This article explains a common issue that our customers report on a regular basis. The cause is not a firewall misconfiguration or a bug, but an issue in the network topology.
1. Symptoms of the issue
You might notice that LAN clients are not able to access the internet. Under Monitor > Log you might notice that the default deny firewall rule is blocking traffic for these devices.
2. The root cause for this symptom
We have noticed that in these cases the topology looked like this. The goal was probably to save hardware, for example a second switch, by using VLANs to split one switch into "two separate logical switches".
The topology above is very much simplified; in a real-life scenario it might be hard to see this right away. But the basic idea is clear: the WAN and LAN zones are not separated properly!
3. How to prove that the topology is the reason for this
Checking the cabling and VLAN tagging on the switch can be time-consuming; the quickest way to check is to look at the ARP table of your firewall. Log in via SSH and run the command:
show arp-table
In the above example you can see that private IPs belonging to the LAN have been learned on the WAN port. This alone is proof that something is wrong with your cabling or with the VLAN tagging of your switch.
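The same check can be automated when you have the ARP table as text (for example copied from the SSH session). The following script is an added example, not part of the Zyxel article; the column layout of the sample output and the WAN interface names (wan1, wan2) are assumptions, so adjust the regular expression and the interface list to your device.

```python
import ipaddress
import re

# Constructed sample of what a firewall's "show arp-table" output might look
# like (assumed layout: IP, MAC, interface). Real firmware may print different
# columns; adapt ARP_LINE below if it does.
SAMPLE_ARP_TABLE = """\
IP address       MAC address         Interface
203.0.113.2      00:11:22:33:44:01   wan1
192.168.1.10     00:11:22:33:44:10   wan1
192.168.1.11     00:11:22:33:44:11   lan1
10.0.0.5         00:11:22:33:44:05   wan1
"""

ARP_LINE = re.compile(r"^(\S+)\s+([0-9a-fA-F:]{17})\s+(\S+)\s*$")

# RFC 1918 ranges, i.e. the address space a LAN behind a firewall normally uses.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_arp_table(text):
    """Return (ip, mac, interface) tuples, skipping the header and blank lines."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).lower(), m.group(3)))
    return entries


def misplaced_lan_entries(text, wan_interfaces=("wan1", "wan2")):
    """Private LAN addresses learned on a WAN-facing interface mean the LAN and
    WAN segments are joined somewhere (wrong cabling or VLAN tagging)."""
    suspects = []
    for ip, mac, iface in parse_arp_table(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # not a valid address; ignore the line
        if iface in wan_interfaces and any(addr in net for net in RFC1918):
            suspects.append((ip, mac, iface))
    return suspects


if __name__ == "__main__":
    for ip, mac, iface in misplaced_lan_entries(SAMPLE_ARP_TABLE):
        print(f"private address {ip} ({mac}) learned on WAN interface {iface}")
```

An empty result after the fix in section 4 (and after clearing the ARP table) means no LAN address is being learned on the WAN side any more.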
4. How to fix this issue
If you want to save hardware and use one and the same switch on both the LAN and the WAN side of your firewall, make sure the VLAN tagging is correct. It is possible to make "two separate switches" out of one physical switch by using VLANs.
Make sure there is only one PVID and one untagged VLAN per port, and exclude all other unneeded VLANs from each port! Further information about VLAN tagging on switches: VLANs on Zyxel Switches
5. Checking the result
You might have to clear the ARP table first: Clearing the ARP table of your firewall
Then run the command
show arp-table
again to check that the LAN MACs and IPs are now learned only on the LAN interface and no longer on the WAN interface.