Help with initial setup
I have an existing local SOHO system, which connects to a local campus network.
My incoming link from the next level switch, behind two levels of firewalls, comes into my house on a static IP 192.168.10.xx/24 link which comes into an HP 16-port switch for local distribution. I get DHCP from a server at some higher level. I get DNS from another external server with a 10.10.10.xxx address.
I am going to move to a separate VLAN above the two firewalls, and thus need to insert my own. I have a WG-T20 for this and am trying to set it up. I put it between the incoming link and the HP switch, and tried to do setup, and when it fails I just disconnect it and remove it from the link.
I went through the basic UI setup process but have some problems. Notably that all my local systems with 192.168.10.xx DHCP addresses from my current higher level server fail, unless they are also going through my WiFi (Netgear) router, which has grabbed a 10.0.1.xx DHCP address from the T20.
I set up my interfaces so that I use an existing static IP on the external (incoming) link (port #1) and set it to the current gateway on that external segment.
And then the local port (#2) would do DHCP and feed into my local HP switch which feeds all other local connections. I point to the existing gateway which I get from DHCP (192.168…..).
I then tried to set the IP of the Trusted port (local, #2) to 192.168.10.1, and the DHCP range to .2-.254 since that is what I had before (& now), but the T20 gives an error, since “this address is in the same range as the external interface IP”.
I thought that these would be two different partitioned address spaces.
I could leave the Trusted (internal, local) range at the default 10.0.1.xxx range, but that would mean changing all of my local addresses. Since they are all DHCP that might be automatic, but some also have the 192. gateway configured in and that would have to be changed.
Later I want to add a local DMZ and NAT two local externally accessible servers.
?? Any advice or guidance appreciated.
(I filed a support case with WG, but after 3 days, no response. :-( )
Comments
In Mixed Routing Mode, Routed interfaces must have different subnets on them.
2 options:
1) use a different internal subnet than 192.168.10.0/24
2) change to Drop-In Mode, where the external IP subnet can also be on devices connected to the internal interfaces.
There are a number of limitations when using drop-in mode.
See below for more info.
Drop-In Mode
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/networksetup/net_config_dropin_about_c.html
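As an added illustration of the rule stated in this reply (not code from the thread or from WatchGuard): in mixed routing mode each routed interface needs its own subnet, so the "same range as the external interface IP" error is just an overlap check. The script below reproduces that check with Python's standard `ipaddress` module on a constructed configuration (the external host address 192.168.10.50 and the trusted 10.0.1.1 are assumed values), and also validates that a DHCP pool sits inside the trusted subnet without including the interface's own address, which is the second thing to confirm once the subnet is changed.

```python
import ipaddress

# Constructed configuration mirroring the thread: the external interface keeps
# a static address on the campus 192.168.10.0/24 segment, and the trusted
# interface was first given 192.168.10.1/24 (the combination the T20 rejects).
INTERFACES_AS_TRIED = {
    "External": "192.168.10.50/24",   # assumed external host address
    "Trusted": "192.168.10.1/24",
}

# Option 1 from the reply: a different internal subnet (the T20 default).
INTERFACES_FIXED = {
    "External": "192.168.10.50/24",
    "Trusted": "10.0.1.1/24",
}


def overlapping_interfaces(interfaces):
    """Return sorted (name_a, name_b) pairs whose subnets overlap.

    An empty list means the configuration satisfies the mixed-routing-mode
    rule that every routed interface lives in its own subnet.
    """
    nets = {name: ipaddress.ip_interface(cidr).network
            for name, cidr in interfaces.items()}
    names = sorted(nets)
    clashes = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                clashes.append((a, b))
    return clashes


def dhcp_pool_valid(trusted_cidr, pool_start, pool_end):
    """Check that a DHCP pool lies inside the trusted interface's subnet,
    is ordered correctly, and does not hand out the interface's own IP."""
    iface = ipaddress.ip_interface(trusted_cidr)
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    inside = start in iface.network and end in iface.network
    ordered = start <= end
    excludes_gateway = not (start <= iface.ip <= end)
    return inside and ordered and excludes_gateway


if __name__ == "__main__":
    print("as tried:", overlapping_interfaces(INTERFACES_AS_TRIED))   # [('External', 'Trusted')]
    print("fixed:   ", overlapping_interfaces(INTERFACES_FIXED))      # []
    print("pool ok: ", dhcp_pool_valid("10.0.1.1/24", "10.0.1.2", "10.0.1.254"))  # True
```

The overlap test is symmetric, so a trusted subnet of 192.168.0.0/16 would also be flagged against a /24 external interface; that is the case to watch for when picking a "bigger" internal range.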
Thanks, so I think I will have to change my subnet.
Since everything is DHCP, I am surprised that all local devices did not automatically adjust to that already since the WG is at the default 10.0.1.xx subnet already.
I can force some PCs to refresh DHCP and see if that works, but things like phones, TV, tablets, Echo devices, ... Seems like they should have auto-adjusted.
I'll re-check everything on the T20.
I don't think I want drop-in.
Power off/on or reboot devices to get them to try to get new DHCP addrs.
Many devices, even after that remember the old DHCP settings and ask the DHCP server to get their old IP addr back. But at least they will check with the DHCP server.
For phones etc., turn off wireless, and then back on.
Look at Traffic Monitor, and you will see devices which have not gotten a new (correct) DHCP IP addr yet - spoofed source log messages.
Also, DHCP devices ask for a lease refresh when half of the lease time is up. For long lease times, this could be a fairly long time.
This would be when a device finds out that it gets a different DHCP IP addr.
Many thanks - I can't check right now - but will do and respond!!
Thanks; works fine. Greatly appreciated. :-)
Hmm; one confusion- my top level local connection is through an HP switch. I know its previous 192.168.10.xx address, but it does not answer to that any longer, presumably because it is DHCP and now sits below the WG firewall, so would now have some new 10.0.1.xx address.
I know its MAC address, and ran an IP scan but it does not show up.
It has a default admin UI web panel address, but again in the 192.168 range.
Since it should be DHCP'ing from the WG, can I find its IP from there somehow?
Web UI -> System Status -> DHCP Leases
or
WatchGuard System Manager (WSM) -> Firebox System Manager (FSM) -> Status Report -> DHCP Leases section
One more (!) - in the WG ARP table, I see a bunch of the old subnet addresses - 192.168.10.xx - but none of them in the DHCP lease list.
Does this mean that they are not yet resetting to the new WG DHCP domain?
I do see the HP switch (old) IP there, but with the wrong MAC address - ??
Thanks - I did look there (DHCP list) and nothing with its MAC address or name (and the device does have a name set in it).
Are you sure that the switch is DHCP enabled? And is connected to an internal firewall interface?
No idea how long the entries stay in the ARP table.
You can clear the ARP table.
FSM -> Tools -> Clear ARP Cache or a reboot.
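The check being done by hand in this exchange (old-subnet entries in the ARP table that have no DHCP lease yet, and looking a device up by MAC) is easy to script. The example below is added here and is not from the thread or from WatchGuard; it works on constructed, simplified two- and three-column tables (IP, MAC, optional hostname), not the Firebox's exact export format, so adjust `parse_table` to whatever you copy out of the Web UI or FSM.

```python
import ipaddress

OLD_SUBNET = ipaddress.ip_network("192.168.10.0/24")   # the campus range from the thread
NEW_SUBNET = ipaddress.ip_network("10.0.1.0/24")       # the T20 default trusted range

# Constructed sample data. Columns: IP, MAC, optional hostname.
DHCP_LEASES = """\
10.0.1.23   aa:bb:cc:00:00:01   laptop-1
10.0.1.41   aa:bb:cc:00:00:02   echo-kitchen
"""

ARP_TABLE = """\
10.0.1.23        aa:bb:cc:00:00:01
10.0.1.41        aa:bb:cc:00:00:02
192.168.10.7     aa:bb:cc:00:00:03
192.168.10.250   aa:bb:cc:00:00:04
"""


def parse_table(text):
    """Parse whitespace-separated 'IP MAC [name]' lines into (ip, mac) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            rows.append((ipaddress.ip_address(parts[0]), parts[1].lower()))
    return rows


def stale_clients(arp_text, lease_text, old_subnet=OLD_SUBNET):
    """Devices still answering on the old subnet with no lease from the firewall.

    These are the hosts that have not yet renewed (or rebooted) and are the
    ones that show up as spoofed-source log lines in Traffic Monitor.
    """
    leased_macs = {mac for _, mac in parse_table(lease_text)}
    return sorted(
        (str(ip), mac)
        for ip, mac in parse_table(arp_text)
        if ip in old_subnet and mac not in leased_macs
    )


def find_by_mac(lease_text, mac):
    """Return the leased IP for a MAC address, or None if it has no lease."""
    for ip, m in parse_table(lease_text):
        if m == mac.lower():
            return str(ip)
    return None


if __name__ == "__main__":
    for ip, mac in stale_clients(ARP_TABLE, DHCP_LEASES):
        print(f"no lease yet: {ip} ({mac})")
    print("switch lease:", find_by_mac(DHCP_LEASES, "AA:BB:CC:00:00:02"))  # 10.0.1.41
```

If the switch's MAC is absent from both lists even after a power cycle, that is consistent with the question above: either it is not a DHCP client or it is not on an internal firewall interface, so the firewall never sees it.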
Got it - just turned the switch off/on, it did a DHCP update, and I could look up its IP in the WG DHCP lease table!
Thanks.