This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

UTM9.308-16 Routing to VLAN Gateway

Hello,

I am attempting to replicate my fully working existing pfsense firewall with a UTM9 system.  I am using ESX5.5 and passing a lag (with 2 interfaces) through trunking several VLANs including my Internet connection and local LANs.  This has been working very well with pfsense for a year but with much encouragement from a friend I'm trying the UTM.  I'm close, but not quite.

Support pics:  https://www.dropbox.com/sh/zftlw6qj0hjkz2g/AACc3bJZcc8Oamo6rEzGsS3_a?dl=0#/

Note: Attaching them in groups of 5 in following posts also.. #security

Basically I have the following:

eth0, eth1 aggregated into lag0
eth2 Guest Network (physical interface) - DHCP enabled
eth3 Management (physical OOB management network interface) - DHCP enabled
lag0 Trunk which carries the following vlans:

VLAN10-Shed1 - DHCP Enabled
VLAN5-Home - DHCP Enabled
VLAN666-NBN - Set to Dynamic IP and IPv4 Default GW

The internet connection is brought to the UTM via VLAN666, it is assigned via DHCP a single IP address and is set to be the Default Gateway

VLAN 5 and 10 as well as Guest are just seperate Networks for isolating different devices on seperate subnets assigned with varying DHCP settings.

Everything seems great, all the interfaces come up including VLAN666 which is assigned my IP address from the ISP (I have NBN in Australia) and the default gateway shown (Please note I removed the last 2 octets for privacy on the images, they are there and correct).

The only problem is I have no internet connectivity.  I've tried all sorts of rules and playing with routes (which i know shouldnt need to be done).  The rules shown in the pic are from the default of a UTM setup with the wizard and simply should work.

Fault finding:

You can see the firewall live log shows it's functioning wanting to pass the correct traffic (DNS and web)

A ping check of the gateway fails with the support tool which is odd, something to note though when checking the 'Ping over Inferface' dropdown theres the choice of Use Closest Route, Guest, Management and Trunk only.  Interesting, no VLAN interfaces.  Could this be the issue?

At this stage after quite a bit of experimentation I'm not certain that this isn't a bug of some sort.  Routing my internet traffic via a default gateway on a trunked vlan interface.

Now, I know this works.. I do it now with pfsense and I can turn off the UTM interfaces and power up pfsense and away it goes perfectly.  I'm close with UTM, but if anyone could help I'd much appreciate it.

I _could_ bring out VLAN 666 on a single port from the switch to a single physical interface on the ESX host and pass it through as a single interface to UTM, but given pfsense works fine with the inbound vlan/gateway I would have expected UTM to do at least the same no?

Regards..

PP

This thread was automatically locked due to age.

Parents

0 Scott_Klassen over 10 years ago

Please edit your post to add the pics directly to the post. Click on Go Advanced, scroll down a little to choose Manage Attachments. Many people here will not open links to other sites for screenshots, due to increased security risk.

__________________
ACE v8/SCA v9.3

...still have a v5 install disk in a box somewhere.

http://xkcd.com
http://www.tedgoff.com/mb
http://www.projectcartoon.com/cartoon/1
Cancel
Vote Up 0 Vote Down

Cancel
0 pumpkinpower over 10 years ago in reply to Scott_Klassen

More pics for diagnosis
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 pumpkinpower over 10 years ago in reply to Scott_Klassen

More pics for diagnosis
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 pumpkinpower over 10 years ago in reply to pumpkinpower

the last of the pics..
Cancel
Vote Up 0 Vote Down

Cancel
0 pumpkinpower over 10 years ago in reply to pumpkinpower

Issue is resolved!

I thought I'd share what I found with the journey to maybe help someone else.

Basically no matter what I tried I could NOT get UTM to accept the default gateway on a VLAN interface which was part of a Lag trunk to my switch.

First step, I removed the vlan from the trunk and brought it to the UTM virtual machine on a single physical interface.

Success!  It worked... well.. kind of.  Basically strange things were still happening such as dropped packets on the local network to the UTM appliance (and the internet at the same time) every 20-30 seconds.  Enough that it was not usable and very annoying.  I also found DHCP did not work at all, it would not dish out addresses.

I also updated to the latest version.. No luck, still poor performance.

Second step, I removed the LACP Lag from my switch and turned it into a single trunk on a single physical port.

Success!  I now have a functional (without issues that I've found yet) UTM virtual machine.

Observations..

My ESX box had plenty of overhead, the UTM VM was no where near using the CPU and ram allocated to it so I don't believe this was the issue.

Clearly there's an issue with using a VLAN/Link aggregated connection that people need to be wary of.  It seems fine with a single interface trunk and the gateway on its own interface.

I had to dumb down my environment to a level that the UTM works where even the older 2.1.5 pfsense had no dramas.

In the middle of all the changes I spun up a pfsense 2.2.2 machine as well and it was flawless as well..  So now I'll test both but I must say as pretty as the UTM software looks, I'm a bit put off by what seems a tad buggy and strange for no reason which I'm not a fan of.   Still, its been a journey and I'm going to give it a while to redeem itself [:)].
Cancel
Vote Up 0 Vote Down

Cancel

UTM9.308-16 Routing to VLAN Gateway

Submitted a Tech Support Case lately from the Support Portal?