New VLAN isn't handing out the proper IP address-help?

WG Firebox M370; Fireware 12.8.2; WSM 12.9.0u1

I'm setting up another new VLAN for our Credit Card terminals to be segregated from the rest of our network.

I set up VLAN 70 (ccmach) with a Custom security zone; private IP 172.xxx.70.xxx, handing out IPs from .15 - .30. I only have 8 terminals. My WG Firebox will be doing the DHCP handouts.

I wanted to use Interface 2* as my connection to the Firebox; Interface Name - CCVlan, Interface type - VLAN, Send and Receive tagged traffic for selected VLANs - Yes, VLAN 70 is checked.

  • send and receive untagged traffic for selected VLAN - unchecked - I don't get any IP address handed out from the Firebox.
  • send and receive untagged traffic for selected VLAN - checked - I get an IP address but it's not the correct IP for VLAN 70.

If I use our main Trusted Network (VLAN 1) for the 'untagged traffic' I get an IP address from our VLAN 10 (WiFi AP Maint. vlan).
If I use our AP Maint. VLAN (10) for 'untagged traffic' I get an IP address from the AP Maint VLAN.

I have a Policy setup as:
CCMach_PCI; From - CCMach (VLAN 70 alias) To - Credit Card URLs via their designated ports. SD-WAN routing out our fiber connection. Logging turned on.

For test purposes, because I wasn't getting a correct IP address when plugged into our Cisco switches, I have plugged a PC directly into Interface 2* and this is where I'm getting the above results.

  • for another test I turned off Interface 2 and switched to Interface 7 with the exact same results.

I have 4 other VLANs set up primarily for WiFi segregation; this is for a network cabled connection, but I'm not sure what I'm missing. I am concerned and questioning why I'm getting an AP Maint IP address (being the wrong IP address) when this has nothing to do with an AP.

Q: by directly connecting to the FB Interface I should get handed the correct IP address I'm expecting?

Q: could I have my AP Maint VLAN setup incorrectly somewhere causing my problem and why I'm getting an AP Maint IP address?

Best Answer

  • Answer ✓

    "send and receive untagged traffic for selected VLAN - unchecked - I don't get any IP address handed out from the Firebox."
    This suggests that the packets coming in to interface 2 are untagged

    "I have plugged a PC directly into Interface 2* and these are where I'm getting the above results."
    A PC connected to the firewall interface won't send tagged packets.
    Packet tagging is done by a VLAN capable device, such as a VLAN capable switch or a VLAN capable AP.

    "send and receive untagged traffic for selected VLAN - checked - I get an IP address but it's not the correct IP for VLAN 70."
    Verify that you have selected VLAN 70 here, and that VLAN 70 has the correct DHCP settings.

    Q: by directly connecting to the FB Interface I should get handed the correct IP address I'm expecting?
    A: yes - as long as everything is set up correctly.

    Verify that your Cisco switch is set to tag packets for VLAN 70 on the connection to your firewall Interface 2 (perhaps set as trunk) and for the switch port(s) connected to the credit card terminals.
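The accepted answer turns on one mechanism: a host with no VLAN configuration sends plain Ethernet frames, so whether the firewall puts them in VLAN 70 depends entirely on the interface's untagged-VLAN setting, while a switch trunk port inserts an 802.1Q tag that the interface must be configured to accept. The following script is an added illustration written for this page, not WatchGuard or Cisco code: it parses the 802.1Q header out of constructed Ethernet frames and models a VLAN interface with the two options quoted in the thread (the field names `tagged_vlans` and `untagged_vlan` are my own naming, not Fireware's). It then runs the three interface configurations the poster tried, plus the switch-trunk case, and reports which VLAN each frame would land in, or `None` when the interface has no VLAN to place the frame in and DHCP never sees it.

```python
import struct
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q VLAN tag
ETHERTYPE_IPV4 = 0x0800


@dataclass
class VlanInterface:
    """Simplified model of a firewall VLAN interface (naming is this example's, not Fireware's).

    tagged_vlans  -> "send and receive tagged traffic for selected VLANs"
    untagged_vlan -> "send and receive untagged traffic for selected VLAN"
    """
    name: str
    tagged_vlans: Set[int] = field(default_factory=set)
    untagged_vlan: Optional[int] = None


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None) -> bytes:
    """Build a raw Ethernet frame; insert an 802.1Q tag (PCP/DEI = 0) when vlan_id is given."""
    header = dst + src
    if vlan_id is not None:
        header += struct.pack("!HH", TPID_8021Q, vlan_id & 0x0FFF)
    header += struct.pack("!H", ethertype)
    return header + payload


def parse_frame(frame: bytes) -> Tuple[Optional[int], int, bytes]:
    """Return (vlan_id or None, inner EtherType, payload) for a raw Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return None, ethertype, frame[14:]  # plain (untagged) frame, e.g. from a PC
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner_type, frame[18:]  # low 12 bits of TCI carry the VLAN ID


def classify(iface: VlanInterface, frame: bytes) -> Optional[int]:
    """Which VLAN the interface places the frame in, or None if it has nowhere to put it."""
    vid, _, _ = parse_frame(frame)
    # VID 0 is "priority tagged": carries a priority but no VLAN, so it counts as untagged.
    if vid is None or vid == 0:
        return iface.untagged_vlan
    return vid if vid in iface.tagged_vlans else None


# Constructed sample traffic: a DHCP-discover-sized IPv4 payload is enough for this purpose.
PC_MAC = bytes.fromhex("020000000001")          # locally administered, made-up address
BROADCAST = b"\xff" * 6
UNTAGGED_FROM_PC = build_frame(BROADCAST, PC_MAC, ETHERTYPE_IPV4, b"\x00" * 300)
TAGGED_FROM_SWITCH = build_frame(BROADCAST, PC_MAC, ETHERTYPE_IPV4, b"\x00" * 300, vlan_id=70)


def scenarios() -> dict:
    """Replay the thread's configurations; values are the VLAN each frame lands in."""
    tagged_only = VlanInterface("Interface 2", tagged_vlans={70})
    untagged_only = VlanInterface("Interface 2", untagged_vlan=70)  # the poster's working config
    both = VlanInterface("Interface 2", tagged_vlans={70}, untagged_vlan=70)
    return {
        "pc, tagged-only": classify(tagged_only, UNTAGGED_FROM_PC),        # None: no DHCP reply
        "pc, untagged-only": classify(untagged_only, UNTAGGED_FROM_PC),    # 70
        "pc, both": classify(both, UNTAGGED_FROM_PC),                      # 70 via the untagged setting
        "trunk, tagged-only": classify(tagged_only, TAGGED_FROM_SWITCH),   # 70 via the tag
        "trunk, untagged-only": classify(untagged_only, TAGGED_FROM_SWITCH),  # None: tag not accepted
    }


if __name__ == "__main__":
    for label, vlan in scenarios().items():
        print(f"{label:22s} -> {'dropped (no VLAN)' if vlan is None else f'VLAN {vlan}'}")
```

The model deliberately stops at frame placement: it says nothing about why an address from another VLAN appeared in the poster's "both checked" test, which the thread never resolves. What it does show is the shape of the check worth making before touching DHCP settings: capture on the firewall-facing link and confirm whether frames arrive with a 0x8100 tag carrying VID 70 (trunk) or with no tag at all (access port or a directly attached PC), and then match the interface's tagged/untagged options to that.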

Answers

  • @Bruce_Briggs
    Thanks for the information, as usual, very helpful!

    I went brain dead, too many things going on; "PC won't get tagged packets", I forgot!

    I had to change my Interface 2 to "send and receive untagged traffic for VLAN 70 and turn off (uncheck) the "send and receive tagged traffic for selected VLAN" (no VLAN selected).

    If I checked "send and receive tagged traffic for the selected VLANs" and left the "send and receive untagged traffic for selected VLAN" unchecked, I didn't get an IP address.

    If I checked BOTH "send and receive tagged & send and receive untagged traffic for the selected VLANs", I got the wrong IP address (AP Maint. IP address; vlan10).

    I have my Cisco switch ports set at Static Access for VLAN 70.

    Thanks again for your input!

  • So, are you working as expected now?

  • Yes, I have one confirmed tested and working.
