New VLAN isn't handing out the proper IP address-help?
WG Firebox M370; Fireware 12.8.2; WSM 12.9.0u1
I'm setting up another new VLAN for our Credit Card terminals to be segregated from the rest of our network.
I set up VLAN 70 (ccmach) with a Custom security zone; private IP 172.xxx.70.xxx, handing out IPs from .15 - .30. I only have 8 terminals. My WG Firebox will be doing the DHCP handouts.
I wanted to use Interface 2* as my connection to the Firebox; Interface Name - CCVlan, Interface type - VLAN, Send and Receive tagged traffic for selected VLANs - Yes, VLAN 70 is checked.
- send and receive untagged traffic for selected VLAN - unchecked - I don't get any IP address handed out from the Firebox.
- send and receive untagged traffic for selected VLAN - checked - I get an IP address but it's not the correct IP for VLAN 70.
If I use our main Trusted Network (VLAN 1) for the 'untagged traffic' I get an IP address from our VLAN 10 (WiFi AP Maint. vlan).
If I use our AP Maint. VLAN (10) for 'untagged traffic' I get an IP address from the AP Maint VLAN.
I have a Policy setup as:
CCMach_PCI; From - CCMach (VLAN 70 alias) To - Credit Card URLs via their designated ports. SD-WAN routing out our fiber connection. Logging turned on.
For test purposes, because I wasn't getting a correct IP address when plugged into our Cisco switches, I have plugged a PC directly into Interface 2* and this is where I'm getting the above results.
- for another test I turned off Interface 2 and switched to Interface 7 with the exact same results.
I have 4 other VLANs set up primarily for WiFi segregation; this is for a network cabled connection but I'm not sure what I'm missing. I am concerned and questioning why I'm getting an AP Maint IP address (being the wrong IP address) when this has nothing to do with an AP.
Q: by directly connecting to the FB Interface I should get handed the correct IP address I'm expecting?
Q: could I have my AP Maint VLAN set up incorrectly somewhere, causing my problem and why I'm getting an AP Maint IP address?
Best Answer
"send and receive untagged traffic for selected VLAN - unchecked - I don't get any IP address handed out from the Firebox."
This suggests that the packets coming in to interface 2 are untagged.
"I have plugged a PC directly into Interface 2* and these are where I'm getting the above results."
A PC connected to the firewall interface won't send tagged packets.
Packet tagging is done by a VLAN capable device, such as a VLAN capable switch or a VLAN capable AP.
"send and receive untagged traffic for selected VLAN - checked - I get an IP address but it's not the correct IP for VLAN 70."
Verify that you have selected VLAN 70 here, and that VLAN 70 has the correct DHCP settings.
"Q: by directly connecting to the FB Interface I should get handed the correct IP address I'm expecting?"
A. yes - as long as everything is set up correctly.
Verify that your Cisco switch is set to tag packets for VLAN 70 on the connection to your firewall Interface 2 (perhaps set as trunk) and for the switch port(s) connected to the credit card terminals.
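The ingress rule the answer above describes (untagged frames from a PC land in the interface's untagged VLAN or are dropped; tagged frames are accepted only for the VLANs selected as tagged) can be modelled in a few lines. The following is an added example, not code from the thread or from WatchGuard; it parses the 802.1Q header of constructed sample frames and assumes the Firebox interface follows standard 802.1Q port rules, which reproduces every result reported in the question (no lease with untagged unchecked, a VLAN 10 lease when VLAN 10 is the untagged VLAN, a VLAN 70 lease when VLAN 70 is).

```python
"""802.1Q ingress classification for a firewall or switch port (added example)."""
from __future__ import annotations

import struct
from dataclasses import dataclass, field

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q-tagged frame


@dataclass
class VlanPort:
    """Port configuration: VLANs accepted tagged, and the VLAN untagged frames join.

    untagged_vlan=None models 'send and receive untagged traffic' unchecked.
    """
    tagged_vlans: set[int] = field(default_factory=set)
    untagged_vlan: int | None = None


def parse_vlan_id(frame: bytes) -> int | None:
    """Return the 802.1Q VLAN ID carried by an Ethernet frame, or None if untagged."""
    if len(frame) < 16:  # dst(6) + src(6) + TPID(2) + TCI(2) needed to read a tag
        return None
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return None  # field is a plain EtherType, so the frame has no tag
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF  # low 12 bits are the VID; the top 4 are PCP/DEI


def classify_ingress(port: VlanPort, frame: bytes) -> int | None:
    """VLAN the frame is placed in on ingress, or None if the port drops it."""
    vid = parse_vlan_id(frame)
    if vid is None:                # untagged frame, e.g. from a plain PC NIC
        return port.untagged_vlan  # None means dropped, so no DHCP reply at all
    if vid in port.tagged_vlans:   # tagged by a VLAN-capable switch or AP
        return vid
    return None                    # tagged for a VLAN this port does not carry


def build_frame(vlan_id: int | None, payload: bytes = b"\x00" * 46) -> bytes:
    """Constructed sample frame: broadcast dst, dummy src, optional 802.1Q tag, IPv4."""
    header = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01"
    if vlan_id is not None:
        header += struct.pack("!HH", TPID_8021Q, vlan_id & 0x0FFF)
    return header + struct.pack("!H", 0x0800) + payload


if __name__ == "__main__":
    pc_frame = build_frame(None)  # what a directly connected PC sends
    print(classify_ingress(VlanPort({70}, None), pc_frame))  # None: dropped
    print(classify_ingress(VlanPort({70}, 10), pc_frame))    # 10: VLAN 10 lease
    print(classify_ingress(VlanPort(set(), 70), pc_frame))   # 70: the fix
```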
Answers
@Bruce_Briggs
Thanks for the information, as usual, very helpful!
I went brain dead, too many things going on; "PC won't get tagged packets", I forgot!
I had to change my Interface 2 to "send and receive untagged traffic for VLAN 70" and turn off (uncheck) the "send and receive tagged traffic for selected VLAN" (no VLAN selected).
If I checked "send and receive tagged traffic for the selected VLANs" and left the "send and receive untagged traffic for selected VLAN" unchecked, I didn't get an IP address.
If I checked BOTH "send and receive tagged & send and receive untagged traffic for the selected VLANs", I got the wrong IP address (AP Maint. IP address; VLAN 10).
I have my Cisco switch ports set at Static Access for VLAN70.
Thanks again for your input!
So, are you working as expected now?
Yes, I have one confirmed tested and working.