Struggling with DHCP relay on VLAN
Name XTM_3_Series
Model XTM33
Version 12.1.3.B586018
Serial Number 70AA042C6ED71
I have an external internet router on 192.168.1.254 which acts as DHCP.
On the firebox, I created a VLAN with an IP range of 192.168.0.x.
Ideally, I'd want any computers on this VLAN to have an IP of 192.168.1.x, which would save me from some manual IP changes, so I configured the VLAN to relay DHCP from 192.168.1.254.
However, I cant seem to get it to work.
If I allow the VLAN to handle DHCP, my client PC obtains an IP of 192.168.0.2 and I can ping the gateway.
Just can't seem to get it uise DHCP from the gateway.
Quite clearly I don't know enough about this, any pointers where I might be going wrong ?
0
Sign In to comment.
Comments
A number of issues here:
1) you can't have the same subnet on external interface and on an internal firewall interface when in Mixed Routing mode
2) a device's initial request for a the DHCP IP address is a broadcast packet. Broadcast packets do not cross firewall routed interfaces, which is what you have. So you can't use the DHCP server on external - you need to use one inside the firewall - perhaps using the firewall DHCP function.
3) 192.168.1.0/24 is a commonly used IP address for home type Internet routers. If you ever want to have remove users VPN in, then using 192.168.1.0/24 could cause some issues. Consider not using 192.168.1.0/24 internally.
My bad on the VPN reference, I meant VLAN.
I'm guessing what I'm trying to achieve is unachievable.
I've a number of devices like CCTV, fax machines etc that i'd prefer to keep outside of the VLAN, but printers and PC's inside the VLAN.
Ideally all using 192.168.1.x to save config chnages.
One option is to change the external subnet, if you have the ability to make changes on the external Internet router.
You could possibly use Drop-in mode, which allows the same subnet on external and on internal interfaces. However, drop-in mode cannot route VLAN tagged traffic, which introduces another potential problem.
Drop-In Mode
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/networksetup/net_config_dropin_about_c.html
Note that you can have 2 subnets on the same firewall interface with neither being a VLAN. You could have the 192.168.1.x devices use static IP addrs and have the others (printers and PCs) use a different subnet such as 192.168.5.x
This was an option I'd considered, changing the internet router to 192.168.0.x
Having the Vlan on 192.168.1.x
The issue being that there are too many devices on either side of this VLAN which would require static IP changes.
The whole point of the exercise is to try and firewall a single device.
So even if i got this working, I'd still have to figure out how then firewall the device.
Maybe I'll emply the services of someone who knows.
More details on the single device that you want to protect...
Why can't that 1 device be connected to the firewall, and everything else not?
What needs to connect to that device?
Still not really understanding the real needs here.
Some ISP routers can be put into bridge mode so that the firewall external interface gets a public IP addr.
Perhaps your model can.
Two unmentioned issues are that you are running an older and vulnerable build level of Version 12.1.3.B586018, which is Update 2. You should update to 12.1.3 Update 8, which is build 655817.
Second, never post your serial number in a public forum.
Now, to the VLAN issue! I have never heard of a VLAN having the same subnet as any other VLAN, including the default VLAN 1 that exists on all switches, whether managed or not. To me, the whole reason to use VLANs is for traffic separation. I have something else I am working on right now and Bruce nailed it so far.
"The whole point of the exercise is to try and firewall a single device."
Why not set up your internal interfaces as VLANs, then plug that device into its own physical interface? If you need LAN access to it on its own VLAN, you can add rules to allow certain ports to reach it.
What is that one device?
I am assuming that I know you.
Gregg Hill
Doesn't changing the subnet on the ISP device resolve your issues?
And, I would not recommend using 192.168.0.x either. Choose a less commonly used subnet, which is almost anything other than 192.168.0.x or 192.168.1.x.
There are 3 private subnet ranges that you can use -
192.168.x.0/24 10.x.x.0/24 and 172.16.y.0/24 where y=0 to 31 x=0 to 255