
Route from untagged default internal LAN to tagged VLAN?

Hello!
I have set up my UTM with several VLANs alongside the default internal LAN (this is untagged).
As I have understood it, the UTM creates routes to the different interfaces itself and the only thing
I have to do is to allow traffic through the firewall from one interface to another. Am I right?

I have this issue right now:

Currently I have a computer connected (the one I am writing this text on) to the default internal LAN that was
set up during the installation. As I have understood it, this is totally untagged, no VLAN at all. I have also set up VLAN 10 on the same physical interface.
From version 9.3x the UTM seems to support this configuration. I have a second VLAN set up (VLAN 2), also on the same interface.


My switch is set up as follows (it is a Zyxel GS1910-24):

The UTM connects to port 2 on the switch and this port (2) has
Ingress acceptance: Tagged and Untagged
Egress tagging: Untag Port VLAN
Port VLAN: 1
Allowed VLANs: 1,2,10

My first server is connected to port 3 on the switch and this port (3) has

Ingress acceptance: Tagged and untagged
Egress tagging: Untag Port VLAN
Port VLAN: 2
Allowed VLANs: 2

My other server is connected to port 10 on the switch and this port (10) has
Ingress acceptance: Tagged Only
Egress tagging: Untag Port VLAN
Port VLAN: 10
Allowed VLANs: 10 (I have also tried 1,10)

I have made a firewall rule that accepts traffic from the internal LAN (the untagged default LAN) to VLAN 10 with "Web surfing" (ports 80, 443 and so on).

The issue I have is that I get "No route to host" from my Sophos and the traffic is blocked.

On the first server (connected to port 3) the ingress acceptance accepts both tagged and untagged traffic, but the switch
will untag traffic from VLAN 2. In this case I also have a firewall rule that accepts traffic from the internal LAN (the untagged default interface) to VLAN 2.
In this case I reach the web page on the server.

Can you see any misconfiguration in my case?
Are there any issues with routing from the default internal LAN, which is totally untagged, to a tagged VLAN?
When the UTM creates its routes, does the UTM tag the traffic from the untagged internal LAN to VLAN 10?
I think I am correct in configuring port 10 on the switch to only allow tagged traffic, or am I wrong there?
This is only the beginning of my setup and in the end I think I will only accept tagged frames in my switch
so all traffic is tagged in some way, but currently I have the normal default internal LAN that is untagged "enabled".

One more question:
Is it possible to disable the default internal interface (without VLAN) when using VLANs on the same interface?
Or what happens with the VLANs on that interface in that case?

Thanks in advance! Hope you understand my questions, otherwise ask!

  • Well, I think I figured this out exactly when I hit the post button! :P
    Port 10 is, as I wrote several times, set up to only accept tagged VLANs, and the network I am currently surfing from is totally untagged (the default internal interface that was set up during installation).

    Am I right?
    If I am right, I have one more question, a question I kind of asked in the post above:
    When I try to reach my server in VLAN 10 or in VLAN 2, what does the Ethernet frame
    look like from the UTM when passing the request to the port in the switch that my server(s)
    are connected to? Are the frames tagged with VLAN 10 or 2, or are they untagged there too?
    As it seems that I can't reach VLAN 10 when the port on the switch is configured as TAGGED ONLY,
    I think the frames are untagged if my request comes from an untagged LAN? Am I right?
    If I send a request from VLAN 2 and the UTM routes to the server that is in VLAN 10, does the frame still
    have VLAN 2 when it hits the switch port that is allowing and untagging VLAN 10? (port 10 in this case)

    I am kind of new to VLANs in general and English is not my native language, so please be patient if the grammar
    isn't correct everywhere. I'm a Swede :)
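The frame-tagging questions above (what the UTM emits and what the switch does with it), worked through as an added example that is not from the post or from Sophos or Zyxel documentation. It applies standard 802.1Q port semantics to the three ports exactly as configured in the post; modelling the untagged internal LAN as VLAN 1 and assuming the servers are not VLAN-aware (they reply untagged) are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional
# Constructed model of how an 802.1Q switch port handles the settings quoted in the post.
# ingress "all" = "Tagged and Untagged", "tagged" = "Tagged Only".
# Egress is always "Untag Port VLAN": frames in the PVID leave untagged, others keep their tag.
@dataclass(frozen=True)
class Port:
    pvid: int
    allowed: frozenset
    ingress: str
PORTS: Dict[int, Port] = {
    2: Port(pvid=1, allowed=frozenset({1, 2, 10}), ingress="all"),   # UTM
    3: Port(pvid=2, allowed=frozenset({2}), ingress="all"),          # server in VLAN 2
    10: Port(pvid=10, allowed=frozenset({10}), ingress="tagged"),    # server in VLAN 10
}
# Same layout with port 10 also accepting untagged frames (hypothetical alternative).
PORTS_ALT = {**PORTS, 10: Port(pvid=10, allowed=frozenset({10}), ingress="all")}

def classify(port: Port, tag: Optional[int]) -> Optional[int]:
    """VLAN assigned to an arriving frame, or None if the port discards it."""
    if tag is None:
        if port.ingress == "tagged":
            return None                 # Tagged Only: untagged frames are dropped
        tag = port.pvid                 # untagged frames fall into the port VLAN
    return tag if tag in port.allowed else None

def transmit(port: Port, vid: int) -> Optional[str]:
    """How a frame in `vid` leaves `port`, or None if that VLAN is not allowed there."""
    if vid not in port.allowed:
        return None
    return "untagged" if vid == port.pvid else f"tagged {vid}"

def switch(ports: Dict[int, Port], in_port: int, tag: Optional[int], out_port: int) -> Optional[str]:
    """One pass through the switch: ingress classification, then egress on out_port."""
    vid = classify(ports[in_port], tag)
    return None if vid is None else transmit(ports[out_port], vid)

def utm_tag(dst_vlan: int) -> Optional[int]:
    """Routed traffic leaves the UTM on the sub-interface of the destination VLAN, whatever
    VLAN it came from. The untagged internal LAN is modelled as VLAN 1 without a tag."""
    return None if dst_vlan == 1 else dst_vlan

def round_trip(dst_vlan: int, server_port: int, ports: Dict[int, Port] = PORTS) -> dict:
    """UTM -> server request via port 2, then the reply of a VLAN-unaware server (always untagged)."""
    request = switch(ports, 2, utm_tag(dst_vlan), server_port)
    reply = switch(ports, server_port, None, 2)
    return {"request_at_server": request, "reply_at_utm": reply}

if __name__ == "__main__":
    for vlan, port in ((2, 3), (10, 10)):
        print(f"VLAN {vlan} via port {port}: {round_trip(vlan, port)}")
    print("port 10 accepting untagged too:", round_trip(10, 10, PORTS_ALT))
```

With port 10 set to Tagged Only the UTM's request (tagged 10 on the trunk) reaches the server untagged, but the server's untagged reply is discarded on ingress, so nothing, not even an ARP reply, gets back to the UTM; port 3 works because its ingress also accepts untagged frames. The tag the UTM puts on the frame depends only on the destination VLAN, never on where the packet came from.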