DrayTek and Netgear Managed Switch

[D3LL]

Hi all,

I am trying to setup a DrayTek firewall (DrayTek Vigor 2830) with my Netgear 24port Managed Switch (Netgear GS724TS).

The DrayTek works fine when plugged directly into a PC however once plugged into the switch the computers connected cannot seem to get an IP even when setting statically.

I have been told things like multicast need to be off for the data to translate this is off on my settings, I must be missing a setting? Anyone got any suggestions?

Thank-you,

 

[doubled822]

Are you using the firewall as a DHCP server that hands out addresses to the PC's connected to the switch? I'm not familiar with either of these products, but if the switch supports VLANs, make sure that all ports are on the same VLAN.

 

[D3LL]

Yes the Draytek is DHCP'ing. Vlan's are different so other people cannot see each other etc.. however they are all tagged to port 1 so traffic can go through...

 

[doubled822]

Yes the Draytek is DHCP'ing. Vlan's are different so other people cannot see each other etc.. however they are all tagged to port 1 so traffic can go through...

What exactly do you mean by "tagged to port 1"? Meaning VLAN 1?

The DHCP server/firewall is only going to hand out addresses in the VLAN that it is assigned to, unless your router allows the traffic across the VLANs. Even then, you would need different DHCP scopes for each VLAN on the firewall.

 

[D3LL]

Tagged basically means assigned to all Vlans. I know the switchs are setup correctly as it works fine without the firewall. Its just something like Multicast stopping it however I can't seem to find what would be stopping it.

 

[doubled822]

I'm not sure what a firewall would be multicasting to disrupt traffic to that degree. Are you sure your VLANs are set up properly? Maybe give a little more detail about your VLANs, default gateway, firewall port settings on the switch, etc.

You could use Wireshark and maybe see what's going on with the firewall hooked up--that will let you know if there is multicasting going on, or possibly broadcast storms if your VLANs aren't set up properly..althought I'm not sure your network is large enough for that.

 

[D3LL]

No the neither the Firewall or Switch is multicasting. I was told that a setting like this could muck up the data translation. This is off completely. I am defiantly sure the Vlans are setup correctly.

 

[doubled822]

Could you maybe provide a diagram or info about your VLANs and switch config? That would be helpful to others, even if you are sure the VLANs are set up properly. Amount of vlans, their config, your router/gateway, etc. It's possible the problem lies with the router forwarding traffic across the VLANs.

 

[D3LL]

Sure here's a network Diagram.

Power routers are on 192.168.1.1, 192.168.1.2, 192.168.1.3., 192.168.1.4,

The DrayTek is on 192.168.1.250 which is the gateway being used on the computers

 

[doubled822]

Wow, ok. Apologies in advance for my confusion...are these 4 internet connections combined w/ the firewall for maximum throughput and/or redundancy?

And, when you plug a PC into just the firewall (bypassing the netgear switches), all works well?

 

[D3LL]

Hi there,

Yes sorry I forgot to mention it is a bonded solution.

Yes that's correct, when plugging directly into the firewall with ANY computer it works fine.

 

[doubled822]

OK, got it. Interesting issue indeed. So with the 24-port switch, how many VLANs do you have configured on it? You might have to trunk the firewall port to allow all VLANs access to it. It seems to me to be a routing issue. If you put a PC on the switch in the same VLAN as the firewall and set its IP information statically, can you ping or do anything?

 

[D3LL]

I have about 23 Vlans configured. I believe it already is trunked as the connection currently works fine without the Firewall. I can't do that test at the connection is being highly used at the minute.

 

[doubled822]

Wow, 23 vlans on a 24-port switch? So you have each client on their own subnetwork? That sounds a little crazy to me

 

[D3LL]

4 Switches are currently stacked... All 24 port each.

 

[doubled822]

ohh, whoops! LOL. Still a lot of VLANs but shouldnt be an issue. Sounds like the firewall is the culprit here. I take it the firewall isn't currently hooked up due to this problem. Wish I knew more about that particular firewall. You may want to go over the firewall rules with a fine-tooth comb, and make sure all VLAN subnets are allowed to pass.

 

[Parman]

what's the default gateway when connected to the switch vs straight into firewall.

When connected to the switch can the PCs in the same VLan connect to each other?

 

[D3LL]

I have been over the firewall rules about a million times and they all seem okay to me

I get some random 169.xxx.xxx.xxx gateway from the switch. When plugged directly into the firewall i get 84.xxx.xxx.xxx which is what it should be.

Yes they can see each other

 

[doubled822]

You don't happen to have DHCP server enabled on the switches do you? (assuming they support it) or another DHCP server that could be causing a conflict?

 

[Parman]

When logged on the switch can you ping the firewall?

   Warning

If you dont have ICMP traffic allowed on the firewall you will not be able to ping the target

Dhcp uses port 67 and 68.

You should also have a firewall log to tell you what's being denied access and allowed access.

You don't happen to have DHCP server enabled on the switches do you? (assuming they support it) or another DHCP server that could be causing a conflict?

I dont think that would be the case, because the PC's would be getting and address from the switches DHCP server. They're not getting an address because they're unable to connect to a DHCP server (the Firewall).