Router on a stick? How to accomplish with a TZ router?
Hello,
Thank you first and foremost for your time and attention.
I have read various posts about this and am unable to get it to work. When I look at my sonicwall's packet monitor, it's dropping my ping attempts as "unknown ether type", and I think that's happening at Layer 2.
I'm trying to segment my switching environment into the following VLANs :
VLAN 1 default VLAN, internet access
VLAN 5 management VLAN, no internet access, not accessible from other VLANs
VLAN 10 untrusted VLAN, internet access only, no access to / from other VLANs
VLAN 20 slightly trusted VLAN internet access and limited access to VLAN 1
I am using Netgear ProSafe switches. I think I know how to configure the switches, but I don't understand what I'm missing on the Sonicwall TZ
I have configured uplink port 50 on the switch to tag traffic from VLAN10 and VLAN1, and made ports 10-13 Untagged members of VLAN10
Port 50 on the switch uplinks to port X0 on the Sonicwall, which is in the LAN zone.
I tried creating a logical interface with PVID of 10 and giving that its own new ZONE, but was unable to pass traffic to the internet, despite creating an access rule allowing any from VLAN10 to WAN. I am also unable to get a ping reply from the X0:V10 interface I created, though I enabled ping and gave it an IP which my test machine was on the same subnet with....
What am I missing here? Has anyone managed to accomplish this?
I realize that I can "give up" and use a dedicated uplink port on the TZ400 for each VLAN, but I will now be out of ports entirely and would like to avoid that. This isn't a terribly non-standard thing I'm doing, right?
Thanks in advance
BM
Best Answer
BartMan
ADDITIONAL UPDATE:
This is working now. The Internet access issue was caused by a routing table fubar on my test box, rebooting it fixed that problem. The initial issue was caused by my own mistake of which uplink I was configuring on the switch. The sonicwall and netgear were not to blame. The configuration is sound, though there were a couple of other issues (interface trust, make sure the VLAN zone is not public).
😎
CONCLUSION:
The trouble was all in my head, the KB was not wrong and router on a stick with a TZ totally works.....
I leave us with the following bit of wisdom (largely because I need to hear it right now) 🧐
Yoda:
So certain, are you? Always with you, it cannot be done. Hear you nothing that I say?
Luke:
Master, moving stones around is one thing, but this is... totally different!
Yoda:
No! No different! Only different in your mind. You must unlearn what you have learned.
Luke:
All right, I'll give it a try.
Yoda:
No! Try not. Do... or do not. There is no try.
[Luke tries to use the Force to levitate his X-Wing out of the bog, but fails in his attempt.]
Luke:
I can't. It's too big.
Yoda:
Size matters not. Look at me. Judge me by my size, do you? Hmm? Hmm. And well you should not. For my ally is the Force, and a powerful ally it is. Life creates it, makes it grow. Its energy surrounds us and binds us. Luminous beings are we, not this crude matter. You must feel the Force around you; here, between you, me, the tree, the rock, everywhere, yes. Even between the land and the ship.
Luke:
You want the impossible. [sees Yoda use the Force to levitate the X-Wing out of the bog and gets flustered when he does it] I don't... I don't believe it!
Yoda:
That is why you fail.
Answers
Did you create the VLANs on the firewall before you created the VLANs on the switches? I had this issue with the same switches and I found that if I created the VLANs on the firewall first with the DHCP pool then I could get it to work correctly, otherwise the switch wouldn't be able to see the default gateway for that VLAN. This was precisely why we decided not to keep using netgear switches actually
Hi @BartMan, VLAN 1 should be untagged on the uplink and the other VLANs 5, 10 & 20 should be tagged; any VLAN sub-interface on the SonicWall should always be tagged on the uplink from the switch.
If you want to ping the interfaces, make sure you have a rule set, i.e. from LAN to VLAN5 (management zone) X0:V5 IP for ping set to allow, or just tick enable management on the Advanced tab in the default any allow access rule.
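The layout Preston describes (VLAN 1 untagged on the uplink, each VLAN with a sub-interface tagged, and a zone-to-zone rule for every pair) can be modelled in a few lines. This is an added example, not code from the thread or from SonicWall or Netgear; the sub-interface and zone names, the frame layout and the policy table are assumptions built from the original post's requirements.

```python
import struct

ETHERTYPE_VLAN = 0x8100
KNOWN_ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}

# Constructed model of the thread's layout: X0 carries VLAN 1 untagged and
# VLANs 5/10/20 as tagged sub-interfaces, each in its own zone.  Sub-interface
# and zone names are assumptions for illustration, not SonicWall defaults.
SUBIF = {None: ("X0", "LAN"), 5: ("X0:V5", "MGMT"), 10: ("X0:V10", "UNTRUSTED"),
         20: ("X0:V20", "SEMITRUST")}
# Zone pairs permitted by the original post's requirements (VLAN 20 -> VLAN 1
# is modelled as fully allowed; the post only says "limited").
ALLOW = {("LAN", "WAN"), ("UNTRUSTED", "WAN"), ("SEMITRUST", "WAN"),
         ("SEMITRUST", "LAN")}

def build_frame(dst, src, ethertype, vid=None):
    """Build a minimal Ethernet II header, inserting an 802.1Q tag when vid is set."""
    tag = struct.pack("!HH", ETHERTYPE_VLAN, vid & 0x0FFF) if vid is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype)

def parse_frame(frame):
    """Return (vid, ethertype); vid is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("short frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_VLAN:
        return None, ethertype          # untagged: belongs to the native VLAN
    if len(frame) < 18:
        raise ValueError("short 802.1Q frame")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner          # low 12 bits of the TCI carry the VID

def ingress(frame):
    """Map a frame arriving on X0 to a sub-interface/zone, or explain the drop."""
    vid, ethertype = parse_frame(frame)
    if vid not in SUBIF:
        return None, "drop: VID %d has no sub-interface on X0" % vid
    if ethertype not in KNOWN_ETHERTYPES:
        return None, "drop: unknown ether type 0x%04x" % ethertype
    return SUBIF[vid], "accept on %s (%s)" % SUBIF[vid]

def forward(frame, dst_zone):
    """Ingress classification followed by the zone-to-zone access check."""
    subif, why = ingress(frame)
    if subif is None:
        return why
    src_zone = subif[1]
    if src_zone == dst_zone or (src_zone, dst_zone) in ALLOW:
        return "forward %s -> %s" % (src_zone, dst_zone)
    return "deny %s -> %s" % (src_zone, dst_zone)
```

A host on an untagged VLAN 10 access port only reaches X0:V10 if the switch tags its frames with VID 10 on the uplink; the same frame tagged with a VID that has no sub-interface is dropped before any access rule is consulted.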
Thanks for your suggestion Preston, but I'm not looking to reach the VLAN I spent a lot of time outlining (VLAN10) from the LAN zone. What's failing to happen is that I cannot pass traffic through X0:V10 to the WAN from a node attached to an untagged port which is a member of VLAN10 - DESPITE an access rule allowing any from X0:V10 to WAN (I gave X0:V10 its own zone to separate it from the LAN, per requirements). Also, I can't even ping the X0:V10 logical interface from a node (with static IP assigned on the VLAN10 subnet) that is connected to one of the untagged VLAN10 member ports of the switch. YES, I clicked the box for ping on the settings of X0:V10, and verified that the automatically generated rule allowing ping traffic was created. Yet the TZ's packet monitor only shows frames dropped with "invalid ether type" when I try my ping tests. So, it appears to me that either the TZ is failing to recognize the tagged packets or the switch is failing to tag them. Why is the big mystery. I have used a netgear switch for a VLAN setup with VoIP before, and it worked fine once set, nothing horribly complex involved. Though, admittedly, I didn't have to manage the router in that deployment, just set the tagged / untagged ports on the switch and marveled at the apparent simplicity.
Hmmm, that's an interesting possibility, thanks Drew. I'll give that a try and report back.
Yea I thought it was really weird. It took me 4 hours to figure it out. It was one of the most frustrating things ever. I hope that works for you!
Hi Drew,
No luck trying to set up the DHCP scopes on the Sonicwall first, unfortunately.
Could you re-confirm with me how you have your Netgear switch set? Just for the sake of my sanity.
Also, unfortunately the Sonicwall support agent I spoke with wasn't able to provide ANY Layer 2 insight whatsoever. He pretty much focused on Layer 3 exclusively, despite lots of polite nudges from me that we needed to confirm the Layer 2 functionality, because that's where I thought the problem appeared to be.
His response was: "so you're saying it's a hardware issue?" Frustrating. He also suggested that the NSA product line was what was really required to get granular control over switching. But, I was welcome to call back if I found anything new. I could go on a loonnnng rant here. I worked product support on the phones for a couple of years, and I have many years in customer service. I usually know when someone's full of it and trying to end the call without getting in trouble vs. genuinely being helpful. But, he did help me locate that I'd neglected to set the new subif as trusted (though the packet monitor probably would have caught that...)
Granted, it's been some time since completing my CCNA, but I did it the old-fashioned way (studied the cisco course material only), and completed a CCNP boot camp as well, so I'm not completely out of my scope here, just rusty.
I guess at this point I'm just going to confirm that I can trunk back and forth between two switches before I get rid of my Sonicwall for something a little fancier. Hopefully it won't come to that. Sonicwall has added many good features over the years, but if they can't Layer 2 properly, and if support is this impotent with no escalation path, then.....well. I'll have to find something else that can fill those gaps better.
UPDATE (partially working now, my fault):
Well, so far I found something I missed and discovered that I CAN now ping the Sonicwall's X0:V10 interface successfully while hooked up to an untagged member port on VLAN10, and I can also get DHCP from the Sonicwall's DHCP server successfully.
STILL BROKEN:
Not able to browse internet. Oddly, I can do DNS lookups successfully.
But, I can't ping past the gateway I've configured, and the TZ's packet monitor does not see my attempted pings to the internet, only my successful pings to the X0:V10 interface.
REVIEWED:
Confirmed that I have an access rule that allows ANY from X0:V10 to WAN.
Confirmed that I have a default gateway set on my test machine.