Losing internet connection when attaching an additional interface

RichardSteiner Posts: 9
edited April 2021 in Security
Hello!

We have a Zyxel USG Flex 500 with 8 ports (one fiber, 7 RJ45). The fiber port (port 1) is not used. Port 2 is used as a WAN port (configured as external); PPP is not configured, since that is done on a router managed by our provider. Port 3 is connected to our LAN (configured as internal) over a switch. This is working well so far and everyone has internet access.

Now I would like to connect Port 4 and Port 5 of the firewall to a server used for virtual machines (Hyper-V). This server has 7 ports. One port is connected to the switch, so that the server has internet access. Two additional ports on this server could be used to connect to the firewall. Ports 4 and 5 are configured as internal, and are mapped to their own zone on the firewall. As soon as I connect the server to one of the ports 4 or 5, I have some packet loss if I ping the internet. If I connect the server to both ports 4 and 5, then I lose the internet connection completely. I also did a ping directly on the firewall from the CLI. Even that ping is not working anymore. For ports 4 and 5 I used one cable for each port directly, without a switch in between.

The target of the whole setup is that I can create 2 VMs on the server, each of them mapped to a dedicated interface of the server which is connected to a dedicated interface on the firewall. This way I can create firewall rules for those VMs.

Does anyone have an idea why the WAN interface goes down?

Many thanks!

Accepted Solution

  • RichardSteiner Posts: 9
    Answer ✓
    In the meantime we did further testing with the firewall. My assumption is currently a hardware failure.

    To do further testing we reset our firewall to the default configuration, by pressing the reset switch until the system LED starts flashing. P2 (WAN1) I connected to our gateway. On P4 (LAN1), with DHCP enabled, I connected my laptop and got the IP 192.168.1.33. The firewall has 192.168.1.1. Over the web access I answered all questions of the wizard, entered a static IP for the firewall on WAN1 and the gateway address. Afterwards I had access from my laptop to the internet. On the CLI of the web interface I entered "ping google.com forever". The ping was working, no packet loss. Then I connected a little 8-port Zyxel (GS-108B v2) switch to P5, with no other devices connected to that switch. I did again a ping from the firewall with the following result:

    --- google.com ping statistics ---
    12 packets transmitted, 4 received, 66% packet loss, time 11002ms
    rtt min/avg/max/mdev = 3.420/3.769/4.175/0.308 ms

    Then I connected a second 8-port Zyxel switch to P6, and then I had 100% packet loss, so I lost the connection to the web interface from my laptop. Then I unplugged the two switches, and the firewall was working again as expected. Then I plugged in the switches on P7 and P8, which led again to a total outage without reaching the web interface anymore. I tested further ports, always with the same result. As soon as one switch was connected, I had packet loss, and with two switches connected I lost the connection completely.

    So now I have to convince the support that this strange situation really happened, so that we hopefully get a replacement device.

    Please, if anyone still has an idea what could cause this issue, or if someone has any idea what I could try out next, please answer me.

    Kind regards

    Richard

All Replies

  • PeterUK Posts: 2,653  Guru Member
    edited March 2021
    So you lose ping to the internet on port 3 when connecting ports 4 and 5?

    Are the internal subnets not conflicting? 
  • PeterUK said:
    So you lose ping to the internet on port 3 when connecting ports 4 and 5?

    Are the internal subnets not conflicting? 
    Each internal interface has its own subnet with a 24-bit subnet mask. They are not overlapping.

    I don't know where to start to look for this issue. I could imagine that a security feature could be the cause, but I don't know what it could be.
  • I simplified the setup.
    Port2: WAN
    Port3: Switch with office network
    Port4: Laptop1
    Port5: Laptop2

    Port4 Config:
    192.168.30.1/24, DHCP enabled

    Port5 Config:
    192.168.40.1/24, DHCP enabled

    When I connect one of the laptops (doesn't matter which one), they get a correct IP from the DHCP, but I start to lose packets if I ping the internet. I can also ping the laptop from the office network, but also some packets get lost. If I connect both laptops, the internet connection is dead.

    Can somebody give me a hint what that could be?
  • dkyeager Posts: 69  Ally Member
    edited April 2021

    Can somebody give me a hint what that could be?
    What zones are assigned to your ports? I have ports 2 & 3 as WAN1, ports 4 & 5 as LAN1 without issues on my USG Flex 500 4.62. Port 6 is also LAN1, ports 7 & 8 are DMZ. On another USG Flex 500 I use ports 1, 2, and 3 as WAN ports. I avoid the OPT zone for historical reasons. VLANs are on one but not the other. Both work great.
  • dkyeager said:

    Can somebody give me a hint what that could be?
    What zones are assigned to your ports? I have ports 2 & 3 as WAN1, ports 4 & 5 as LAN1 without issues on my USG Flex 500 4.62. Port 6 is also LAN1, ports 7 & 8 are DMZ. On another USG Flex 500 I use ports 1, 2, and 3 as WAN ports. I avoid the OPT zone for historical reasons. VLANs are on one but not the other. Both work great.
    I created new custom zones for each interface. I will try out what happens if I just use the predefined zone LAN1 on ports 4 and 5.

    Thanks for your help!
  • Zyxel_Can Posts: 342  Zyxel Employee

    Hi @RichardSteiner,

    Can you share some information with us:

    1. What's the switch's model name and firmware version?

    2. Can you check if you activated Loopguard in the switch?

    3. Did you check the related log in the switch?

    4. Can you draw a detailed topology with IP addresses on it?

    5. Can you capture packets for the WAN1 and LAN interfaces?

    Best regards.
  • RichardSteiner Posts: 9
    edited April 2021
    dkyeager said:

    Can somebody give me a hint what that could be?
    What zones are assigned to your ports? I have ports 2 & 3 as WAN1, ports 4 & 5 as LAN1 without issues on my USG Flex 500 4.62. Port 6 is also LAN1, ports 7 & 8 are DMZ. On another USG Flex 500 I use ports 1, 2, and 3 as WAN ports. I avoid the OPT zone for historical reasons. VLANs are on one but not the other. Both work great.
    I created new custom zones for each interface. I will try out what happens if I just use the predefined zone LAN1 on ports 4 and 5.

    Thanks for your help!
    Using the predefined Zones did not solve the issue. 

    Zyxel_Can said:

    Hi @RichardSteiner,

    Can you share some information with us:

    1. What's the switch's model name and firmware version?

    2. Can you check if you activated Loopguard in the switch?

    3. Did you check the related log in the switch?

    4. Can you draw a detailed topology with IP addresses on it?

    5. Can you capture packets for the WAN1 and LAN interfaces?

    Best regards.
    1. The switch model is an HP V1910-24G (Software Version 5.20).
    2. Spanning-Tree is active on the switch. As you can see in the picture below, the switch does not really matter in this case (at least as far as I can see).
    3. Yes, nothing special.
    4. The simplified topology. As soon as I connect the two laptops, the connection to the internet is gone. If one laptop is connected, some packets are lost. The ping is done on the firewall itself towards google.com.
    5. If it's possible to do a tcpdump on the Zyxel itself, it should be possible. But I would prefer not to disclose the dump on the internet, if possible.

    I already tried different IP ranges for the subnets, like 192.168.x.0/24. No overlapping of the subnets. The default gateway is only set on Port2 (WAN).

    I still hope for some ideas. Many thanks for reading!
  • mMontana Posts: 1,298  Guru Member
    Port2 static ip is part of any of the other subnets?
    Is Port1 disabled?
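As an added example (not code from the thread or from Zyxel), a small Python check for the two diagnostics raised in this thread: PeterUK's and mMontana's question whether any subnet overlaps or contains the WAN address, and the per-scenario packet loss from the accepted solution's "ping google.com forever" test. The Port4/Port5 subnets and the 66% ping summary come from the thread; the WAN and office subnets and the other two ping summaries are constructed assumptions.

```python
import ipaddress

# Constructed model of the interfaces described in the thread. The provider subnet on
# Port2 and the office LAN on Port3 are not stated, so those two are assumptions.
INTERFACES = {
    "Port2 (WAN)": "203.0.113.10/29",      # assumed provider subnet (documentation range)
    "Port3 (office)": "192.168.10.1/24",   # assumed office LAN
    "Port4 (Laptop1)": "192.168.30.1/24",  # from the post
    "Port5 (Laptop2)": "192.168.40.1/24",  # from the post
}

# Constructed ping summaries per test scenario, in the format the firewall CLI printed.
# Only the "one switch" line is verbatim from the accepted solution.
SCENARIOS = {
    "baseline": "12 packets transmitted, 12 received, 0% packet loss, time 11001ms",
    "one switch on P5": "12 packets transmitted, 4 received, 66% packet loss, time 11002ms",
    "two switches on P5+P6": "12 packets transmitted, 0 received, 100% packet loss, time 11003ms",
}

def subnet_conflicts(interfaces, wan_name="Port2 (WAN)"):
    """Return (overlapping interface pairs, internal subnets that contain the WAN address)."""
    nets = {n: ipaddress.ip_interface(c).network for n, c in interfaces.items()}
    names = sorted(nets)
    overlaps = [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
                if nets[a].overlaps(nets[b])]
    wan_ip = ipaddress.ip_interface(interfaces[wan_name]).ip
    wan_inside = [n for n in names if n != wan_name and wan_ip in nets[n]]
    return overlaps, wan_inside

def parse_loss(summary_line):
    """Loss percentage from an 'N packets transmitted, M received, ...' ping summary line."""
    sent = int(summary_line.split(",")[0].split()[0])
    recv = int(summary_line.split(",")[1].split()[0])
    return round(100.0 * (sent - recv) / sent, 1)

def degraded_scenarios(scenarios, baseline="baseline", tolerance=5.0):
    """Scenarios whose loss exceeds the baseline by more than `tolerance` percentage points."""
    base = parse_loss(scenarios[baseline])
    return {name: parse_loss(line) for name, line in scenarios.items()
            if name != baseline and parse_loss(line) - base > tolerance}

if __name__ == "__main__":
    print(subnet_conflicts(INTERFACES))    # no conflicts for the addresses above
    print(degraded_scenarios(SCENARIOS))   # both switch scenarios flagged
```

Swapping in the real WAN and office subnets answers the overlap question directly; a clean result there, with loss still rising per attached port as in the accepted solution, points away from addressing and toward the hardware.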
  • PeterUK Posts: 2,653  Guru Member
    edited April 2021

    Your drawing does not seem to match up with what you're saying....

    Try with a PC/laptop only on ports 3, 4 and 5; if that works, add the switch to port 3 with just a PC/laptop on the switch.


  • RichardSteiner Posts: 9
    edited April 2021
    mMontana said:
    Port2 static ip is part of any of the other subnets?
    Is Port1 disabled?
    The physical port 1 is for fiber, but no SFP module is installed.

    The RJ45 ports are starting with 2.

    Yes, it is a small subnet from the provider. In the Zyxel firewall it's statically configured: IP, gateway, correct subnet mask, and the two DNS servers. Very standard setup.
