------------

    I guess I should have asked a long time ago. . .

    What is prompting you to move your IP phones to a VLAN?



  • YiHsien
    We want to move our IP phones to VLAN because our calls are breaking up on IP phones and we think moving to VLAN might solve this problem.

    I agree that we should put the phone controller and phones on the same VLAN2.

    And I guess the key part to make VLAN2 work is the VLAN2/subnet setting on our FortiGate firewall, am I right?

    BTW, how can VLAN2 get internet access while using an external DNS from our ISP?

    Thank you.
  • YiHsien
    edited February 2021
    We are now in step 3. 
    And I have added some policies to allow traffic from VLAN1 to VLAN2, VLAN2 to VLAN1, and VLAN2 to Internet. 
    The results are:
    1. We can PING 192.168.2.1 and our other devices in VLAN1.
    2. We can also ping the internet via IP address (like 8.8.8.8).
    3. We can access the internet via IP address.
    4. We can access our NAS, GS1900, and our Wifi AP in VLAN1 via IP address.
    5. We can access our firewall via IP (192.168.2.1 or 192.168.0.1)
    6. We cannot access the internet via domain name.


    I feel:  DNS is not working in VLAN2.


    Any advice?
    Thank you.
  • TiggerLAS

    Just for clarification -

    Are you saying that DNS doesn't work at all,
    or are you saying that it doesn't work on VLAN2 ?

    If it is just VLAN2 that isn't working,
    then, depending on how your FortiGate is set up,
    it might be a fairly simple fix.

    I don't know what you have for DNS Server settings
    inside of your FortiGate.

    I wasn't able to find the FortiGate 30E manual on-line,
    but I found a screen-shot from a FortiGate 600.

    The process should be similar on the 30E.

    See the screen-shot below. . .




    You probably have an entry, like the one listed for Port 10, in the example above.

    I can see two scenarios here. . .

    I don't know how the FortiGate30E works its magic,
    so this first one is hypothetical -

    When you add a VLAN on to a port, some routers will
    automatically create multiple (new) interfaces for that port.

    Ubiquiti, for example, will create something similar to this -

    Eth1       << Ethernet Port 1
    Eth1.1    << VLAN1 on Port 1
    Eth1.2    << VLAN2 on Port 1

    Again, without knowing the specifics of the FortiGate 30E,
    if you click on the drop-down box under "Interface", you might
    see something similar to above.

    If that is the case, then simply selecting "Port1" by itself
    might enable DNS listening on all of your VLANS.

    However, it is equally as likely that you may have
    separate interface entries in your drop-down list.

    If that is the case, then you'd simply click on "Create New"
    under the "DNS Service on Interface" setting, and add a new
    entry, with settings identical to the one that is already there.
    Then simply choose VLAN2 as the interface.

    Let me know how that goes.

    If it doesn't work, see if you can post a screen-shot of your
    FortiGate DNS server entries, and include a view of the
    drop-down menu for "interfaces".


  • YiHsien
    Thank you.
    Yes, our problem is DNS just doesn't work on VLAN2.
    I just checked and found there is Nothing on the DNS server entries.
    I have added one and selected our VLAN2 in the drop-down box under "Interface".   (Other options are 'lan', 'wan', and 'SSL VPN').   I'll see if it works in the office tomorrow morning.
  • YiHsien
    Hi 
    Our DNS still doesn't work on VLAN2.  (We can ping an outside IP but we cannot access an outside website via domain name.)

    Here are the screen shots (sorry in Chinese):


  • TiggerLAS
    Gotcha.

    Yeah, I had forgotten that you said that your network uses
    external DNS servers directly.

    I think what that means is that (on VLAN1),
    your DHCP server is probably handing out the
    external DNS servers to each of your computers.

    I think what you'll want to do there then
    is to manually assign a DNS server on your
    phone system itself.

    (I don't think the individual phones need DNS,
     though I could be mistaken.)

    Or, if you wanted to see if it is somehow
    a firewalling issue, you could connect a PC/Laptop
    to the "diagnostic" port that I was talking about earlier,
    and, once you confirmed it was on VLAN2,
    you could try dropping to a DOS prompt,
    and doing something like. . .

    NSLOOKUP - 8.8.8.8

    To see if Google DNS servers respond.

    At the NSLOOKUP prompt, try resolving  www.ebay.com,
    or some other website.


  • YiHsien
    edited February 2021
    We have tried your last steps using the PING command. And yes, we can get 8.8.8.8 to respond, but it failed if we ping a domain name. I feel we should add a DNS to our whole VLAN2, not only the phone system. I know we can set the DNS in the phone system and in the PC individually. Can we set the DNS in the firewall and apply it to all devices in VLAN2?
  • TiggerLAS
    It looks like you should be able to create a DNS server service
    on the FortiGate, and then assign the listen-on interface to be
    "VLAN for Voice"

    Then, you should be able to manually set your VLAN2 devices
    to use 192.168.2.1 as their DNS server.

    (The only way to automatically apply it to all devices
    would be via DHCP, of course.)