SOPHOS XG Home Inter LAN Traffic

So, still in the middle of migrating from UTM9 to XG and experiencing growing pains. Totally retooling my network and I am having trouble understanding a problem that I have run up against. I have a managed switch that I have my wireless VLANs on (ports 1 and 2). I also have an NVR connected to the same switch on port 3. Ports 1-4 and 8 all have the PVID of 20. On XG, I have assigned a static IP to the NVR and after rebooting, the NVR receives that IP address and it is properly assigned for the 20 VLAN, so I know that it is talking to the XG. If I plug my laptop into port 4, I also get a proper IP address on the 20 VLAN, but I am not able to 'see' the NVR. Ping returns 'host unreachable' or similar and all packets fail.

I guess my question is - does the traffic from my laptop go all the way back to the XG or does the switch send it straight to the NVR? I am not a network pro or anything but as I understand it, the traffic should not go back to the XG. Can someone educate me? I have been wrestling with it for hours and I would appreciate it if someone could set me on the right path so that any more time that I spend is not wasted. Also, I don't see any dropped traffic in the XG logs.

Here is my network map:

Thanks in advance for any assistance.



  • Hi,

    If you are receiving an IP address when you plug your laptop into port 4 you do not have your VLANs set up correctly. The switch connection to the XG should be on a tagged port; all other devices should be on untagged ports.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • Hello rfcat.

    I figured that there is something wrong with the VLAN setup, but I do not know much about them. I have read through about a hundred forums, but I just can't find someone explaining my setup exactly. Ports 1 and 2 have my WAPs connected to them and each of them is broadcasting the 4 VLANs. Port 8 goes back to the XG. Below is my switch setup. Can you offer advice on this setup?

  • Hi,

    You seem to have too many ports on each VLAN? Further, you seem to have too many VLANs for the capacity of your switch; you will lose 4 ports, one for each VLAN that connects the various XG ports.

    You will need the port that connects to the XG for each VLAN to be tagged. The Netgear WAX only needs one device connected to the XG in mesh.

    Ian


  • I guess my question is - does the traffic from my laptop go all the way back to the XG or does the switch send it straight to the NVR?

    When two or more devices are on the same VLAN, the switch will manage the traffic between them and it won't reach the firewall.

    But when they are on different VLANs, the traffic will be sent to the firewall. If you don't have a matching firewall rule that allows traffic between those internal networks, the traffic will be dropped.

    Be aware, depending on how the AP is programmed, when two devices that are on the same SSID/VLAN are connected through the same AP, the AP itself will route the traffic between them. When this happens neither the firewall nor the switch will see (route) the traffic.

    PS: I've already used the same switch before. (And your VLAN setup looks weird; you should look at TP-Link websites for more examples.)


    If a post solves your question use the 'Verify Answer' button.

    XG 115w Rev.3 8GB RAM v19.5 MR1 @ Home.

  • Thanks Prism.

    Well, that's what I thought. If I have 2 hosts on the same VLAN, they should be able to talk without any firewall traffic. If I have my laptop physically connected to port 4 on the switch and the NVR connected to port 3 on the switch, the NVR is not accessible from the laptop. Same if I am connected to the wireless with the laptop.

    I think there is a problem with the VLAN setup too, but I have read many many posts on the TP-Link forum about this switch and VLANs in general and I am still unable to resolve the issue. Do you have suggestions on what is wrong with the VLAN setup on the switch?

  • I'm not sure I understand. Isn't the purpose of the VLAN to have more than one logical network on one physical port? I have multiple VLANs configured on the XG and on the switch, so it seems the logic is correct if the configuration is not.

  • There's a big difference between Tagged and Untagged. As a fast example (I'm bad at explaining anything and this information can be wrong):

    When two ports are used as "Tagged Ports", any traffic with a VLAN ID will be sent between those "Tagged Ports" without modifying the VLAN ID. This allows you to have multiple VLANs within a single port (Trunk).

    Meanwhile, if you have an "Untagged Port", the switch will send the traffic but it will remove the VLAN ID before transmitting the packet.

    Lastly, PVID allows you to remove the VLAN ID of a single VLAN of a Trunk on a dedicated port. (This allows devices to connect with the same VLAN that you set on the PVID transparently.)

    An easy example of VLANs would be:

    • Port 1 is connected to the Firewall, which sends VLANs 20, 30 and 40.
    • Port 2 is connected to a Computer, and you want this traffic to use only VLAN 20.
    • Port 3 is connected to an Access Point, and you want this AP to have both VLAN 30 and VLAN 40.

    On the Port 2 configuration, you will tag Port 1 and leave Port 2 as untagged while using VLAN 20, and lastly you will use a PVID of 20 on the same port. This allows the device to use VLAN 20 without having to care about the VLAN IDs by itself.

    On Port 3 you will leave both Port 1 and Port 3 as "Tagged". This allows the Access Point to see the VLAN ID and manage/create SSIDs using those VLANs. If you want those APs themselves to be connected over a certain VLAN instead of the default VLAN 1, then you also need to use the PVID of the desired VLAN, which could be either 30 or 40.


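The tagged/untagged/PVID rules in the reply above, and the earlier point that same-VLAN traffic is switched locally and never reaches the firewall, can be checked against a small model. The following is an added example, not code from this thread or from TP-Link, Netgear or Sophos: a Python model of standard 802.1Q switch forwarding with MAC learning, applied to the layout described in the thread (APs on ports 1 and 2, NVR on 3, laptop on 4, XG on 8, cameras on VLAN 20). The exact VLAN set on the trunk ports (20, 30 and 40, borrowed from the example above) and all MAC addresses are assumptions made for the example.

```python
# Added example: idealized 802.1Q switch forwarding. Not vendor code.
# Port numbers, VLAN 20 and the host layout follow the thread; the trunk VLAN
# set {20, 30, 40} and every MAC address below are constructed assumptions.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
LAPTOP_MAC = "02:00:00:00:00:04"   # constructed
NVR_MAC = "02:00:00:00:00:03"      # constructed


@dataclass
class Port:
    pvid: int                                        # VLAN given to frames that arrive untagged
    tagged: Set[int] = field(default_factory=set)    # VLANs sent out with the 802.1Q tag kept
    untagged: Set[int] = field(default_factory=set)  # VLANs sent out with the tag stripped

    def member_of(self, vid: int) -> bool:
        return vid in self.tagged or vid in self.untagged


@dataclass
class Host:
    name: str
    mac: str
    vlans: Optional[Set[int]]   # None = VLAN-unaware NIC (NVR, laptop); a set = tag-aware (AP, XG)


@dataclass
class Frame:
    src_port: int
    vid: Optional[int]          # None = arrived untagged
    src_mac: str
    dst_mac: str


class Switch:
    def __init__(self, ports: Dict[int, Port]):
        self.ports = ports
        self.fdb: Dict[Tuple[int, str], int] = {}   # (vid, mac) -> port, learned from source MACs

    def classify(self, frame: Frame) -> Optional[int]:
        """Ingress: untagged frames take the PVID, tagged frames keep their VID;
        the frame is dropped if the ingress port is not a member of that VLAN."""
        port = self.ports[frame.src_port]
        vid = port.pvid if frame.vid is None else frame.vid
        return vid if port.member_of(vid) else None

    def forward(self, frame: Frame) -> Dict[int, Optional[int]]:
        """Return {egress_port: vid}; a vid of None means the frame leaves untagged."""
        vid = self.classify(frame)
        if vid is None:
            return {}
        self.fdb[(vid, frame.src_mac)] = frame.src_port
        known = self.fdb.get((vid, frame.dst_mac))
        if known == frame.src_port:
            return {}                                # destination sits behind the ingress port
        egress = [known] if known is not None else [n for n in self.ports if n != frame.src_port]
        out: Dict[int, Optional[int]] = {}
        for n in egress:
            p = self.ports[n]
            if vid in p.tagged:
                out[n] = vid
            elif vid in p.untagged:
                out[n] = None                        # tag stripped on the way out
        return out


def accepts(host: Host, egress_vid: Optional[int]) -> bool:
    """Any NIC takes an untagged frame; a tagged one needs a tag-aware host on that VLAN."""
    if egress_vid is None:
        return True
    return host.vlans is not None and egress_vid in host.vlans


def build_switch(access_ports_tagged: bool) -> Switch:
    """Ports 1, 2 (APs) and 8 (XG) are trunks; ports 3 (NVR) and 4 (laptop) carry VLAN 20 only."""
    def trunk() -> Port:
        return Port(pvid=1, tagged={20, 30, 40})

    def access() -> Port:
        return Port(pvid=20, tagged={20}) if access_ports_tagged else Port(pvid=20, untagged={20})

    return Switch({1: trunk(), 2: trunk(), 3: access(), 4: access(), 8: trunk()})


HOSTS: Dict[int, Host] = {
    1: Host("AP1", "02:00:00:00:00:01", {20, 30, 40}),
    2: Host("AP2", "02:00:00:00:00:02", {20, 30, 40}),
    3: Host("NVR", NVR_MAC, None),
    4: Host("laptop", LAPTOP_MAC, None),
    8: Host("XG", "02:00:00:00:00:08", {20, 30, 40}),
}


def deliver(sw: Switch, frame: Frame) -> Set[str]:
    """Names of the hosts whose NIC actually accepts the frame after switching."""
    return {HOSTS[p].name for p, v in sw.forward(frame).items() if accepts(HOSTS[p], v)}


def arp_then_reply(access_ports_tagged: bool) -> Tuple[Set[str], Set[str]]:
    """Laptop on port 4 ARPs for the NVR on port 3; returns (who got the request, who got the reply)."""
    sw = build_switch(access_ports_tagged)
    got_request = deliver(sw, Frame(4, None, LAPTOP_MAC, BROADCAST))    # untagged broadcast
    if "NVR" not in got_request:
        return got_request, set()            # the NVR never saw the ARP, so nothing is answered
    got_reply = deliver(sw, Frame(3, None, NVR_MAC, LAPTOP_MAC))       # learned unicast back
    return got_request, got_reply


if __name__ == "__main__":
    print("ports 3/4 tagged:  ", arp_then_reply(True))
    print("ports 3/4 untagged:", arp_then_reply(False))
```

With ports 3 and 4 as tagged members of VLAN 20, the laptop's untagged ARP request is classified into VLAN 20 and does reach the APs and the XG, but it leaves port 3 carrying a tag the VLAN-unaware NVR discards, so the NVR never answers, which is exactly the 'host unreachable' symptom while the XG logs still show both hosts. With the two ports untagged, the request arrives untagged, the switch has learned the laptop's MAC on port 4, and the unicast reply goes out port 4 only, so the XG sees neither half of the exchange and no firewall rule is involved. The model is an idealized switch: real 'easy smart' switches differ in how they treat a port that is both tagged and PVID for the same VLAN, and the access point's client-isolation setting is outside what this models.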

  • OK, so in my scenario above, I have ports 1, 2 and 8 as tagged ports. 1 and 2 have the APs connected to them and since the APs are 'tag aware', having them on tagged ports is correct, right? Port 8 goes back to XG. On the XG and both APs, I have 5 VLANs set up. On the XG, all VLANs are configured to travel over the same interface (port 4 on the XG) which goes to port 8 on the switch.

    The APs are set up the same way, but they are on ports 1 and 2 on the switch.

    On XG, the switch, and both AP's, I have VLAN 20 set up to carry all of my IP camera traffic.

    I included ports 3 and 4 on the switch in VLAN 20 so that I could have the NVR (which is not VLAN aware) be able to 'see' all the IP cameras on VLAN 20. I have tried ports 3 and 4 as tagged and untagged and I am still unable to communicate from port 3 to port 4. Both devices (NVR on port 3 and laptop on port 4) have a proper IP address assigned in the 10.20.40.x range and I can see traffic from them in the XG logs, so both are communicating properly to the XG to get DHCP and so on.

    So, back to my original question: in the above configuration, ports 3 and 4 on the switch should be able to communicate, right?

    All of this is making me rethink my decision to move from UTM9 to XG...

  • Sorry, I misunderstood your diagram, to me it looks like you have a VLAN on 4 ports of the XG, not all on one port.

    Ian


  • OK, I figured it out. I had a couple of things going on that I did not fully understand and accidentally fixing one led me to fixing the other. Non-VLAN-aware traffic that is going to traverse a VLAN has to travel over ports that are untagged. I 'knew' that based on the research I had done regarding the switch and VLANs in general, but making changes to that setting did not make any difference, so I questioned its veracity.

    The second part is that I had Client Isolation set up on the VLAN on the APs.  I misunderstood this feature to mean that the VLANs were separate from each other, but that is the nature of a VLAN in the first place.  Once I turned that off, the members of the same VLAN (both VLAN-aware and non VLAN-aware clients) were able to communicate.

    After fixing that, I went back to the VLAN settings on the switch and changed the incorrectly tagged ports to untagged and then everyone was happy.

    I am now seeing weird denied traffic in the logs and I have to start digging around in the rules and policies to figure that part out.

    Thanks to Prism and rfcat_vk for commenting.  You helped bump me in the right direction.
