VLans Not Working
Zyxian
Newbie ✭
Hello All.
I have a TZ350. On three ports I've created VLANs. All ports and VLANs are in their own zone. Each zone is connected to a web server. The NAT and Access Rules are the same for all ports/VLANs. On the ports that are not a VLAN, the websites come up. The websites on a VLAN do not come up. Those servers show "No Internet Connection".
I numbered my VLANs by adding a number after the port number, i.e. X3:V31, V32 - X5:V51 V52 etc. (Since the internal VLANs start at 3968 I figured they could be numbered like this) I didn't assign a server to either port X3 or X5.
As a test, I moved what was on X3:V32 to X3 and the server got internet connection (didn't move everything to get the website up. Moved it back to V32)
I also changed Access Rules for a VLAN to be completely open but still no access
Is there something different that needs to be done for VLANs?
Zyxian
Answers
Does this work at the lowest level? I.e., when you move your server into the VLAN, do you see ARP entries on the firewall for it on the expected interface?
If you don't see any ARP entries then start a packet capture on that VLAN and see if there is anything there at all.
Arkwright,
When I do an arp -a -v I'm getting:
10.34.69.2 00-00-00-00-00-00 invalid
That is the address/gateway for the VLAN. I have PING enabled for that VLAN. When I do ping, I get destination unreachable.
What does Generated mean? Why doesn't the dropped ping requests show the VLAN?
Again, both policies, NAT and Access, are exactly the same as the ones on just the ports. I can ping the gateway address on the port only servers.
I know that you have to reboot the firewall if you make changes to the internal VLAN. So I rebooted hoping that was the missing piece but nothing changed.
You left out the bit of the capture that would show why it's dropped - my guess is that the packets aren't coming in on VLAN 34 [but then surely ingress would be "X3" not "--"].
I am not sure about the references to "internal VLANs". I've never need to mess with that when adding VLANs to a Sonicwall, but I don't know off the top of my head what the internal VLAN IDs are. I know that when adding a VLAN ID that isn't used internally by the Sonicwall, they work immediately on being added, no reboots required.
Arkwright,
There was nothing to the left so I didn't screen capture that. Here are all the columns:
Rows 1 - 80 are all the same. What do those rows indicate?
Rows 84 - 90 are the server trying to ping the gateway.
What does Generated mean? Does it mean that the gateway just touched the server?
The reference to the internal VLAN was because I saw another topic where someone mentioned internal VLAN and suggested to start his VLAN at 50 so as to avoid a possible conflict. I did some research and found that if you make any changed to it you need to reboot. The default is 3968 (or least that is what mine shows) - Device -> Firewall -> Advance if you want to see. I only rebooted in hopes it would resolve my issue.
Thank you for your help.
Thought I found something but didn't. Couldn't delete the message...
I am guessing it's a TZ370 not TZ350 as those screenshots are from the Gen 7 UI.
You need to click the twisty to see the actual detail in the packet capture.
Arkwright,
It is a TZ370. Thank you catching my typo.
I didn't even notice the spin down arrow ►. When I did spin it open this is the reason:
I had noticed yesterday, in the ARP table that all the MAC Address for VLANS matched the MAC of the parent port. I made the assumption that the parent port would handle getting info to the correct VLAN.
How do I correct this?
I made the assumption that the parent port would handle getting info to the correct VLAN.
Yes - but it seems like your issue here is that the packets aren't coming in on the correct VLAN, hence them being dropped. In the 'Packet Detail - Decode' it does not show the VLAN headers, so if I assume that your packet detail screenshot is associated with the highlighted packet in your first screenshot, then that's the problem.
Yes, I've been using the same server every time.
I do have servers on parent ports that are working. So I copied the NAT and Access rules for the parent to each VLAN not knowing that something different has to be done to point to the right VLAN.
What do I have to do differently to get the VLAN headers to go where they need to be?
You need to tell whatever is connected to X3 to tag the traffic on the appropriate VLAN. If the Sonicwall is expecting traffic arriving on an interface to be tagged, and it comes in not tagged, then there is not much you can do on the Sonicwall end.
Thank You @Arkwright
I have moved my search to my servers and getting them to see the VLAN ID.