01-16-2014 06:33 AM
we've got some issues with the configuration of vlans between a HP 2920-24G switch and a WatchGuard XTM330 Firewall.
We have configured 2 VLANs on the Switch. VLAN-21 and VLAN-24.
VLAN-21 192.168.2.1 Ports 3-12 untagged
VLAN-24 192.168.4.1 Ports 13-22 untagged
We enabled Routing and configured DHCP-Helper IP for DHCP-Server which is in VLAN-21 to work also in VLAN-24.
The Interface on the Firewall which is connected to Port1 of the Switch has the IP 192.168.1.254.
In The Firewall Configuration this Interface is configured as TAGGED with VLAN-21 and VLAN-24.
Also Port1 (2, 23/24) on the Switch is TAGGED with both VLANs (VLAN-21 and VLAN-24).
If we now plug in a client in VLAN-21 or VLAN-24 Port we cannot reach/ping the Firewall (192.168.1.254).
But clients/devices can communicate with each other from VLAN-21 to VLAN-24 and vice versa, that works.
And also the DHCP-Server in VLAN-21 can provide IP-Adresses to clients in the VLAN-24.
We did test several things but do not know why we cannot communicate with the firewall from the VLAN-21 or VLAN-24 on the Switch Side.
Even if we plug the firewall directy to a VLAN-21 or VLAN-24 Port communication is not possibly.
Did we miss something elementary?
Would be great if you could provide us some input what we can do to solve this problem.
Here's the Config of the Switch:
; J9726A Configuration Editor; Created on release #WB.15.12.0010
; Ver #04:01.ff.35.0d:c2
module 1 type j9726a
ip default-gateway 192.168.0.254
snmp-server community "public" unrestricted
snmp-server contact "XXX" location "YYY"
no untagged 13-22
ip address 192.168.1.1 255.255.255.0
ip address 192.168.4.1 255.255.255.0
ip helper-address 192.168.1.1
no dhcp config-file-update
no dhcp image-file-update
Basically we want to achieve, that the Switch does the internal LAN routing, so that the Firewall Load isn't additionally getting stressed by doing LAN routing. Firewall should only do "WAN-Stuff". One Interface from the Firewall should be connected to Switch. And via this Interface both VLANs should exchange their Traffic.
Perhaps there's a better way or other approach to accomplish that!?
Any Ideas and inout is appreciated...
02-03-2014 05:03 PM
Firstly fix the names of your VLANs to match their VLAN numbering to avoid confusion :-)
We could have a simple VLAN1 & VLAN2 for clients as 192.168.1.0/24 and 192.168.2.0/24 make the switch IP 192.168.x.1 in each subnet with a 255.255.255.0 mask.
Or use .2 and .4 it really doesn't matter but tr yand keep it as simple as possible.
Secondly your IP helper address in vlan 2 is pointing to the switch IP in vlan 1? It should be the IP of the DHCP serving server in 192.168.1.x not the switch L3 interface.
Create a third VLAN (say VLAN 99) and put the uplink port of the switch (to the firewall) in vlan99 as an untagged port.
You only need 2 IP addresses in this subnet but lets have some wriggle room just in case we need to do something else with it one day - with 192.168.99.1 255.255.255.248 on the switch and 192.168.99.2 255.255.255.248 on the firewall.
Create a static route 0.0.0.0 0.0.0.0 192.168.99.2
This sends any unknown traffic out towards the firewall / internet.
You should then be routing between VLANs 1& 2 and routing via VLAN99 whenever you need to go elsewhere (via the firewall).
You don't need "tagged" ports in this design as you are routing between all your VLANs which are connected on the same switch.
We found the problem.
It was a missmatch of the vlan name.
I did the switch configuration and my workmate did the firewall configuration.
For me it would be obvious to name the vlans identical on both sides (firewall and switch)
but my workmate thought only vlan id had to be identical.
So this problem is fixed.